Merge branch 'master' into topic/cmake-port

Resolved Conflicts:
	CMakeLists.txt
	INSTALL
	aux/binpac
	aux/bro-aux
	aux/broccoli
	aux/broctl
	cmake/CheckTypes.cmake
	cmake/FindBIND.cmake
	cmake/OSSpecific.cmake
	cmake/OpenSSLTests.cmake
	cmake/PCAPTests.cmake
	src/CMakeLists.txt
Jon Siwek 2010-11-30 15:07:29 -06:00
commit 1442af616f
305 changed files with 306 additions and 127825 deletions

.gitignore

@ -0,0 +1 @@
build


CHANGES

@ -2,6 +2,48 @@
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1.6-dev.1 Sat Nov 27 12:19:47 PST 2010
- Merge with Subversion repository as of r7098. Incorporated changes:
* Rotation post-processors are now passed an additional argument
indicating whether Bro is terminating (Robin Sommer).
* Bro now consistently generates a file_opened event for all
fopen() calls. (Robin Sommer).
* You can now redefine the email_notice_to function (Robin
Sommer).
1.6-dev.0 Fri Nov 26 13:48:11 PST 2010
- The Bro source code is now developed in the new git repositories.
See the developer pages at http://www.bro-ids.org for more
information on the new development process.
- Bro's build and installation setup has been moved from GNU
autotools to CMake. As a result of that, layout and specifics of
the distribution has changed significantly.
- Lots of pieces have been removed from the distribution that are
either now unnecessary or are no longer maintained.
- As part of the cleanup, a numbef of Bro configure options and
their corresponding functionality have been removed, including:
* --disable-select-loop
* --with-dag
* --disable-nbdns
* --enable-activemapping
* --enable-activemapping
* --enable-shippedpcap
- The previous configure option --enable-int64 is now enabled by default,
and can no longer be disabled.
- ClamAV support has been removed, which has been non-functional for
a while already.
1.5.2.7 Sun Sep 12 19:39:49 PDT 2010
- Addressed a number of lint nits (Vern Paxson).
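Review bot: two slips in the 1.6-dev.0 entry of this hunk: "a numbef of Bro configure options" should read "a number of", and "--enable-activemapping" is listed twice among the removed options, so one of the two bullets should be dropped (or replaced with the option that was actually meant).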


@ -1,4 +1,4 @@
Copyright (c) 1995-2008, The Regents of the University of California,
Copyright (c) 1995-2010, The Regents of the University of California,
through Lawrence Berkeley National Laboratory. All rights reserved.
Redistribution and use in source and binary forms, with or without
@ -44,6 +44,5 @@ noted below) and the source files in src/ , other than:
src/patricia.c
src/patricia.h
In addition, the build components such as Makefile.in, acinclude.m4, and
others have separate copyrights, as do a number of the elements in the
aux/ subdirectory and in scripts/s2b/snort_rules2.2/ .
In addition, other components, such as the build system, may have
separate copyrights.
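Review bot: the rewritten closing paragraph replaces the explicit pointers to the aux/ subdirectory and scripts/s2b/snort_rules2.2/ with "other components, such as the build system, may have separate copyrights"; if third-party material under aux/ (the submodules bumped in this merge) still ships with the distribution, keep naming it here or in a separate attribution list so the per-component copyrights remain discoverable rather than implied.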



@ -1,3 +1,6 @@
TODO: Needs update. -Robin
- Make sure BroV6 works.
- Make sure --enable-int64 builds w/o warnings.
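Review bot: the retained TODO items are already stale relative to CHANGES in this same commit: --enable-int64 no longer exists as an option (64-bit integers are now always on), so "Make sure --enable-int64 builds w/o warnings" should become "make sure the 64-bit integer build is warning-free" or be removed. The added "TODO: Needs update. -Robin" line acknowledges this, but a known-dead item in a tracked file tends to outlive that intent; better to fix it here.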


@ -1,3 +0,0 @@
README
VERSION
bro

INSTALL

@ -1,3 +1,8 @@
==============
Installing Bro
==============
Prerequisites
=============
@ -60,8 +65,12 @@ To build and install into /usr/local/bro:
> make
> make install
This will perform an out-of-source build into the build directory using the
default build options and then install binaries into /usr/local/bro/bin.
This will perform an out-of-source build into a directory called
build/, using default build options. It then installs the Bro binary
into /usr/local/bro/bin. Depending on the Bro package you
downloaded, there may be auxiliary tools and libraries available in
the aux/ directory. If so, they will be installed by default as well
if not explicitly disabled via configure options.
You can specify a different installation directory with
@ -73,34 +82,6 @@ Running Bro
===========
Bro is a complex program and it takes a bit of time to get familiar
with it. In the following we give a few simple examples. See
http://www.bro-ids.org/wiki for more information.
To run a policy file from /usr/local/share/bro, such as mt.bro, on a
previously captured tcpdump save file named foo:
bro -r foo mt.bro
To run from interface le0:
bro -i le0 mt
You can alternatively specify interface and scripts to load in your own
policy file:
@load mt
redef interfaces = "le0";
and then run
bro ./my-policy.bro
You can see the BPF filter Bro will use (if not overridden) by executing
bro mt print-filter
To run interactively (e.g., for playing with expression evaluation):
bro
"bro -h" lists the various options.
with it. In the following we give a few simple examples. See the
quickstart guide at http://www.bro-ids.org for more information; you
can the source that in doc/quick-start.
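Review bot: the replacement sentence has a dropped word: "you can the source that in doc/quick-start" should read something like "you can find its source in doc/quick-start". Also, removing the worked invocations (bro -r foo mt.bro, bro -i le0 mt, the @load/redef interfaces snippet, bro mt print-filter) leaves INSTALL with no runnable example at all; confirm that doc/quick-start actually covers each of them, print-filter in particular, before this lands.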

Makefile

@ -0,0 +1,28 @@
#
# A simple static wrapper for a number of standard Makefile targets,
# mostly just forwarding to build/Makefile. This is provided only for
# convenience and supports only a subset of what CMake's Makefile
# to offer. For more, execute that one directly.
#
BUILD=build
all: configured
( cd $(BUILD) && make )
install: configured
( cd $(BUILD) && make install )
clean: configured
( cd $(BUILD) && make clean )
dist: configured
( cd $(BUILD) && make package_source )
distclean:
rm -rf $(BUILD)
.PHONY : configured
configured:
@test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 )
@test -e $(BUILD)/Makefile || ( echo "Error: No build/Makefile found. Did you run configure?" && exit 1 )
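Review bot: the recursive invocations should use $(MAKE) rather than a bare make so that -n, -k and jobserver flags propagate into build/, e.g. `( cd $(BUILD) && $(MAKE) )`; and only configured is declared .PHONY, whereas all, install, clean, dist and distclean are phony as well (distclean has no phony prerequisite at all, so a stray file named distclean in the top directory would make it a silent no-op). Minor: the header comment reads "what CMake's Makefile to offer", missing "has".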


@ -1,64 +0,0 @@
## Process this file with automake to produce Makefile.in
# snag the whole linux-include directory
EXTRA_DIST = CHANGES README VERSION shtool linux-include \
autogen.sh depcomp ylwrap
# When running distcheck, make sure we skip building GtkDoc-based
# documentation. This applies to Broccoli only, and needs to be
# duplicated here because DISTCHECK_CONFIGURE_FLAGS isn't otherwise
# noticed.
#
DISTCHECK_CONFIGURE_FLAGS = --disable-gtk-doc
chown = @CHOWN@
# aux before src so we compile the libpcap
SUBDIRS = aux src scripts policy doc
test:
( cd ../testing && $(MAKE) test )
install-broctl:
$(MAKE) install
( cd aux/broctl && $(MAKE) install-broctl )
# Deprecated. Don't use.
install-brolite:
$(MAKE) install
$(INSTALL) -d $(prefix)/logs
$(INSTALL) -d $(prefix)/archive
$(INSTALL) -d $(prefix)/var
( cd scripts && $(MAKE) install-brolite )
( cd aux && $(MAKE) install-brolite )
- @CHOWN@ -R `cat scripts/bro_user_id` ${prefix}/
@echo "*********************************************************"
@echo "Please run \"${prefix}/etc/bro.rc --start\" to start bro"
@echo "*********************************************************"
docs:
( cd doc && $(MAKE) doc )
doc-install:
( cd doc && $(MAKE) doc-install )
update:
( cd scripts && $(MAKE) update )
( cd policy && $(MAKE) install )
update-sigs:
(cd scripts && $(MAKE) update-sigs )
reports:
( cd scripts && $(MAKE) reports )
# make sure we don't leak CVS/SVN or private policy files
dist-hook:
rm -rf `find $(distdir) -name CVS`
rm -rf `find $(distdir) -name .svn`
rm -rf $(distdir)/policy/local
release:
./autogen.sh
./configure
$(MAKE) distcheck
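Review bot: several targets removed with Makefile.am have no counterpart in the new top-level wrapper Makefile, which only offers all, install, clean, dist and distclean: test, install-broctl, docs, doc-install, update, update-sigs and reports. Either the CMake tree provides equivalents (worth saying so in INSTALL) or the loss should be called out in CHANGES. Dropping the deprecated install-brolite target is a clear win: it ran a recursive @CHOWN@ over the entire ${prefix} using whatever scripts/bro_user_id contained, a privileged install-time side effect a build system should not have.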

NEWS

README

@ -1,29 +1,24 @@
This is release 1.5 of Bro, a system for detecting network intruders in
This is release 1.6 of Bro, a system for detecting network intruders in
real-time using passive network monitoring.
Please see the file INSTALL for installation instructions and some examples
on how to run Bro. For more documentation, see the Bro Wiki:
Please see the file INSTALL for installation instructions and
pointers for getting started. For more documentation, see the
documentation on Bro's home page:
http://www.bro-ids.org/wiki/index.php/User_Manual
http://www.bro-ids.org/docs
Please note that this documentation is preliminary and still missing pieces.
PDF and HTML versions of older versions of the manuals are also available
in the doc/ directory.
There's also in doc/misc/conn-logs/ a brief summary of the connection logs
generated by the sample policy scripts (which are in policy/).
The main parts of Bro's documentation are also available in the doc/
directory of the distribution. (Please note that the documentation
is still a work in progress; there will be more in future releases.)
Numerous other Bro-related publications, including a paper describing the
system, can be found at
http://www.bro-ids.org/publications.html
Some auxiliary scripts and utilities are available in the aux/ directory.
Note that these are not installed by default.
Send comments, etc., to the Bro mailing list, bro@bro-ids.org. However,
please note that you must first subscribe to the list in order to be able
to post to it.
Send comments, etc., to the Bro mailing list, bro@bro-ids.org.
However, please note that you must first subscribe to the list in
order to be able to post to it.
- Vern Paxson & Robin Sommer, on behalf of the Bro development team
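Review bot: "Some auxiliary scripts and utilities are available in the aux/ directory. Note that these are not installed by default." contradicts the INSTALL text in this same merge, which says the aux/ tools and libraries are installed by default unless explicitly disabled via configure options; if that sentence survives in the new README, rewrite it to match INSTALL or drop it and point the reader to INSTALL instead.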


@ -1,9 +0,0 @@
Plan for 1.6:
Originally, with 1.5 we were going to start working with --use-binpac
as the default. However, this has been deferred pending development
of BinPAC++. We might however turn on BinPAC for the SSL analyzer,
for which the BinPAC version is more robust. It, though, doesn't
support storing certs to disk, which some folks use operationally.
Given DPD means we might not filter traffic anyway, we no longer
have such a good excuse for not dealing with IPv6 options.


@ -1 +1 @@
1.5.2.7
1.6-dev.1



@ -1,143 +0,0 @@
#!/bin/sh
# Initialization script to set up the initial configuration files etc.
# shtool usage inspired by the autogen script of the ferite scripting
# language -- cheers Chris :)
#
# This is 'borrowed' from netdude, with minor changes for bro
BLD_ON=`./shtool echo -n -e %B`
BLD_OFF=`./shtool echo -n -e %b`
srcdir=`dirname $0`
NAME=bro
DIE=0
echo
echo " "${BLD_ON}"BRO Build Tools Setup"${BLD_OFF}
echo "===================================================="
echo
echo "Checking whether we have all tools available ..."
(autoconf --version) < /dev/null > /dev/null 2>&1 || {
echo
echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`autoconf' installed to."
echo "Download the appropriate package for your distribution,"
echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
DIE=1
}
(automake --version) < /dev/null > /dev/null 2>&1 || {
echo
echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`automake' installed."
echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
echo "(or a newer version if it is available)"
DIE=1
NO_AUTOMAKE=yes
}
# if no automake, don't bother testing for aclocal
test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
echo
echo ${BLD_ON}"Error"${BLD_OFF}": Missing \`aclocal'. The version of \`automake'"
echo "installed doesn't appear recent enough."
echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
echo "(or a newer version if it is available)"
DIE=1
}
if test "$DIE" -eq 1; then
exit 1
fi
echo "All necessary tools found."
echo
if [ -d autom4te.cache ] ; then
echo "Removing autom4te.cache ..."
rm -rf autom4te.cache
#echo
#echo ${BLD_ON}"Error"${BLD_OFF}": autom4te.cache directory exists"
#echo "please remove it, and rerun this script"
#echo
#exit 1
fi
echo
echo "running "${BLD_ON}"aclocal"${BLD_OFF}
echo "----------------------------------------------------"
aclocal -I . $ACLOCAL_FLAGS
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo "running "${BLD_ON}"autoheader"${BLD_OFF}
echo "----------------------------------------------------"
autoheader
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo "running "${BLD_ON}"automake"${BLD_OFF}
echo "----------------------------------------------------"
automake -a -c
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo "running "${BLD_ON}"autoconf"${BLD_OFF}
echo "----------------------------------------------------"
autoconf
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo
echo "Running aux/binpac/autogen.sh"
echo "----------------------------------------------------"
(cd aux/binpac/ && BROBUILD=yes ./autogen.sh)
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo
echo "Running aux/broccoli/autogen.sh"
echo "----------------------------------------------------"
(cd aux/broccoli/ && BROBUILD=yes ./autogen.sh)
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo
echo "Running aux/broctl/aux/capstats/autogen.sh"
echo "----------------------------------------------------"
(cd aux/broctl/aux/capstats && ./autogen.sh)
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo
echo "Setup finished. Now run:"
echo
echo " $ "${BLD_ON}"./configure"${BLD_OFF}" (with options as needed, try --help)"
echo
echo "and then"
echo
echo " $ "${BLD_ON}"make"${BLD_OFF}
echo " # "${BLD_ON}"make install"${BLD_OFF}
echo
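Review bot: removing autogen.sh also removes the only place that told users the bootstrap sequence ("Now run: ./configure ... make ... make install"), while the new wrapper Makefile still asks "Did you run configure?"; make sure INSTALL documents what "configure" now is under CMake. The aux/binpac, aux/broccoli and aux/broctl/aux/capstats trees that this script bootstrapped recursively must now be driven by the CMake tree through the updated submodules, so that path deserves a test on a clean checkout.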

@ -1 +1 @@
Subproject commit 627e6bdfd34b0b6ae124fe2e0bccd3a132b0aa93
Subproject commit ef63323e63fef4684abee42c41f0da149a74166a

@ -1 +1 @@
Subproject commit afb29b38bcb08b67f2a86ea580a9b55d1a9ace05
Subproject commit 0a946b4d660fda37a868bb01974211df9cd48ac7

@ -1 +1 @@
Subproject commit d35cff92395a28b66d6863d1e3f956005ec87300
Subproject commit 38f06c30f39571ab45d493cb9c8913bf1c4b5bb8

@ -1 +1 @@
Subproject commit f3a2d34bf4dcc37cd1ae5ed9197ee625b2d41422
Subproject commit de2cd13692a54cf07bbb1f18cdb14d297ec186f1


@ -0,0 +1,87 @@
# Calling this macro with the name of a list variable will modify that
# list such that any third party libraries that do not come with a
# vanilla Mac OS X system will be replaced by an adjusted library that
# has an install_name relative to the location of any executable that
# links to it.
#
# Also, it will schedule the modified libraries for installation in a
# 'support_libs' subdirectory of the CMAKE_INSTALL_PREFIX.
#
# The case of third party libraries depending on other third party
# libraries is currently not handled by this macro.
#
# Ex.
#
# set(libs /usr/lib/libz.dylib
# /usr/lib/libssl.dylib
# /usr/local/lib/libmagic.dylib
# /usr/local/lib/libGeoIP.dylib
# /usr/local/lib/somestaticlib.a)
#
# include(ChangeMacInstallNames)
# ChangeMacInstallNames(libs)
#
# Should result in ${libs} containing:
# /usr/lib/libz.dylib
# /usr/lib/libssl.dylib
# ${CMAKE_BINARY_DIR}/darwin_support_libs/libmagic.dylib
# ${CMAKE_BINARY_DIR}/darwin_support_libs/libGeoIP.dylib
# /usr/local/lib/somestaticlib.a
#
# such that we can now do:
#
# add_executable(some_exe ${srcs})
# target_link_libraries(some_exe ${libs})
#
# Any binary packages created from such a build should be self-contained
# and provide working installs on vanilla OS X systems.
macro(ChangeMacInstallNames libListVar)
if (APPLE)
find_program(INSTALL_NAME_TOOL install_name_tool)
set(MAC_INSTALL_NAME_DEPS)
set(SUPPORT_BIN_DIR ${CMAKE_BINARY_DIR}/darwin_support_libs)
set(SUPPORT_INSTALL_DIR support_libs)
file(MAKE_DIRECTORY ${SUPPORT_BIN_DIR})
foreach (_lib ${${libListVar}})
# only care about install_name for shared libraries that are
# not shipped in Apple's vanilla OS X installs
string(REGEX MATCH ^/usr/lib/* apple_provided_lib ${_lib})
string(REGEX MATCH dylib$ is_shared_lib ${_lib})
if (NOT apple_provided_lib AND is_shared_lib)
get_filename_component(_libname ${_lib} NAME)
set(_adjustedLib ${SUPPORT_BIN_DIR}/${_libname})
set(_tmpLib
${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/${_libname})
# make a tempory copy so we can adjust permissions
configure_file(${_lib} ${_tmpLib} COPYONLY)
# copy to build directory with correct write permissions
file(COPY ${_tmpLib}
DESTINATION ${SUPPORT_BIN_DIR}
FILE_PERMISSIONS OWNER_READ OWNER_WRITE
GROUP_READ WORLD_READ)
# remove the old library from the list provided as macro
# argument and add the new library with modified install_name
list(REMOVE_ITEM ${libListVar} ${_lib})
list(APPEND ${libListVar} ${_adjustedLib})
# update the install target to install the third party libs
# with modified install_name
install(FILES ${_adjustedLib}
DESTINATION ${SUPPORT_INSTALL_DIR})
# perform the install_name change
execute_process(COMMAND install_name_tool -id
@executable_path/../${SUPPORT_INSTALL_DIR}/${_libname}
${_adjustedLib})
endif ()
endforeach ()
endif ()
endmacro()
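Review bot: the Apple-provided-library test `string(REGEX MATCH ^/usr/lib/* apple_provided_lib ${_lib})` is wrong: in a regular expression `/*` means zero or more slashes, so the pattern also matches /usr/lib64/... and /usr/libexec/..., which would then be left untouched; use the quoted form `"^/usr/lib/"`. Also, `find_program(INSTALL_NAME_TOOL install_name_tool)` is never used: the execute_process call invokes a literal install_name_tool, so the macro neither honours the discovered path nor fails cleanly when the tool is absent (pass `${INSTALL_NAME_TOOL}` and check a RESULT_VARIABLE). Minor: "tempory" should be "temporary".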


@ -10,7 +10,6 @@ elseif (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
set(HAVE_LINUX true)
include_directories(BEFORE ${CMAKE_SOURCE_DIR}/linux-include)
elseif (${CMAKE_SYSTEM_NAME} MATCHES "Solaris")
set(SOCKET_LIBS nsl socket)
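Review bot: this hunk shrinks the Linux branch by one line; assuming the dropped line is `include_directories(BEFORE ${CMAKE_SOURCE_DIR}/linux-include)`, the linux-include directory that Makefile.am used to ship via EXTRA_DIST should be removed from the tree in the same change, otherwise it lingers as an unused set of header copies that will drift from what the build actually uses.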

compile

@ -1,136 +0,0 @@
#! /bin/sh
# Wrapper for compilers which do not understand `-c -o'.
scriptversion=2003-11-09.00
# Copyright (C) 1999, 2000, 2003 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]
Wrapper for compilers which do not understand `-c -o'.
Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.
If you are trying to build a whole package this is not the
right script to run: please start by reading the file `INSTALL'.
Report bugs to <bug-automake@gnu.org>.
EOF
exit 0
;;
-v | --v*)
echo "compile $scriptversion"
exit 0
;;
esac
prog=$1
shift
ofile=
cfile=
args=
while test $# -gt 0; do
case "$1" in
-o)
# configure might choose to run compile as `compile cc -o foo foo.c'.
# So we do something ugly here.
ofile=$2
shift
case "$ofile" in
*.o | *.obj)
;;
*)
args="$args -o $ofile"
ofile=
;;
esac
;;
*.c)
cfile=$1
args="$args $1"
;;
*)
args="$args $1"
;;
esac
shift
done
if test -z "$ofile" || test -z "$cfile"; then
# If no `-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
# `.c' file was seen then we are probably linking. That is also
# ok.
exec "$prog" $args
fi
# Name of file we expect compiler to create.
cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
# Create the lock directory.
# Note: use `[/.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
lockdir=`echo $cofile | sed -e 's|[/.-]|_|g'`.d
while true; do
if mkdir $lockdir > /dev/null 2>&1; then
break
fi
sleep 1
done
# FIXME: race condition here if user kills between mkdir and trap.
trap "rmdir $lockdir; exit 1" 1 2 15
# Run the compile.
"$prog" $args
status=$?
if test -f "$cofile"; then
mv "$cofile" "$ofile"
fi
rmdir $lockdir
exit $status
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:

config.guess

config.sub


@ -1,964 +0,0 @@
dnl @(#) $Id: configure.in 6960 2009-12-19 06:22:16Z vern $ (LBL)
dnl
dnl Copyright (c) 1997, 1998, 2001, 2002
dnl The Regents of the University of California. All rights reserved.
dnl
dnl Process this file with autoconf to produce a configure script.
dnl
## broken versioning stuff
##m4_include([version.m4])
##AC_INIT([bro], VERSION_NUMBER)
## NOTICE: this sets the version at the autoconf time, not
## at configure time, so it may be out of date!
## start of changes for different versions of automake/conf
# this will work with automake 1.8.5
dnl AC_INIT(bro, esyscmd([tr -d '\n' < VERSION]))
dnl AC_CONFIG_SRCDIR(src/Active.cc)
dnl AC_CANONICAL_SYSTEM
dnl AM_INIT_AUTOMAKE
dnl AC_CONFIG_HEADER(config.h)
dnl AC_LBL_C_INIT(V_CCOPT, V_INCLS)
dnl AC_PROG_LEX
## This should work with automake 1.6
AC_INIT(src/Active.cc)
AC_CANONICAL_SYSTEM
#AM_INIT_AUTOMAKE(bro, 0.1.0)
AM_INIT_AUTOMAKE(bro, esyscmd([tr -d '\n' < VERSION]))
AM_CONFIG_HEADER(config.h)
AC_LBL_C_INIT(V_CCOPT, V_INCLS)
AM_PROG_LEX
## end of changes for versions of automake/conf
dnl Commands for funkier shell output:
BLD_ON=`./shtool echo -n -e %B`
BLD_OFF=`./shtool echo -n -e %b`
# We should install everything in /usr/local/bro{bin,lib,policy,etc}
AC_PREFIX_DEFAULT(/usr/local/bro)
dnl ################################################
dnl # Checks for programs
dnl ################################################
AC_PROG_YACC
AC_PROG_CXX
AC_PROG_INSTALL
AC_PROG_MAKE_SET
AC_PROG_RANLIB
AC_CHECK_PROGS(COMPRESS, gzip, compress)
AM_CONDITIONAL(USEV6, false)
AC_ARG_ENABLE(brov6,
[ --enable-brov6 enable IPV6 processing],
AC_DEFINE(BROv6,,[enable IPV6 processing])
AM_CONDITIONAL(USEV6,true))
AC_ARG_ENABLE(int64,
[ --enable-int64 enable use of int64 (long long) for integers],
AC_DEFINE(USE_INT64,1,[enable use of 64-bit integers]))
AC_ARG_ENABLE(activemapping,
[ --enable-activemapping enable active mapping processing],
AC_DEFINE(ACTIVE_MAPPING,,[Enable active mapping processing]))
AC_ARG_ENABLE(expire-dfa-states,
[ --enable-expire-dfa-states enable DFA state expiration],
AC_DEFINE(EXPIRE_DFA_STATES,,[Enable DFA state expiration]))
AC_ARG_ENABLE(debug,
[ --enable-debug no compiler optimizations],
debug="yes"
V_CCOPT="-g -DDEBUG"
CFLAGS="-DDEBUG `echo $CFLAGS | sed -e 's/-O2//'`"
CPPFLAGS="-DDEBUG `echo $CPPFLAGS | sed -e 's/-O2//'`"
CXXFLAGS="-DDEBUG `echo $CXXFLAGS | sed -e 's/-O2//'`",
debug="no")
AC_ARG_ENABLE(select-loop,
[ --disable-select-loop disable select-based main loop],
check_select_loop=no,
check_select_loop=yes)
AC_ARG_ENABLE(perftools,
[ --enable-perftools use Google's perftools],
use_perftools=yes,
use_perftools=no)
AC_ARG_WITH(openssl,
[ --with-openssl=PATH path to OpenSSL (needed for SSL analyzer and secure communication)],
if test "$withval" != "no" -a "$withval" != "NO"; then
use_openssl=yes
OPENSSL="$withval"
LDFLAGS="${LDFLAGS} -L${OPENSSL}/lib "
V_INCLS="${V_INCLS} -I${OPENSSL}/include"
CXXFLAGS="${CXXFLAGS} -I${OPENSSL}/include"
else
use_openssl=no
fi
)
AC_ARG_ENABLE(shippedpcap,
[ --enable-shippedpcap use the shipped version of libpcap ],
[ if test "$enableval" = yes; then
use_shippedpcap=yes
else
use_shippedpcap=no
fi ],
[ use_shippedpcap=no ])
AC_ARG_WITH(perl, [ --with-perl=PATH path/name of the Perl interpreter],
PERL=$withval, PERL=${PERL:-})
AC_ARG_WITH(dag,
[ --with-dag=PATH path to the DAG library (for native support for Endace Tech.'s DAG monitoring cards)],
if test "$withval" != "no" -a "$withval" != "NO"; then
use_dag=yes
DAGPATH="$withval"
LDFLAGS="${LDFLAGS} -L${DAGPATH}/lib "
V_INCLS="${V_INCLS} -I${DAGPATH}/include"
else
use_dag=no
fi
)
AC_ARG_WITH(binpac,
[ --with-binpac=PATH path to a binpac executable for compiling analyzer code],
BINPAC="$withval")
AC_ARG_ENABLE(nbdns,
AC_HELP_STRING([--disable-nbdns], [Disable non-blocking DNS support]),
nbdns="no", nbdns="yes")
AC_LBL_ENABLE_CHECK([activemapping binpac broccoli brov6 debug \
expire-dfa-states gtk-doc int64 openssl perftools perl \
select-loop shippedpcap broctl cluster nbdns])
dnl ################################################
dnl # OpenSSL
dnl ################################################
if test "$use_openssl" != "no" -a "$use_openssl" != "NO"; then
saved_libs="${LIBS}"
AC_CHECK_LIB(crypto, OPENSSL_add_all_algorithms_conf,
LIBS="${LDFLAGS} -lcrypto"
AC_CHECK_LIB(ssl, SSL_new,, AC_MSG_ERROR([Can't find SSL library]))
LIBS="${LDFLAGS} -lssl"
use_openssl=yes,
use_openssl=no
)
LIBS="${saved_libs}"
else
use_openssl=no
fi
if test "$use_openssl" != "no"; then
saved_cflags="${CFLAGS}"
CFLAGS="${CFLAGS} -I${OPENSSL}/include"
AC_CHECK_DECL(OPENSSL_add_all_algorithms_conf,,
use_openssl=no,
[#include <openssl/evp.h>])
CFLAGS="${saved_cflags}"
fi
if test "$use_openssl" = "yes"; then
# On Red Hat we may need to include Kerberos header.
# (CHECK_HEADER doesn't work here)
saved_cflags="${CFLAGS}"
CFLAGS="${CFLAGS} -I${OPENSSL}/include"
AC_COMPILE_IFELSE([#include <openssl/ssl.h>],,
CFLAGS="${CFLAGS} -I/usr/kerberos/include"
AC_CHECK_HEADER(krb5.h,
V_INCLS="${V_INCLS} -I/usr/kerberos/include"
AC_DEFINE(NEED_KRB5_H,,[Include krb5.h]),
use_openssl=no
AC_MSG_WARN([Can't compile OpenSSL test; disabling OpenSSL.]);
,
[#include <krb5.h>
#include <openssl/ssl.h>]
)
CFLAGS="${saved_cflags}"
)
fi
# Check for version >= 0.9.7
if test "$use_openssl" = "yes"; then
saved_libs="${LIBS}"
LIBS="${LIBS} -lssl -lcrypto"
AC_MSG_CHECKING([for OpenSSL >= 0.9.7])
AC_LINK_IFELSE(AC_LANG_PROGRAM([[#include <openssl/evp.h>]], [[OPENSSL_add_all_algorithms_conf();]]),
AC_MSG_RESULT(yes)
use_openssl=yes,
AC_MSG_RESULT(no)
use_openssl=no)
LIBS="${saved_libs}"
fi
AM_CONDITIONAL(USE_OPENSSL, false)
if test "$use_openssl" = "yes"; then
AM_CONDITIONAL(USE_OPENSSL, true)
AC_DEFINE(USE_OPENSSL,,[Use OpenSSL])
LIBS="${LIBS} -lssl -lcrypto"
fi
# A test to see whether d2i_X509() uses const for the u_char**
# argument. Since one cannot just cast a u_char** to a const one
# (http://parashift.com/c++-faq-lite/const-correctness.html#faq-18.17)
# we test and then force a u_char** cast only when needed.
#
if test "$use_openssl" = "yes"; then
AC_MSG_CHECKING([whether d2i_X509() uses a const unsigned char**])
AC_LANG_PUSH([C++])
AC_COMPILE_IFELSE(
AC_LANG_PROGRAM([[#include <openssl/x509.h>]],
[[const unsigned char** cpp = 0;
X509** x = 0; d2i_X509(x, cpp, 0);]]),
AC_DEFINE(OPENSSL_D2I_X509_USES_CONST_CHAR,,[d2i_x509 uses const char**])
AC_MSG_RESULT(yes),
AC_MSG_RESULT(no))
AC_LANG_POP([C++])
fi
# do we use ssl?
AM_CONDITIONAL(USE_SSL, test "$use_openssl" = "yes")
dnl ################################################
dnl # Check for Perl executable
dnl ################################################
if test -n "$PERL"; then
if echo "$PERL" | grep '^/' >/dev/null; then
AC_MSG_CHECKING(for $PERL)
if test -s "$PERL"; then
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
PERL='none'
fi
else
find_perl="$PERL"
PERL=''
fi
fi
dnl if there is no perl, go find one!
if test -z "$PERL"; then
AC_PATH_PROGS(PERL,perl5 perl,,/usr/local/bin:/opt/local/bin:/usr/bin::.)
fi
dnl if we still can't find it, warn them
if test -z "$PERL"; then
AC_MSG_WARN([Cannot find perl; please use --with-perl=/path/to/perl option.])
else
dnl this seems backwards to me .....? but works
if ${PERL} -e 'exit ($] >= 5.006001)' > /dev/null 2>&1; then
AC_MSG_WARN([Bad perl version, need perl 5.6.1 or higher.; please use --with-perl=/path/to/perl option.])
fi
fi
AC_SUBST(PERL)
dnl ################################################
dnl # Check for chown binary
dnl ################################################
AC_PATH_PROG(CHOWN, chown, ,
[/usr/sbin:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin])
AC_SUBST(CHOWN)
dnl ################################################
dnl # OS-specific hacks and tweaks
dnl ################################################
AC_LBL_DEVEL(V_CCOPT)
AM_CONDITIONAL(USE_NMALLOC, false)
dnl Our resolver tests below include an absolute libray location.
dnl This is its default, it may be changed for some OSs.
bro_absolute_libresolv="/usr/lib/libresolv.a"
case "$target_os" in
freebsd*)
# alternate malloc is faster for FreeBSD, but needs more testing
# need to add way to set this from the command line
AM_CONDITIONAL(USE_NMALLOC, true)
;;
darwin*)
AC_MSG_CHECKING([if we need to include arpa/nameser_compat.h])
AC_COMPILE_IFELSE(AC_LANG_PROGRAM([[#include <arpa/nameser.h>]], [[HEADER *hdr; int d = NS_IN6ADDRSZ;]]), bro_ns_header_defined=yes, bro_ns_header_defined=no)
# if the header is found, we don't need compatibility
if test "x$bro_ns_header_defined" = xyes; then
AC_MSG_RESULT(no)
else
AC_DEFINE(NEED_NAMESER_COMPAT_H,,[Compatibility for Darwin])
AC_MSG_RESULT(yes)
fi
# Support for MacPorts and Fink package-management.
test -d /opt/local/lib && LDFLAGS="${LDFLAGS} -L/opt/local/lib"
test -d /sw/lib && LDFLAGS="${LDFLAGS} -L/sw/lib"
V_INCLS="${V_INCLS} -I/opt/local/include -I/sw/include"
CXXFLAGS="${CXXFLAGS} -I/opt/local/include -I/sw/include"
;;
openbsd*)
AM_CONDITIONAL(USE_NMALLOC, true)
AC_DEFINE(HAVE_OPENBSD,,[We are on a OpenBSD system])
LDFLAGS="${LDFLAGS} -L/usr/local/lib"
V_INCLS="${V_INCLS} -I/usr/local/include"
CXXFLAGS="${CXXFLAGS} -I/usr/local/include"
;;
linux*)
V_INCLS="$V_INCLS -I\${top_srcdir}/linux-include"
AC_DEFINE(HAVE_LINUX,,[We are on a Linux system])
AC_MSG_CHECKING(Linux kernel version)
AC_CACHE_VAL(ac_cv_linux_vers,
ac_cv_linux_vers=`uname -r 2>&1 | \
sed -n -e '$s/.* //' -e '$s/\..*//p'`)
AC_MSG_RESULT($ac_cv_linux_vers)
if test $ac_cv_linux_vers -lt 2 ; then
AC_MSG_ERROR(version 2 or higher required; see the INSTALL doc for more info)
fi
if test "a$build_cpu" = "ax86_64"; then
bro_absolute_libresolv="/usr/lib64/libresolv.a"
fi
;;
solaris*)
LIBS="${LIBS} -lnsl -lsocket"
;;
osf*)
dnl Workaround around ip_hl vs. ip_vhl problem in netinet/ip.h
V_CCOPT="$V_CCOPT -D__STDC__=2"
esac
dnl ################################################
dnl # Enable large file support for all platforms.
dnl # Can be disabled with --disable-largefile
dnl ################################################
AC_SYS_LARGEFILE
dnl ################################################
dnl # Checks for types and header files.
dnl ################################################
AC_HEADER_STDC
AC_LBL_TYPE_SIGNAL
AC_LBL_CHECK_TYPE(int32_t, int)
AC_LBL_CHECK_TYPE(u_int32_t, u_int)
AC_LBL_CHECK_TYPE(u_int16_t, u_short)
AC_LBL_CHECK_TYPE(u_int8_t, u_char)
AC_HEADER_TIME
AC_CHECK_HEADERS(memory.h netinet/in.h socket.h getopt.h)
AC_CHECK_HEADERS(net/ethernet.h netinet/ether.h netinet/if_ether.h sys/ethernet.h,,,
[#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/if.h>])
AC_CHECK_HEADERS(netinet/ip6.h,,,
[#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/if.h>])
AC_DEFUN([AC_C_SOCKLEN_T],
[AC_CACHE_CHECK(for socklen_t, ac_cv_c_socklen_t,
[
AC_TRY_COMPILE([
#include <sys/types.h>
#include <sys/socket.h>
],[
socklen_t foo;
],[
ac_cv_c_socklen_t=yes
],[
ac_cv_c_socklen_t=no
])
])
if test $ac_cv_c_socklen_t = no; then
AC_DEFINE(socklen_t, int, [define to int if socklen_t not available])
fi
])
AC_C_SOCKLEN_T
AC_BRO_SYSLOG_INT
AC_BRO_SOCK_DECL
dnl ################################################
dnl # PCAP stuff.
dnl ################################################
# ensure we are either YES or NO
if test "$use_shippedpcap" = "no" ; then
pcap_local="NO"
pcapmsg="system-provided"
AM_CONDITIONAL(USE_LOCALPCAP, false)
else
pcap_local="YES"
pcapmsg="shipped with Bro"
AM_CONDITIONAL(USE_LOCALPCAP, true)
fi
# if not using local version, find one on the system
if test "$pcap_local" = "NO"; then
AC_LBL_LIBPCAP(V_PCAPDEP, V_INCLS)
CPPFLAGS="$CPPFLAGS $V_INCLS"
AC_CHECK_HEADERS(pcap-int.h)
AC_CHECK_FUNCS(bpf_set_bufsize)
dnl ################################################
dnl # Check whether pcap provides pcap_version
dnl ################################################
AC_MSG_CHECKING([for pcap_version in libpcap])
AC_LINK_IFELSE(
AC_LANG_PROGRAM([extern char pcap_version[];], [puts(pcap_version);]),
AC_MSG_RESULT(yes)
AC_DEFINE(PCAP_VERSION_STRING,,[Have a version string in libpcap]),
AC_MSG_RESULT(no))
dnl ################################################
dnl # Check whether linking to pcap works
dnl ################################################
AC_CHECK_LIB(pcap, main, , AC_MSG_ERROR([Bro requires pcap - install from aux/ if necessary.]))
else
# we have to define the abilites of the local pcap
# as it hasn't been unpacked/configured/installed
# yet and we can't query it.
AC_DEFINE(HAVE_PCAP_INT_H, 1, [Define to 1 if you have the <pcap-int.h> header file.])
AC_DEFINE(HAVE_BPF_SET_BUFSIZE, 0, [Define to 1 if you have the bpf_set_bufsize function.])
AC_DEFINE(PCAP_VERSION_STRING, 1, [Have a version string in libpcap])
AC_DEFINE(HAVE_LIBPCAP, 1, [Define to 1 if you have the pcap library (-lpcap).])
fi
dnl AC_CHECK_HEADERS(pcap-int.h)
dnl AC_CHECK_FUNCS(bpf_set_bufsize)
dnl ################################################
dnl # STL compatibility tests.
dnl ################################################
dnl # Whether basic_string<> requires additional
dnl # definitions for char_traits. In that case, we
dnl # fall back to vector.
dnl #
AC_MSG_CHECKING([if char_traits defines all methods])
AC_LANG_PUSH([C++])
AC_LINK_IFELSE(
AC_LANG_PROGRAM([[
#include <string>
using namespace std;
class Foo { };
]], [[
char_traits<Foo*> foo;
Foo f;
Foo *fp;
foo.assign(&fp, 10, &f);]]),
AC_MSG_RESULT([yes])
basic_string_works=yes,
AC_MSG_RESULT([no])
basic_string_works=no
AC_DEFINE(BASIC_STRING_BROKEN,,[basic_string not usable with non-char template arg]))
AC_LANG_POP([C++])
dnl ################################################
dnl # Include the Broccoli tree in aux/broccoli in
dnl # the setup, unless specifically disabled.
dnl ################################################
AC_ARG_ENABLE(broccoli,
AC_HELP_STRING([--disable-broccoli], [Do not build/package Broccoli]),
broccoli="no", broccoli="yes")
AM_CONDITIONAL(USE_BROCCOLI, test "x$broccoli" = xyes)
if test "x$broccoli" = xyes; then
AC_CONFIG_SUBDIRS(aux/broccoli)
fi
dnl ################################################
dnl # Include the broctl tree in aux/broctl into
dnl # the setup, unless specifically disabled.
dnl # Per default, we configure it in standalone mode;
dnl # if --enable-cluster is given, we switch to
dnl # cluster mode.
dnl ################################################
AC_ARG_ENABLE(broctl,
AC_HELP_STRING([--disable-broctl], [Do not build/package broctl framework]),
broctl=$enableval, broctl="yes")
AC_ARG_ENABLE(cluster,
AC_HELP_STRING([--enable-cluster], [Configure broctl for cluster usage]),
cluster=$enableval, cluster="no")
dnl ################################################
dnl # Include the Binpac tree in aux/binpac in the
dnl # build, unless the user selected another binpac
dnl # via --with-binpac=.
dnl ################################################
if test "$BINPAC" = ""; then
AC_CONFIG_SUBDIRS(aux/binpac)
BINPAC="\${top_builddir}/aux/binpac/src/binpac"
binpacmsg="shipped with Bro"
else # Check (somewhat) whether the binpac given is valid
AC_MSG_CHECKING([whether given binpac is executable])
if test -x "$BINPAC"; then
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
echo "Please check whether $BINPAC is correct."
exit 1
fi
binpacmsg="$BINPAC"
fi
AC_SUBST(BINPAC)
dnl ################################################
dnl # DNS resolver checks.
dnl ################################################
dnl
dnl Check whether our arpa/nameser.h provides type ns_msg.
dnl If not, we disable nonblocking DNS lookups.
dnl We assume worst case first and improve on it below.
AM_CONDITIONAL(USE_NBDNS, false)
dnl Add potential header locations to path
if test -d /usr/local/include/bind; then
CFLAGS="$CFLAGS -I/usr/local/include/bind"
fi
AC_CHECK_TYPE(ns_msg, bro_check_nb_dns=yes, bro_check_nb_dns=no, [#include <arpa/nameser.h>])
if test $bro_check_nb_dns = no; then
AC_MSG_NOTICE([Nonblocking DNS disabled.])
use_nb_dns=no
else
dnl We will check for ns_initparse and res_mkquery using a number
dnl of resolver library variations, a list of which we build up now.
bro_resolver_options="none -lresolv ${bro_absolute_libresolv} -lbind"
save_cflags="$CFLAGS"
save_ldflags="$LDFLAGS"
save_libs="$LIBS"
dnl Okay now try to link both symbols with each of the resolver
dnl location variants. As soon as one works, we're happy.
for res in $bro_resolver_options; do
AC_MSG_CHECKING([for ns_inittab/res_mkquery with resolver '$res'])
dnl "none" just means "try without any additional flags".
if test "$res" = "none"; then
res=""
fi
CFLAGS="${save_cflags}"
LDFLAGS="${save_ldflags}"
LIBS="${save_libs} $res"
dnl In the generic -lbind case, we check for the existence
dnl of a number of directories and add them to the relevant
dnl paths.
dnl
if test "$res" = "-lbind"; then
if test -d /usr/local/bind/lib; then
LDFLAGS="$LDFLAGS -L/usr/local/bind/lib"
fi
if test -d /usr/local/lib; then
LDFLAGS="$LDFLAGS -L/usr/local/lib"
fi
fi
bro_ns_initparse_works=no
bro_res_mkquery_works=no
AC_LINK_IFELSE(AC_LANG_PROGRAM([[#include <arpa/nameser.h>]],
[[ns_initparse(0,0,0);]]),
bro_ns_initparse_works=yes)
AC_LINK_IFELSE(AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>]],
[[int (*p)() = res_mkquery]]), bro_res_mkquery_works=yes)
if test $bro_ns_initparse_works = yes && test $bro_res_mkquery_works = yes && test $nbdns = yes; then
AC_MSG_RESULT(yes)
AC_MSG_NOTICE([Nonblocking DNS enabled.])
dnl Make sure that nb_dns.o is linked in.
NBDNS="nb_dns.o"
AC_SUBST(NBDNS)
AM_CONDITIONAL(USE_NBDNS, true)
AC_DEFINE(HAVE_NB_DNS,,[async dns support])
use_nb_dns=yes
break
else
AC_MSG_RESULT(no)
fi
done
if test "x$NBDNS" != "xnb_dns.o"; then
AC_MSG_NOTICE([Nonblocking DNS disabled.])
use_nb_dns=no
CFLAGS="${save_cflags}"
LDFLAGS="${save_ldflags}"
LIBS="${save_libs}"
fi
fi
dnl ################################################
dnl # Checks for library functions.
dnl ################################################
AC_FUNC_MEMCMP
AC_FUNC_STRFTIME
AC_CHECK_FUNCS(strerror strsep strcasestr mallinfo getopt_long)
AC_SEARCH_LIBS(inet_aton, resolv)
# We use deflatePrime() to make sure that zlib is recent enough.
AC_CHECK_LIB(z, deflatePrime)
# Libmagic
have_libmagic=yes
AC_CHECK_HEADERS([magic.h],,have_libmagic=no)
AC_CHECK_LIB(magic,magic_open,,have_libmagic=no)
# Libclamav
# have_libclamav=yes
# AC_CHECK_HEADERS([clamav.h],,have_libclamav=no)
# AC_CHECK_LIB(clamav,cl_retdbdir,,have_libclamav=no)
# Libclamav is broken because of changed API.
have_libclamav=no
if test "$have_libclamav" = "yes"; then
AC_DEFINE(USE_LIBCLAMAV,,[Use libclamav])
fi
# LibGeoIP
have_libgeoip=yes
AC_CHECK_HEADERS([GeoIPCity.h],,have_libgeoip=no)
if test "$have_libgeoip" = "yes"; then
AC_CHECK_LIB(GeoIP,GeoIP_open_type,,have_libgeoip=no)
fi
if test "$have_libgeoip" = "yes"; then
AC_DEFINE(USE_GEOIP,,[GeoIP geographic lookup functionality])
fi
dnl ################################################
dnl # Terminal library support
dnl ################################################
bro_have_termlibrary=no
dnl 1) Check if termcap is available
AC_CHECK_LIB(termcap, tgetnum,
[AC_CHECK_HEADERS([termcap.h term.h],
LIBS="${LIBS} -ltermcap"
bro_have_termlibrary=yes)])
dnl 2) Check if curses is available instaed
if test "$bro_have_termlibrary" = no; then
AC_CHECK_LIB(curses, tgetnum,
[AC_CHECK_HEADERS([curses.h term.h],
LIBS="${LIBS} -lcurses"
bro_have_termlibrary=yes)])
fi
dnl 3) Check for ncurses as a final resort
if test "$bro_have_termlibrary" = no; then
AC_CHECK_LIB(ncurses, tgetnum,
[AC_CHECK_HEADERS([ncurses.h curses.h term.h],
LIBS="${LIBS} -lncurses"
bro_have_termlibrary=yes)])
fi
if test "$bro_have_termlibrary" != yes; then
AC_MSG_RESULT(no)
AC_MSG_ERROR([No terminal emulation library found! Consider installing termcap, curses, or ncurses.])
else
AC_MSG_RESULT(yes)
fi
dnl Check whether we have readline and history libraries
AC_CHECK_HEADER([readline/readline.h], bro_readline=yes)
AC_CHECK_HEADER([readline/history.h], bro_history=yes)
AC_CHECK_LIB(readline, using_history,, bro_libreadline=no)
if test "$bro_history" = yes; then
AC_CHECK_MEMBER([HISTORY_STATE.entries],
[bro_history_entries=yes], [],
[#include <stdio.h>
#include <readline/history.h>])
fi
if test "$bro_readline" = yes -a \
"$bro_history" = yes -a \
"$bro_libreadline" != no -a \
"$bro_history_entries" = yes; then
AC_DEFINE(HAVE_READLINE,1,[line editing & history powers])
fi
AC_C_BIGENDIAN(
AC_DEFINE(WORDS_BIGENDIAN,1,[whether words are stored with the most significant byte first])
dnl This is intentionally named differently so as to not collide with WORDS_BIGENDIAN
HOST_BIGENDIAN="#define HOST_BIGENDIAN 1"
AC_SUBST(HOST_BIGENDIAN))
AC_CHECK_TYPES([union semun, struct sembuf],[],[],
[#include <sys/types.h>
#include <sys/sem.h>
])
# see if we have sin_len
AC_CHECK_MEMBER(struct sockaddr_in.sin_len,
[AC_DEFINE(SIN_LEN,,[have sin_len field in sockaddr_in])],,
[
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#if HAVE_SYS_SOCKET_H
# include <sys/socket.h>
#endif
#if HAVE_NETINET_IN_H
# include <netinet/in.h>
#endif
])
AC_CHECK_SIZEOF(long long)
AC_CHECK_SIZEOF(long int)
AC_CHECK_SIZEOF(void *)
# Per default we do not use the select-based main loop. We activate it only if
# (i) the user requests it
# (ii) we know the OS to support selectable pcap fds
use_select_loop=no
if test $check_select_loop = yes; then
case "$target_os" in
linux*)
# Linux should support selectable at least since 2.2 (not sure
# about earlier versions)
AC_MSG_CHECKING(Linux kernel version support selectable fds)
AC_CACHE_VAL(ac_cv_linux_major_vers,
ac_cv_linux_major_vers=`uname -r 2>&1 | \
sed 's/-.*$//g' | awk -v FS='.' '{print $1}'`)
AC_CACHE_VAL(ac_cv_linux_minor_vers,
ac_cv_linux_minor_vers=`uname -r 2>&1 | \
sed 's/-.*$//g' | awk -v FS='.' '{print $2}'`)
linux_version=`expr $ac_cv_linux_major_vers '*' 10 '+' $ac_cv_linux_minor_vers`
if test $linux_version -gt 21; then
use_select_loop=yes
AC_MSG_RESULT($ac_cv_linux_major_vers.$ac_cv_linux_minor_vers is ok)
else
AC_MSG_RESULT($ac_cv_linux_major_vers.$ac_cv_linux_minor_vers is too old)
fi
;;
freebsd*)
# FreeBSD supports selectable fds correctly since 4.6.
AC_MSG_CHECKING(FreeBSD kernel version support selectable fds)
AC_CACHE_VAL(ac_cv_freebsd_major_vers,
ac_cv_freebsd_major_vers=`uname -r 2>&1 | \
sed 's/-.*$//g' | awk -v FS='.' '{print $1}'`)
AC_CACHE_VAL(ac_cv_freebsd_minor_vers,
ac_cv_freebsd_minor_vers=`uname -r 2>&1 | \
sed 's/-.*$//g' | awk -v FS='.' '{print $2}'`)
freebsd_version=`expr $ac_cv_freebsd_major_vers '*' 10 '+' $ac_cv_freebsd_minor_vers`
if test $freebsd_version -gt 45; then
use_select_loop=yes
AC_MSG_RESULT($ac_cv_freebsd_major_vers.$ac_cv_freebsd_minor_vers is ok)
else
AC_MSG_RESULT($ac_cv_freebsd_major_vers X $ac_cv_freebsd_minor_vers is too old)
fi
;;
esac
fi
if test "$use_select_loop" = "yes"; then
AC_DEFINE(USE_SELECT_LOOP,,[Use select-based main loop])
fi
dnl ################################################
dnl # Endace DAG support
dnl ################################################
if test "$use_dag" != "no" -a "$use_dag" != "NO"; then
AC_CHECK_LIB(dag, dag_open, use_dag=yes, use_dag=no)
AC_CHECK_HEADER(pcap.h,,use_dag=no)
if test "$use_dag" = "yes"; then
AC_DEFINE(USE_DAG,,[Include Endace DAG support])
LIBS="${LIBS} -ldag"
AC_SUBST(WANT_DAG_OBJ, "\$(DAG_OBJ)")
else
AC_SUBST(WANT_DAG_OBJ, "")
fi
else
use_dag=no
fi
dnl ################################################
dnl # If configured with --enable-perftools, look for
dnl # Google's perftools to do heap checking.
dnl ################################################
if test "$use_perftools" != "no" -a "$use_perftools" != "NO"; then
AC_LANG_PUSH(C++)
saved_libs="${LIBS}"
LIBS="${LIBS} -ltcmalloc -lpthread"
AC_TRY_LINK([#include <google/heap-checker.h>],
[HeapLeakChecker heap_checker("test");],
[use_perftools="yes"],[use_perftools="no"])
LIBS="${saved_libs}"
AC_LANG_POP([C++])
if test "$use_perftools" = "yes"; then
AC_DEFINE(USE_PERFTOOLS,,[Use Google's perftools])
LIBS="${LIBS} -ltcmalloc -lpthread"
fi
fi
###############################
# Configure broctl.
###############################
# Need Python >= 2.4.
have_python=no
AC_PATH_TOOL(pybin, python, "")
if test "x$pybin" != x -a "x$broctl" = xyes; then
AC_MSG_CHECKING([for Python >= 2.4])
AC_CACHE_VAL(ac_cv_python_major_vers,
ac_cv_python_major_vers=`python -V 2>&1 | \
sed 's/^Python //g' | awk -v FS='.' '{print $1}'`)
AC_CACHE_VAL(ac_cv_python_minor_vers,
ac_cv_python_minor_vers=`python -V 2>&1 | \
sed 's/^Python //g' | awk -v FS='.' '{print $2}'`)
pyversion=`expr $ac_cv_python_major_vers '*' 10 '+' $ac_cv_python_minor_vers`
if test $pyversion -ge 24; then
AC_MSG_RESULT([yes])
have_python=yes
fi
AC_CHECK_PROG(have_python, python-config, $have_python, no)
if test "x$have_python" != xyes; then
AC_MSG_RESULT([no, disabling broctl])
fi
fi
if test "x$have_python" != xyes; then
broctl=no
fi
AM_CONDITIONAL(USE_BROCTL, test "x$broctl" = xyes)
if test "x$broctl" = xyes; then
if test "x$cluster" = xno; then
standalone="--standalone"
fi
echo "=== configuring in aux/broctl"
test -d aux || mkdir aux
test -d aux/broctl || mkdir aux/broctl
${srcdir}/aux/broctl/configure --prefix=${prefix} --builddir=`pwd`/aux/broctl --brodist=${srcdir} ${standalone}
AC_CONFIG_SUBDIRS([aux/broctl/aux/capstats])
fi
if test "$use_xqilla" = "yes"; then
LIBS="${LIBS} -lxqilla"
fi
# grab the hostname
BROHOST=`hostname 2>/dev/null` || `uname -n 2>/dev/null`
AC_SUBST(BROHOST)
dnl Setup pcap path just before creating files, this way tests won't fail
dnl with 'can't find libpcap' when we use the local pcap which hasn't
dnl been unpacked yet
if test "$pcap_local" = "YES"; then
LIBS="-L\${top_srcdir}/aux/libpcap-0.9.8 -lpcap $LIBS"
V_INCLS="$V_INCLS -I\${top_builddir}/aux/libpcap-0.9.8"
fi
AC_SUBST(V_CCOPT)
AC_SUBST(V_INCLS)
AC_SUBST(LDFLAGS)
dnl AC_SUBST(V_PCAPDEP) dnl (libpcap dependancies -- not used)
AC_OUTPUT([Makefile
src/Makefile
doc/Makefile
doc/ref-manual/Makefile
doc/quick-start/Makefile
doc/user-manual/Makefile
aux/adtrace/Makefile
aux/cf/Makefile
aux/hf/Makefile
aux/nftools/Makefile
aux/scripts/Makefile
aux/bdcat/Makefile
aux/rst/Makefile
aux/Makefile
policy/Makefile
policy/sigs/Makefile
policy/time-machine/Makefile
scripts/Makefile
scripts/bro_config
scripts/bro.rc
scripts/localnetMAC.pl
scripts/s2b/Makefile
scripts/s2b/bro-include/Makefile
scripts/s2b/example_bro_files/Makefile
scripts/s2b/etc/Makefile
scripts/s2b/bin/Makefile
scripts/s2b/pm/Makefile
scripts/s2b/snort_rules2.2/Makefile
],
[chmod +x scripts/bro_config
chmod +x scripts/localnetMAC.pl]
)
if test "$use_openssl" != "yes"; then
OPENSSL=""
#else
# AC_OUTPUT(aux/bdcat/Makefile)
fi
echo
echo " "${BLD_ON}"Bro Configuration Summary"${BLD_OFF}
echo "=========================================================="
echo
echo " - Debugging enabled: "${BLD_ON}$debug${BLD_OFF}
echo " - OpenSSL support: "${BLD_ON}$use_openssl $OPENSSL${BLD_OFF}
echo " - Non-blocking main loop: "${BLD_ON}$use_select_loop${BLD_OFF}
echo " - Non-blocking resolver: "${BLD_ON}$use_nb_dns${BLD_OFF}
echo " - Installation prefix: "${BLD_ON}$prefix${BLD_OFF}
echo " - Perl interpreter: "${BLD_ON}$PERL${BLD_OFF}
echo " - Using basic_string: "${BLD_ON}$basic_string_works${BLD_OFF}
echo " - Using libmagic: "${BLD_ON}$have_libmagic${BLD_OFF}
# echo " - Using libclamav: "${BLD_ON}$have_libclamav${BLD_OFF}
echo " - Using perftools: "${BLD_ON}$use_perftools${BLD_OFF}
echo " - Binpac used: "${BLD_ON}$binpacmsg${BLD_OFF}
echo " - Using libGeoIP: "${BLD_ON}$have_libgeoip${BLD_OFF}
echo " - Enabled broctl: "${BLD_ON}$broctl${BLD_OFF}
echo " - Enabled cluster: "${BLD_ON}$cluster${BLD_OFF}
echo " - Pcap used: "${BLD_ON}$pcapmsg${BLD_OFF}
echo
exit 0
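Review bot: the "else" branch of the shipped-pcap block is the part of this file that must not be ported, only buried: it hard-codes the capabilities of an unpacked libpcap-0.9.8 instead of probing them, and "AC_DEFINE(HAVE_BPF_SET_BUFSIZE, 0, [Define to 1 if you have the bpf_set_bufsize function.])" defines the macro to 0 while the description promises 1, so any "#ifdef HAVE_BPF_SET_BUFSIZE" in the sources treated the function as present. The replacement build should do what the "pcap_local = NO" branch does (probe the system library for pcap-int.h, bpf_set_bufsize and pcap_version) and should not pin a vendored libpcap version the way "LIBS="-L\${top_srcdir}/aux/libpcap-0.9.8 -lpcap $LIBS"" did. Two smaller defects worth not carrying over: "BROHOST=`hostname 2>/dev/null` || `uname -n 2>/dev/null`" never falls back to uname, because when hostname fails the shell executes the output of "uname -n" as a command instead of assigning it; and the broctl check versions "python -V" rather than the "$pybin" that AC_PATH_TOOL just located, so the interpreter tested can differ from the one broctl ends up using. The BINPAC check also bails with a bare "exit 1" after an echo instead of AC_MSG_ERROR, which leaves no config.log trace of why configure stopped.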

depcomp

@ -1,526 +0,0 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
scriptversion=2004-04-25.13
# Copyright (C) 1999, 2000, 2003, 2004 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]
Run PROGRAMS ARGS to compile a file, generating dependencies
as side-effects.
Environment variables:
depmode Dependency tracking mode.
source Source file read by `PROGRAMS ARGS'.
object Object file output by `PROGRAMS ARGS'.
depfile Dependency file to output.
tmpdepfile Temporary file to use when outputing dependencies.
libtool Whether libtool is used (yes/no).
Report bugs to <bug-automake@gnu.org>.
EOF
exit 0
;;
-v | --v*)
echo "depcomp $scriptversion"
exit 0
;;
esac
if test -z "$depmode" || test -z "$source" || test -z "$object"; then
echo "depcomp: Variables source, object and depmode must be set" 1>&2
exit 1
fi
# `libtool' can also be set to `yes' or `no'.
if test -z "$depfile"; then
base=`echo "$object" | sed -e 's,^.*/,,' -e 's,\.\([^.]*\)$,.P\1,'`
dir=`echo "$object" | sed 's,/.*$,/,'`
if test "$dir" = "$object"; then
dir=
fi
# FIXME: should be _deps on DOS.
depfile="$dir.deps/$base"
fi
tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
rm -f "$tmpdepfile"
# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
# here, because this file can only contain one case statement.
if test "$depmode" = hp; then
# HP compiler uses -M and no extra arg.
gccflag=-M
depmode=gcc
fi
if test "$depmode" = dashXmstdout; then
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
fi
case "$depmode" in
gcc3)
## gcc 3 implements dependency tracking that does exactly what
## we want. Yay! Note: for some reason libtool 1.4 doesn't like
## it if -MD -MP comes after the -MF stuff. Hmm.
"$@" -MT "$object" -MD -MP -MF "$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
mv "$tmpdepfile" "$depfile"
;;
gcc)
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
## -MM, not -M (despite what the docs say).
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
gccflag=-MD,
fi
"$@" -Wp,"$gccflag$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
## The second -e expression handles DOS-style file names with drive letters.
sed -e 's/^[^:]*: / /' \
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
## This next piece of magic avoids the `deleted header file' problem.
## The problem is that when a header file which appears in a .P file
## is deleted, the dependency causes make to die (because there is
## typically no way to rebuild the header). We avoid this by adding
## dummy dependencies for each header file. Too bad gcc doesn't do
## this for us directly.
tr ' ' '
' < "$tmpdepfile" |
## Some versions of gcc put a space before the `:'. On the theory
## that the space means something, we add a space to the output as
## well.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
hp)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
sgi)
if test "$libtool" = yes; then
"$@" "-Wp,-MDupdate,$tmpdepfile"
else
"$@" -MDupdate "$tmpdepfile"
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
echo "$object : \\" > "$depfile"
# Clip off the initial element (the dependent). Don't try to be
# clever and replace this with sed code, as IRIX sed won't handle
# lines with more than a fixed number of characters (4096 in
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
# the IRIX cc adds comments like `#:fec' to the end of the
# dependency line.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
tr '
' ' ' >> $depfile
echo >> $depfile
# The second pass generates a dummy entry for each header file.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> $depfile
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
aix)
# The C for AIX Compiler uses -M and outputs the dependencies
# in a .u file. In older versions, this file always lives in the
# current directory. Also, the AIX compiler puts `$object:' at the
# start of each line; $object doesn't have directory information.
# Version 6 uses the directory in both cases.
stripped=`echo "$object" | sed 's/\(.*\)\..*$/\1/'`
tmpdepfile="$stripped.u"
if test "$libtool" = yes; then
"$@" -Wc,-M
else
"$@" -M
fi
stat=$?
if test -f "$tmpdepfile"; then :
else
stripped=`echo "$stripped" | sed 's,^.*/,,'`
tmpdepfile="$stripped.u"
fi
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
if test -f "$tmpdepfile"; then
outname="$stripped.o"
# Each line is of the form `foo.o: dependent.h'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed -e "s,^$outname:,$object :," < "$tmpdepfile" > "$depfile"
sed -e "s,^$outname: \(.*\)$,\1:," < "$tmpdepfile" >> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
icc)
# Intel's C compiler understands `-MD -MF file'. However on
# icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
# ICC 7.0 will fill foo.d with something like
# foo.o: sub/foo.c
# foo.o: sub/foo.h
# which is wrong. We want:
# sub/foo.o: sub/foo.c
# sub/foo.o: sub/foo.h
# sub/foo.c:
# sub/foo.h:
# ICC 7.1 will output
# foo.o: sub/foo.c sub/foo.h
# and will wrap long lines using \ :
# foo.o: sub/foo.c ... \
# sub/foo.h ... \
# ...
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each line is of the form `foo.o: dependent.h',
# or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
tru64)
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in `foo.d' instead, so we check for that too.
# Subdirectories are respected.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
if test "$libtool" = yes; then
# Dependencies are output in .lo.d with libtool 1.4.
# They are output in .o.d with libtool 1.5.
tmpdepfile1="$dir.libs/$base.lo.d"
tmpdepfile2="$dir.libs/$base.o.d"
tmpdepfile3="$dir.libs/$base.d"
"$@" -Wc,-MD
else
tmpdepfile1="$dir$base.o.d"
tmpdepfile2="$dir$base.d"
tmpdepfile3="$dir$base.d"
"$@" -MD
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
if test -f "$tmpdepfile1"; then
tmpdepfile="$tmpdepfile1"
elif test -f "$tmpdepfile2"; then
tmpdepfile="$tmpdepfile2"
else
tmpdepfile="$tmpdepfile3"
fi
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
#nosideeffect)
# This comment above is used by automake to tell side-effect
# dependency tracking mechanisms from slower ones.
dashmstdout)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
IFS=" "
for arg
do
case $arg in
-o)
shift
;;
$object)
shift
;;
*)
set fnord "$@" "$arg"
shift # fnord
shift # $arg
;;
esac
done
test -z "$dashmflag" && dashmflag=-M
# Require at least two characters before searching for `:'
# in the target name. This is to cope with DOS-style filenames:
# a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
"$@" $dashmflag |
sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
tr ' ' '
' < "$tmpdepfile" | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
dashXmstdout)
# This case only exists to satisfy depend.m4. It is never actually
# run, as this mode is specially recognized in the preamble.
exit 1
;;
makedepend)
"$@" || exit $?
# Remove any Libtool call
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
shift
done
shift
fi
# X makedepend
shift
cleared=no
for arg in "$@"; do
case $cleared in
no)
set ""; shift
cleared=yes ;;
esac
case "$arg" in
-D*|-I*)
set fnord "$@" "$arg"; shift ;;
# Strip any option that makedepend may not understand. Remove
# the object too, otherwise makedepend will parse it as a source file.
-*|$object)
;;
*)
set fnord "$@" "$arg"; shift ;;
esac
done
obj_suffix="`echo $object | sed 's/^.*\././'`"
touch "$tmpdepfile"
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
sed '1,2d' "$tmpdepfile" | tr ' ' '
' | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile" "$tmpdepfile".bak
;;
cpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
IFS=" "
for arg
do
case $arg in
-o)
shift
;;
$object)
shift
;;
*)
set fnord "$@" "$arg"
shift # fnord
shift # $arg
;;
esac
done
"$@" -E |
sed -n '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
sed '$ s: \\$::' > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
cat < "$tmpdepfile" >> "$depfile"
sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
msvisualcpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o,
# because we must use -o when running libtool.
"$@" || exit $?
IFS=" "
for arg
do
case "$arg" in
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
set fnord "$@"
shift
shift
;;
*)
set fnord "$@" "$arg"
shift
shift
;;
esac
done
"$@" -E |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
echo " " >> "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
rm -f "$tmpdepfile"
;;
none)
exec "$@"
;;
*)
echo "Unknown depmode $depmode" 1>&2
exit 1
;;
esac
exit 0
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:
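Review bot: removing depcomp is consistent with dropping the autotools build, but this helper (scriptversion 2004-04-25.13) sat at the top level that the old configure's AC_CONFIG_SUBDIRS children (aux/binpac, aux/broccoli, aux/broctl/aux/capstats) were configured under; confirm none of them still point at "$(top_srcdir)/depcomp" or expect the top-level "depmode" plumbing, otherwise their builds break at the first compile. Nothing in the script itself is worth saving: it is the unmodified FSF copy, and its "none" mode just "exec "$@""s the compiler with no dependency tracking at all.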


@ -1,9 +0,0 @@
EXTRA_DIST = README.txt
SUBDIRS = ref-manual quick-start user-manual
doc:
@echo "Build Bro Documentation (html and pdf)"
for d in $(SUBDIRS); do \
( cd $$d && $(MAKE) $@ ); \
done
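Review bot: this "doc:" target was the only thing that descended into ref-manual, quick-start and user-manual to build the html and pdf manuals, and nothing in this commit replaces it; the new doc/README consists of "TODO.". Either keep a documented way to build the manuals or record in the README where the pre-built ones live, so that dropping "make doc" does not strand users who relied on it.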

doc/README Normal file

@ -0,0 +1 @@
TODO.
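Review bot: a one-word placeholder is a regression from the README it replaces, which told users which directories hold the documentation (quick-start/, user-manual/, ref-manual/), that makeinfo and texi2dvi from GNU texinfo 4.7 or later are needed to build it, and where pre-built manuals are published (http://www.bro-ids.org/manuals.html). Please carry at least the directory list and the URL over until the new documentation exists; a bare "TODO." in a released tree tells a reader nothing about where the docs went.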


@ -1,14 +0,0 @@
The current documentation is in the following directories:
quick-start/
user-manual/
ref-manual/
To build html and pdf version of the documents, 'makeinfo' and 'texi2dvi', part
of the GNU texinfo package, version 4.7 or higher is required.
Pre-built (and probably more current) versions of the documentation
are available at:
http://www.bro-ids.org/manuals.html


@ -1,82 +0,0 @@
TCP connection logs are generated by tcp.bro. The summaries are written
to stdout, one line per connection:
start-time duration protocol orig-bytes resp-bytes \
local-addr remote-addr state flags additional
start-time: timestamp of when the connection's first packet was
observed
duration: time until connection finished, in seconds, or '?' if
not determined
protocol: TCP protocol, if well-known port; or portmapper request
orig-bytes: total bytes sent by originator. Computed from difference
between starting and ending sequence numbers, so sometimes
wrong (if wrong, the values tend to be erroneously large)
resp-bytes: same for bytes sent by connection responder
local-addr: IP address of local end of connection
remote-addr: IP address of remote end of connection
Note that these would make more sense as originator/responder,
but for historical reasons they're defined in terms of
"local" and "remote", where "local" is specified by the
"local_nets" set in hot.bro. To pull out the originator
and responder addresses requires looking at the "flags"
field to see whether the connection originated locally.
state: final connection state (see below)
flags: some characteristics of the connection. The most important is
the 'L' flag, which if present indicates that the connection
was initiated by the local address (see above); otherwise
it was initiated by the remote address.
additional: protocol-specific additional information, such as the FTP
session identifier, telnet user name, finger request, or
portmapper results.
The scripts "hot-report" and "mon-report" (in the aux/scripts/ directory)
generate readable versions of these connection summaries. They include
a mnemonic indicating the connection's state. Here is the list of
abbreviations used:
Symbol Name Meaning
------ ------- -------------------
} S0 Initial SYN seen, no reply seen ("unanswered")
> S1 Initial SYN handshake seen ("established")
> SF Established and normal FIN handshake seen
for termination. Note that this is the same
symbol as for state S1. You can tell the two
apart because for S1 there will not be any
byte counts, while for SF there will be.
[ REJ Initial SYN elicited RST in reply ("rejected")
}2 S2 Established and FIN from originator only seen
}3 S3 Established and FIN from responder only seen
>] RSTO Established, originator sent a RST to terminate
>[ RSTR Established, responder sent a RST to terminate
}] RSTOS0 Originator sent a SYN followed by a RST,
we never saw a SYN ack from the responder
<[ RSTRH Responder sent a SYN ack followed by a RST,
we never saw a SYN from the originator
>h SH Originator sent a SYN followed by a FIN,
we never saw a SYN ack from the responder
(so "half" open)
<h SHR Responder sent a SYN ack followed by a FIN,
we never saw a SYN from the originator
?>? OTH No SYN seen, just midstream traffic
The sundry weird states can arise from broken TCPs, but also from split
routing in which Bro just sees one side of a connection.
For UDP, if we see a request but no reply, that's state S0 ("}"); a request
followed by a reply is SF (">"); and a reply but no request is SHR ("<h").
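Review bot: Deleting this file removes the only written explanation of the connection-state mnemonics (S0, S1, SF, REJ, S2, S3, RSTO, RSTR, RSTOS0, RSTRH, SH, SHR, OTH) and of the symbol collision between S1 and SF, which the text resolves only by noting that S1 lines carry no byte counts; confirm that this table has been carried over to the manual or the new documentation before the deletion lands, since anyone reading connection summaries needs it to interpret the state column. The same applies to two operational caveats that live only here: orig-bytes and resp-bytes are computed from sequence-number differences and, when wrong, tend to be too large, and local-addr/remote-addr are not originator/responder, so the 'L' flag has to be consulted to recover the direction of a connection. If those have no new home, the deletion silently drops guidance that affects how the logs are read.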


@ -1,49 +0,0 @@
How to create certificates to authorize Bro's SSL connections
=============================================================
- Create a global CA key/certificate once:
* Create some directory to store the CA stuff, and create
a few things there:
mkdir <ca-dir>
cd <ca-dir>
mkdir private newcerts cert crl
chmod 700 private
touch index.txt
echo 01 >serial
cp bro/openssl.conf .
* Create a private CA key:
openssl genrsa -des3 -out private/ca_key.pem
* Self-sign it:
openssl req -new -x509 -key private/ca_key.pem -out ca_cert.pem -days 1095
- For each Bro:
* Create a private key (w/o password):
openssl genrsa -out bro_key.pem
* Create a certification request:
openssl req -new -key bro_key.pem -out bro.csr
* Create a certificate using the CA key:
openssl ca -config openssl.cnf -in bro.csr -out bro_cert.pem
* Verify that the certicate is ok:
openssl verify -CAfile ca_cert.pem bro_cert.pem
* Concat Bro key and certificate:
cat bro_key.pem bro_cert.pem >bro.pem
* Copy this and the CA certificate to the IDS machine:
scp bro.pem ca_cert.pem ids:...
* Redef Bro's variables to point to the files:
redef ssl_ca_certificate = "...../ca_cert.pem";
redef ssl_private_key = "...../bro.pem";
* Remove the unnecessary stuff:
rm bro_key.pem bro.csr bro_cert.pem bro.pem
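Review bot: If this procedure is being relocated rather than dropped outright, fix the configuration filename mismatch before it is republished: the setup step copies `bro/openssl.conf` into the CA directory, but the signing step runs `openssl ca -config openssl.cnf`, so the command as written fails to load its configuration unless the file is renamed. Two further points a reader following these steps would want: neither `openssl genrsa` invocation gives a key size, so the key length silently falls to whatever the installed OpenSSL version defaults to, and the Bro private key is deliberately created without a passphrase and concatenated into `bro.pem`, which is then copied to the IDS host; that file holds the cleartext key, so the instructions should tell the reader to restrict its permissions on the IDS machine in the same way `chmod 700 private` protects the CA key here. Also "certicate" should read "certificate".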

Binary file not shown.

Binary file not shown.


@ -1,60 +0,0 @@
The manual.aux file was not found, so sections will not be numbered
and cross-references will be shown as icons.
There is no author for this document.
? brace missing for \emph
? brace missing for \index
couldn't convert character bb into available encodings
...set $ACCENT_IMAGES to get an image
couldn't convert character cring into available encodings
couldn't convert character tt into available encodings
No number for "Differenttypesofdirectionsfor<TT>set_contents_file</TT>"
No number for "<TT>print-filter</TT>printsoutthe<TT>tcpdump</TT>filteryourBroscriptwoulduseandthenexits."
No number for "Definitionofthe<TT>net_stats</TT>record."
No number for "Definitionof<TT>conn_id</TT>and<TT>connection</TT>records."
No number for "TCPandUDPconnectionstates,asstoredinan<TT>endpoint</TT>record."
No number for "Summariesofconnectionstates,asreportedin<TT>red</TT>files."
No number for "Differentconnectionstatestousewhencalling<TT>check_hot</TT>."
No number for "Sampledefinitionof<TT>log_hook</TT>"
No number for "Definitionofthe<TT>dns_mapping</TT>record."
No number for "Definitionofthe<TT>ftp_session_info</TT>record"
No number for "ExampleofFTPlogfileentriesforasingleFTPsession."
No number for "ExampleofHTTPlogfileentriesforasingleHTTPsession."
No number for "Differenttypesofconfusionthat<TT>login</TT>analyzercanreport."
No number for "TypesofcallstotheRPCportmapperservice."
No number for "TypesofRPCstatuscodes."
No number for "<TT>endpoint_stats</TT>fieldsforsummarizingconnectionendpointstatistics,alloftype<TT>count</TT>."
No number for "Possibleactionstotakeforsignaturesmatches.<I>signatures-log</I>defaultsto<TT>open_log_file(;SPMquot;signatures;SPMquot;)</TT>."
No number for "Definitionofthe<TT>x509</TT>record"
No number for "Definitionofthe<TT>ssl_connection_info</TT>record"
No number for "ExampleofSSLlogfilewithasingleSSLsession."
No number for "Differenttypesofpossibleactionstotakefor``weird''events."
No number for "Definitionofthe<TT>signature_state</TT>record."
Failed to convert image /tmp/l2h6233/image052.ps


@ -1 +0,0 @@
\relax


@ -1,607 +0,0 @@
This is TeX, Version 3.14159 (Web2C 7.3.1) (format=latex 2001.8.15) 21 MAR 2004 07:20
**./images.tex
(./images.tex
LaTeX2e <1999/12/01> patch level 1
Babel <v3.6Z> and hyphenation patterns for american, french, german, ngerman, n
ohyphenation, loaded.
(/usr/local/share/texmf/tex/latex/base/report.cls
Document Class: report 1999/09/10 v1.4a Standard LaTeX document class
(/usr/local/share/texmf/tex/latex/base/size10.clo
File: size10.clo 1999/09/10 v1.4a Standard LaTeX file (size option)
)
\c@part=\count79
\c@chapter=\count80
\c@section=\count81
\c@subsection=\count82
\c@subsubsection=\count83
\c@paragraph=\count84
\c@subparagraph=\count85
\c@figure=\count86
\c@table=\count87
\abovecaptionskip=\skip41
\belowcaptionskip=\skip42
\bibindent=\dimen102
) (/usr/local/share/texmf/tex/latex/base/ifthen.sty
Package: ifthen 1999/09/10 v1.1b Standard LaTeX ifthen package (DPC)
) (/usr/local/share/texmf/tex/latex/base/makeidx.sty
Package: makeidx 1999/09/17 v1.0l Standard LaTeX package
) (/usr/local/share/texmf/tex/latex/psnfss/times.sty
Package: times 1999/03/29 PSNFSS v.7.2 Times font as default roman : S Rahtz
) (/usr/local/share/texmf/tex/generic/misc/psfig.sty
\@unused=\write3
\ps@stream=\read1
\p@intvaluex=\dimen103
\p@intvaluey=\dimen104
psfig/tex 1.10-dvips
) (/home/jaguar/u0/vern/latex2html/texinputs/html.sty
Package: html 1999/07/19 v1.38 hypertext commands for latex2html (nd, hws, rrm)
\c@lpart=\count88
\c@lchapter=\count89
\c@lsection=\count90
\c@lsubsection=\count91
\c@lsubsubsection=\count92
\c@lparagraph=\count93
\c@lsubparagraph=\count94
\c@lsubsubparagraph=\count95
\ptrfile=\write4
)
\@indexfile=\write5
\openout5 = `images.idx'.
Writing index file images.idx
(/usr/local/share/texmf/tex/latex/graphics/color.sty
Package: color 1999/02/16 v1.0i Standard LaTeX Color (DPC)
(/usr/local/share/texmf/tex/latex/config/color.cfg)
Package color Info: Driver file: dvips.def on input line 125.
(/usr/local/share/texmf/tex/latex/graphics/dvips.def
File: dvips.def 1999/02/16 v3.0i Driver-dependant file (DPC,SPQR)
) (/usr/local/share/texmf/tex/latex/graphics/dvipsnam.def
File: dvipsnam.def 1999/02/16 v3.0i Driver-dependant file (DPC,SPQR)
)) (/usr/local/share/texmf/tex/latex/base/inputenc.sty
Package: inputenc 1999/09/17 v0.992 Input encoding file
(/usr/local/share/texmf/tex/latex/base/latin1.def
File: latin1.def 1999/09/17 v0.992 Input encoding file
))
\sizebox=\box26
\lthtmlwrite=\write6
No file images.aux.
\openout1 = `images.aux'.
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Try loading font information for OT1+ptm on input line 334.
(/usr/local/share/texmf/tex/latex/psnfss/ot1ptm.fd
File: ot1ptm.fd 1998/07/06 Fontinst v1.800 font definitions for OT1/ptm.
)
latex2htmlLength hsize=349.0pt
latex2htmlLength vsize=633.0pt
latex2htmlLength hoffset=0.0pt
latex2htmlLength voffset=0.0pt
latex2htmlLength topmargin=0.0pt
latex2htmlLength topskip=0.00003pt
latex2htmlLength headheight=0.0pt
latex2htmlLength headsep=0.0pt
latex2htmlLength parskip=0.0pt plus 1.0pt
latex2htmlLength oddsidemargin=-10.84006pt
latex2htmlLength evensidemargin=-10.84006pt
LaTeX Font Info: External font `cmex10' loaded for size
(Font) <7> on input line 399.
LaTeX Font Info: External font `cmex10' loaded for size
(Font) <5> on input line 399.
l2hSize :tex2html_wrap_inline5436:6.74997pt::0.0pt::13.00003pt.
[1
]
l2hSize :tex2html_wrap_inline5438:6.74997pt::0.0pt::8.00003pt.
[2
]
l2hSize :tex2html_wrap_inline5440:6.83331pt::0.0pt::73.23354pt.
[3
]
l2hSize :tex2html_wrap_inline5442:6.83331pt::0.0pt::15.04518pt.
[4
]
l2hSize :tex2html_wrap_inline5444:8.14003pt::0.0pt::13.9723pt.
[5
]
l2hSize :tex2html_wrap_inline5446:8.14003pt::0.0pt::13.9723pt.
[6
]
l2hSize :tex2html_wrap_inline5448:8.14003pt::0.0pt::9.98618pt.
[7
]
l2hSize :tex2html_wrap_inline5450:6.83331pt::0.0pt::41.50558pt.
[8
]
l2hSize :tex2html_wrap_inline5452:6.83331pt::0.0pt::59.23058pt.
[9
]
l2hSize :tex2html_wrap_inline5454:6.83331pt::0.0pt::16.67014pt.
[10
]
l2hSize :tex2html_wrap_inline5456:7.96227pt::0.0pt::7.13895pt.
[11
]
l2hSize :tex2html_wrap_inline5458:6.88586pt::0.0pt::5.09726pt.
[12
]
l2hSize :tex2html_wrap_inline8536:7.24997pt::7.24997pt::4.98616pt.
[13
]
l2hSize :tex2html_wrap_inline8540:7.24997pt::7.24997pt::4.98616pt.
[14
]
l2hSize :tex2html_wrap_inline8614:7.24997pt::7.24997pt::4.98616pt.
[15
]
l2hSize :tex2html_wrap_inline16373:7.24997pt::7.24997pt::21.05557pt.
[16
]
l2hSize :tex2html_wrap_inline16375:6.74997pt::0.0pt::9.28017pt.
[17
]
l2hSize :tex2html_wrap_inline16379:6.74997pt::0.0pt::6.50238pt.
[18
]
l2hSize :tex2html_wrap_inline16393:6.94444pt::0.0pt::6.26161pt.
[19
]
LaTeX Font Info: Try loading font information for OT1+pcr on input line 614.
(/usr/local/share/texmf/tex/latex/psnfss/ot1pcr.fd
File: ot1pcr.fd 1998/07/06 Fontinst v1.800 font definitions for OT1/pcr.
)
Overfull \hbox (59.0pt too wide) in paragraph at lines 631--631
[] \OT1/pcr/m/n/10 print fmt("(%s) and (%s)", capture_filter, restrict_f
ilter);[]
[]
l2hSize :figure22361:203.09998pt::0.0pt::349.0pt.
[20
]
Overfull \hbox (41.0pt too wide) in paragraph at lines 647--647
[] \OT1/pcr/m/n/10 pkts_recvd: count; # Number of packets received so
far.[]
[]
Overfull \hbox (59.0pt too wide) in paragraph at lines 647--647
[] \OT1/pcr/m/n/10 pkts_dropped: count; # Number of packets *reported* d
ropped.[]
[]
Overfull \hbox (83.0pt too wide) in paragraph at lines 647--647
[] \OT1/pcr/m/n/10 interface_drops: count; # Number of drops reported by in
terface(s).[]
[]
l2hSize :figure22485:83.09998pt::0.0pt::349.0pt.
[21
]
Overfull \hbox (29.0pt too wide) in paragraph at lines 680--680
[] \OT1/pcr/m/n/10 id: conn_id; # Originator/responder addresses/port
s.[]
[]
Overfull \hbox (71.0pt too wide) in paragraph at lines 680--680
[] \OT1/pcr/m/n/10 duration: interval; # How long it was active (or has been
so far).[]
[]
Overfull \hbox (95.0pt too wide) in paragraph at lines 680--680
[] \OT1/pcr/m/n/10 service: string; # The service we associate with it (e
.g., "http").[]
[]
Overfull \hbox (59.0pt too wide) in paragraph at lines 680--680
[] \OT1/pcr/m/n/10 addl: string; # Additional information associated w
ith it.[]
[]
Overfull \hbox (71.0pt too wide) in paragraph at lines 680--680
[] \OT1/pcr/m/n/10 hot: count; # How many times we've marked it as s
ensitive.[]
[]
l2hSize :figure22528:275.09998pt::0.0pt::349.0pt.
[22
]
l2hSize :tex2html_wrap_inline31877:6.83331pt::0.0pt::8.00005pt.
[23
]
l2hSize :tex2html_wrap_inline31879:6.83331pt::0.0pt::8.58684pt.
[24
]
l2hSize :tex2html_wrap_inline31899:7.33331pt::7.33331pt::12.53233pt.
[25
]
l2hSize :tex2html_wrap_inline31901:7.33331pt::7.33331pt::12.51337pt.
[26
]
l2hSize :tex2html_wrap_inline31903:7.33331pt::7.33331pt::11.0695pt.
[27
]
l2hSize :tex2html_wrap_inline31905:7.33331pt::7.33331pt::12.4283pt.
[28
]
l2hSize :tex2html_wrap_inline31927:7.33331pt::7.33331pt::12.44727pt.
[29
]
l2hSize :tex2html_wrap_inline31937:7.33331pt::7.33331pt::11.0792pt.
[30
]
l2hSize :tex2html_wrap_inline31941:7.33331pt::7.33331pt::11.06023pt.
[31
]
l2hSize :tex2html_wrap_inline31943:6.83331pt::0.0pt::9.05698pt.
[32
]
l2hSize :tex2html_wrap_inline31957:7.33331pt::7.33331pt::11.36739pt.
[33
]
l2hSize :tex2html_wrap_inline31961:7.33331pt::7.33331pt::11.34842pt.
[34
]
l2hSize :tex2html_wrap_inline31971:7.24997pt::7.24997pt::5.53128pt.
[35
]
l2hSize :figure23775:263.09998pt::0.0pt::349.0pt.
[36
]
Overfull \hbox (35.0pt too wide) in paragraph at lines 830--830
[] \OT1/pcr/m/n/10 req_host: string; # The hostname in the request, if a
ny.[]
[]
Overfull \hbox (29.0pt too wide) in paragraph at lines 830--830
[] \OT1/pcr/m/n/10 req_addr: addr; # The address in the request, if an
y.[]
[]
Overfull \hbox (59.0pt too wide) in paragraph at lines 830--830
[] \OT1/pcr/m/n/10 hostname: string; # The hostname in the answer, or "<
none>".[]
[]
Overfull \hbox (35.0pt too wide) in paragraph at lines 830--830
[] \OT1/pcr/m/n/10 addrs: set[addr]; # The addresses in the answer, if a
ny.[]
[]
l2hSize :figure23860:131.09998pt::0.0pt::349.0pt.
[37
]
Overfull \hbox (41.0pt too wide) in paragraph at lines 858--858
[] \OT1/pcr/m/n/10 id: count; # unique number associated w/ ses
sion[]
[]
Overfull \hbox (71.0pt too wide) in paragraph at lines 858--858
[] \OT1/pcr/m/n/10 log_if_not_denied: bool; # unless code 530 on repl
y, log it[]
[]
Overfull \hbox (71.0pt too wide) in paragraph at lines 858--858
[] \OT1/pcr/m/n/10 log_if_not_unavail: bool; # unless code 550 on repl
y, log it[]
[]
l2hSize :figure24088:131.09998pt::0.0pt::349.0pt.
[38
]
Overfull \hbox (35.0pt too wide) in paragraph at lines 877--877
[]\OT1/pcr/m/n/10 972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp st
art[]
[]
Overfull \hbox (5.0pt too wide) in paragraph at lines 877--877
[]\OT1/pcr/m/n/10 972499886.685046 #26 response (220 tuvok.ooc.com FTP server[]
[]
Overfull \hbox (23.0pt too wide) in paragraph at lines 877--877
[] \OT1/pcr/m/n/10 (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.
)[]
[]
Overfull \hbox (41.0pt too wide) in paragraph at lines 877--877
[]\OT1/pcr/m/n/10 972499889.493020 #26 SIZE /pub/OB/4.0/JOB-4.0.3.zip (213 1675
597)[]
[]
Overfull \hbox (65.0pt too wide) in paragraph at lines 877--877
[]\OT1/pcr/m/n/10 972499890.135706 #26 *RETR /pub/OB/4.0/JOB-4.0.3.zip, ABOR (c
omplete)[]
[]
Overfull \hbox (11.0pt too wide) in paragraph at lines 877--877
[]\OT1/pcr/m/n/10 972500055.491045 #26 response (225 ABOR command successful.)[
]
[]
l2hSize :figure24192:119.53992pt::0.0pt::349.0pt.
[39
]
l2hSize :figure24357:83.53992pt::0.0pt::349.0pt.
[40
]
l2hSize :tex2html_wrap_inline31983:7.24997pt::7.24997pt::16.05556pt.
[41
]
l2hSize :tex2html_wrap_inline31987:7.24997pt::7.24997pt::26.05559pt.
[42
]
l2hSize :tex2html_wrap_inline31989:7.24997pt::7.24997pt::31.0556pt.
[43
]
l2hSize :tex2html_wrap_inline31991:7.24997pt::7.24997pt::8.27783pt.
[44
]
l2hSize :figure25695:59.09998pt::0.0pt::349.0pt.
[45
]
Overfull \hbox (29.0pt too wide) in paragraph at lines 970--970
[] \OT1/pcr/m/n/10 id: count; # the log identifier numb
er[]
[]
Overfull \hbox (29.0pt too wide) in paragraph at lines 970--970
[] \OT1/pcr/m/n/10 connection_id: conn_id; # IP connection informati
on[]
[]
Overfull \hbox (83.0pt too wide) in paragraph at lines 970--970
[] \OT1/pcr/m/n/10 version: count; # version associated with
connection[]
[]
Overfull \hbox (59.0pt too wide) in paragraph at lines 970--970
[] \OT1/pcr/m/n/10 id_index: string; # index for associated se
ssionID[]
[]
Overfull \hbox (131.0pt too wide) in paragraph at lines 970--970
[] \OT1/pcr/m/n/10 handshake_cipher: count; # cipher suite client and
server agreed upon[]
[]
l2hSize :figure25707:119.09998pt::0.0pt::349.0pt.
[46
]
Overfull \hbox (59.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.534846 #1 192.168.0.98/32988 > 213.61.126.124/http
s start[]
[]
Overfull \hbox (2135.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_M
D5 (0x4), SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), SSLv3x_RSA_WITH_3DES_
EDE_CBC_SHA (0xA), SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), SSLv3x_RSA_WITH_D
ES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), SSLv3x_RSA_EXPOR
T1024_WITH_DES_CBC_SHA (0x62), SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), SSLv3x_
RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),[]
[]
Overfull \hbox (65.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD
5 (0x4),[]
[]
Overfull \hbox (749.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=
Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter C
lass 3 CA/Email=certificate@trustcenter.de,[]
[]
Overfull \hbox (521.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=
Lehmanns Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@lehman
ns.de[]
[]
Overfull \hbox (257.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.894567 #1 handshake finished, version 3.1, cipher
suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)[]
[]
l2hSize :figure25794:155.25494pt::0.0pt::349.0pt.
[47
]
l2hSize :tex2html_wrap_inline31993:7.31989pt::7.31989pt::51.61522pt.
[48
]
Overfull \hbox (41.0pt too wide) in paragraph at lines 1037--1037
[] \OT1/pcr/m/n/10 is_orig: bool; # True if current endpoint is origin
ator[]
[]
Overfull \hbox (95.0pt too wide) in paragraph at lines 1037--1037
[] \OT1/pcr/m/n/10 payload_size: count; # Payload size of the first pkt of c
urr. endpoint[]
[]
l2hSize :figure39539:83.09998pt::0.0pt::349.0pt.
[49
]
l2hSize :tex2html_wrap_inline39988:6.83331pt::0.0pt::9.625pt.
[50
]
l2hSize :tex2html_wrap_inline39992:7.33331pt::7.33331pt::17.4028pt.
[51
] (/home/jaguar/u0/vern/bro/bro-doc/index.tex (/home/jaguar/u0/vern/bro/bro-doc
/doc.ind
LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <24.88> not available
(Font) Font shape `OT1/ptm/b/n' tried instead on input line 1.
LaTeX Font Info: Font shape `OT1/pcr/m/it' in size <10> not available
(Font) Font shape `OT1/pcr/m/sl' tried instead on input line 1539.
! TeX capacity exceeded, sorry [main memory size=263001].
\par ...@m \@noitemerr {\@@par }\fi \else {\@@par
}\fi
l.2843 \subitem
reading, 17
If you really absolutely need more capacity,
you can ask a wizard to enlarge me.
Here is how much of TeX's memory you used:
1313 strings out of 10901
15527 string characters out of 72380
263001 words of memory out of 263001
4278 multiletter control sequences out of 10000+0
6696 words of font info for 23 fonts, out of 400000 for 1000
14 hyphenation exceptions out of 1000
23i,5n,19p,429b,425s stack positions out of 300i,100n,500p,50000b,4000s
Output written on images.dvi (51 pages, 17976 bytes).
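Review bot: Good to see this go: `images.log`, the `\relax`-only `images.aux` and the latex2html `images.pl` image cache in the following hunks are build outputs of the manual, not sources, and this log even records a failed run ("TeX capacity exceeded" while processing the index), so nothing reproducible was being preserved by versioning them. Consider adding the documentation build outputs to the repository's ignore rules so a future manual build does not reintroduce them.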


@ -1,332 +0,0 @@
# LaTeX2HTML 2002-2 (1.70)
# Associate images original text with physical files.
$key = q/B;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="19" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img24.gif"
ALT="$B$">|;
$key = q/A_i;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="29" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img4.gif"
ALT="$A\_i$">|;
$key = q/ge1024;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="55" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img43.gif"
ALT="$\ge 1024$">|;
$key = q/2^{24};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="27" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img5.gif"
ALT="$2^{24}$">|;
$key = q/S_{o};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img30.gif"
ALT="$S_{o}$">|;
$key = q/ge256;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="47" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img42.gif"
ALT="$\ge 256$">|;
$key = q/pmN;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="33" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img51.gif"
ALT="$\pm N$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim312#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="645" HEIGHT="185" BORDER="0"
SRC="|."$dir".q|img37.gif"
ALT="\begin{figure}\begin{verbatim}type dns_mapping: record {
creation_time: time;...
... set[addr]; ...">|;
$key = q/_{2};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img13.gif"
ALT="$_{2}$">|;
$key = q/N_1{{tt{.}N_2{{tt{.};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="71" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img8.gif"
ALT="$N\_1 {\tt .} N\_2 {\tt .}$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim338#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="763" HEIGHT="166" BORDER="0"
SRC="|."$dir".q|img46.gif"
ALT="\begin{figure}\begin{verbatim}type ssl_connection_info: record {
id: count; ...">|;
$key = q/A_{l};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img27.gif"
ALT="$A_{l}$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim345#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="705" HEIGHT="109" BORDER="0"
SRC="|."$dir".q|img49.gif"
ALT="\begin{figure}\begin{verbatim}type signature_state: record {
id: string; ...">|;
$key = q/ge;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="18" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img44.gif"
ALT="$\ge$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim298#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="644" HEIGHT="299" BORDER="0"
SRC="|."$dir".q|img20.gif"
ALT="\begin{figure}\begin{verbatim}event bro_init()
{
if ( restrict_filter == '''...
...%s)'', capture_filter, restrict_filter);exit();
}\end{verbatim}
\end{figure}">|;
$key = q/S_{r};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img31.gif"
ALT="$S_{r}$">|;
$key = q/P_{o};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img33.gif"
ALT="$P_{o}$">|;
$key = q/2^8;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="21" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img7.gif"
ALT="$2^8$">|;
$key = q/A_{o};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img29.gif"
ALT="$A_{o}$">|;
$key = q/p;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="14" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img35.gif"
ALT="$p$">|;
$key = q/D;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="20" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img32.gif"
ALT="$D$">|;
$key = q/_{1};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img14.gif"
ALT="$_{1}$">|;
$key = q/N;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="21" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img50.gif"
ALT="$N$">|;
$key = q/~tilde{~}~~~;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="26" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img1.gif"
ALT="$&nbsp;\tilde{&nbsp;}&nbsp;&nbsp;&nbsp;$">|;
$key = q/P_{r};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img34.gif"
ALT="$P_{r}$">|;
$key = q/A_{r};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img28.gif"
ALT="$A_{r}$">|;
$key = q/N_i;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="32" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img10.gif"
ALT="$N\_i$">|;
$key = q/B_{o};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img25.gif"
ALT="$B_{o}$">|;
$key = q/2cdotmbox{MSL}=4;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="87" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img48.gif"
ALT="$2 \cdot \mbox{MSL} = 4$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim300#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="703" HEIGHT="414" BORDER="0"
SRC="|."$dir".q|img22.gif"
ALT="\begin{figure}\begin{verbatim}type conn_id: record {
orig_h: addr; ...">|;
$key = q/{figure}preform{<verbatim_mark>verbatim319#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="551" HEIGHT="109" BORDER="0"
SRC="|."$dir".q|img40.gif"
ALT="\begin{figure}\begin{verbatim}972482763.371224 %1596 start 200.241.229.80 &gt; 13...
...g/movies/off.gif
%1596 GET /vfrog/new.frog.small.gif
\end{verbatim}
\end{figure}">|;
$key = q/{figure}preform{<verbatim_mark>verbatim317#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="652" HEIGHT="167" BORDER="0"
SRC="|."$dir".q|img39.gif"
ALT="\begin{figure}\begin{verbatim}972499885.784104 ...">|;
$key = q/{figure}preform{<verbatim_mark>verbatim315#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="667" HEIGHT="185" BORDER="0"
SRC="|."$dir".q|img38.gif"
ALT="\begin{figure}\begin{verbatim}type ftp_session_info: record {
id: count; ...">|;
$key = q/{figure}preform{<verbatim_mark>verbatim311#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="514" HEIGHT="394" BORDER="0"
SRC="|."$dir".q|img36.gif"
ALT="\begin{figure}\begin{verbatim}global msg_count: table[string] of count &amp;defaul...
... schedule +5 min { log_summary(msg) };return F;
}\end{verbatim}
\end{figure}">|;
$key = q/{figure}preform{<verbatim_mark>verbatim339#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="3949" HEIGHT="223" BORDER="0"
SRC="|."$dir".q|img47.gif"
ALT="\begin{figure}\begin{verbatim}1046778101.534846 ...">|;
$key = q/{figure}preform{<verbatim_mark>verbatim337#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="515" HEIGHT="70" BORDER="0"
SRC="|."$dir".q|img45.gif"
ALT="\begin{figure}\begin{verbatim}type x509: record {
issuer: string; ...">|;
$key = q/^*;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="13" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img12.gif"
ALT="$^*$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim299#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="684" HEIGHT="109" BORDER="0"
SRC="|."$dir".q|img21.gif"
ALT="\begin{figure}\begin{verbatim}type net_stats: record {
...">|;
$key = q/h;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="15" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img19.gif"
ALT="$h$">|;
$key = q/B_{r};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img26.gif"
ALT="$B_{r}$">|;
$key = q/m;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="20" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img17.gif"
ALT="$m$">|;
$key = q/le2;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="31" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img41.gif"
ALT="$\le 2$">|;
$key = q/2^{16};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="27" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img6.gif"
ALT="$2^{16}$">|;
$key = q/le26;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="39" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img16.gif"
ALT="$\le 26$">|;
$key = q/A;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="18" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img23.gif"
ALT="$A$">|;
$key = q/A_1{{tt{.}A_2{{tt{.}A_3{{tt{.}A_4;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="122" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img3.gif"
ALT="$A\_1 {\tt .} A\_2 {\tt .} A\_3 {\tt .} A\_4$">|;
$key = q/_{3};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img15.gif"
ALT="$_{3}$">|;
$key = q/^+;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="17" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img11.gif"
ALT="$^+$">|;
$key = q/N_1{{tt{.}N_2{{tt{.}N_3;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="99" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img9.gif"
ALT="$N\_1 {\tt .} N\_2 {\tt .} N\_3 $">|;
$key = q/tilde{~}~~;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="18" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img2.gif"
ALT="$\tilde{&nbsp;}&nbsp;&nbsp;$">|;
$key = q/n;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="16" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img18.gif"
ALT="$n$">|;
1;

File diff suppressed because it is too large.

Binary file not shown.

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff

View file

@ -1,30 +0,0 @@
/* Century Schoolbook font is very similar to Computer Modern Math: cmmi */
.MATH { font-family: "Century Schoolbook", serif; }
.MATH I { font-family: "Century Schoolbook", serif; font-style: italic }
.BOLDMATH { font-family: "Century Schoolbook", serif; font-weight: bold }
/* implement both fixed-size and relative sizes */
SMALL.XTINY { font-size : xx-small }
SMALL.TINY { font-size : x-small }
SMALL.SCRIPTSIZE { font-size : smaller }
SMALL.FOOTNOTESIZE { font-size : small }
SMALL.SMALL { }
BIG.LARGE { }
BIG.XLARGE { font-size : large }
BIG.XXLARGE { font-size : x-large }
BIG.HUGE { font-size : larger }
BIG.XHUGE { font-size : xx-large }
/* heading styles */
H1 { }
H2 { }
H3 { }
H4 { }
H5 { }
/* mathematics styles */
DIV.displaymath { } /* math displays */
TD.eqno { } /* equation-number cells */
/* document-specific styles come next */


@ -1,229 +0,0 @@
@menu
* Download ::
* Install ::
* Configuration ::
* Encrypted Reports ::
@end menu
@node Download
@section Download
@cindex download
Download Bro from: @uref{http://www.bro-ids.org/}
You can unpack the distribution anywhere except into the directory
you plan to install into. To untar the file, type:
@example
tar xvzf bro-0.9a6.6.tar.gz
@end example
@node Install
@section Install
You'll need to collect the following information before beginning the installation.
@itemize
@item localnets: a list of local subnets for your network. Bro needs to know which networks are "internal" and which are "external".
@item interface names: the names of the capture interfaces in your host (e.g. sk0 or en1). Use @code{ifconfig -a} to get the list of all network interfaces on your Bro host.
@end itemize
If you want to use Bro's periodic email report feature, you'll also need:
@itemize
@item email list: a list of email addresses to send the reports to.
@item pgp keys: if you want to encrypt all email reports, the location of the
@uref{http://www.gnupg.org/,GPG keyring} of all recipients.
@end itemize
Bro is very easy to install. Just log in as @code{root}, and type:
@example
./configure
@end example
or to install Bro in a location other than @file{/usr/local/bro}, use:
@example
./configure --prefix=/path/to/bro
@end example
and then type:
@example
make
make install
@end example
To update an existing Bro installation with new binaries and standard policy file, instead
of @code{'make install'} do a @code{'make update'}. This will preserve all your local customizations.
@node Configuration
@section Configuration
@cindex bro_config
@cindex bro.cfg
The @emph{Bro-Lite} configuration script can be used to automatically configure Bro for you. It
checks your system's BPF settings, creates a 'bro' user account, installs
a script to start bro at boot time, and installs a number of @code{cron} jobs
to checkpoint bro every night, run perioidic reports, and manage log files.
To run this configuration script type:
@example
make install-brolite
@end example
This will run the script @code{bro_config}, which creates the file @file{$BROHOME/etc/bro.cfg}.
@code{bro_config} will ask a number of simple questions.
Sample output of @code{bro_config}, along with explanation, is shown below:
@quotation
@verbatim
Running Bro Configuration Utility
Checking interfaces .... Done.
Reading /usr/local/bro/etc/bro.cfg.example for defaults.
@end verbatim
@quotation
@quotation
The @code{bro_config} script looks first at ./bro.cfg, then /usr/local/bro/etc,
for default values to use below.
@end quotation
@end quotation
@verbatim
Bro Log archive location [/usr/local/bro/archive]
@end verbatim
@quotation
@quotation
This is the directory where log file archives are kept.
If you expect the log files to be very large, it is recommended to put these in a separate disk partition.
@end quotation
@end quotation
@verbatim
User id to install and run Bro under [bro]
@end verbatim
@quotation
@quotation
@code{bro_config} will create a new user account with this username if the user does not exist.
@end quotation
@end quotation
@verbatim
Interface names to listen on. [en1,en2]
@end verbatim
@quotation
@quotation
@code{bro_config} looks for all network interfaces and does a short test to determine which interfaces see the most traffic, and selects these interfaces as the default.
@end quotation
@end quotation
@verbatim
Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) []
Starting Report Time [0600]
Report interval (in hours) [24]
Email addresses for internal reports [bro@localhost]
Do you want to send external reports to a incident
reporting org (e.g.: CERT, CIAC, etc) (Y/N)
Y
Email addresses for external reports []
@end verbatim
@quotation
@quotation
Daily reports will be created.
Enter the site name you want to appear at the top and in the subject of all email reports.
The 'start time' and 'interval' define the window of
network activity that the daily report will cover, starting at 'Starting Report Time' and
lasting through 'Report interval'. The start time should be entered using 24hr clock notation.
For example: 12:30am = 0030, 2pm = 1400
Two types of reports will be generated,
"internal" and "external". Internal reports contain the same basic information as
the external reports, along with traffic statistics and more detailed information on
incidents. Both internal and external reports will be sent to the "internal" email address list.
External reports are only sent if you answer "Y" and enter an external email address.
(Note: currently only internal reports are generated)
@end quotation
@end quotation
@verbatim
Do you want to encrypt the email reports (Y/N) [N]
Y
@end verbatim
@quotation
@quotation
If you want the email reports encrypted, you will need to set up GPG (@uref{http://www.gnupg.org})
and create a GPG keyring containing the public keys of all email recipients. Instructions
for this are in @ref{Encrypted Reports}.
@end quotation
@end quotation
@verbatim
Running script to determine your local subnets ...
Your Local subnets [198.129.224.1/32]
@end verbatim
@quotation
@quotation
Bro needs to know a list of your local subnets. @code{bro_config} runs a tool
that attempts to discover this automatically.
You should always verify the results of this tool. The format is a list of subnet/significant
bits of address.
For example: 131.243.0.0/16, 198.128.0.0/18, 198.129.224.1/32
@end quotation
This information will be stored in the file @code{$BROHOME/site/local.site.bro}
@end quotation
@verbatim
Saving settings to file: /usr/local/bro/etc/bro.cfg
Bro configuration finished.
To change these values, you can rerun bro_config at any time.
@end verbatim
@quotation
@quotation
Indicates that the script finished successfully.
@end quotation
@end quotation
@end quotation
For site monitoring very high traffic rates on Gigabit ethernet, there is some
additional system tuning that should be done. See the @uref{http://www.bro-ids.org/, Bro User Guide} for more details.
To reconfigure Bro, just type:
@example
bro_config
@end example
This will update your @file{/usr/local/bro/etc/bro.cfg} file. You can also edit this file using your favorite editor if you prefer.
For other site customizations, you can edit the file $BROHOME/site/local.site.bro.
For example, to tell bro to not look at traffic for host 198.162.44.66, add:
@verbatim
redef restrict_filters += { ["ignore host 198.162.44.66 "] = "not (host 198.162.44.66)" };
@end verbatim
Or to disable alarms for "WeirdActivity", you can add this:
@verbatim
redef notice_action_filters += { [[WeirdActivity]] = ignore_notice, };
@end verbatim
Any changes you make in $BROHOME/site will not be touched during an upgrade
or reinstall of Bro. You should avoid editing files in $BROHOME/policy,
as these will be overwritten.
More details are available in the Bro user guide.
@node Encrypted Reports
@section Encrypted Reports
@cindex GPG
Bro can use GPG (@uref{http://www.gnupg.org/}) to encrypt
the reports that it sends. To have Bro encrypt your
reports you must have said 'yes' to the bro_config question to
encrypt your reports. For information on configuring
GPG for Bro reports, see the @uref{http://www.bro-ids.org/, Bro User Manual}.
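
Review bot: nothing in the deleted installation chapter survives the build-system change, so removing it is right, but whatever INSTALL replaces it should not lose the three operational points this file was the only place documenting: the list of local subnets and capture interfaces the user must collect before installing (lines "localnets: a list of local subnets" and "interface names"), the warning that the auto-detected subnet list must always be verified (a wrong list silently swaps which side Bro treats as internal), and the `redef restrict_filters` / `redef notice_action_filters` examples for `$BROHOME/site/local.site.bro`. One thing not to carry over verbatim is "Just log in as root, and type: ./configure ... make ... make install"; the replacement should have the configure and build steps run as an unprivileged user and reserve root for the install step only. Also worth a line in CHANGES: `make update` (preserve local customizations on upgrade), `make install-brolite` and `bro_config` are described here and nowhere else, so users looking for them need to be told they are gone.
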


@ -1,143 +0,0 @@
@menu
* What is Bro? ::
* Bro features and benefits ::
* Getting more Information ::
@end menu
@node What is Bro?
@section What is Bro?
@cindex Network Intrusion Detection System
Bro is a Unix-based Network Intrusion Detection System (IDS). Bro monitors network traffic and detects intrusion attempts based on the traffic
characteristics and content. Bro detects intrusions by comparing network traffic against rules describing events that are deemed troublesome. These rules
might describe activities (e.g., certain hosts connecting to certain services), what activities are worth alerting (e.g., attempts to a given number of different hosts constitutes
a "scan"), or signatures describing known attacks or access to known vulnerabilities. If Bro detects something of interest, it can be instructed to either issue a log entry or initiate the execution of an operating system command.
Bro targets high-speed (Gbit/second), high-volume intrusion detection. By judiciously leveraging packet filtering techniques,
Bro is able to achieve the performance necessary to do so while running on commercially
available PC hardware, and thus can serve as a cost effective means of monitoring a site's Internet connection.
@node Bro features and benefits
@section Bro features and benefits
@itemize
@item @strong{Network Based}
@quotation
Bro is a network-based IDS. It collects, filters, and analyzes traffic that passes through a specific
network location. A single Bro monitor, strategically placed at a key network junction, can be
used to monitor all incoming and outgoing traffic for the entire site. Bro does not use or
require installation of client software on each individual, networked computer.
@end quotation
@item @strong{Custom Scripting Language}
@quotation
Bro policy scripts are programs written in the Bro language. They contain the "rules" that
describe what sorts of activities are deemed troublesome. They analyze the network activity and
initiate actions based on the analysis. Although the Bro language takes some time and effort to
learn, once mastered, the Bro user can write or modify Bro policies to detect and alert on virtually
any type of network activity.
@end quotation
@item @strong{Pre-written Policy Scripts}
@quotation
Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks
while limiting the number of false positives, i.e., alerts that confuse uninteresting activity with the
important attack activity. These supplied policy scripts will run "out of the box" and do not
require knowledge of the Bro language or policy script mechanics.
@end quotation
@item @strong{Powerful Signature Matching Facility}
@quotation
Bro policies incorporate a signature matching facility that looks for specific traffic content. For
Bro, these signatures are expressed as regular expressions, rather than fixed strings. Bro adds a
great deal of power to its signature-matching capability because of its rich language. This allows
Bro to not only examine the network content, but to understand the context of the signature,
greatly reducing the number of false positives. Bro comes with a set of high value signatures
policies, selected for their high detection and low false positive characteristics.
@end quotation
@item @strong{Network Traffic Analysis}
@quotation
Bro not only looks for signatures, but can also analyze network protocols, connections,
transactions, data amounts, and many other network characteristics. It has powerful facilities for
storing information about past activity and incorporating it into analyses of new activity.
@end quotation
@item @strong{Detection Followed by Action}
@quotation
Bro policy scripts can generate output files recording the activity seen on the network (including
normal, non-attack activity). They can also send alarms to event logs, including the
operating system syslog facility. In addition, scripts can execute programs, which can, in turn,
send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with
appropriate additional software, insert access control blocks into a router's access control list.
With Bro's ability to execute programs at the operating system level, the actions that Bro can
initiate are only limited by the computer and network capabilities that support Bro.
@end quotation
@item @strong{@uref{http://www.snort.org/,Snort} Compatibility Support}
@cindex Snort
@quotation
The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro
signatures. Along with translating the format of the signatures, snort2bro also incorporates a large
number of enhancements to the standard set of Snort signatures to take advantage of Bro's
additional contextual power and reduce false positives.
@end quotation
@end itemize
@node Getting more Information
@section Getting more Information
@itemize
@item @strong{Reference manual}
@quotation
An extensive @uref{http://www.bro-ids.org/manuals.html,reference manual} is provided detailing the Bro Policy Language
@end quotation
@item @strong{FAQ}
@cindex FAQ
@quotation
Several Frequently Asked Questions are outlined in the @uref{http://www.bro-ids.org/FAQ.html,Bro FAQ}.
Do you have a question that's not
in the FAQ, send it to us and we'll add it.
@end quotation
@item @strong{E-mail list}
@cindex Email list
@quotation
Send questions on any Bro subject to Bro@@bro-ids.org
The list is frequented by all of the Bro developers, including the primary author of Bro, Dr. Vern
Paxson.
You can subscribe by going to the website:
@* @uref{http://mailman.icsi.berkeley.edu/mailman/listinfo/bro},
@*
or by placing the following command in either the subject or the body of a message addressed to
Bro-request@@ICSI.Berkeley.EDU.
@example
subscribe [password] [digest-option] [address=<address>]
@end example
A password must be given to
unsubscribe or change your options. Once subscribed to the
list, you'll be reminded of your password periodically.
The 'digest-option' may be either: 'nodigest' or 'digest' (no
quotes!) If you wish to subscribe an address other than the
address you use to send this request from, you may specify
"address=<email address>" (no brackets around the email
address, no quotes!)
@end quotation
@item @strong{Website}
@quotation
The official Bro website is located at:
@uref{http://www.bro-ids.org}.
It contains all of the above documentation and more.
@end quotation
@end itemize
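
Review bot: this overview is the only file in the diff that mentions snort2bro ("The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro signatures"); if the tool is still shipped after the cleanup it needs a new home in the docs, and if it is among the pieces dropped, CHANGES should say so. The mailing-list block (`subscribe [password] [digest-option] [address=<address>]` sent to Bro-request@ICSI.Berkeley.EDU, plus the FAQ and manuals URLs) is 0.9-era text, so check those addresses before any of it is copied into a README rather than assuming they still work.
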


@ -1,99 +0,0 @@
\input texinfo @c -*-texinfo-*-
@comment $Id: Bro-quick-start.texi 958 2004-12-21 16:51:44Z tierney $
@comment %**start of header
@setfilename Bro-quick-start.info
@settitle Bro Quick Start Guide
@setcontentsaftertitlepage
@comment %**end of header
@set VERSION 0.9
@set UPDATED 11-15-2004
@copying
This the Quick Start Guide for Bro
version @value{VERSION}.
This software is copyright @copyright{}
1995-2004, The Regents of the University of California
and the International Computer Science Institute. All rights reserved.
For further information about this notice, contact:
Vern Paxson
email: @email{vern@@icir.org}
@end copying
@dircategory Bro
@direntry
* Bro: Network Intrusion Detection System
@end direntry
@ifnottex
@node Top
@top Bro Quick Start Guide
@copyright{} Lawrence Berkeley National Laboratory
@end ifnottex
@titlepage
@title Bro Quick Start Guide
@subtitle version @value{VERSION}, @value{UPDATED}, @strong{DRAFT}
@author Vern Paxson, Jim Rothfuss, Brian Tierney
@author Contact: @email{vern@@icir.org}
@author @uref{http://www.bro-ids.org/}
@page
@insertcopying
@vskip 0pt plus 1filll
@end titlepage
@contents
@ifnottex
@strong{Bro Quick Start Guide}:
This manual contains info on installing, configuring, and running
Bro. For more details, see the @uref{http://www.bro-ids.org/Bro-user-manual/,
Bro User Manual}
@end ifnottex
@menu
* Overview of Bro::
* Requirements ::
* Installation and Configuration::
* Running Bro ::
* Index::
@end menu
@comment ********************************************
@node Overview of Bro
@chapter Overview of Bro
@include Bro-overview.texi
@comment ********************************************
@node Requirements
@chapter Requirements
@cindex Software requirements
@cindex Hardware requirements
@include Bro-requirements.texi
@comment ********************************************
@node Installation and Configuration
@chapter Installation and Configuration
@cindex Installation instructions
@include Bro-installation.texi
@cindex Configuration instructions
@comment ********************************************
@node Running Bro
@chapter Running Bro
@include Bro-running.texi
@comment ********************************************
@node Index
@unnumbered Index
@printindex cp
@bye
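
Review bot: this top-level file `@include`s Bro-overview.texi, Bro-requirements.texi, Bro-installation.texi and Bro-running.texi, and the requirements chapter it pulls in references `@image{bro-deployment,6.3in}`; three of the four includes are deleted in this diff, but Bro-running.texi and the bro-deployment image are not visible on this page (the diff is truncated), so confirm they are removed in the same commit rather than leaving orphaned texinfo sources behind. The `@comment $Id: ... $` keyword line and the `@set UPDATED 11-15-2004` stamp are also a reminder that nothing in this tree has been maintained for years, which supports dropping it wholesale instead of porting it.
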


@ -1,79 +0,0 @@
@menu
* Network Tap ::
* Hardware and Software Requirements ::
@end menu
@node Network Tap
@section Network Tap
@cindex network tap
A network tap must be installed to provide Bro with access to live network traffic.
For Bro to be most effective, access to the network must be full-bandwidth (no bandwidth limitations) and full-duplex. A passive tap is recommended to ensure minimal impact on network operations.
Normally the network tap for Bro should be placed behind an external firewall and on the DMZ
(the portion of the network under the control of the organization but outside of the internal firewall),
as shown in the figure below. Some organizations might prefer to install the network tap before
the firewall in order to detect all scans or attacks. Placing Bro before the firewall will allow
the organization to better understand attacks, but will produce a much high number of alarms and alerts. Another option is to place Bro inside the internal firewall, allowing it to detect internal hosts with viruses or worms.
In addition to the connection to the network tap, a separate network connection is required
for management of Bro and access to log files.
For more information on taps and tap placement see the Netoptics White paper titled @emph{Deploying Network Taps with Intrusion Detection Systems} (@uref{http://www.netoptics.com/products/pdf/Taps-and-IDSs.pdf}).
@float Figure, tap location
@image{bro-deployment,6.3in}
@caption{Typical location for network tap and Bro system}
@end float
@node Hardware and Software Requirements
@section Hardware and Software Requirements
Bro requires no custom hardware, and runs on low-cost commodity PC-style system.
However, the Bro monitoring host must examine every packet into and out of
your site, so depending on your sites network traffic, you may need a fairly high-end machine.
If you are trying to monitor a link with a large number of connections, we recommend using
a second system for report generation, and run only Bro on the capture host.
@quotation
@multitable @columnfractions .25 .75
@comment only work with texiinfo 4.7 or higher: @headitem Item @tab Requirements
@item @strong{Item} @tab @strong{Requirements}
@item @strong{Processor}
@tab 1 GHz CPU (for 100 BT Ethernet with average packet rate <= 5,000 packets/second)
@* 2 GHz CPU (for 1000 BT Ethernet with average packet rate <= 10,000 packets/second)
@* 3 GHz CPU (for 1000 BT Ethernet with average packet rate <= 20,000 packets/second)
@* 4 GHz CPU (for 1000 BT Ethernet with average packet rate <= 50,000 packets/second)
@* (Note: these are @strong{very} rough estimates, and much depends on the types of
traffic on your network (e.g.: http, ftp, mail, etc.). See the Performance chapter of the Bro User Guide for more information)
@item @strong{Operating System}
@tab FreeBSD 4.10 (@uref{http://www.freebsd.org/}) Bro works with Linux
and Solaris as well,
but the performance is best under FreeBSD. In particular there are some performance issues with
packet capture under Linux. See the User Guide chapter on Bro and Linux for more information. FreeBSD 5.x should work, but may have performance issues. For sites with very high traffic loads, contact us for information on a FreeBSD 4.x patch to do @emph{bpf bonding}
@item @strong{Memory}
@tab 1 GB RAM is the minimum needed, but 2-3 GB is recommended
@item @strong{Hard disk}
@tab 10 GByte minimum, 50 GByte or more for log files recommended
@item @strong{User privileges}
@tab @emph{superuser} to install Bro, then Bro runs as user @emph{bro}
@item @strong{Network Interfaces}
@tab 3 interfaces are required: 2 for packet capture (1 for each direction), and 1 for host management. Capture interfaces should be identical.
@item @strong{Other Software}
@* - Perl version 5.6 or higher (@uref{http://www.perl.org})
@* - libpcap version 0.8 or higher (@uref{http://www.tcpdump.org})
@* - tcpdump version 3.8 or higher (@uref{http://www.tcpdump.org})
@* Note: FreeBSD 4.x comes with older versions perl, libpcap, and tcpdump. Bro
requires newer versions of these tools.
@end multitable
@end quotation
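
Review bot: the hardware and version table is the genuinely stale part of this file (FreeBSD 4.10, libpcap 0.8, tcpdump 3.8, Perl 5.6, the 1-4 GHz CPU figures), but two rows should reappear in the replacement documentation rather than disappear with it: "@emph{superuser} to install Bro, then Bro runs as user @emph{bro}" and the tap-placement advice (passive tap, capture interfaces separate from the management interface), since together they are what keep the capture path read-only and the monitor process unprivileged. With this table gone the diff leaves no statement of minimum dependency versions anywhere on the page; the build-time checks should be the source of truth, so have INSTALL state the versions those checks actually enforce instead of leaving the question open.
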

Some files were not shown because too many files have changed in this diff.