diff --git a/AUTHORS b/AUTHORS
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/COPYING b/COPYING
index f4bafa114c..f9bba2b90e 100644
--- a/COPYING
+++ b/COPYING
@@ -1,4 +1,4 @@
-Copyright (c) 1995-2008, The Regents of the University of California,
+Copyright (c) 1995-2010, The Regents of the University of California,
through Lawrence Berkeley National Laboratory. All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -31,7 +31,7 @@ POSSIBILITY OF SUCH DAMAGE.
Note that some files in the Bro distribution carry their own copyright
notices. The above applies to the Bro scripts in policy/ (other than as
-noted below) and the source files in src/ , other than:
+noted below) and the source files in src/, other than:
policy/sigs/p0fsyn.osf
src/H3.h
@@ -44,6 +44,5 @@ noted below) and the source files in src/ , other than:
src/patricia.c
src/patricia.h
-In addition, the build components such as Makefile.in, acinclude.m4, and
-others have separate copyrights, as do a number of the elements in the
-aux/ subdirectory and in scripts/s2b/snort_rules2.2/ .
+In addition, other components, such as the build system, may have
+separate copyrights.
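Review bot: The replacement paragraph at the end of COPYING ("other components, such as the build system, may have separate copyrights") no longer tells a redistributor which parts carry their own terms, where the removed text at least named Makefile.in, acinclude.m4, aux/ and scripts/s2b/snort_rules2.2/. Suggest naming the directories that still ship with separate notices, or pointing to the per-file headers, so the scope of this license stays checkable.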
diff --git a/ChangeLog b/ChangeLog
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/Checklist-for-Release b/Checklist-for-Release
index f5f477f766..e0d0572872 100644
--- a/Checklist-for-Release
+++ b/Checklist-for-Release
@@ -1,3 +1,6 @@
+
+TODO: Needs update. -Robin
+
- Make sure BroV6 works.
- Make sure --enable-int64 builds w/o warnings.
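Review bot: The added "TODO: Needs update. -Robin" does not say which checklist items are stale, and the hunk also puts a blank line at the very top of the file. Since this patch deletes Makefile.am and acinclude.m4, items that name configure switches, such as "Make sure --enable-int64 builds w/o warnings", are the ones to re-verify against the new build or drop; listing them in the TODO would make it actionable.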
diff --git a/FILES.bin b/FILES.bin
deleted file mode 100644
index f0b07e4bec..0000000000
--- a/FILES.bin
+++ /dev/null
@@ -1,3 +0,0 @@
-README
-VERSION
-bro
diff --git a/INSTALL b/INSTALL
index 9fd880c242..64f87c2049 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,3 +1,8 @@
+==============
+Installing Bro
+==============
+
+
Prerequisites
=============
@@ -25,7 +30,7 @@ before you begin:
These are usually already installed as well.
* OpenSSL headers and libraries
- For analysis of SSL certificates by the HTTP analyzer, and
+ For analysis of SSL certificates by the HTTP analyzer, and
for encrypted Bro-to-Bro communication. These are likely installed,
though some platforms may require installation of a 'devel' package
for the headers.
@@ -42,65 +47,41 @@ installation time:
* Libmagic
For identifying file types (e.g., in FTP transfers).
-
+
* LibGeoIP
For geo-locating IP addresses.
-
+
* Libz
For decompressing HTTP bodies by the HTTP analyzer, and for
compressed Bro-to-Bro communication.
+
Installation
============
To build and install into /usr/local/bro:
> ./configure
- > cd build
> make
> make install
-This will perform an out-of-source build into the build directory using the
-default build options and then install binaries into /usr/local/bro/bin.
+This will perform an out-of-source build into a directory called
+build/, using default build options. It then installs the Bro binary
+into /usr/local/bro/bin. Depending on the Bro package you
+downloaded, there may be auxiliary tools and libraries available in
+the aux/ directory. If so, they will be installed by default as well
+if not explicitly disabled via configure options.
You can specify a different installation directory with
> ./configure --prefix=
-Run "./configure --help" for more options.
+Run "./configure --help" for more options.
Running Bro
===========
Bro is a complex program and it takes a bit of time to get familiar
-with it. In the following we give a few simple examples. See
-http://www.bro-ids.org/wiki for more information.
-
-To run a policy file from /usr/local/share/bro, such as mt.bro, on a
-previously captured tcpdump save file named foo:
-
- bro -r foo mt.bro
-
-To run from interface le0:
-
- bro -i le0 mt
-
-You can alternatively specify interface and scripts to load in your own
-policy file:
-
- @load mt
- redef interfaces = "le0";
-
-and then run
-
- bro ./my-policy.bro
-
-You can see the BPF filter Bro will use (if not overridden) by executing
-
- bro mt print-filter
-
-To run interactively (e.g., for playing with expression evaluation):
-
- bro
-
-"bro -h" lists the various options.
+with it. In the following we give a few simple examples. See the
+quickstart guide at http://www.bro-ids.org for more information; you
+can the source that in doc/quick-start.
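Review bot: In the rewritten "Running Bro" paragraph, the added line "can the source that in doc/quick-start." is missing a verb; something like "you can find the source for that in doc/quick-start" appears to be intended. The kept sentence "In the following we give a few simple examples" is also no longer true, because every example that followed it ("bro -r foo mt.bro", "bro -i le0 mt", the print-filter invocation) is removed in this hunk, so it should be reworded to simply point at the quickstart guide. In the Installation text, the new statement that aux/ tools are installed "if not explicitly disabled via configure options" would be more useful if it named the option, for users who want only the Bro binary on a sensor.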
diff --git a/Makefile.am b/Makefile.am
deleted file mode 100644
index bdbdc25ef5..0000000000
--- a/Makefile.am
+++ /dev/null
@@ -1,64 +0,0 @@
-## Process this file with automake to produce Makefile.in
-
-# snag the whole linux-include directory
-EXTRA_DIST = CHANGES README VERSION shtool linux-include \
- autogen.sh depcomp ylwrap
-
-# When running distcheck, make sure we skip building GtkDoc-based
-# documentation. This applies to Broccoli only, and needs to be
-# duplicated here because DISTCHECK_CONFIGURE_FLAGS isn't otherwise
-# noticed.
-#
-DISTCHECK_CONFIGURE_FLAGS = --disable-gtk-doc
-
-chown = @CHOWN@
-
-# aux before src so we compile the libpcap
-SUBDIRS = aux src scripts policy doc
-
-test:
- ( cd ../testing && $(MAKE) test )
-
-install-broctl:
- $(MAKE) install
- ( cd aux/broctl && $(MAKE) install-broctl )
-
-# Deprecated. Don't use.
-install-brolite:
- $(MAKE) install
- $(INSTALL) -d $(prefix)/logs
- $(INSTALL) -d $(prefix)/archive
- $(INSTALL) -d $(prefix)/var
- ( cd scripts && $(MAKE) install-brolite )
- ( cd aux && $(MAKE) install-brolite )
- - @CHOWN@ -R `cat scripts/bro_user_id` ${prefix}/
- @echo "*********************************************************"
- @echo "Please run \"${prefix}/etc/bro.rc --start\" to start bro"
- @echo "*********************************************************"
-
-docs:
- ( cd doc && $(MAKE) doc )
-
-doc-install:
- ( cd doc && $(MAKE) doc-install )
-
-update:
- ( cd scripts && $(MAKE) update )
- ( cd policy && $(MAKE) install )
-
-update-sigs:
- (cd scripts && $(MAKE) update-sigs )
-
-reports:
- ( cd scripts && $(MAKE) reports )
-
-# make sure we don't leak CVS/SVN or private policy files
-dist-hook:
- rm -rf `find $(distdir) -name CVS`
- rm -rf `find $(distdir) -name .svn`
- rm -rf $(distdir)/policy/local
-
-release:
- ./autogen.sh
- ./configure
- $(MAKE) distcheck
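Review bot: Deleting Makefile.am drops the dist-hook target, whose comment says it exists to "make sure we don't leak CVS/SVN or private policy files" and which removes $(distdir)/policy/local before packaging. Nothing in the visible part of this patch replaces that safeguard, so please confirm that the new packaging step excludes version-control metadata and policy/local from release tarballs. The release target's "$(MAKE) distcheck" goes away as well; Checklist-for-Release should say what replaces it.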
diff --git a/NEWS b/NEWS
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/README b/README
index 160aea36b7..66a580fa19 100644
--- a/README
+++ b/README
@@ -1,29 +1,24 @@
-This is release 1.5 of Bro, a system for detecting network intruders in
+This is release 1.6 of Bro, a system for detecting network intruders in
real-time using passive network monitoring.
-Please see the file INSTALL for installation instructions and some examples
-on how to run Bro. For more documentation, see the Bro Wiki:
+Please see the file INSTALL for installation instructions and
+pointers for getting started. For more documentation, see the
+documentation on Bro's home page:
- http://www.bro-ids.org/wiki/index.php/User_Manual
+ http://www.bro-ids.org/docs
-Please note that this documentation is preliminary and still missing pieces.
-PDF and HTML versions of older versions of the manuals are also available
-in the doc/ directory.
-
-There's also in doc/misc/conn-logs/ a brief summary of the connection logs
-generated by the sample policy scripts (which are in policy/).
+The main parts of Bro's documentation are also available in the doc/
+directory of the distribution. (Please note that the documentation
+is still a work in progress; there will be more in future releases.)
Numerous other Bro-related publications, including a paper describing the
system, can be found at
- http://www.bro-ids.org/publications.html
+ http://www.bro-ids.org/publications.html
-Some auxiliary scripts and utilities are available in the aux/ directory.
-Note that these are not installed by default.
-
-Send comments, etc., to the Bro mailing list, bro@bro-ids.org. However,
-please note that you must first subscribe to the list in order to be able
-to post to it.
+Send comments, etc., to the Bro mailing list, bro@bro-ids.org.
+However, please note that you must first subscribe to the list in
+order to be able to post to it.
- Vern Paxson & Robin Sommer, on behalf of the Bro development team
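Review bot: The removed sentence "Note that these are not installed by default" about aux/ is dropped without a replacement, while the INSTALL change in this same patch says the aux/ tools "will be installed by default as well". That is a behaviour change for anyone upgrading from 1.5, so README should state it rather than go silent on aux/.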
diff --git a/TODO-For-Next-Release b/TODO-For-Next-Release
deleted file mode 100644
index e8985b669e..0000000000
--- a/TODO-For-Next-Release
+++ /dev/null
@@ -1,9 +0,0 @@
-Plan for 1.6:
- Originally, with 1.5 we were going to start working with --use-binpac
- as the default. However, this has been deferred pending development
- of BinPAC++. We might however turn on BinPAC for the SSL analyzer,
- for which the BinPAC version is more robust. It, though, doesn't
- support storing certs to disk, which some folks use operationally.
-
- Given DPD means we might not filter traffic anyway, we no longer
- have such a good excuse for not dealing with IPv6 options.
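Review bot: Deleting TODO-For-Next-Release discards two open items rather than resolving them: the note that the BinPAC SSL analyzer "doesn't support storing certs to disk, which some folks use operationally", and the note that there is no longer a good excuse for not dealing with IPv6 options. Neither is addressed in the visible part of this patch, so they should be moved to the tracker or the release notes before the file is removed.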
diff --git a/VERSION b/VERSION
index dcfb77b1f4..d421eb9c4e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.5.2.7
+1.6.0.1
diff --git a/acinclude.m4 b/acinclude.m4
deleted file mode 100644
index b8554a299b..0000000000
--- a/acinclude.m4
+++ /dev/null
@@ -1,1007 +0,0 @@
-dnl @(#) $Id: acinclude.m4 6084 2008-08-27 16:13:23Z vern $ (LBL)
-dnl
-dnl Copyright (c) 1995, 1996, 1997, 1998, 1999, 2002, 2003
-dnl The Regents of the University of California. All rights reserved.
-dnl
-dnl Redistribution and use in source and binary forms, with or without
-dnl modification, are permitted provided that: (1) source code distributions
-dnl retain the above copyright notice and this paragraph in its entirety, (2)
-dnl distributions including binary code include the above copyright notice and
-dnl this paragraph in its entirety in the documentation or other materials
-dnl provided with the distribution, and (3) all advertising materials mentioning
-dnl features or use of this software display the following acknowledgement:
-dnl ``This product includes software developed by the University of California,
-dnl Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
-dnl the University nor the names of its contributors may be used to endorse
-dnl or promote products derived from this software without specific prior
-dnl written permission.
-dnl THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
-dnl WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
-dnl MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-dnl
-dnl LBL autoconf macros
-dnl
-
-dnl
-dnl Define RETSIGTYPE and RETSIGVAL
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_TYPE_SIGNAL
-dnl
-dnl results:
-dnl
-dnl RETSIGTYPE (defined)
-dnl RETSIGVAL (defined)
-dnl
-AC_DEFUN([AC_LBL_TYPE_SIGNAL],
- [[AC_BEFORE([$0], [AC_LBL_LIBPCAP])
- AC_TYPE_SIGNAL
- if test "$ac_cv_type_signal" = void ; then
- AC_DEFINE(RETSIGVAL,,[signal function return value])
- else
- AC_DEFINE(RETSIGVAL,(0))
- fi
- case "$target_os" in
-
- irix*)
- AC_DEFINE(_BSD_SIGNALS,,[irix's BSD style signals])
- ;;
-
- *)
- dnl prefer sigset() to sigaction()
- AC_CHECK_FUNCS(sigset)
- if test $ac_cv_func_sigset = yes ; then
- AC_DEFINE(signal,sigset,[use sigset() instead of signal()])
- else
- AC_CHECK_FUNCS(sigaction)
- fi
- ;;
- esac]])
-
-dnl
-dnl Determine which compiler we're using (cc or gcc)
-dnl If using gcc, determine the version number
-dnl If using cc, require that it support ansi prototypes
-dnl If using gcc, use -O2 (otherwise use -O)
-dnl If using cc, explicitly specify /usr/local/include
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_C_INIT(copt, incls)
-dnl
-dnl results:
-dnl
-dnl $1 (copt set)
-dnl $2 (incls set)
-dnl CC
-dnl LDFLAGS
-dnl LBL_CFLAGS
-dnl
-AC_DEFUN([AC_LBL_C_INIT],
- [AC_PREREQ(2.12)
- AC_BEFORE([$0], [AC_PROG_CC])
- AC_BEFORE([$0], [AC_LBL_FIXINCLUDES])
- AC_BEFORE([$0], [AC_LBL_DEVEL])
- AC_ARG_WITH(gcc, [ --without-gcc don't use gcc])
- $1="-O"
- $2=""
- if test "${srcdir}" != "." ; then
- $2='-I$(srcdir)'
- fi
- if test "${CFLAGS+set}" = set; then
- LBL_CFLAGS="$CFLAGS"
- fi
- if test -z "$CC" ; then
- case "$target_os" in
-
- bsdi*)
- AC_CHECK_PROG(SHLICC2, shlicc2, yes, no)
- if test $SHLICC2 = yes ; then
- CC=shlicc2
- export CC
- fi
- ;;
- esac
- fi
- if test -z "$CC" -a "$with_gcc" = no ; then
- CC=cc
- export CC
- fi
- AC_PROG_CC
- if test "$GCC" != yes ; then
- AC_MSG_CHECKING(that $CC handles ansi prototypes)
- AC_CACHE_VAL(ac_cv_lbl_cc_ansi_prototypes,
- AC_TRY_COMPILE(
- [#include ],
- [int frob(int, char *)],
- ac_cv_lbl_cc_ansi_prototypes=yes,
- ac_cv_lbl_cc_ansi_prototypes=no))
- AC_MSG_RESULT($ac_cv_lbl_cc_ansi_prototypes)
- if test $ac_cv_lbl_cc_ansi_prototypes = no ; then
- case "$target_os" in
-
- hpux*)
- AC_MSG_CHECKING(for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE))
- savedcflags="$CFLAGS"
- CFLAGS="-Aa -D_HPUX_SOURCE $CFLAGS"
- AC_CACHE_VAL(ac_cv_lbl_cc_hpux_cc_aa,
- AC_TRY_COMPILE(
- [#include ],
- [int frob(int, char *)],
- ac_cv_lbl_cc_hpux_cc_aa=yes,
- ac_cv_lbl_cc_hpux_cc_aa=no))
- AC_MSG_RESULT($ac_cv_lbl_cc_hpux_cc_aa)
- if test $ac_cv_lbl_cc_hpux_cc_aa = no ; then
- AC_MSG_ERROR(see the INSTALL doc for more info)
- fi
- CFLAGS="$savedcflags"
- $1="-Aa $$1"
- AC_DEFINE(_HPUX_SOURCE,,[HP-UX ansi compiler])
- ;;
-
- *)
- AC_MSG_ERROR(see the INSTALL doc for more info)
- ;;
- esac
- fi
- $2="$$2 -I/usr/local/include"
- LDFLAGS="$LDFLAGS -L/usr/local/lib"
-
- case "$target_os" in
-
- irix*)
- $1="$$1 -xansi -signed -g3"
- ;;
-
- osf*)
- $1="$$1 -std1 -g3"
- ;;
-
- ultrix*)
- AC_MSG_CHECKING(that Ultrix $CC hacks const in prototypes)
- AC_CACHE_VAL(ac_cv_lbl_cc_const_proto,
- AC_TRY_COMPILE(
- [#include ],
- [struct a { int b; };
- void c(const struct a *)],
- ac_cv_lbl_cc_const_proto=yes,
- ac_cv_lbl_cc_const_proto=no))
- AC_MSG_RESULT($ac_cv_lbl_cc_const_proto)
- if test $ac_cv_lbl_cc_const_proto = no ; then
- AC_DEFINE(const,,[ultrix can't hack const])
- fi
- ;;
- esac
- fi
-])
-
-dnl AC_LBL_ENABLE_CHECK(brov6 activemapping expire-dfa-states)
-dnl
-dnl This allows us to check for bogus configure enable/disable
-dnl command line options
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_ENABLE_CHECK(opt ...)
-dnl
-AC_DEFUN([AC_LBL_ENABLE_CHECK],
- [set |
- sed -n -e 's/^enable_\([[^=]]*\)=[[^=]]*$/\1/p' |
- while read var; do
- ok=0
- for o in option_checking m4_translit([$1], -, _); do
- if test "${o}" = "${var}" ; then
- ok=1
- break
- fi
- done
- if test ${ok} -eq 0 ; then
- # It's hard to kill configure script from subshell!
- AC_MSG_ERROR(unknown enable option: ${var})
- exit 1
- fi
- done
- if test $? -ne 0 ; then
- exit 1
- fi])
-
-dnl
-dnl Use pfopen.c if available and pfopen() not in standard libraries
-dnl Require libpcap
-dnl Look for libpcap in ..
-dnl Use the installed libpcap if there is no local version
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_LIBPCAP(pcapdep, incls)
-dnl
-dnl results:
-dnl
-dnl $1 (pcapdep set)
-dnl $2 (incls appended)
-dnl LIBS
-dnl LDFLAGS
-dnl LBL_LIBS
-dnl
-AC_DEFUN([AC_LBL_LIBPCAP],
- [AC_REQUIRE([AC_LBL_LIBRARY_NET])
- dnl
- dnl save a copy before locating libpcap.a
- dnl
- LBL_LIBS="$LIBS"
- pfopen=/usr/examples/packetfilter/pfopen.c
- if test -f $pfopen ; then
- AC_CHECK_FUNCS(pfopen)
- if test $ac_cv_func_pfopen = "no" ; then
- AC_MSG_RESULT(Using $pfopen)
- LIBS="$LIBS $pfopen"
- fi
- fi
- AC_MSG_CHECKING(for local pcap library)
- libpcap=FAIL
- lastdir=FAIL
- dnl Since config is at the top level, .. is meaningless for subdirs, get
- dnl the full path
- oneup=`(cd ..; pwd)`
- places=`ls .. | sed -e 's,/$,,' -e "s,^,$oneup/," | \
- egrep '/libpcap-[[0-9]]*\.[[0-9]]*(\.[[0-9]]*)?([[ab]][[0-9]]*)?$'`
- for dir in $places $oneup/libpcap libpcap ; do
- basedir=`echo $dir | sed -e 's/[[ab]][[0-9]]*$//'`
- if test $lastdir = $basedir ; then
- dnl skip alphas when an actual release is present
- continue;
- fi
- lastdir=$dir
- if test -r $dir/pcap.c ; then
- libpcap=$dir/libpcap.a
- d=$dir
- dnl continue and select the last one that exists
- fi
- done
- if test "x$libpcap" = xFAIL ; then
- AC_MSG_RESULT(not found)
- AC_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
- unset ac_cv_lib_pcap_pcap_open_live
- if test "x$libpcap" = xFAIL ; then
- CFLAGS="$CFLAGS -I/usr/local/include"
- LIBS="$LIBS -L/usr/local/lib"
- AC_CHECK_LIB(pcap, pcap_open_live, libpcap="-lpcap")
- unset ac_cv_lib_pcap_pcap_open_live
- if test "x$libpcap" = xFAIL ; then
- AC_MSG_ERROR(see the INSTALL doc for more info)
- fi
- $2="$$2 -I/usr/local/include"
- fi
- LIBS="$LIBS -lpcap"
- else
- $1=$libpcap
- $2="-I$d $$2"
- AC_MSG_RESULT($libpcap)
- fi
- if test "x$libpcap" != "x-lpcap" ; then
- LIBS="-L$d -lpcap $LIBS"
- fi
-
- dnl check libpcap is modern enough for Bro (>= 0.6.1)
- AC_CHECK_LIB(pcap, pcap_freecode)
- if test "$ac_cv_lib_pcap_pcap_freecode" = no ; then
- AC_DEFINE([DONT_HAVE_LIBPCAP_PCAP_FREECODE],[],[Old libpcap versions (< 0.6.1) need defining pcap_freecode and pcap_compile_nopcap])
- fi
-
- dnl check pcap headers location
- AC_MSG_CHECKING(for pcap headers)
- pcap_header_locations="\
- $PWD/../libpcap \
- /usr/include \
- /usr/include/pcap \
- /usr/src/sys \
- /usr/local/include \
- /usr/local/src/libpcap \
- $d"
- pcap_includes=FAIL
- for dir in $pcap_header_locations; do
- if test -r $dir/pcap.h ; then
- pcap_includes=$dir
- break
- fi
- done
- if test "x$pcap_includes" = xFAIL ; then
- AC_MSG_ERROR(couldn't find pcap.h)
- fi
- if test "x$pcap_includes" != x/usr/include ; then
- AC_MSG_RESULT($pcap_includes)
- V_INCLS="$V_INCLS -I$pcap_includes"
- else
- AC_MSG_RESULT($pcap_includes)
- fi
-
- dnl check if pcap_compile_nopcap needs error parameter (NetBSDism)
- if test "$ac_cv_lib_pcap_pcap_freecode" = yes ; then
- CFLAGS="$CFLAGS -I$pcap_includes"
- AC_MSG_CHECKING(if pcap_compile_nopcap needs error parameter)
- AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[
- #include
- ]], [[
- int snaplen;
- int linktype;
- struct bpf_program fp;
- int optimize;
- bpf_u_int32 netmask;
- char str[10];
- snaplen = 50;
- linktype = DLT_EN10MB;
- optimize = 1;
- netmask = 0L;
- str[0] = 'i'; str[1] = 'p'; str[2] = '\0';
- (void)pcap_compile_nopcap(snaplen, linktype, &fp, str, optimize, netmask);
- ]])],result="ok",result="wrong")
- if test "$result" = "ok" ; then
- AC_MSG_RESULT(not needed)
- else
- AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[
- #include
- ]], [[
- int snaplen;
- int linktype;
- struct bpf_program fp;
- int optimize;
- bpf_u_int32 netmask;
- char str[10];
- char error[1024];
- snaplen = 50;
- linktype = DLT_EN10MB;
- optimize = 1;
- netmask = 0L;
- str[0] = 'i'; str[1] = 'p'; str[2] = '\0';
- (void)pcap_compile_nopcap(snaplen, linktype, &fp, str, optimize, netmask, &error);
- ]])],result="ok",result="wrong")
- if test "$result" = "ok" ; then
- AC_DEFINE([LIBPCAP_PCAP_COMPILE_NOPCAP_HAS_ERROR_PARAMETER],[],
- [Some libpcap versions use an extra parameter (error) in pcap_compile_nopcap])
- AC_MSG_RESULT(needed)
- else
- AC_MSG_ERROR(don't know (weird pcap_compile_nopcap))
- fi
- fi
- fi
-
-
- case "$target_os" in
-
- aix*)
- pseexe="/lib/pse.exp"
- AC_MSG_CHECKING(for $pseexe)
- if test -f $pseexe ; then
- AC_MSG_RESULT(yes)
- LIBS="$LIBS -I:$pseexe"
- fi
- ;;
- esac])
-
-dnl
-dnl Define RETSIGTYPE and RETSIGVAL
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_TYPE_SIGNAL
-dnl
-dnl results:
-dnl
-dnl RETSIGTYPE (defined)
-dnl RETSIGVAL (defined)
-dnl
-AC_DEFUN([AC_LBL_TYPE_SIGNAL],
- [AC_BEFORE([$0], [AC_LBL_LIBPCAP])
- AC_TYPE_SIGNAL
- if test "$ac_cv_type_signal" = void ; then
- AC_DEFINE(RETSIGVAL,,[signal function return value])
- else
- AC_DEFINE(RETSIGVAL,(0))
- fi
- case "$target_os" in
-
- irix*)
- AC_DEFINE(_BSD_SIGNALS,,[irix's BSD style signals])
- ;;
-
- *)
- dnl prefer sigset() to sigaction()
- AC_CHECK_FUNCS(sigset)
- if test $ac_cv_func_sigset = yes ; then
- AC_DEFINE(signal,sigset,[use sigset() instead of signal()])
- else
- AC_CHECK_FUNCS(sigaction)
- fi
- ;;
- esac])
-
-dnl
-dnl If using gcc, make sure we have ANSI ioctl definitions
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_FIXINCLUDES
-dnl
-AC_DEFUN([AC_LBL_FIXINCLUDES],
- [if test "$GCC" = yes ; then
- AC_MSG_CHECKING(for ANSI ioctl definitions)
- AC_CACHE_VAL(ac_cv_lbl_gcc_fixincludes,
- AC_TRY_COMPILE(
- [/*
- * This generates a "duplicate case value" when fixincludes
- * has not be run.
- */
-# include
-# include
-# include
-# ifdef HAVE_SYS_IOCCOM_H
-# include
-# endif],
- [switch (0) {
- case _IO('A', 1):;
- case _IO('B', 1):;
- }],
- ac_cv_lbl_gcc_fixincludes=yes,
- ac_cv_lbl_gcc_fixincludes=no))
- AC_MSG_RESULT($ac_cv_lbl_gcc_fixincludes)
- if test $ac_cv_lbl_gcc_fixincludes = no ; then
- # Don't cache failure
- unset ac_cv_lbl_gcc_fixincludes
- AC_MSG_ERROR(see the INSTALL for more info)
- fi
- fi])
-
-dnl
-dnl Check for flex, default to lex
-dnl Require flex 2.4 or higher
-dnl Check for bison, default to yacc
-dnl Default to lex/yacc if both flex and bison are not available
-dnl Define the yy prefix string if using flex and bison
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_LEX_AND_YACC(lex, yacc, yyprefix)
-dnl
-dnl results:
-dnl
-dnl $1 (lex set)
-dnl $2 (yacc appended)
-dnl $3 (optional flex and bison -P prefix)
-dnl
-AC_DEFUN([AC_LBL_LEX_AND_YACC],
- [AC_ARG_WITH(flex, [ --without-flex don't use flex])
- AC_ARG_WITH(bison, [ --without-bison don't use bison])
- if test "$with_flex" = no ; then
- $1=lex
- else
- AC_CHECK_PROGS($1, flex, lex)
- fi
- if test "$$1" = flex ; then
- # The -V flag was added in 2.4
- AC_MSG_CHECKING(for flex 2.4 or higher)
- AC_CACHE_VAL(ac_cv_lbl_flex_v24,
- if flex -V >/dev/null 2>&1; then
- ac_cv_lbl_flex_v24=yes
- else
- ac_cv_lbl_flex_v24=no
- fi)
- AC_MSG_RESULT($ac_cv_lbl_flex_v24)
- if test $ac_cv_lbl_flex_v24 = no ; then
- s="2.4 or higher required"
- AC_MSG_WARN(ignoring obsolete flex executable ($s))
- $1=lex
- fi
- fi
- if test "$with_bison" = no ; then
- $2=yacc
- else
- AC_CHECK_PROGS($2, bison, yacc)
- fi
- if test "$$2" = bison ; then
- $2="$$2 -y"
- fi
- if test "$$1" != lex -a "$$2" = yacc -o "$$1" = lex -a "$$2" != yacc ; then
- AC_MSG_WARN(don't have both flex and bison; reverting to lex/yacc)
- $1=lex
- $2=yacc
- fi
- if test "$$1" = flex -a -n "$3" ; then
- $1="$$1 -P$3"
- $2="$$2 -p $3"
- fi])
-
-dnl
-dnl Checks to see if union wait is used with WEXITSTATUS()
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_UNION_WAIT
-dnl
-dnl results:
-dnl
-dnl DECLWAITSTATUS (defined)
-dnl
-AC_DEFUN([AC_LBL_UNION_WAIT],
- [AC_MSG_CHECKING(if union wait is used)
- AC_CACHE_VAL(ac_cv_lbl_union_wait,
- AC_TRY_COMPILE([
-# include
-# include ],
- [int status;
- u_int i = WEXITSTATUS(status);
- u_int j = waitpid(0, &status, 0);],
- ac_cv_lbl_union_wait=no,
- ac_cv_lbl_union_wait=yes))
- AC_MSG_RESULT($ac_cv_lbl_union_wait)
- if test $ac_cv_lbl_union_wait = yes ; then
- AC_DEFINE(DECLWAITSTATUS,union wait)
- else
- AC_DEFINE(DECLWAITSTATUS,int)
- fi])
-
-dnl
-dnl Checks to see if the sockaddr struct has the 4.4 BSD sa_len member
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_SOCKADDR_SA_LEN
-dnl
-dnl results:
-dnl
-dnl HAVE_SOCKADDR_SA_LEN (defined)
-dnl
-AC_DEFUN([AC_LBL_SOCKADDR_SA_LEN],
- [AC_CHECK_MEMBERS(struct sockaddr.sa_len,,,[
-# include
-# include ])])
-
-dnl
-dnl Makes sure socklen_t is defined
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_SOCKLEN_T
-dnl
-dnl results:
-dnl
-dnl socklen_t (defined if missing)
-dnl
-AC_DEFUN([AC_LBL_SOCKLEN_T],
- [AC_MSG_CHECKING(for socklen_t in sys/socket.h using $CC)
- AC_CACHE_VAL(ac_cv_lbl_socklen_t,
- AC_TRY_COMPILE([
-# include "confdefs.h"
-# include
-# include
-# if STDC_HEADERS
-# include
-# include
-# endif],
- [socklen_t i],
- ac_cv_lbl_socklen_t=yes,
- ac_cv_lbl_socklen_t=no))
- AC_MSG_RESULT($ac_cv_lbl_socklen_t)
- if test $ac_cv_lbl_socklen_t = no ; then
- AC_DEFINE(socklen_t, int, [Define socklen_t if missing])
- fi])
-
-dnl
-dnl Checks to see if the IFF_LOOPBACK exists as a define or enum
-dnl
-dnl (stupidly some versions of linux use an enum...)
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_IFF_LOOPBACK
-dnl
-dnl results:
-dnl
-dnl HAVE_IFF_LOOPBACK (defined)
-dnl
-AC_DEFUN([AC_LBL_IFF_LOOPBACK],
- [AC_MSG_CHECKING(for IFF_LOOPBACK define/enum)
- AC_CACHE_VAL(ac_cv_lbl_have_iff_loopback,
- AC_TRY_COMPILE([
-# include
-# include
-# include
-# include
-# ifdef HAVE_SYS_SOCKIO_H
-# include
-# endif
-# include
-# include
-# include ],
- [int i = IFF_LOOPBACK],
- ac_cv_lbl_have_iff_loopback=yes,
- ac_cv_lbl_have_iff_loopback=no))
- AC_MSG_RESULT($ac_cv_lbl_have_iff_loopback)
- if test $ac_cv_lbl_have_iff_loopback = yes ; then
- AC_DEFINE(HAVE_IFF_LOOPBACK,, [Have IFF_LOOPBACK define/enum])
- fi])
-
-dnl
-dnl Checks to see if -R is used
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_HAVE_RUN_PATH
-dnl
-dnl results:
-dnl
-dnl ac_cv_lbl_have_run_path (yes or no)
-dnl
-AC_DEFUN([AC_LBL_HAVE_RUN_PATH],
- [AC_MSG_CHECKING(for ${CC-cc} -R)
- AC_CACHE_VAL(ac_cv_lbl_have_run_path,
- [echo 'main(){}' > conftest.c
- ${CC-cc} -o conftest conftest.c -R/a1/b2/c3 >conftest.out 2>&1
- if test ! -s conftest.out ; then
- ac_cv_lbl_have_run_path=yes
- else
- ac_cv_lbl_have_run_path=no
- fi
- rm -f conftest*])
- AC_MSG_RESULT($ac_cv_lbl_have_run_path)
- ])
-
-dnl
-dnl Due to the stupid way it's implemented, AC_CHECK_TYPE is nearly useless.
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_CHECK_TYPE
-dnl
-dnl results:
-dnl
-dnl int32_t (defined)
-dnl u_int32_t (defined)
-dnl
-AC_DEFUN([AC_LBL_CHECK_TYPE],
- [AC_MSG_CHECKING(for $1 using $CC)
- AC_CACHE_VAL(ac_cv_lbl_have_$1,
- AC_TRY_COMPILE([
-# include "confdefs.h"
-# include
-# if STDC_HEADERS
-# include
-# include
-# endif],
- [$1 i],
- ac_cv_lbl_have_$1=yes,
- ac_cv_lbl_have_$1=no))
- AC_MSG_RESULT($ac_cv_lbl_have_$1)
- if test $ac_cv_lbl_have_$1 = no ; then
- AC_DEFINE($1, $2, Define $1)
- fi])
-
-dnl
-dnl Checks to see if unaligned memory accesses fail
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_UNALIGNED_ACCESS
-dnl
-dnl results:
-dnl
-dnl LBL_ALIGN (DEFINED)
-dnl
-AC_DEFUN([AC_LBL_UNALIGNED_ACCESS],
- [AC_MSG_CHECKING(if unaligned accesses fail)
- AC_CACHE_VAL(ac_cv_lbl_unaligned_fail,
- [case "$target_cpu" in
-
- alpha|hp*|mips|sparc)
- ac_cv_lbl_unaligned_fail=yes
- ;;
-
- *)
- cat >conftest.c <
-# include
-# include
- unsigned char a[[5]] = { 1, 2, 3, 4, 5 };
- main() {
- unsigned int i;
- pid_t pid;
- int status;
- /* avoid "core dumped" message */
- pid = fork();
- if (pid < 0)
- exit(2);
- if (pid > 0) {
- /* parent */
- pid = waitpid(pid, &status, 0);
- if (pid < 0)
- exit(3);
- exit(!WIFEXITED(status));
- }
- /* child */
- i = *(unsigned int *)&a[[1]];
- printf("%d\n", i);
- exit(0);
- }
-EOF
- ${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS \
- conftest.c $LIBS >/dev/null 2>&1
- if test ! -x conftest ; then
- dnl failed to compile for some reason
- ac_cv_lbl_unaligned_fail=yes
- else
- ./conftest >conftest.out
- if test ! -s conftest.out ; then
- ac_cv_lbl_unaligned_fail=yes
- else
- ac_cv_lbl_unaligned_fail=no
- fi
- fi
- rm -f conftest* core core.conftest
- ;;
- esac])
- AC_MSG_RESULT($ac_cv_lbl_unaligned_fail)
- if test $ac_cv_lbl_unaligned_fail = yes ; then
- AC_DEFINE(LBL_ALIGN)
- fi])
-
-dnl
-dnl add all warning option to CFLAGS
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_CHECK_WALL(copt)
-dnl
-dnl results:
-dnl
-dnl $1 (copt appended)
-dnl ac_cv_lbl_gcc_vers
-dnl
-AC_DEFUN([AC_LBL_CHECK_WALL],
- [ if test "$GCC" = yes ; then
- if test "$SHLICC2" = yes ; then
- ac_cv_lbl_gcc_vers=2
- $1="`echo $$1 | sed -e 's/-O/-O2/'`"
- else
- AC_MSG_CHECKING(gcc version)
- AC_CACHE_VAL(ac_cv_lbl_gcc_vers,
- # Gag, the gcc folks keep changing the output...
- ac_cv_lbl_gcc_vers=`$CC --version 2>&1 | \
- sed -e '1!d' -e 's/.* //' -e 's/\..*//'`)
- AC_MSG_RESULT($ac_cv_lbl_gcc_vers)
- if test $ac_cv_lbl_gcc_vers -gt 1 ; then
- $1="`echo $$1 | sed -e 's/-O/-O2/'`"
- fi
- fi
- if test "${LBL_CFLAGS+set}" != set; then
- if test "$ac_cv_prog_cc_g" = yes ; then
- $1="-g $$1"
- fi
- $1="$$1 -Wall"
- if test $ac_cv_lbl_gcc_vers -gt 1 ; then
- $1="$$1 -Wmissing-prototypes -Wstrict-prototypes"
- fi
- fi
- else
- case "$target_os" in
-
- irix6*)
- $1="$$1 -fullwarn -n32"
- ;;
-
- *)
- ;;
- esac
- fi])
-
-dnl
-dnl If using gcc and the file .devel exists:
-dnl Compile with -g (if supported) and -Wall
-dnl If using gcc 2, do extra prototype checking
-dnl If an os prototype include exists, symlink os-proto.h to it
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_DEVEL(copt)
-dnl
-dnl results:
-dnl
-dnl $1 (copt appended)
-dnl HAVE_OS_PROTO_H (defined)
-dnl os-proto.h (symlinked)
-dnl
-AC_DEFUN([AC_LBL_DEVEL],
- [rm -f os-proto.h
- if test "${LBL_CFLAGS+set}" = set; then
- $1="$$1 ${LBL_CFLAGS}"
- fi
- if test -f .devel ; then
- AC_LBL_CHECK_WALL($1)
- os=`echo $target_os | sed -e 's/\([[0-9]][[0-9]]*\)[[^0-9]].*$/\1/'`
- name="lbl/os-$os.h"
- if test -f $name ; then
- ln -s $name os-proto.h
- AC_DEFINE(HAVE_OS_PROTO_H,,[have os-proto.h])
- else
- AC_MSG_WARN(can't find $name)
- fi
- fi])
-
-dnl
-dnl Improved version of AC_CHECK_LIB
-dnl
-dnl Thanks to John Hawkinson (jhawk@mit.edu)
-dnl
-dnl usage:
-dnl
-dnl AC_LBL_CHECK_LIB(LIBRARY, FUNCTION [, ACTION-IF-FOUND [,
-dnl ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]])
-dnl
-dnl results:
-dnl
-dnl LIBS
-dnl
-
-define(AC_LBL_CHECK_LIB,
-[AC_MSG_CHECKING([for $2 in -l$1])
-dnl Use a cache variable name containing both the library and function name,
-dnl because the test really is for library $1 defining function $2, not
-dnl just for library $1. Separate tests with the same $1 and different $2's
-dnl may have different results.
-ac_lib_var=`echo $1['_']$2['_']$5 | sed 'y%./+- %__p__%'`
-AC_CACHE_VAL(ac_cv_lbl_lib_$ac_lib_var,
-[ac_save_LIBS="$LIBS"
-LIBS="-l$1 $5 $LIBS"
-AC_TRY_LINK(dnl
-ifelse([$2], [main], , dnl Avoid conflicting decl of main.
-[/* Override any gcc2 internal prototype to avoid an error. */
-]ifelse(AC_LANG, CPLUSPLUS, [#ifdef __cplusplus
-extern "C"
-#endif
-])dnl
-[/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char $2();
-]),
- [$2()],
- eval "ac_cv_lbl_lib_$ac_lib_var=yes",
- eval "ac_cv_lbl_lib_$ac_lib_var=no")
-LIBS="$ac_save_LIBS"
-])dnl
-if eval "test \"`echo '$ac_cv_lbl_lib_'$ac_lib_var`\" = yes"; then
- AC_MSG_RESULT(yes)
- ifelse([$3], ,
-[changequote(, )dnl
- ac_tr_lib=HAVE_LIB`echo $1 | sed -e 's/[^a-zA-Z0-9_]/_/g' \
- -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'`
-changequote([, ])dnl
- AC_DEFINE_UNQUOTED($ac_tr_lib)
- LIBS="-l$1 $LIBS"
-], [$3])
-else
- AC_MSG_RESULT(no)
-ifelse([$4], , , [$4
-])dnl
-fi
-])
-
-dnl
-dnl AC_LBL_LIBRARY_NET
-dnl
-dnl This test is for network applications that need socket() and
-dnl gethostbyname() -ish functions. Under Solaris, those applications
-dnl need to link with "-lsocket -lnsl". Under IRIX, they need to link
-dnl with "-lnsl" but should *not* link with "-lsocket" because
-dnl libsocket.a breaks a number of things (for instance:
-dnl gethostbyname() under IRIX 5.2, and snoop sockets under most
-dnl versions of IRIX).
-dnl
-dnl Unfortunately, many application developers are not aware of this,
-dnl and mistakenly write tests that cause -lsocket to be used under
-dnl IRIX. It is also easy to write tests that cause -lnsl to be used
-dnl under operating systems where neither are necessary (or useful),
-dnl such as SunOS 4.1.4, which uses -lnsl for TLI.
-dnl
-dnl This test exists so that every application developer does not test
-dnl this in a different, and subtly broken fashion.
-
-dnl It has been argued that this test should be broken up into two
-dnl seperate tests, one for the resolver libraries, and one for the
-dnl libraries necessary for using Sockets API. Unfortunately, the two
-dnl are carefully intertwined and allowing the autoconf user to use
-dnl them independantly potentially results in unfortunate ordering
-dnl dependancies -- as such, such component macros would have to
-dnl carefully use indirection and be aware if the other components were
-dnl executed. Since other autoconf macros do not go to this trouble,
-dnl and almost no applications use sockets without the resolver, this
-dnl complexity has not been implemented.
-dnl
-dnl The check for libresolv is in case you are attempting to link
-dnl statically and happen to have a libresolv.a lying around (and no
-dnl libnsl.a).
-dnl
-AC_DEFUN([AC_LBL_LIBRARY_NET], [
- # Most operating systems have gethostbyname() in the default searched
- # libraries (i.e. libc):
- AC_CHECK_FUNC(gethostbyname, ,
- # Some OSes (eg. Solaris) place it in libnsl:
- AC_CHECK_LIB(nsl, gethostbyname, ,
- # Some strange OSes (SINIX) have it in libsocket:
- AC_CHECK_LIB(socket, gethostbyname, ,
- # Unfortunately libsocket sometimes depends on libnsl.
- # AC_CHECK_LIB's API is essentially broken so the
- # following ugliness is necessary:
- AC_CHECK_LIB(socket, gethostbyname,
- LIBS="-lsocket -lnsl $LIBS",
- AC_CHECK_LIB(resolv, gethostbyname),
- -lnsl))))
- AC_CHECK_FUNC(socket, , AC_CHECK_LIB(socket, socket, ,
- AC_CHECK_LIB(socket, socket, LIBS="-lsocket -lnsl $LIBS", ,
- -lnsl)))
- # DLPI needs putmsg under HPUX so test for -lstr while we're at it
- AC_CHECK_LIB(str, putmsg)
- ])
-
-
-dnl
-dnl Checks to see if declaring syslog() and openlog() as returning int
-dnl is compatible with and , or if we should not
-dnl declare them explicitly.
-dnl
-dnl usage:
-dnl
-dnl AC_BRO_SYSLOG_INT
-dnl
-dnl results:
-dnl
-dnl SYSLOG_INT (either defined or not defined)
-dnl
-AC_DEFUN([AC_BRO_SYSLOG_INT],
- [AC_LANG_CPLUSPLUS
- AC_MSG_CHECKING(if syslog returns int)
- AC_CACHE_VAL(ac_cv_bro_syslog_int,
- AC_TRY_COMPILE([
-# include
-# include
- extern "C" {
- int openlog(const char* ident, int logopt, int facility);
- int syslog(int priority, const char* message_fmt, ...);
- int closelog();
- }],,
- ac_cv_bro_syslog_int=yes,
- ac_cv_bro_syslog_int=no))
- AC_MSG_RESULT($ac_cv_bro_syslog_int)
- if test $ac_cv_bro_syslog_int = yes ; then
- AC_DEFINE(SYSLOG_INT,,[should we declare syslog() and openlog()])
- fi])
-
-dnl
-dnl Checks to see if we should explicitly declare socket() and friends.
-dnl
-dnl usage:
-dnl
-dnl AC_BRO_SOCK_DECL
-dnl
-dnl results:
-dnl
-dnl DO_SOCK_DECL (either defined or not defined)
-dnl
-AC_DEFUN([AC_BRO_SOCK_DECL],
- [AC_LANG_C
- AC_MSG_CHECKING(if we should declare socket and friends)
- AC_CACHE_VAL(ac_cv_bro_sock_decl,
- AC_TRY_COMPILE([
-# include
-# include
- extern int socket(int, int, int);
- extern int connect(int, const struct sockaddr *, int);
- extern int send(int, const void *, int, int);
- extern int recvfrom(int, void *, int, int, struct sockaddr *, int *);
- ],,
- ac_cv_bro_sock_decl=yes,
- ac_cv_bro_sock_decl=no))
- AC_MSG_RESULT($ac_cv_bro_sock_decl)
- if test $ac_cv_bro_sock_decl = yes ; then
- AC_DEFINE(DO_SOCK_DECL,,[should explicitly declare socket() and friends])
- fi])
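Review bot: Removing AC_BRO_SYSLOG_INT and AC_BRO_SOCK_DECL at the end of this hunk removes the checks that define SYSLOG_INT and DO_SOCK_DECL, and removing AC_LBL_LIBRARY_NET drops the probe that puts `-lsocket -lnsl` (and `-lstr` for putmsg on HP-UX) into LIBS. Any source file that still tests `#ifdef SYSLOG_INT` or `#ifdef DO_SOCK_DECL` would then quietly compile the other branch, and a Solaris link would lose its socket libraries. Either port these three checks to the replacement build system or remove the guarded declarations in the same change, and say which in the commit message.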
diff --git a/autogen.sh b/autogen.sh
deleted file mode 100755
index 817498c141..0000000000
--- a/autogen.sh
+++ /dev/null
@@ -1,143 +0,0 @@
-#!/bin/sh
-
-# Initialization script to set up the initial configuration files etc.
-# shtool usage inspired by the autogen script of the ferite scripting
-# language -- cheers Chris :)
-#
-# This is 'borrowed' from netdude, with minor changes for bro
-
-BLD_ON=`./shtool echo -n -e %B`
-BLD_OFF=`./shtool echo -n -e %b`
-
-srcdir=`dirname $0`
-NAME=bro
-
-DIE=0
-
-echo
-echo " "${BLD_ON}"BRO Build Tools Setup"${BLD_OFF}
-echo "===================================================="
-echo
-echo "Checking whether we have all tools available ..."
-
-(autoconf --version) < /dev/null > /dev/null 2>&1 || {
- echo
- echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`autoconf' installed to."
- echo "Download the appropriate package for your distribution,"
- echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
- DIE=1
-}
-
-(automake --version) < /dev/null > /dev/null 2>&1 || {
- echo
- echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`automake' installed."
- echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
- echo "(or a newer version if it is available)"
- DIE=1
- NO_AUTOMAKE=yes
-}
-
-# if no automake, don't bother testing for aclocal
-test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
- echo
- echo ${BLD_ON}"Error"${BLD_OFF}": Missing \`aclocal'. The version of \`automake'"
- echo "installed doesn't appear recent enough."
- echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
- echo "(or a newer version if it is available)"
- DIE=1
-}
-
-if test "$DIE" -eq 1; then
- exit 1
-fi
-
-echo "All necessary tools found."
-echo
-
-if [ -d autom4te.cache ] ; then
- echo "Removing autom4te.cache ..."
- rm -rf autom4te.cache
- #echo
- #echo ${BLD_ON}"Error"${BLD_OFF}": autom4te.cache directory exists"
- #echo "please remove it, and rerun this script"
- #echo
- #exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"aclocal"${BLD_OFF}
-echo "----------------------------------------------------"
-aclocal -I . $ACLOCAL_FLAGS
-if [ $? -ne 0 ]; then
- echo "*** ERROR($NAME), aborting."
- exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"autoheader"${BLD_OFF}
-echo "----------------------------------------------------"
-autoheader
-if [ $? -ne 0 ]; then
- echo "*** ERROR($NAME), aborting."
- exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"automake"${BLD_OFF}
-echo "----------------------------------------------------"
-automake -a -c
-if [ $? -ne 0 ]; then
- echo "*** ERROR($NAME), aborting."
- exit 1
-fi
-
-echo
-echo "running "${BLD_ON}"autoconf"${BLD_OFF}
-echo "----------------------------------------------------"
-autoconf
-if [ $? -ne 0 ]; then
- echo "*** ERROR($NAME), aborting."
- exit 1
-fi
-
-echo
-echo
-echo "Running aux/binpac/autogen.sh"
-echo "----------------------------------------------------"
-(cd aux/binpac/ && BROBUILD=yes ./autogen.sh)
-if [ $? -ne 0 ]; then
- echo "*** ERROR($NAME), aborting."
- exit 1
-fi
-
-echo
-echo
-echo "Running aux/broccoli/autogen.sh"
-echo "----------------------------------------------------"
-(cd aux/broccoli/ && BROBUILD=yes ./autogen.sh)
-if [ $? -ne 0 ]; then
- echo "*** ERROR($NAME), aborting."
- exit 1
-fi
-
-echo
-echo
-echo "Running aux/broctl/aux/capstats/autogen.sh"
-echo "----------------------------------------------------"
-(cd aux/broctl/aux/capstats && ./autogen.sh)
-if [ $? -ne 0 ]; then
- echo "*** ERROR($NAME), aborting."
- exit 1
-fi
-
-echo
-echo
-echo "Setup finished. Now run:"
-echo
-echo " $ "${BLD_ON}"./configure"${BLD_OFF}" (with options as needed, try --help)"
-echo
-echo "and then"
-echo
-echo " $ "${BLD_ON}"make"${BLD_OFF}
-echo " # "${BLD_ON}"make install"${BLD_OFF}
-echo
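Review bot: The last three steps of the deleted script are the part that needs a replacement: they bootstrap aux/binpac and aux/broccoli with `BROBUILD=yes ./autogen.sh` and aux/broctl/aux/capstats with `./autogen.sh`, and nothing in this hunk shows what prepares those subtrees now. Please confirm that the new build covers all three, or that each is meant to be built standalone, and that INSTALL and the release checklist no longer tell anyone to run `./autogen.sh`.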
diff --git a/compile b/compile
deleted file mode 100755
index a81e000ae1..0000000000
--- a/compile
+++ /dev/null
@@ -1,136 +0,0 @@
-#! /bin/sh
-# Wrapper for compilers which do not understand `-c -o'.
-
-scriptversion=2003-11-09.00
-
-# Copyright (C) 1999, 2000, 2003 Free Software Foundation, Inc.
-# Written by Tom Tromey .
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# This file is maintained in Automake, please report
-# bugs to or send patches to
-# .
-
-case $1 in
- '')
- echo "$0: No command. Try \`$0 --help' for more information." 1>&2
- exit 1;
- ;;
- -h | --h*)
- cat <<\EOF
-Usage: compile [--help] [--version] PROGRAM [ARGS]
-
-Wrapper for compilers which do not understand `-c -o'.
-Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
-arguments, and rename the output as expected.
-
-If you are trying to build a whole package this is not the
-right script to run: please start by reading the file `INSTALL'.
-
-Report bugs to .
-EOF
- exit 0
- ;;
- -v | --v*)
- echo "compile $scriptversion"
- exit 0
- ;;
-esac
-
-
-prog=$1
-shift
-
-ofile=
-cfile=
-args=
-while test $# -gt 0; do
- case "$1" in
- -o)
- # configure might choose to run compile as `compile cc -o foo foo.c'.
- # So we do something ugly here.
- ofile=$2
- shift
- case "$ofile" in
- *.o | *.obj)
- ;;
- *)
- args="$args -o $ofile"
- ofile=
- ;;
- esac
- ;;
- *.c)
- cfile=$1
- args="$args $1"
- ;;
- *)
- args="$args $1"
- ;;
- esac
- shift
-done
-
-if test -z "$ofile" || test -z "$cfile"; then
- # If no `-o' option was seen then we might have been invoked from a
- # pattern rule where we don't need one. That is ok -- this is a
- # normal compilation that the losing compiler can handle. If no
- # `.c' file was seen then we are probably linking. That is also
- # ok.
- exec "$prog" $args
-fi
-
-# Name of file we expect compiler to create.
-cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
-
-# Create the lock directory.
-# Note: use `[/.-]' here to ensure that we don't use the same name
-# that we are using for the .o file. Also, base the name on the expected
-# object file name, since that is what matters with a parallel build.
-lockdir=`echo $cofile | sed -e 's|[/.-]|_|g'`.d
-while true; do
- if mkdir $lockdir > /dev/null 2>&1; then
- break
- fi
- sleep 1
-done
-# FIXME: race condition here if user kills between mkdir and trap.
-trap "rmdir $lockdir; exit 1" 1 2 15
-
-# Run the compile.
-"$prog" $args
-status=$?
-
-if test -f "$cofile"; then
- mv "$cofile" "$ofile"
-fi
-
-rmdir $lockdir
-exit $status
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
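Review bot: The commit message should state that `compile` is an Automake-maintained auxiliary file (its own header says "This file is maintained in Automake") and not project code, so readers do not go looking for a functional replacement. Before merging, check that no Makefile.in or configure script remaining in the tree still invokes the wrapper, because a build that expects it would fail at the first `-c -o` compile once the file is gone.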
diff --git a/config.guess b/config.guess
deleted file mode 100755
index 6bdac8d7b6..0000000000
--- a/config.guess
+++ /dev/null
@@ -1,1388 +0,0 @@
-#! /bin/sh
-# Attempt to guess a canonical system name.
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
-
-timestamp='2003-05-09'
-
-# This file is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Originally written by Per Bothner .
-# Please send patches to . Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# This script attempts to guess a canonical system name similar to
-# config.sub. If it succeeds, it prints the system name on stdout, and
-# exits with 0. Otherwise, it exits with 1.
-#
-# The plan is that this can be called by configure scripts if you
-# don't specify an explicit build system type.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION]
-
-Output the configuration name of the system \`$me' is run on.
-
-Operation modes:
- -h, --help print this help, then exit
- -t, --time-stamp print date of last modification, then exit
- -v, --version print version number, then exit
-
-Report bugs and patches to ."
-
-version="\
-GNU config.guess ($timestamp)
-
-Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions. There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
- case $1 in
- --time-stamp | --time* | -t )
- echo "$timestamp" ; exit 0 ;;
- --version | -v )
- echo "$version" ; exit 0 ;;
- --help | --h* | -h )
- echo "$usage"; exit 0 ;;
- -- ) # Stop option processing
- shift; break ;;
- - ) # Use stdin as input.
- break ;;
- -* )
- echo "$me: invalid option $1$help" >&2
- exit 1 ;;
- * )
- break ;;
- esac
-done
-
-if test $# != 0; then
- echo "$me: too many arguments$help" >&2
- exit 1
-fi
-
-trap 'exit 1' 1 2 15
-
-# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
-# compiler to aid in system detection is discouraged as it requires
-# temporary files to be created and, as you can see below, it is a
-# headache to deal with in a portable fashion.
-
-# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
-# use `HOST_CC' if defined, but it is deprecated.
-
-# Portable tmp directory creation inspired by the Autoconf team.
-
-set_cc_for_build='
-trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
-trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
-: ${TMPDIR=/tmp} ;
- { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
- { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
- { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
-dummy=$tmp/dummy ;
-tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
-case $CC_FOR_BUILD,$HOST_CC,$CC in
- ,,) echo "int x;" > $dummy.c ;
- for c in cc gcc c89 c99 ; do
- if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
- CC_FOR_BUILD="$c"; break ;
- fi ;
- done ;
- if test x"$CC_FOR_BUILD" = x ; then
- CC_FOR_BUILD=no_compiler_found ;
- fi
- ;;
- ,,*) CC_FOR_BUILD=$CC ;;
- ,*,*) CC_FOR_BUILD=$HOST_CC ;;
-esac ;'
-
-# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
-# (ghazi@noc.rutgers.edu 1994-08-24)
-if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
- PATH=$PATH:/.attbin ; export PATH
-fi
-
-UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
-UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
-UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
-UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
-
-# Note: order is significant - the case branches are not exclusive.
-
-case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
- *:NetBSD:*:*)
- # NetBSD (nbsd) targets should (where applicable) match one or
- # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
- # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
- # switched to ELF, *-*-netbsd* would select the old
- # object file format. This provides both forward
- # compatibility and a consistent mechanism for selecting the
- # object file format.
- #
- # Note: NetBSD doesn't particularly care about the vendor
- # portion of the name. We always set it to "unknown".
- sysctl="sysctl -n hw.machine_arch"
- UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
- /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
- case "${UNAME_MACHINE_ARCH}" in
- armeb) machine=armeb-unknown ;;
- arm*) machine=arm-unknown ;;
- sh3el) machine=shl-unknown ;;
- sh3eb) machine=sh-unknown ;;
- *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
- esac
- # The Operating System including object format, if it has switched
- # to ELF recently, or will in the future.
- case "${UNAME_MACHINE_ARCH}" in
- arm*|i386|m68k|ns32k|sh3*|sparc|vax)
- eval $set_cc_for_build
- if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
- | grep __ELF__ >/dev/null
- then
- # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
- # Return netbsd for either. FIX?
- os=netbsd
- else
- os=netbsdelf
- fi
- ;;
- *)
- os=netbsd
- ;;
- esac
- # The OS release
- # Debian GNU/NetBSD machines have a different userland, and
- # thus, need a distinct triplet. However, they do not need
- # kernel version information, so it can be replaced with a
- # suitable tag, in the style of linux-gnu.
- case "${UNAME_VERSION}" in
- Debian*)
- release='-gnu'
- ;;
- *)
- release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
- ;;
- esac
- # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
- # contains redundant information, the shorter form:
- # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
- echo "${machine}-${os}${release}"
- exit 0 ;;
- amiga:OpenBSD:*:*)
- echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- arc:OpenBSD:*:*)
- echo mipsel-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- hp300:OpenBSD:*:*)
- echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- mac68k:OpenBSD:*:*)
- echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- macppc:OpenBSD:*:*)
- echo powerpc-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- mvme68k:OpenBSD:*:*)
- echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- mvme88k:OpenBSD:*:*)
- echo m88k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- mvmeppc:OpenBSD:*:*)
- echo powerpc-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- pmax:OpenBSD:*:*)
- echo mipsel-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- sgi:OpenBSD:*:*)
- echo mipseb-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- sun3:OpenBSD:*:*)
- echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- wgrisc:OpenBSD:*:*)
- echo mipsel-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- *:OpenBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- alpha:OSF1:*:*)
- if test $UNAME_RELEASE = "V4.0"; then
- UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
- fi
- # According to Compaq, /usr/sbin/psrinfo has been available on
- # OSF/1 and Tru64 systems produced since 1995. I hope that
- # covers most systems running today. This code pipes the CPU
- # types through head -n 1, so we only detect the type of CPU 0.
- ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
- case "$ALPHA_CPU_TYPE" in
- "EV4 (21064)")
- UNAME_MACHINE="alpha" ;;
- "EV4.5 (21064)")
- UNAME_MACHINE="alpha" ;;
- "LCA4 (21066/21068)")
- UNAME_MACHINE="alpha" ;;
- "EV5 (21164)")
- UNAME_MACHINE="alphaev5" ;;
- "EV5.6 (21164A)")
- UNAME_MACHINE="alphaev56" ;;
- "EV5.6 (21164PC)")
- UNAME_MACHINE="alphapca56" ;;
- "EV5.7 (21164PC)")
- UNAME_MACHINE="alphapca57" ;;
- "EV6 (21264)")
- UNAME_MACHINE="alphaev6" ;;
- "EV6.7 (21264A)")
- UNAME_MACHINE="alphaev67" ;;
- "EV6.8CB (21264C)")
- UNAME_MACHINE="alphaev68" ;;
- "EV6.8AL (21264B)")
- UNAME_MACHINE="alphaev68" ;;
- "EV6.8CX (21264D)")
- UNAME_MACHINE="alphaev68" ;;
- "EV6.9A (21264/EV69A)")
- UNAME_MACHINE="alphaev69" ;;
- "EV7 (21364)")
- UNAME_MACHINE="alphaev7" ;;
- "EV7.9 (21364A)")
- UNAME_MACHINE="alphaev79" ;;
- esac
- # A Vn.n version is a released version.
- # A Tn.n version is a released field test version.
- # A Xn.n version is an unreleased experimental baselevel.
- # 1.2 uses "1.2" for uname -r.
- echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
- exit 0 ;;
- Alpha\ *:Windows_NT*:*)
- # How do we know it's Interix rather than the generic POSIX subsystem?
- # Should we change UNAME_MACHINE based on the output of uname instead
- # of the specific Alpha model?
- echo alpha-pc-interix
- exit 0 ;;
- 21064:Windows_NT:50:3)
- echo alpha-dec-winnt3.5
- exit 0 ;;
- Amiga*:UNIX_System_V:4.0:*)
- echo m68k-unknown-sysv4
- exit 0;;
- *:[Aa]miga[Oo][Ss]:*:*)
- echo ${UNAME_MACHINE}-unknown-amigaos
- exit 0 ;;
- *:[Mm]orph[Oo][Ss]:*:*)
- echo ${UNAME_MACHINE}-unknown-morphos
- exit 0 ;;
- *:OS/390:*:*)
- echo i370-ibm-openedition
- exit 0 ;;
- arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
- echo arm-acorn-riscix${UNAME_RELEASE}
- exit 0;;
- SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
- echo hppa1.1-hitachi-hiuxmpp
- exit 0;;
- Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
- # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
- if test "`(/bin/universe) 2>/dev/null`" = att ; then
- echo pyramid-pyramid-sysv3
- else
- echo pyramid-pyramid-bsd
- fi
- exit 0 ;;
- NILE*:*:*:dcosx)
- echo pyramid-pyramid-svr4
- exit 0 ;;
- DRS?6000:UNIX_SV:4.2*:7*)
- case `/usr/bin/uname -p` in
- sparc) echo sparc-icl-nx7 && exit 0 ;;
- esac ;;
- sun4H:SunOS:5.*:*)
- echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
- echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- i86pc:SunOS:5.*:*)
- echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- sun4*:SunOS:6*:*)
- # According to config.sub, this is the proper way to canonicalize
- # SunOS6. Hard to guess exactly what SunOS6 will be like, but
- # it's likely to be more like Solaris than SunOS4.
- echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- sun4*:SunOS:*:*)
- case "`/usr/bin/arch -k`" in
- Series*|S4*)
- UNAME_RELEASE=`uname -v`
- ;;
- esac
- # Japanese Language versions have a version number like `4.1.3-JL'.
- echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
- exit 0 ;;
- sun3*:SunOS:*:*)
- echo m68k-sun-sunos${UNAME_RELEASE}
- exit 0 ;;
- sun*:*:4.2BSD:*)
- UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
- test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
- case "`/bin/arch`" in
- sun3)
- echo m68k-sun-sunos${UNAME_RELEASE}
- ;;
- sun4)
- echo sparc-sun-sunos${UNAME_RELEASE}
- ;;
- esac
- exit 0 ;;
- aushp:SunOS:*:*)
- echo sparc-auspex-sunos${UNAME_RELEASE}
- exit 0 ;;
- # The situation for MiNT is a little confusing. The machine name
- # can be virtually everything (everything which is not
- # "atarist" or "atariste" at least should have a processor
- # > m68000). The system name ranges from "MiNT" over "FreeMiNT"
- # to the lowercase version "mint" (or "freemint"). Finally
- # the system name "TOS" denotes a system which is actually not
- # MiNT. But MiNT is downward compatible to TOS, so this should
- # be no problem.
- atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
- atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
- *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
- milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
- echo m68k-milan-mint${UNAME_RELEASE}
- exit 0 ;;
- hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
- echo m68k-hades-mint${UNAME_RELEASE}
- exit 0 ;;
- *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
- echo m68k-unknown-mint${UNAME_RELEASE}
- exit 0 ;;
- powerpc:machten:*:*)
- echo powerpc-apple-machten${UNAME_RELEASE}
- exit 0 ;;
- RISC*:Mach:*:*)
- echo mips-dec-mach_bsd4.3
- exit 0 ;;
- RISC*:ULTRIX:*:*)
- echo mips-dec-ultrix${UNAME_RELEASE}
- exit 0 ;;
- VAX*:ULTRIX*:*:*)
- echo vax-dec-ultrix${UNAME_RELEASE}
- exit 0 ;;
- 2020:CLIX:*:* | 2430:CLIX:*:*)
- echo clipper-intergraph-clix${UNAME_RELEASE}
- exit 0 ;;
- mips:*:*:UMIPS | mips:*:*:RISCos)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
-#ifdef __cplusplus
-#include /* for printf() prototype */
- int main (int argc, char *argv[]) {
-#else
- int main (argc, argv) int argc; char *argv[]; {
-#endif
- #if defined (host_mips) && defined (MIPSEB)
- #if defined (SYSTYPE_SYSV)
- printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
- #endif
- #if defined (SYSTYPE_SVR4)
- printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
- #endif
- #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
- printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
- #endif
- #endif
- exit (-1);
- }
-EOF
- $CC_FOR_BUILD -o $dummy $dummy.c \
- && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
- && exit 0
- echo mips-mips-riscos${UNAME_RELEASE}
- exit 0 ;;
- Motorola:PowerMAX_OS:*:*)
- echo powerpc-motorola-powermax
- exit 0 ;;
- Motorola:*:4.3:PL8-*)
- echo powerpc-harris-powermax
- exit 0 ;;
- Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
- echo powerpc-harris-powermax
- exit 0 ;;
- Night_Hawk:Power_UNIX:*:*)
- echo powerpc-harris-powerunix
- exit 0 ;;
- m88k:CX/UX:7*:*)
- echo m88k-harris-cxux7
- exit 0 ;;
- m88k:*:4*:R4*)
- echo m88k-motorola-sysv4
- exit 0 ;;
- m88k:*:3*:R3*)
- echo m88k-motorola-sysv3
- exit 0 ;;
- AViiON:dgux:*:*)
- # DG/UX returns AViiON for all architectures
- UNAME_PROCESSOR=`/usr/bin/uname -p`
- if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
- then
- if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
- [ ${TARGET_BINARY_INTERFACE}x = x ]
- then
- echo m88k-dg-dgux${UNAME_RELEASE}
- else
- echo m88k-dg-dguxbcs${UNAME_RELEASE}
- fi
- else
- echo i586-dg-dgux${UNAME_RELEASE}
- fi
- exit 0 ;;
- M88*:DolphinOS:*:*) # DolphinOS (SVR3)
- echo m88k-dolphin-sysv3
- exit 0 ;;
- M88*:*:R3*:*)
- # Delta 88k system running SVR3
- echo m88k-motorola-sysv3
- exit 0 ;;
- XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
- echo m88k-tektronix-sysv3
- exit 0 ;;
- Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
- echo m68k-tektronix-bsd
- exit 0 ;;
- *:IRIX*:*:*)
- echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
- exit 0 ;;
- ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
- echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
- exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX '
- i*86:AIX:*:*)
- echo i386-ibm-aix
- exit 0 ;;
- ia64:AIX:*:*)
- if [ -x /usr/bin/oslevel ] ; then
- IBM_REV=`/usr/bin/oslevel`
- else
- IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
- fi
- echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
- exit 0 ;;
- *:AIX:2:3)
- if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #include
-
- main()
- {
- if (!__power_pc())
- exit(1);
- puts("powerpc-ibm-aix3.2.5");
- exit(0);
- }
-EOF
- $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
- echo rs6000-ibm-aix3.2.5
- elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
- echo rs6000-ibm-aix3.2.4
- else
- echo rs6000-ibm-aix3.2
- fi
- exit 0 ;;
- *:AIX:*:[45])
- IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
- if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
- IBM_ARCH=rs6000
- else
- IBM_ARCH=powerpc
- fi
- if [ -x /usr/bin/oslevel ] ; then
- IBM_REV=`/usr/bin/oslevel`
- else
- IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
- fi
- echo ${IBM_ARCH}-ibm-aix${IBM_REV}
- exit 0 ;;
- *:AIX:*:*)
- echo rs6000-ibm-aix
- exit 0 ;;
- ibmrt:4.4BSD:*|romp-ibm:BSD:*)
- echo romp-ibm-bsd4.4
- exit 0 ;;
- ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
- echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
- exit 0 ;; # report: romp-ibm BSD 4.3
- *:BOSX:*:*)
- echo rs6000-bull-bosx
- exit 0 ;;
- DPX/2?00:B.O.S.:*:*)
- echo m68k-bull-sysv3
- exit 0 ;;
- 9000/[34]??:4.3bsd:1.*:*)
- echo m68k-hp-bsd
- exit 0 ;;
- hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
- echo m68k-hp-bsd4.4
- exit 0 ;;
- 9000/[34678]??:HP-UX:*:*)
- HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
- case "${UNAME_MACHINE}" in
- 9000/31? ) HP_ARCH=m68000 ;;
- 9000/[34]?? ) HP_ARCH=m68k ;;
- 9000/[678][0-9][0-9])
- if [ -x /usr/bin/getconf ]; then
- sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
- sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
- case "${sc_cpu_version}" in
- 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
- 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
- 532) # CPU_PA_RISC2_0
- case "${sc_kernel_bits}" in
- 32) HP_ARCH="hppa2.0n" ;;
- 64) HP_ARCH="hppa2.0w" ;;
- '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
- esac ;;
- esac
- fi
- if [ "${HP_ARCH}" = "" ]; then
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
-
- #define _HPUX_SOURCE
- #include
- #include
-
- int main ()
- {
- #if defined(_SC_KERNEL_BITS)
- long bits = sysconf(_SC_KERNEL_BITS);
- #endif
- long cpu = sysconf (_SC_CPU_VERSION);
-
- switch (cpu)
- {
- case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
- case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
- case CPU_PA_RISC2_0:
- #if defined(_SC_KERNEL_BITS)
- switch (bits)
- {
- case 64: puts ("hppa2.0w"); break;
- case 32: puts ("hppa2.0n"); break;
- default: puts ("hppa2.0"); break;
- } break;
- #else /* !defined(_SC_KERNEL_BITS) */
- puts ("hppa2.0"); break;
- #endif
- default: puts ("hppa1.0"); break;
- }
- exit (0);
- }
-EOF
- (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
- test -z "$HP_ARCH" && HP_ARCH=hppa
- fi ;;
- esac
- if [ ${HP_ARCH} = "hppa2.0w" ]
- then
- # avoid double evaluation of $set_cc_for_build
- test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
- if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null
- then
- HP_ARCH="hppa2.0w"
- else
- HP_ARCH="hppa64"
- fi
- fi
- echo ${HP_ARCH}-hp-hpux${HPUX_REV}
- exit 0 ;;
- ia64:HP-UX:*:*)
- HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
- echo ia64-hp-hpux${HPUX_REV}
- exit 0 ;;
- 3050*:HI-UX:*:*)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #include
- int
- main ()
- {
- long cpu = sysconf (_SC_CPU_VERSION);
- /* The order matters, because CPU_IS_HP_MC68K erroneously returns
- true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct
- results, however. */
- if (CPU_IS_PA_RISC (cpu))
- {
- switch (cpu)
- {
- case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
- case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
- case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
- default: puts ("hppa-hitachi-hiuxwe2"); break;
- }
- }
- else if (CPU_IS_HP_MC68K (cpu))
- puts ("m68k-hitachi-hiuxwe2");
- else puts ("unknown-hitachi-hiuxwe2");
- exit (0);
- }
-EOF
- $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
- echo unknown-hitachi-hiuxwe2
- exit 0 ;;
- 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
- echo hppa1.1-hp-bsd
- exit 0 ;;
- 9000/8??:4.3bsd:*:*)
- echo hppa1.0-hp-bsd
- exit 0 ;;
- *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
- echo hppa1.0-hp-mpeix
- exit 0 ;;
- hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
- echo hppa1.1-hp-osf
- exit 0 ;;
- hp8??:OSF1:*:*)
- echo hppa1.0-hp-osf
- exit 0 ;;
- i*86:OSF1:*:*)
- if [ -x /usr/sbin/sysversion ] ; then
- echo ${UNAME_MACHINE}-unknown-osf1mk
- else
- echo ${UNAME_MACHINE}-unknown-osf1
- fi
- exit 0 ;;
- parisc*:Lites*:*:*)
- echo hppa1.1-hp-lites
- exit 0 ;;
- C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
- echo c1-convex-bsd
- exit 0 ;;
- C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
- if getsysinfo -f scalar_acc
- then echo c32-convex-bsd
- else echo c2-convex-bsd
- fi
- exit 0 ;;
- C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
- echo c34-convex-bsd
- exit 0 ;;
- C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
- echo c38-convex-bsd
- exit 0 ;;
- C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
- echo c4-convex-bsd
- exit 0 ;;
- CRAY*Y-MP:*:*:*)
- echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- CRAY*[A-Z]90:*:*:*)
- echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
- | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
- -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
- -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- CRAY*TS:*:*:*)
- echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- CRAY*T3E:*:*:*)
- echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- CRAY*SV1:*:*:*)
- echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- *:UNICOS/mp:*:*)
- echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
- FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
- FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
- echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
- exit 0 ;;
- i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
- echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
- exit 0 ;;
- sparc*:BSD/OS:*:*)
- echo sparc-unknown-bsdi${UNAME_RELEASE}
- exit 0 ;;
- *:BSD/OS:*:*)
- echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
- exit 0 ;;
- *:FreeBSD:*:*|*:GNU/FreeBSD:*:*)
- # Determine whether the default compiler uses glibc.
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #include
- #if __GLIBC__ >= 2
- LIBC=gnu
- #else
- LIBC=
- #endif
-EOF
- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
- echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC}
- exit 0 ;;
- i*:CYGWIN*:*)
- echo ${UNAME_MACHINE}-pc-cygwin
- exit 0 ;;
- i*:MINGW*:*)
- echo ${UNAME_MACHINE}-pc-mingw32
- exit 0 ;;
- i*:PW*:*)
- echo ${UNAME_MACHINE}-pc-pw32
- exit 0 ;;
- x86:Interix*:3*)
- echo i586-pc-interix3
- exit 0 ;;
- [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
- echo i${UNAME_MACHINE}-pc-mks
- exit 0 ;;
- i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
- # How do we know it's Interix rather than the generic POSIX subsystem?
- # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
- # UNAME_MACHINE based on the output of uname instead of i386?
- echo i586-pc-interix
- exit 0 ;;
- i*:UWIN*:*)
- echo ${UNAME_MACHINE}-pc-uwin
- exit 0 ;;
- p*:CYGWIN*:*)
- echo powerpcle-unknown-cygwin
- exit 0 ;;
- prep*:SunOS:5.*:*)
- echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- *:GNU:*:*)
- echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
- exit 0 ;;
- i*86:Minix:*:*)
- echo ${UNAME_MACHINE}-pc-minix
- exit 0 ;;
- arm*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- ia64:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- m68*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- mips:Linux:*:*)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #undef CPU
- #undef mips
- #undef mipsel
- #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
- CPU=mipsel
- #else
- #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
- CPU=mips
- #else
- CPU=
- #endif
- #endif
-EOF
- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
- test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
- ;;
- mips64:Linux:*:*)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #undef CPU
- #undef mips64
- #undef mips64el
- #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
- CPU=mips64el
- #else
- #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
- CPU=mips64
- #else
- CPU=
- #endif
- #endif
-EOF
- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
- test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
- ;;
- ppc:Linux:*:*)
- echo powerpc-unknown-linux-gnu
- exit 0 ;;
- ppc64:Linux:*:*)
- echo powerpc64-unknown-linux-gnu
- exit 0 ;;
- alpha:Linux:*:*)
- case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
- EV5) UNAME_MACHINE=alphaev5 ;;
- EV56) UNAME_MACHINE=alphaev56 ;;
- PCA56) UNAME_MACHINE=alphapca56 ;;
- PCA57) UNAME_MACHINE=alphapca56 ;;
- EV6) UNAME_MACHINE=alphaev6 ;;
- EV67) UNAME_MACHINE=alphaev67 ;;
- EV68*) UNAME_MACHINE=alphaev68 ;;
- esac
- objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
- if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
- echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
- exit 0 ;;
- parisc:Linux:*:* | hppa:Linux:*:*)
- # Look for CPU level
- case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
- PA7*) echo hppa1.1-unknown-linux-gnu ;;
- PA8*) echo hppa2.0-unknown-linux-gnu ;;
- *) echo hppa-unknown-linux-gnu ;;
- esac
- exit 0 ;;
- parisc64:Linux:*:* | hppa64:Linux:*:*)
- echo hppa64-unknown-linux-gnu
- exit 0 ;;
- s390:Linux:*:* | s390x:Linux:*:*)
- echo ${UNAME_MACHINE}-ibm-linux
- exit 0 ;;
- sh*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- sparc:Linux:*:* | sparc64:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- x86_64:Linux:*:*)
- echo x86_64-unknown-linux-gnu
- exit 0 ;;
- i*86:Linux:*:*)
- # The BFD linker knows what the default object file format is, so
- # first see if it will tell us. cd to the root directory to prevent
- # problems with other programs or directories called `ld' in the path.
- # Set LC_ALL=C to ensure ld outputs messages in English.
- ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
- | sed -ne '/supported targets:/!d
- s/[ ][ ]*/ /g
- s/.*supported targets: *//
- s/ .*//
- p'`
- case "$ld_supported_targets" in
- elf32-i386)
- TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
- ;;
- a.out-i386-linux)
- echo "${UNAME_MACHINE}-pc-linux-gnuaout"
- exit 0 ;;
- coff-i386)
- echo "${UNAME_MACHINE}-pc-linux-gnucoff"
- exit 0 ;;
- "")
- # Either a pre-BFD a.out linker (linux-gnuoldld) or
- # one that does not give us useful --help.
- echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
- exit 0 ;;
- esac
- # Determine whether the default compiler is a.out or elf
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #include
- #ifdef __ELF__
- # ifdef __GLIBC__
- # if __GLIBC__ >= 2
- LIBC=gnu
- # else
- LIBC=gnulibc1
- # endif
- # else
- LIBC=gnulibc1
- # endif
- #else
- #ifdef __INTEL_COMPILER
- LIBC=gnu
- #else
- LIBC=gnuaout
- #endif
- #endif
-EOF
- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
- test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0
- test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
- ;;
- i*86:DYNIX/ptx:4*:*)
- # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
- # earlier versions are messed up and put the nodename in both
- # sysname and nodename.
- echo i386-sequent-sysv4
- exit 0 ;;
- i*86:UNIX_SV:4.2MP:2.*)
- # Unixware is an offshoot of SVR4, but it has its own version
- # number series starting with 2...
- # I am not positive that other SVR4 systems won't match this,
- # I just have to hope. -- rms.
- # Use sysv4.2uw... so that sysv4* matches it.
- echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
- exit 0 ;;
- i*86:OS/2:*:*)
- # If we were able to find `uname', then EMX Unix compatibility
- # is probably installed.
- echo ${UNAME_MACHINE}-pc-os2-emx
- exit 0 ;;
- i*86:XTS-300:*:STOP)
- echo ${UNAME_MACHINE}-unknown-stop
- exit 0 ;;
- i*86:atheos:*:*)
- echo ${UNAME_MACHINE}-unknown-atheos
- exit 0 ;;
- i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
- echo i386-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- i*86:*DOS:*:*)
- echo ${UNAME_MACHINE}-pc-msdosdjgpp
- exit 0 ;;
- i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
- UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
- if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
- echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
- else
- echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
- fi
- exit 0 ;;
- i*86:*:5:[78]*)
- case `/bin/uname -X | grep "^Machine"` in
- *486*) UNAME_MACHINE=i486 ;;
- *Pentium) UNAME_MACHINE=i586 ;;
- *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
- esac
- echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
- exit 0 ;;
- i*86:*:3.2:*)
- if test -f /usr/options/cb.name; then
- UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then
- UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
- (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
- (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
- && UNAME_MACHINE=i586
- (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
- && UNAME_MACHINE=i686
- (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
- && UNAME_MACHINE=i686
- echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
- else
- echo ${UNAME_MACHINE}-pc-sysv32
- fi
- exit 0 ;;
- pc:*:*:*)
- # Left here for compatibility:
- # uname -m prints for DJGPP always 'pc', but it prints nothing about
- # the processor, so we play safe by assuming i386.
- echo i386-pc-msdosdjgpp
- exit 0 ;;
- Intel:Mach:3*:*)
- echo i386-pc-mach3
- exit 0 ;;
- paragon:*:*:*)
- echo i860-intel-osf1
- exit 0 ;;
- i860:*:4.*:*) # i860-SVR4
- if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
- echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
- else # Add other i860-SVR4 vendors below as they are discovered.
- echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4
- fi
- exit 0 ;;
- mini*:CTIX:SYS*5:*)
- # "miniframe"
- echo m68010-convergent-sysv
- exit 0 ;;
- mc68k:UNIX:SYSTEM5:3.51m)
- echo m68k-convergent-sysv
- exit 0 ;;
- M680?0:D-NIX:5.3:*)
- echo m68k-diab-dnix
- exit 0 ;;
- M68*:*:R3V[567]*:*)
- test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
- 3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0)
- OS_REL=''
- test -r /etc/.relid \
- && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
- /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
- && echo i486-ncr-sysv4.3${OS_REL} && exit 0
- /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
- && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
- 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
- /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
- && echo i486-ncr-sysv4 && exit 0 ;;
- m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
- echo m68k-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- mc68030:UNIX_System_V:4.*:*)
- echo m68k-atari-sysv4
- exit 0 ;;
- TSUNAMI:LynxOS:2.*:*)
- echo sparc-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- rs6000:LynxOS:2.*:*)
- echo rs6000-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
- echo powerpc-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- SM[BE]S:UNIX_SV:*:*)
- echo mips-dde-sysv${UNAME_RELEASE}
- exit 0 ;;
- RM*:ReliantUNIX-*:*:*)
- echo mips-sni-sysv4
- exit 0 ;;
- RM*:SINIX-*:*:*)
- echo mips-sni-sysv4
- exit 0 ;;
- *:SINIX-*:*:*)
- if uname -p 2>/dev/null >/dev/null ; then
- UNAME_MACHINE=`(uname -p) 2>/dev/null`
- echo ${UNAME_MACHINE}-sni-sysv4
- else
- echo ns32k-sni-sysv
- fi
- exit 0 ;;
- PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
- # says
- echo i586-unisys-sysv4
- exit 0 ;;
- *:UNIX_System_V:4*:FTX*)
- # From Gerald Hewes .
- # How about differentiating between stratus architectures? -djm
- echo hppa1.1-stratus-sysv4
- exit 0 ;;
- *:*:*:FTX*)
- # From seanf@swdc.stratus.com.
- echo i860-stratus-sysv4
- exit 0 ;;
- *:VOS:*:*)
- # From Paul.Green@stratus.com.
- echo hppa1.1-stratus-vos
- exit 0 ;;
- mc68*:A/UX:*:*)
- echo m68k-apple-aux${UNAME_RELEASE}
- exit 0 ;;
- news*:NEWS-OS:6*:*)
- echo mips-sony-newsos6
- exit 0 ;;
- R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
- if [ -d /usr/nec ]; then
- echo mips-nec-sysv${UNAME_RELEASE}
- else
- echo mips-unknown-sysv${UNAME_RELEASE}
- fi
- exit 0 ;;
- BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
- echo powerpc-be-beos
- exit 0 ;;
- BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
- echo powerpc-apple-beos
- exit 0 ;;
- BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
- echo i586-pc-beos
- exit 0 ;;
- SX-4:SUPER-UX:*:*)
- echo sx4-nec-superux${UNAME_RELEASE}
- exit 0 ;;
- SX-5:SUPER-UX:*:*)
- echo sx5-nec-superux${UNAME_RELEASE}
- exit 0 ;;
- SX-6:SUPER-UX:*:*)
- echo sx6-nec-superux${UNAME_RELEASE}
- exit 0 ;;
- Power*:Rhapsody:*:*)
- echo powerpc-apple-rhapsody${UNAME_RELEASE}
- exit 0 ;;
- *:Rhapsody:*:*)
- echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
- exit 0 ;;
- *:Darwin:*:*)
- case `uname -p` in
- *86) UNAME_PROCESSOR=i686 ;;
- powerpc) UNAME_PROCESSOR=powerpc ;;
- esac
- echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
- exit 0 ;;
- *:procnto*:*:* | *:QNX:[0123456789]*:*)
- UNAME_PROCESSOR=`uname -p`
- if test "$UNAME_PROCESSOR" = "x86"; then
- UNAME_PROCESSOR=i386
- UNAME_MACHINE=pc
- fi
- echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
- exit 0 ;;
- *:QNX:*:4*)
- echo i386-pc-qnx
- exit 0 ;;
- NSR-[DGKLNPTVW]:NONSTOP_KERNEL:*:*)
- echo nsr-tandem-nsk${UNAME_RELEASE}
- exit 0 ;;
- *:NonStop-UX:*:*)
- echo mips-compaq-nonstopux
- exit 0 ;;
- BS2000:POSIX*:*:*)
- echo bs2000-siemens-sysv
- exit 0 ;;
- DS/*:UNIX_System_V:*:*)
- echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
- exit 0 ;;
- *:Plan9:*:*)
- # "uname -m" is not consistent, so use $cputype instead. 386
- # is converted to i386 for consistency with other x86
- # operating systems.
- if test "$cputype" = "386"; then
- UNAME_MACHINE=i386
- else
- UNAME_MACHINE="$cputype"
- fi
- echo ${UNAME_MACHINE}-unknown-plan9
- exit 0 ;;
- *:TOPS-10:*:*)
- echo pdp10-unknown-tops10
- exit 0 ;;
- *:TENEX:*:*)
- echo pdp10-unknown-tenex
- exit 0 ;;
- KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
- echo pdp10-dec-tops20
- exit 0 ;;
- XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
- echo pdp10-xkl-tops20
- exit 0 ;;
- *:TOPS-20:*:*)
- echo pdp10-unknown-tops20
- exit 0 ;;
- *:ITS:*:*)
- echo pdp10-unknown-its
- exit 0 ;;
-esac
-
-#echo '(No uname command or uname output not recognized.)' 1>&2
-#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
-
-eval $set_cc_for_build
-cat >$dummy.c <
-# include
-#endif
-main ()
-{
-#if defined (sony)
-#if defined (MIPSEB)
- /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
- I don't know.... */
- printf ("mips-sony-bsd\n"); exit (0);
-#else
-#include
- printf ("m68k-sony-newsos%s\n",
-#ifdef NEWSOS4
- "4"
-#else
- ""
-#endif
- ); exit (0);
-#endif
-#endif
-
-#if defined (__arm) && defined (__acorn) && defined (__unix)
- printf ("arm-acorn-riscix"); exit (0);
-#endif
-
-#if defined (hp300) && !defined (hpux)
- printf ("m68k-hp-bsd\n"); exit (0);
-#endif
-
-#if defined (NeXT)
-#if !defined (__ARCHITECTURE__)
-#define __ARCHITECTURE__ "m68k"
-#endif
- int version;
- version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
- if (version < 4)
- printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
- else
- printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
- exit (0);
-#endif
-
-#if defined (MULTIMAX) || defined (n16)
-#if defined (UMAXV)
- printf ("ns32k-encore-sysv\n"); exit (0);
-#else
-#if defined (CMU)
- printf ("ns32k-encore-mach\n"); exit (0);
-#else
- printf ("ns32k-encore-bsd\n"); exit (0);
-#endif
-#endif
-#endif
-
-#if defined (__386BSD__)
- printf ("i386-pc-bsd\n"); exit (0);
-#endif
-
-#if defined (sequent)
-#if defined (i386)
- printf ("i386-sequent-dynix\n"); exit (0);
-#endif
-#if defined (ns32000)
- printf ("ns32k-sequent-dynix\n"); exit (0);
-#endif
-#endif
-
-#if defined (_SEQUENT_)
- struct utsname un;
-
- uname(&un);
-
- if (strncmp(un.version, "V2", 2) == 0) {
- printf ("i386-sequent-ptx2\n"); exit (0);
- }
- if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
- printf ("i386-sequent-ptx1\n"); exit (0);
- }
- printf ("i386-sequent-ptx\n"); exit (0);
-
-#endif
-
-#if defined (vax)
-# if !defined (ultrix)
-# include
-# if defined (BSD)
-# if BSD == 43
- printf ("vax-dec-bsd4.3\n"); exit (0);
-# else
-# if BSD == 199006
- printf ("vax-dec-bsd4.3reno\n"); exit (0);
-# else
- printf ("vax-dec-bsd\n"); exit (0);
-# endif
-# endif
-# else
- printf ("vax-dec-bsd\n"); exit (0);
-# endif
-# else
- printf ("vax-dec-ultrix\n"); exit (0);
-# endif
-#endif
-
-#if defined (alliant) && defined (i860)
- printf ("i860-alliant-bsd\n"); exit (0);
-#endif
-
- exit (1);
-}
-EOF
-
-$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0
-
-# Apollos put the system type in the environment.
-
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
-
-# Convex versions that predate uname can use getsysinfo(1)
-
-if [ -x /usr/convex/getsysinfo ]
-then
- case `getsysinfo -f cpu_type` in
- c1*)
- echo c1-convex-bsd
- exit 0 ;;
- c2*)
- if getsysinfo -f scalar_acc
- then echo c32-convex-bsd
- else echo c2-convex-bsd
- fi
- exit 0 ;;
- c34*)
- echo c34-convex-bsd
- exit 0 ;;
- c38*)
- echo c38-convex-bsd
- exit 0 ;;
- c4*)
- echo c4-convex-bsd
- exit 0 ;;
- esac
-fi
-
-cat >&2 < in order to provide the needed
-information to handle your system.
-
-config.guess timestamp = $timestamp
-
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
-/bin/uname -X = `(/bin/uname -X) 2>/dev/null`
-
-hostinfo = `(hostinfo) 2>/dev/null`
-/bin/universe = `(/bin/universe) 2>/dev/null`
-/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null`
-/bin/arch = `(/bin/arch) 2>/dev/null`
-/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
-
-UNAME_MACHINE = ${UNAME_MACHINE}
-UNAME_RELEASE = ${UNAME_RELEASE}
-UNAME_SYSTEM = ${UNAME_SYSTEM}
-UNAME_VERSION = ${UNAME_VERSION}
-EOF
-
-exit 1
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
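Review bot: with config.guess deleted in full (the hunk ends at the `# End:` trailer above), nothing in this patch shows what now determines the host triplet, so confirm that no remaining configure script, Makefile or packaging step still invokes config.guess, and name the replacement in the commit message. The removed script wrote probe sources to `$dummy.c`, compiled and ran them (`$CC_FOR_BUILD -o $dummy $dummy.c && $dummy`), and passed preprocessor output to `eval`. If the new build system does equivalent probing, check that it creates its temporary files safely and does not eval tool output unquoted.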
diff --git a/config.sub b/config.sub
deleted file mode 100755
index fe4f1edf3c..0000000000
--- a/config.sub
+++ /dev/null
@@ -1,1492 +0,0 @@
-#! /bin/sh
-# Configuration validation subroutine script.
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
-
-timestamp='2003-05-09'
-
-# This file is (in principle) common to ALL GNU software.
-# The presence of a machine in this file suggests that SOME GNU software
-# can handle that machine. It does not imply ALL GNU software can.
-#
-# This file is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330,
-# Boston, MA 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Please send patches to . Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# Configuration subroutine to validate and canonicalize a configuration type.
-# Supply the specified configuration type as an argument.
-# If it is invalid, we print an error message on stderr and exit with code 1.
-# Otherwise, we print the canonical config type on stdout and succeed.
-
-# This file is supposed to be the same for all GNU packages
-# and recognize all the CPU types, system types and aliases
-# that are meaningful with *any* GNU software.
-# Each package is responsible for reporting which valid configurations
-# it does not support. The user should be able to distinguish
-# a failure to support a valid configuration from a meaningless
-# configuration.
-
-# The goal of this file is to map all the various variations of a given
-# machine specification into a single specification in the form:
-# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
-# or in some cases, the newer four-part form:
-# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
-# It is wrong to echo any other type of specification.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION] CPU-MFR-OPSYS
- $0 [OPTION] ALIAS
-
-Canonicalize a configuration name.
-
-Operation modes:
- -h, --help print this help, then exit
- -t, --time-stamp print date of last modification, then exit
- -v, --version print version number, then exit
-
-Report bugs and patches to ."
-
-version="\
-GNU config.sub ($timestamp)
-
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions. There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
- case $1 in
- --time-stamp | --time* | -t )
- echo "$timestamp" ; exit 0 ;;
- --version | -v )
- echo "$version" ; exit 0 ;;
- --help | --h* | -h )
- echo "$usage"; exit 0 ;;
- -- ) # Stop option processing
- shift; break ;;
- - ) # Use stdin as input.
- break ;;
- -* )
- echo "$me: invalid option $1$help"
- exit 1 ;;
-
- *local*)
- # First pass through any local machine types.
- echo $1
- exit 0;;
-
- * )
- break ;;
- esac
-done
-
-case $# in
- 0) echo "$me: missing argument$help" >&2
- exit 1;;
- 1) ;;
- *) echo "$me: too many arguments$help" >&2
- exit 1;;
-esac
-
-# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
-# Here we must recognize all the valid KERNEL-OS combinations.
-maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
-case $maybe_os in
- nto-qnx* | linux-gnu* | freebsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
- os=-$maybe_os
- basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
- ;;
- *)
- basic_machine=`echo $1 | sed 's/-[^-]*$//'`
- if [ $basic_machine != $1 ]
- then os=`echo $1 | sed 's/.*-/-/'`
- else os=; fi
- ;;
-esac
-
-### Let's recognize common machines as not being operating systems so
-### that things like config.sub decstation-3100 work. We also
-### recognize some manufacturers as not being operating systems, so we
-### can provide default operating systems below.
-case $os in
- -sun*os*)
- # Prevent following clause from handling this invalid input.
- ;;
- -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
- -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
- -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
- -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
- -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
- -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
- -apple | -axis)
- os=
- basic_machine=$1
- ;;
- -sim | -cisco | -oki | -wec | -winbond)
- os=
- basic_machine=$1
- ;;
- -scout)
- ;;
- -wrs)
- os=-vxworks
- basic_machine=$1
- ;;
- -chorusos*)
- os=-chorusos
- basic_machine=$1
- ;;
- -chorusrdb)
- os=-chorusrdb
- basic_machine=$1
- ;;
- -hiux*)
- os=-hiuxwe2
- ;;
- -sco5)
- os=-sco3.2v5
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -sco4)
- os=-sco3.2v4
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -sco3.2.[4-9]*)
- os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -sco3.2v[4-9]*)
- # Don't forget version if it is 3.2v4 or newer.
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -sco*)
- os=-sco3.2v2
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -udk*)
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -isc)
- os=-isc2.2
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -clix*)
- basic_machine=clipper-intergraph
- ;;
- -isc*)
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -lynx*)
- os=-lynxos
- ;;
- -ptx*)
- basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
- ;;
- -windowsnt*)
- os=`echo $os | sed -e 's/windowsnt/winnt/'`
- ;;
- -psos*)
- os=-psos
- ;;
- -mint | -mint[0-9]*)
- basic_machine=m68k-atari
- os=-mint
- ;;
-esac
-
-# Decode aliases for certain CPU-COMPANY combinations.
-case $basic_machine in
- # Recognize the basic CPU types without company name.
- # Some are omitted here because they have special meanings below.
- 1750a | 580 \
- | a29k \
- | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
- | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
- | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
- | clipper \
- | d10v | d30v | dlx | dsp16xx \
- | fr30 | frv \
- | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
- | i370 | i860 | i960 | ia64 \
- | ip2k \
- | m32r | m68000 | m68k | m88k | mcore \
- | mips | mipsbe | mipseb | mipsel | mipsle \
- | mips16 \
- | mips64 | mips64el \
- | mips64vr | mips64vrel \
- | mips64orion | mips64orionel \
- | mips64vr4100 | mips64vr4100el \
- | mips64vr4300 | mips64vr4300el \
- | mips64vr5000 | mips64vr5000el \
- | mipsisa32 | mipsisa32el \
- | mipsisa32r2 | mipsisa32r2el \
- | mipsisa64 | mipsisa64el \
- | mipsisa64sb1 | mipsisa64sb1el \
- | mipsisa64sr71k | mipsisa64sr71kel \
- | mipstx39 | mipstx39el \
- | mn10200 | mn10300 \
- | msp430 \
- | ns16k | ns32k \
- | openrisc | or32 \
- | pdp10 | pdp11 | pj | pjl \
- | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
- | pyramid \
- | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
- | sh64 | sh64le \
- | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
- | strongarm \
- | tahoe | thumb | tic80 | tron \
- | v850 | v850e \
- | we32k \
- | x86 | xscale | xstormy16 | xtensa \
- | z8k)
- basic_machine=$basic_machine-unknown
- ;;
- m6811 | m68hc11 | m6812 | m68hc12)
- # Motorola 68HC11/12.
- basic_machine=$basic_machine-unknown
- os=-none
- ;;
- m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
- ;;
-
- # We use `pc' rather than `unknown'
- # because (1) that's what they normally are, and
- # (2) the word "unknown" tends to confuse beginning users.
- i*86 | x86_64)
- basic_machine=$basic_machine-pc
- ;;
- # Object if more than one company name word.
- *-*-*)
- echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
- exit 1
- ;;
- # Recognize the basic CPU types with company name.
- 580-* \
- | a29k-* \
- | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
- | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
- | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
- | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
- | avr-* \
- | bs2000-* \
- | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
- | clipper-* | cydra-* \
- | d10v-* | d30v-* | dlx-* \
- | elxsi-* \
- | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
- | h8300-* | h8500-* \
- | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
- | i*86-* | i860-* | i960-* | ia64-* \
- | ip2k-* \
- | m32r-* \
- | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
- | m88110-* | m88k-* | mcore-* \
- | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
- | mips16-* \
- | mips64-* | mips64el-* \
- | mips64vr-* | mips64vrel-* \
- | mips64orion-* | mips64orionel-* \
- | mips64vr4100-* | mips64vr4100el-* \
- | mips64vr4300-* | mips64vr4300el-* \
- | mips64vr5000-* | mips64vr5000el-* \
- | mipsisa32-* | mipsisa32el-* \
- | mipsisa32r2-* | mipsisa32r2el-* \
- | mipsisa64-* | mipsisa64el-* \
- | mipsisa64sb1-* | mipsisa64sb1el-* \
- | mipsisa64sr71k-* | mipsisa64sr71kel-* \
- | mipstx39-* | mipstx39el-* \
- | msp430-* \
- | none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
- | orion-* \
- | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
- | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
- | pyramid-* \
- | romp-* | rs6000-* \
- | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
- | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
- | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
- | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
- | tahoe-* | thumb-* \
- | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
- | tron-* \
- | v850-* | v850e-* | vax-* \
- | we32k-* \
- | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
- | xtensa-* \
- | ymp-* \
- | z8k-*)
- ;;
- # Recognize the various machine names and aliases which stand
- # for a CPU type and a company and sometimes even an OS.
- 386bsd)
- basic_machine=i386-unknown
- os=-bsd
- ;;
- 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
- basic_machine=m68000-att
- ;;
- 3b*)
- basic_machine=we32k-att
- ;;
- a29khif)
- basic_machine=a29k-amd
- os=-udi
- ;;
- adobe68k)
- basic_machine=m68010-adobe
- os=-scout
- ;;
- alliant | fx80)
- basic_machine=fx80-alliant
- ;;
- altos | altos3068)
- basic_machine=m68k-altos
- ;;
- am29k)
- basic_machine=a29k-none
- os=-bsd
- ;;
- amd64)
- basic_machine=x86_64-pc
- ;;
- amdahl)
- basic_machine=580-amdahl
- os=-sysv
- ;;
- amiga | amiga-*)
- basic_machine=m68k-unknown
- ;;
- amigaos | amigados)
- basic_machine=m68k-unknown
- os=-amigaos
- ;;
- amigaunix | amix)
- basic_machine=m68k-unknown
- os=-sysv4
- ;;
- apollo68)
- basic_machine=m68k-apollo
- os=-sysv
- ;;
- apollo68bsd)
- basic_machine=m68k-apollo
- os=-bsd
- ;;
- aux)
- basic_machine=m68k-apple
- os=-aux
- ;;
- balance)
- basic_machine=ns32k-sequent
- os=-dynix
- ;;
- c90)
- basic_machine=c90-cray
- os=-unicos
- ;;
- convex-c1)
- basic_machine=c1-convex
- os=-bsd
- ;;
- convex-c2)
- basic_machine=c2-convex
- os=-bsd
- ;;
- convex-c32)
- basic_machine=c32-convex
- os=-bsd
- ;;
- convex-c34)
- basic_machine=c34-convex
- os=-bsd
- ;;
- convex-c38)
- basic_machine=c38-convex
- os=-bsd
- ;;
- cray | j90)
- basic_machine=j90-cray
- os=-unicos
- ;;
- crds | unos)
- basic_machine=m68k-crds
- ;;
- cris | cris-* | etrax*)
- basic_machine=cris-axis
- ;;
- da30 | da30-*)
- basic_machine=m68k-da30
- ;;
- decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
- basic_machine=mips-dec
- ;;
- decsystem10* | dec10*)
- basic_machine=pdp10-dec
- os=-tops10
- ;;
- decsystem20* | dec20*)
- basic_machine=pdp10-dec
- os=-tops20
- ;;
- delta | 3300 | motorola-3300 | motorola-delta \
- | 3300-motorola | delta-motorola)
- basic_machine=m68k-motorola
- ;;
- delta88)
- basic_machine=m88k-motorola
- os=-sysv3
- ;;
- dpx20 | dpx20-*)
- basic_machine=rs6000-bull
- os=-bosx
- ;;
- dpx2* | dpx2*-bull)
- basic_machine=m68k-bull
- os=-sysv3
- ;;
- ebmon29k)
- basic_machine=a29k-amd
- os=-ebmon
- ;;
- elxsi)
- basic_machine=elxsi-elxsi
- os=-bsd
- ;;
- encore | umax | mmax)
- basic_machine=ns32k-encore
- ;;
- es1800 | OSE68k | ose68k | ose | OSE)
- basic_machine=m68k-ericsson
- os=-ose
- ;;
- fx2800)
- basic_machine=i860-alliant
- ;;
- genix)
- basic_machine=ns32k-ns
- ;;
- gmicro)
- basic_machine=tron-gmicro
- os=-sysv
- ;;
- go32)
- basic_machine=i386-pc
- os=-go32
- ;;
- h3050r* | hiux*)
- basic_machine=hppa1.1-hitachi
- os=-hiuxwe2
- ;;
- h8300hms)
- basic_machine=h8300-hitachi
- os=-hms
- ;;
- h8300xray)
- basic_machine=h8300-hitachi
- os=-xray
- ;;
- h8500hms)
- basic_machine=h8500-hitachi
- os=-hms
- ;;
- harris)
- basic_machine=m88k-harris
- os=-sysv3
- ;;
- hp300-*)
- basic_machine=m68k-hp
- ;;
- hp300bsd)
- basic_machine=m68k-hp
- os=-bsd
- ;;
- hp300hpux)
- basic_machine=m68k-hp
- os=-hpux
- ;;
- hp3k9[0-9][0-9] | hp9[0-9][0-9])
- basic_machine=hppa1.0-hp
- ;;
- hp9k2[0-9][0-9] | hp9k31[0-9])
- basic_machine=m68000-hp
- ;;
- hp9k3[2-9][0-9])
- basic_machine=m68k-hp
- ;;
- hp9k6[0-9][0-9] | hp6[0-9][0-9])
- basic_machine=hppa1.0-hp
- ;;
- hp9k7[0-79][0-9] | hp7[0-79][0-9])
- basic_machine=hppa1.1-hp
- ;;
- hp9k78[0-9] | hp78[0-9])
- # FIXME: really hppa2.0-hp
- basic_machine=hppa1.1-hp
- ;;
- hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
- # FIXME: really hppa2.0-hp
- basic_machine=hppa1.1-hp
- ;;
- hp9k8[0-9][13679] | hp8[0-9][13679])
- basic_machine=hppa1.1-hp
- ;;
- hp9k8[0-9][0-9] | hp8[0-9][0-9])
- basic_machine=hppa1.0-hp
- ;;
- hppa-next)
- os=-nextstep3
- ;;
- hppaosf)
- basic_machine=hppa1.1-hp
- os=-osf
- ;;
- hppro)
- basic_machine=hppa1.1-hp
- os=-proelf
- ;;
- i370-ibm* | ibm*)
- basic_machine=i370-ibm
- ;;
-# I'm not sure what "Sysv32" means. Should this be sysv3.2?
- i*86v32)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
- os=-sysv32
- ;;
- i*86v4*)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
- os=-sysv4
- ;;
- i*86v)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
- os=-sysv
- ;;
- i*86sol2)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
- os=-solaris2
- ;;
- i386mach)
- basic_machine=i386-mach
- os=-mach
- ;;
- i386-vsta | vsta)
- basic_machine=i386-unknown
- os=-vsta
- ;;
- iris | iris4d)
- basic_machine=mips-sgi
- case $os in
- -irix*)
- ;;
- *)
- os=-irix4
- ;;
- esac
- ;;
- isi68 | isi)
- basic_machine=m68k-isi
- os=-sysv
- ;;
- m88k-omron*)
- basic_machine=m88k-omron
- ;;
- magnum | m3230)
- basic_machine=mips-mips
- os=-sysv
- ;;
- merlin)
- basic_machine=ns32k-utek
- os=-sysv
- ;;
- mingw32)
- basic_machine=i386-pc
- os=-mingw32
- ;;
- miniframe)
- basic_machine=m68000-convergent
- ;;
- *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
- basic_machine=m68k-atari
- os=-mint
- ;;
- mips3*-*)
- basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
- ;;
- mips3*)
- basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
- ;;
- mmix*)
- basic_machine=mmix-knuth
- os=-mmixware
- ;;
- monitor)
- basic_machine=m68k-rom68k
- os=-coff
- ;;
- morphos)
- basic_machine=powerpc-unknown
- os=-morphos
- ;;
- msdos)
- basic_machine=i386-pc
- os=-msdos
- ;;
- mvs)
- basic_machine=i370-ibm
- os=-mvs
- ;;
- ncr3000)
- basic_machine=i486-ncr
- os=-sysv4
- ;;
- netbsd386)
- basic_machine=i386-unknown
- os=-netbsd
- ;;
- netwinder)
- basic_machine=armv4l-rebel
- os=-linux
- ;;
- news | news700 | news800 | news900)
- basic_machine=m68k-sony
- os=-newsos
- ;;
- news1000)
- basic_machine=m68030-sony
- os=-newsos
- ;;
- news-3600 | risc-news)
- basic_machine=mips-sony
- os=-newsos
- ;;
- necv70)
- basic_machine=v70-nec
- os=-sysv
- ;;
- next | m*-next )
- basic_machine=m68k-next
- case $os in
- -nextstep* )
- ;;
- -ns2*)
- os=-nextstep2
- ;;
- *)
- os=-nextstep3
- ;;
- esac
- ;;
- nh3000)
- basic_machine=m68k-harris
- os=-cxux
- ;;
- nh[45]000)
- basic_machine=m88k-harris
- os=-cxux
- ;;
- nindy960)
- basic_machine=i960-intel
- os=-nindy
- ;;
- mon960)
- basic_machine=i960-intel
- os=-mon960
- ;;
- nonstopux)
- basic_machine=mips-compaq
- os=-nonstopux
- ;;
- np1)
- basic_machine=np1-gould
- ;;
- nv1)
- basic_machine=nv1-cray
- os=-unicosmp
- ;;
- nsr-tandem)
- basic_machine=nsr-tandem
- ;;
- op50n-* | op60c-*)
- basic_machine=hppa1.1-oki
- os=-proelf
- ;;
- or32 | or32-*)
- basic_machine=or32-unknown
- os=-coff
- ;;
- OSE68000 | ose68000)
- basic_machine=m68000-ericsson
- os=-ose
- ;;
- os68k)
- basic_machine=m68k-none
- os=-os68k
- ;;
- pa-hitachi)
- basic_machine=hppa1.1-hitachi
- os=-hiuxwe2
- ;;
- paragon)
- basic_machine=i860-intel
- os=-osf
- ;;
- pbd)
- basic_machine=sparc-tti
- ;;
- pbb)
- basic_machine=m68k-tti
- ;;
- pc532 | pc532-*)
- basic_machine=ns32k-pc532
- ;;
- pentium | p5 | k5 | k6 | nexgen | viac3)
- basic_machine=i586-pc
- ;;
- pentiumpro | p6 | 6x86 | athlon | athlon_*)
- basic_machine=i686-pc
- ;;
- pentiumii | pentium2)
- basic_machine=i686-pc
- ;;
- pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
- basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- pentiumpro-* | p6-* | 6x86-* | athlon-*)
- basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- pentiumii-* | pentium2-*)
- basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- pn)
- basic_machine=pn-gould
- ;;
- power) basic_machine=power-ibm
- ;;
- ppc) basic_machine=powerpc-unknown
- ;;
- ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- ppcle | powerpclittle | ppc-le | powerpc-little)
- basic_machine=powerpcle-unknown
- ;;
- ppcle-* | powerpclittle-*)
- basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- ppc64) basic_machine=powerpc64-unknown
- ;;
- ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- ppc64le | powerpc64little | ppc64-le | powerpc64-little)
- basic_machine=powerpc64le-unknown
- ;;
- ppc64le-* | powerpc64little-*)
- basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- ps2)
- basic_machine=i386-ibm
- ;;
- pw32)
- basic_machine=i586-unknown
- os=-pw32
- ;;
- rom68k)
- basic_machine=m68k-rom68k
- os=-coff
- ;;
- rm[46]00)
- basic_machine=mips-siemens
- ;;
- rtpc | rtpc-*)
- basic_machine=romp-ibm
- ;;
- s390 | s390-*)
- basic_machine=s390-ibm
- ;;
- s390x | s390x-*)
- basic_machine=s390x-ibm
- ;;
- sa29200)
- basic_machine=a29k-amd
- os=-udi
- ;;
- sb1)
- basic_machine=mipsisa64sb1-unknown
- ;;
- sb1el)
- basic_machine=mipsisa64sb1el-unknown
- ;;
- sequent)
- basic_machine=i386-sequent
- ;;
- sh)
- basic_machine=sh-hitachi
- os=-hms
- ;;
- sparclite-wrs | simso-wrs)
- basic_machine=sparclite-wrs
- os=-vxworks
- ;;
- sps7)
- basic_machine=m68k-bull
- os=-sysv2
- ;;
- spur)
- basic_machine=spur-unknown
- ;;
- st2000)
- basic_machine=m68k-tandem
- ;;
- stratus)
- basic_machine=i860-stratus
- os=-sysv4
- ;;
- sun2)
- basic_machine=m68000-sun
- ;;
- sun2os3)
- basic_machine=m68000-sun
- os=-sunos3
- ;;
- sun2os4)
- basic_machine=m68000-sun
- os=-sunos4
- ;;
- sun3os3)
- basic_machine=m68k-sun
- os=-sunos3
- ;;
- sun3os4)
- basic_machine=m68k-sun
- os=-sunos4
- ;;
- sun4os3)
- basic_machine=sparc-sun
- os=-sunos3
- ;;
- sun4os4)
- basic_machine=sparc-sun
- os=-sunos4
- ;;
- sun4sol2)
- basic_machine=sparc-sun
- os=-solaris2
- ;;
- sun3 | sun3-*)
- basic_machine=m68k-sun
- ;;
- sun4)
- basic_machine=sparc-sun
- ;;
- sun386 | sun386i | roadrunner)
- basic_machine=i386-sun
- ;;
- sv1)
- basic_machine=sv1-cray
- os=-unicos
- ;;
- symmetry)
- basic_machine=i386-sequent
- os=-dynix
- ;;
- t3e)
- basic_machine=alphaev5-cray
- os=-unicos
- ;;
- t90)
- basic_machine=t90-cray
- os=-unicos
- ;;
- tic4x | c4x*)
- basic_machine=tic4x-unknown
- os=-coff
- ;;
- tic54x | c54x*)
- basic_machine=tic54x-unknown
- os=-coff
- ;;
- tic55x | c55x*)
- basic_machine=tic55x-unknown
- os=-coff
- ;;
- tic6x | c6x*)
- basic_machine=tic6x-unknown
- os=-coff
- ;;
- tx39)
- basic_machine=mipstx39-unknown
- ;;
- tx39el)
- basic_machine=mipstx39el-unknown
- ;;
- toad1)
- basic_machine=pdp10-xkl
- os=-tops20
- ;;
- tower | tower-32)
- basic_machine=m68k-ncr
- ;;
- udi29k)
- basic_machine=a29k-amd
- os=-udi
- ;;
- ultra3)
- basic_machine=a29k-nyu
- os=-sym1
- ;;
- v810 | necv810)
- basic_machine=v810-nec
- os=-none
- ;;
- vaxv)
- basic_machine=vax-dec
- os=-sysv
- ;;
- vms)
- basic_machine=vax-dec
- os=-vms
- ;;
- vpp*|vx|vx-*)
- basic_machine=f301-fujitsu
- ;;
- vxworks960)
- basic_machine=i960-wrs
- os=-vxworks
- ;;
- vxworks68)
- basic_machine=m68k-wrs
- os=-vxworks
- ;;
- vxworks29k)
- basic_machine=a29k-wrs
- os=-vxworks
- ;;
- w65*)
- basic_machine=w65-wdc
- os=-none
- ;;
- w89k-*)
- basic_machine=hppa1.1-winbond
- os=-proelf
- ;;
- xps | xps100)
- basic_machine=xps100-honeywell
- ;;
- ymp)
- basic_machine=ymp-cray
- os=-unicos
- ;;
- z8k-*-coff)
- basic_machine=z8k-unknown
- os=-sim
- ;;
- none)
- basic_machine=none-none
- os=-none
- ;;
-
-# Here we handle the default manufacturer of certain CPU types. It is in
-# some cases the only manufacturer, in others, it is the most popular.
- w89k)
- basic_machine=hppa1.1-winbond
- ;;
- op50n)
- basic_machine=hppa1.1-oki
- ;;
- op60c)
- basic_machine=hppa1.1-oki
- ;;
- romp)
- basic_machine=romp-ibm
- ;;
- rs6000)
- basic_machine=rs6000-ibm
- ;;
- vax)
- basic_machine=vax-dec
- ;;
- pdp10)
- # there are many clones, so DEC is not a safe bet
- basic_machine=pdp10-unknown
- ;;
- pdp11)
- basic_machine=pdp11-dec
- ;;
- we32k)
- basic_machine=we32k-att
- ;;
- sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele)
- basic_machine=sh-unknown
- ;;
- sh64)
- basic_machine=sh64-unknown
- ;;
- sparc | sparcv9 | sparcv9b)
- basic_machine=sparc-sun
- ;;
- cydra)
- basic_machine=cydra-cydrome
- ;;
- orion)
- basic_machine=orion-highlevel
- ;;
- orion105)
- basic_machine=clipper-highlevel
- ;;
- mac | mpw | mac-mpw)
- basic_machine=m68k-apple
- ;;
- pmac | pmac-mpw)
- basic_machine=powerpc-apple
- ;;
- *-unknown)
- # Make sure to match an already-canonicalized machine name.
- ;;
- *)
- echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
- exit 1
- ;;
-esac
-
-# Here we canonicalize certain aliases for manufacturers.
-case $basic_machine in
- *-digital*)
- basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
- ;;
- *-commodore*)
- basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
- ;;
- *)
- ;;
-esac
-
-# Decode manufacturer-specific aliases for certain operating systems.
-
-if [ x"$os" != x"" ]
-then
-case $os in
- # First match some system type aliases
- # that might get confused with valid system types.
- # -solaris* is a basic system type, with this one exception.
- -solaris1 | -solaris1.*)
- os=`echo $os | sed -e 's|solaris1|sunos4|'`
- ;;
- -solaris)
- os=-solaris2
- ;;
- -svr4*)
- os=-sysv4
- ;;
- -unixware*)
- os=-sysv4.2uw
- ;;
- -gnu/linux*)
- os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
- ;;
- # First accept the basic system types.
- # The portable systems comes first.
- # Each alternative MUST END IN A *, to match a version number.
- # -sysv* is not here because it comes later, after sysvr4.
- -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
- | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
- | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
- | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
- | -aos* \
- | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
- | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
- | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \
- | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
- | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
- | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
- | -chorusos* | -chorusrdb* \
- | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
- | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
- | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
- | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
- | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
- | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
- | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
- | -powermax* | -dnix*)
- # Remember, each alternative MUST END IN *, to match a version number.
- ;;
- -qnx*)
- case $basic_machine in
- x86-* | i*86-*)
- ;;
- *)
- os=-nto$os
- ;;
- esac
- ;;
- -nto-qnx*)
- ;;
- -nto*)
- os=`echo $os | sed -e 's|nto|nto-qnx|'`
- ;;
- -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
- | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
- | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
- ;;
- -mac*)
- os=`echo $os | sed -e 's|mac|macos|'`
- ;;
- -linux*)
- os=`echo $os | sed -e 's|linux|linux-gnu|'`
- ;;
- -sunos5*)
- os=`echo $os | sed -e 's|sunos5|solaris2|'`
- ;;
- -sunos6*)
- os=`echo $os | sed -e 's|sunos6|solaris3|'`
- ;;
- -opened*)
- os=-openedition
- ;;
- -wince*)
- os=-wince
- ;;
- -osfrose*)
- os=-osfrose
- ;;
- -osf*)
- os=-osf
- ;;
- -utek*)
- os=-bsd
- ;;
- -dynix*)
- os=-bsd
- ;;
- -acis*)
- os=-aos
- ;;
- -atheos*)
- os=-atheos
- ;;
- -386bsd)
- os=-bsd
- ;;
- -ctix* | -uts*)
- os=-sysv
- ;;
- -nova*)
- os=-rtmk-nova
- ;;
- -ns2 )
- os=-nextstep2
- ;;
- -nsk*)
- os=-nsk
- ;;
- # Preserve the version number of sinix5.
- -sinix5.*)
- os=`echo $os | sed -e 's|sinix|sysv|'`
- ;;
- -sinix*)
- os=-sysv4
- ;;
- -triton*)
- os=-sysv3
- ;;
- -oss*)
- os=-sysv3
- ;;
- -svr4)
- os=-sysv4
- ;;
- -svr3)
- os=-sysv3
- ;;
- -sysvr4)
- os=-sysv4
- ;;
- # This must come after -sysvr4.
- -sysv*)
- ;;
- -ose*)
- os=-ose
- ;;
- -es1800*)
- os=-ose
- ;;
- -xenix)
- os=-xenix
- ;;
- -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
- os=-mint
- ;;
- -aros*)
- os=-aros
- ;;
- -kaos*)
- os=-kaos
- ;;
- -none)
- ;;
- *)
- # Get rid of the `-' at the beginning of $os.
- os=`echo $os | sed 's/[^-]*-//'`
- echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
- exit 1
- ;;
-esac
-else
-
-# Here we handle the default operating systems that come with various machines.
-# The value should be what the vendor currently ships out the door with their
-# machine or put another way, the most popular os provided with the machine.
-
-# Note that if you're going to try to match "-MANUFACTURER" here (say,
-# "-sun"), then you have to tell the case statement up towards the top
-# that MANUFACTURER isn't an operating system. Otherwise, code above
-# will signal an error saying that MANUFACTURER isn't an operating
-# system, and we'll never get to this point.
-
-case $basic_machine in
- *-acorn)
- os=-riscix1.2
- ;;
- arm*-rebel)
- os=-linux
- ;;
- arm*-semi)
- os=-aout
- ;;
- # This must come before the *-dec entry.
- pdp10-*)
- os=-tops20
- ;;
- pdp11-*)
- os=-none
- ;;
- *-dec | vax-*)
- os=-ultrix4.2
- ;;
- m68*-apollo)
- os=-domain
- ;;
- i386-sun)
- os=-sunos4.0.2
- ;;
- m68000-sun)
- os=-sunos3
- # This also exists in the configure program, but was not the
- # default.
- # os=-sunos4
- ;;
- m68*-cisco)
- os=-aout
- ;;
- mips*-cisco)
- os=-elf
- ;;
- mips*-*)
- os=-elf
- ;;
- or32-*)
- os=-coff
- ;;
- *-tti) # must be before sparc entry or we get the wrong os.
- os=-sysv3
- ;;
- sparc-* | *-sun)
- os=-sunos4.1.1
- ;;
- *-be)
- os=-beos
- ;;
- *-ibm)
- os=-aix
- ;;
- *-wec)
- os=-proelf
- ;;
- *-winbond)
- os=-proelf
- ;;
- *-oki)
- os=-proelf
- ;;
- *-hp)
- os=-hpux
- ;;
- *-hitachi)
- os=-hiux
- ;;
- i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
- os=-sysv
- ;;
- *-cbm)
- os=-amigaos
- ;;
- *-dg)
- os=-dgux
- ;;
- *-dolphin)
- os=-sysv3
- ;;
- m68k-ccur)
- os=-rtu
- ;;
- m88k-omron*)
- os=-luna
- ;;
- *-next )
- os=-nextstep
- ;;
- *-sequent)
- os=-ptx
- ;;
- *-crds)
- os=-unos
- ;;
- *-ns)
- os=-genix
- ;;
- i370-*)
- os=-mvs
- ;;
- *-next)
- os=-nextstep3
- ;;
- *-gould)
- os=-sysv
- ;;
- *-highlevel)
- os=-bsd
- ;;
- *-encore)
- os=-bsd
- ;;
- *-sgi)
- os=-irix
- ;;
- *-siemens)
- os=-sysv4
- ;;
- *-masscomp)
- os=-rtu
- ;;
- f30[01]-fujitsu | f700-fujitsu)
- os=-uxpv
- ;;
- *-rom68k)
- os=-coff
- ;;
- *-*bug)
- os=-coff
- ;;
- *-apple)
- os=-macos
- ;;
- *-atari*)
- os=-mint
- ;;
- *)
- os=-none
- ;;
-esac
-fi
-
-# Here we handle the case where we know the os, and the CPU type, but not the
-# manufacturer. We pick the logical manufacturer.
-vendor=unknown
-case $basic_machine in
- *-unknown)
- case $os in
- -riscix*)
- vendor=acorn
- ;;
- -sunos*)
- vendor=sun
- ;;
- -aix*)
- vendor=ibm
- ;;
- -beos*)
- vendor=be
- ;;
- -hpux*)
- vendor=hp
- ;;
- -mpeix*)
- vendor=hp
- ;;
- -hiux*)
- vendor=hitachi
- ;;
- -unos*)
- vendor=crds
- ;;
- -dgux*)
- vendor=dg
- ;;
- -luna*)
- vendor=omron
- ;;
- -genix*)
- vendor=ns
- ;;
- -mvs* | -opened*)
- vendor=ibm
- ;;
- -ptx*)
- vendor=sequent
- ;;
- -vxsim* | -vxworks* | -windiss*)
- vendor=wrs
- ;;
- -aux*)
- vendor=apple
- ;;
- -hms*)
- vendor=hitachi
- ;;
- -mpw* | -macos*)
- vendor=apple
- ;;
- -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
- vendor=atari
- ;;
- -vos*)
- vendor=stratus
- ;;
- esac
- basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
- ;;
-esac
-
-echo $basic_machine$os
-exit 0
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
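Review bot: The removal of config.sub is undocumented with respect to its consumers: the script's last step, `echo $basic_machine$os`, is what produced the canonical machine-and-OS name, and the configure.in deleted in the next file consumed it through `AC_CANONICAL_SYSTEM` and `case "$target_os" in`. Please state in the commit message what now supplies the per-OS handling that depended on it (the freebsd, darwin, openbsd, linux, solaris and osf branches), and confirm that no script left in the tree still invokes config.sub.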
diff --git a/configure.in b/configure.in
deleted file mode 100644
index 16c1113a3a..0000000000
--- a/configure.in
+++ /dev/null
@@ -1,964 +0,0 @@
-dnl @(#) $Id: configure.in 6960 2009-12-19 06:22:16Z vern $ (LBL)
-dnl
-dnl Copyright (c) 1997, 1998, 2001, 2002
-dnl The Regents of the University of California. All rights reserved.
-dnl
-dnl Process this file with autoconf to produce a configure script.
-dnl
-
-## broken versioning stuff
-##m4_include([version.m4])
-##AC_INIT([bro], VERSION_NUMBER)
-
-## NOTICE: this sets the version at the autoconf time, not
-## at configure time, so it may be out of date!
-
-## start of changes for different versions of automake/conf
-
-# this will work with automake 1.8.5
-dnl AC_INIT(bro, esyscmd([tr -d '\n' < VERSION]))
-dnl AC_CONFIG_SRCDIR(src/Active.cc)
-dnl AC_CANONICAL_SYSTEM
-dnl AM_INIT_AUTOMAKE
-dnl AC_CONFIG_HEADER(config.h)
-dnl AC_LBL_C_INIT(V_CCOPT, V_INCLS)
-dnl AC_PROG_LEX
-
-## This should work with automake 1.6
-AC_INIT(src/Active.cc)
-AC_CANONICAL_SYSTEM
-#AM_INIT_AUTOMAKE(bro, 0.1.0)
-AM_INIT_AUTOMAKE(bro, esyscmd([tr -d '\n' < VERSION]))
-AM_CONFIG_HEADER(config.h)
-AC_LBL_C_INIT(V_CCOPT, V_INCLS)
-AM_PROG_LEX
-
-## end of changes for versions of automake/conf
-
-dnl Commands for funkier shell output:
-BLD_ON=`./shtool echo -n -e %B`
-BLD_OFF=`./shtool echo -n -e %b`
-
-# We should install everything in /usr/local/bro{bin,lib,policy,etc}
-AC_PREFIX_DEFAULT(/usr/local/bro)
-
-dnl ################################################
-dnl # Checks for programs
-dnl ################################################
-AC_PROG_YACC
-AC_PROG_CXX
-AC_PROG_INSTALL
-AC_PROG_MAKE_SET
-AC_PROG_RANLIB
-AC_CHECK_PROGS(COMPRESS, gzip, compress)
-
-AM_CONDITIONAL(USEV6, false)
-
-AC_ARG_ENABLE(brov6,
- [ --enable-brov6 enable IPV6 processing],
- AC_DEFINE(BROv6,,[enable IPV6 processing])
- AM_CONDITIONAL(USEV6,true))
-AC_ARG_ENABLE(int64,
- [ --enable-int64 enable use of int64 (long long) for integers],
- AC_DEFINE(USE_INT64,1,[enable use of 64-bit integers]))
-AC_ARG_ENABLE(activemapping,
- [ --enable-activemapping enable active mapping processing],
- AC_DEFINE(ACTIVE_MAPPING,,[Enable active mapping processing]))
-AC_ARG_ENABLE(expire-dfa-states,
- [ --enable-expire-dfa-states enable DFA state expiration],
- AC_DEFINE(EXPIRE_DFA_STATES,,[Enable DFA state expiration]))
-
-AC_ARG_ENABLE(debug,
- [ --enable-debug no compiler optimizations],
- debug="yes"
- V_CCOPT="-g -DDEBUG"
- CFLAGS="-DDEBUG `echo $CFLAGS | sed -e 's/-O2//'`"
- CPPFLAGS="-DDEBUG `echo $CPPFLAGS | sed -e 's/-O2//'`"
- CXXFLAGS="-DDEBUG `echo $CXXFLAGS | sed -e 's/-O2//'`",
- debug="no")
-
-AC_ARG_ENABLE(select-loop,
- [ --disable-select-loop disable select-based main loop],
- check_select_loop=no,
- check_select_loop=yes)
-
-AC_ARG_ENABLE(perftools,
- [ --enable-perftools use Google's perftools],
- use_perftools=yes,
- use_perftools=no)
-
-AC_ARG_WITH(openssl,
- [ --with-openssl=PATH path to OpenSSL (needed for SSL analyzer and secure communication)],
- if test "$withval" != "no" -a "$withval" != "NO"; then
- use_openssl=yes
- OPENSSL="$withval"
- LDFLAGS="${LDFLAGS} -L${OPENSSL}/lib "
- V_INCLS="${V_INCLS} -I${OPENSSL}/include"
- CXXFLAGS="${CXXFLAGS} -I${OPENSSL}/include"
- else
- use_openssl=no
- fi
- )
-
-AC_ARG_ENABLE(shippedpcap,
- [ --enable-shippedpcap use the shipped version of libpcap ],
- [ if test "$enableval" = yes; then
- use_shippedpcap=yes
- else
- use_shippedpcap=no
- fi ],
- [ use_shippedpcap=no ])
-
-AC_ARG_WITH(perl, [ --with-perl=PATH path/name of the Perl interpreter],
- PERL=$withval, PERL=${PERL:-})
-
-AC_ARG_WITH(dag,
- [ --with-dag=PATH path to the DAG library (for native support for Endace Tech.'s DAG monitoring cards)],
- if test "$withval" != "no" -a "$withval" != "NO"; then
- use_dag=yes
- DAGPATH="$withval"
- LDFLAGS="${LDFLAGS} -L${DAGPATH}/lib "
- V_INCLS="${V_INCLS} -I${DAGPATH}/include"
- else
- use_dag=no
- fi
- )
-
-AC_ARG_WITH(binpac,
- [ --with-binpac=PATH path to a binpac executable for compiling analyzer code],
- BINPAC="$withval")
-
-AC_ARG_ENABLE(nbdns,
- AC_HELP_STRING([--disable-nbdns], [Disable non-blocking DNS support]),
- nbdns="no", nbdns="yes")
-
-AC_LBL_ENABLE_CHECK([activemapping binpac broccoli brov6 debug \
- expire-dfa-states gtk-doc int64 openssl perftools perl \
- select-loop shippedpcap broctl cluster nbdns])
-
-dnl ################################################
-dnl # OpenSSL
-dnl ################################################
-
-if test "$use_openssl" != "no" -a "$use_openssl" != "NO"; then
- saved_libs="${LIBS}"
- AC_CHECK_LIB(crypto, OPENSSL_add_all_algorithms_conf,
- LIBS="${LDFLAGS} -lcrypto"
- AC_CHECK_LIB(ssl, SSL_new,, AC_MSG_ERROR([Can't find SSL library]))
- LIBS="${LDFLAGS} -lssl"
- use_openssl=yes,
- use_openssl=no
- )
- LIBS="${saved_libs}"
-else
- use_openssl=no
-fi
-
-if test "$use_openssl" != "no"; then
- saved_cflags="${CFLAGS}"
- CFLAGS="${CFLAGS} -I${OPENSSL}/include"
- AC_CHECK_DECL(OPENSSL_add_all_algorithms_conf,,
- use_openssl=no,
- [#include ])
- CFLAGS="${saved_cflags}"
-fi
-
-if test "$use_openssl" = "yes"; then
- # On Red Hat we may need to include Kerberos header.
- # (CHECK_HEADER doesn't work here)
- saved_cflags="${CFLAGS}"
- CFLAGS="${CFLAGS} -I${OPENSSL}/include"
- AC_COMPILE_IFELSE([#include ],,
- CFLAGS="${CFLAGS} -I/usr/kerberos/include"
- AC_CHECK_HEADER(krb5.h,
- V_INCLS="${V_INCLS} -I/usr/kerberos/include"
- AC_DEFINE(NEED_KRB5_H,,[Include krb5.h]),
- use_openssl=no
- AC_MSG_WARN([Can't compile OpenSSL test; disabling OpenSSL.]);
- ,
- [#include
- #include ]
- )
- CFLAGS="${saved_cflags}"
- )
-fi
-
-# Check for version >= 0.9.7
-if test "$use_openssl" = "yes"; then
- saved_libs="${LIBS}"
- LIBS="${LIBS} -lssl -lcrypto"
- AC_MSG_CHECKING([for OpenSSL >= 0.9.7])
- AC_LINK_IFELSE(AC_LANG_PROGRAM([[#include ]], [[OPENSSL_add_all_algorithms_conf();]]),
- AC_MSG_RESULT(yes)
- use_openssl=yes,
- AC_MSG_RESULT(no)
- use_openssl=no)
- LIBS="${saved_libs}"
-fi
-
-AM_CONDITIONAL(USE_OPENSSL, false)
-if test "$use_openssl" = "yes"; then
- AM_CONDITIONAL(USE_OPENSSL, true)
- AC_DEFINE(USE_OPENSSL,,[Use OpenSSL])
- LIBS="${LIBS} -lssl -lcrypto"
-fi
-
-# A test to see whether d2i_X509() uses const for the u_char**
-# argument. Since one cannot just cast a u_char** to a const one
-# (http://parashift.com/c++-faq-lite/const-correctness.html#faq-18.17)
-# we test and then force a u_char** cast only when needed.
-#
-if test "$use_openssl" = "yes"; then
- AC_MSG_CHECKING([whether d2i_X509() uses a const unsigned char**])
- AC_LANG_PUSH([C++])
- AC_COMPILE_IFELSE(
- AC_LANG_PROGRAM([[#include ]],
- [[const unsigned char** cpp = 0;
- X509** x = 0; d2i_X509(x, cpp, 0);]]),
- AC_DEFINE(OPENSSL_D2I_X509_USES_CONST_CHAR,,[d2i_x509 uses const char**])
- AC_MSG_RESULT(yes),
- AC_MSG_RESULT(no))
- AC_LANG_POP([C++])
-fi
-
-# do we use ssl?
-AM_CONDITIONAL(USE_SSL, test "$use_openssl" = "yes")
-
-
-dnl ################################################
-dnl # Check for Perl executable
-dnl ################################################
-if test -n "$PERL"; then
- if echo "$PERL" | grep '^/' >/dev/null; then
- AC_MSG_CHECKING(for $PERL)
- if test -s "$PERL"; then
- AC_MSG_RESULT(yes)
- else
- AC_MSG_RESULT(no)
- PERL='none'
- fi
- else
- find_perl="$PERL"
- PERL=''
- fi
-fi
-
-dnl if there is no perl, go find one!
-if test -z "$PERL"; then
- AC_PATH_PROGS(PERL,perl5 perl,,/usr/local/bin:/opt/local/bin:/usr/bin::.)
-fi
-
-dnl if we still can't find it, warn them
-if test -z "$PERL"; then
- AC_MSG_WARN([Cannot find perl; please use --with-perl=/path/to/perl option.])
-else
- dnl this seems backwards to me .....? but works
- if ${PERL} -e 'exit ($] >= 5.006001)' > /dev/null 2>&1; then
- AC_MSG_WARN([Bad perl version, need perl 5.6.1 or higher.; please use --with-perl=/path/to/perl option.])
- fi
-fi
-
-AC_SUBST(PERL)
-
-dnl ################################################
-dnl # Check for chown binary
-dnl ################################################
-AC_PATH_PROG(CHOWN, chown, ,
- [/usr/sbin:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin])
-AC_SUBST(CHOWN)
-
-dnl ################################################
-dnl # OS-specific hacks and tweaks
-dnl ################################################
-
-AC_LBL_DEVEL(V_CCOPT)
-AM_CONDITIONAL(USE_NMALLOC, false)
-
-dnl Our resolver tests below include an absolute libray location.
-dnl This is its default, it may be changed for some OSs.
-bro_absolute_libresolv="/usr/lib/libresolv.a"
-
-case "$target_os" in
-
-freebsd*)
- # alternate malloc is faster for FreeBSD, but needs more testing
- # need to add way to set this from the command line
- AM_CONDITIONAL(USE_NMALLOC, true)
- ;;
-
-darwin*)
- AC_MSG_CHECKING([if we need to include arpa/nameser_compat.h])
- AC_COMPILE_IFELSE(AC_LANG_PROGRAM([[#include ]], [[HEADER *hdr; int d = NS_IN6ADDRSZ;]]), bro_ns_header_defined=yes, bro_ns_header_defined=no)
- # if the header is found, we don't need compatibility
- if test "x$bro_ns_header_defined" = xyes; then
- AC_MSG_RESULT(no)
- else
- AC_DEFINE(NEED_NAMESER_COMPAT_H,,[Compatibility for Darwin])
- AC_MSG_RESULT(yes)
- fi
- # Support for MacPorts and Fink package-management.
- test -d /opt/local/lib && LDFLAGS="${LDFLAGS} -L/opt/local/lib"
- test -d /sw/lib && LDFLAGS="${LDFLAGS} -L/sw/lib"
- V_INCLS="${V_INCLS} -I/opt/local/include -I/sw/include"
- CXXFLAGS="${CXXFLAGS} -I/opt/local/include -I/sw/include"
- ;;
-
-openbsd*)
- AM_CONDITIONAL(USE_NMALLOC, true)
- AC_DEFINE(HAVE_OPENBSD,,[We are on a OpenBSD system])
- LDFLAGS="${LDFLAGS} -L/usr/local/lib"
- V_INCLS="${V_INCLS} -I/usr/local/include"
- CXXFLAGS="${CXXFLAGS} -I/usr/local/include"
- ;;
-
-linux*)
- V_INCLS="$V_INCLS -I\${top_srcdir}/linux-include"
- AC_DEFINE(HAVE_LINUX,,[We are on a Linux system])
- AC_MSG_CHECKING(Linux kernel version)
- AC_CACHE_VAL(ac_cv_linux_vers,
- ac_cv_linux_vers=`uname -r 2>&1 | \
- sed -n -e '$s/.* //' -e '$s/\..*//p'`)
- AC_MSG_RESULT($ac_cv_linux_vers)
- if test $ac_cv_linux_vers -lt 2 ; then
- AC_MSG_ERROR(version 2 or higher required; see the INSTALL doc for more info)
- fi
- if test "a$build_cpu" = "ax86_64"; then
- bro_absolute_libresolv="/usr/lib64/libresolv.a"
- fi
- ;;
-
-solaris*)
- LIBS="${LIBS} -lnsl -lsocket"
- ;;
-
-osf*)
- dnl Workaround around ip_hl vs. ip_vhl problem in netinet/ip.h
- V_CCOPT="$V_CCOPT -D__STDC__=2"
-esac
-
-dnl ################################################
-dnl # Enable large file support for all platforms.
-dnl # Can be disabled with --disable-largefile
-dnl ################################################
-AC_SYS_LARGEFILE
-
-dnl ################################################
-dnl # Checks for types and header files.
-dnl ################################################
-AC_HEADER_STDC
-AC_LBL_TYPE_SIGNAL
-AC_LBL_CHECK_TYPE(int32_t, int)
-AC_LBL_CHECK_TYPE(u_int32_t, u_int)
-AC_LBL_CHECK_TYPE(u_int16_t, u_short)
-AC_LBL_CHECK_TYPE(u_int8_t, u_char)
-AC_HEADER_TIME
-
-AC_CHECK_HEADERS(memory.h netinet/in.h socket.h getopt.h)
-AC_CHECK_HEADERS(net/ethernet.h netinet/ether.h netinet/if_ether.h sys/ethernet.h,,,
- [#include
- #include
- #include
- #include ])
-
-AC_CHECK_HEADERS(netinet/ip6.h,,,
- [#include
- #include
- #include
- #include ])
-
-AC_DEFUN([AC_C_SOCKLEN_T],
-[AC_CACHE_CHECK(for socklen_t, ac_cv_c_socklen_t,
-[
- AC_TRY_COMPILE([
- #include
- #include
- ],[
- socklen_t foo;
- ],[
- ac_cv_c_socklen_t=yes
- ],[
- ac_cv_c_socklen_t=no
- ])
-])
-if test $ac_cv_c_socklen_t = no; then
- AC_DEFINE(socklen_t, int, [define to int if socklen_t not available])
-fi
-])
-
-AC_C_SOCKLEN_T
-
-AC_BRO_SYSLOG_INT
-AC_BRO_SOCK_DECL
-
-dnl ################################################
-dnl # PCAP stuff.
-dnl ################################################
-
-# ensure we are either YES or NO
-if test "$use_shippedpcap" = "no" ; then
- pcap_local="NO"
- pcapmsg="system-provided"
- AM_CONDITIONAL(USE_LOCALPCAP, false)
-else
- pcap_local="YES"
- pcapmsg="shipped with Bro"
- AM_CONDITIONAL(USE_LOCALPCAP, true)
-fi
-
-# if not using local version, find one on the system
-if test "$pcap_local" = "NO"; then
- AC_LBL_LIBPCAP(V_PCAPDEP, V_INCLS)
- CPPFLAGS="$CPPFLAGS $V_INCLS"
- AC_CHECK_HEADERS(pcap-int.h)
- AC_CHECK_FUNCS(bpf_set_bufsize)
- dnl ################################################
- dnl # Check whether pcap provides pcap_version
- dnl ################################################
- AC_MSG_CHECKING([for pcap_version in libpcap])
- AC_LINK_IFELSE(
- AC_LANG_PROGRAM([extern char pcap_version[];], [puts(pcap_version);]),
- AC_MSG_RESULT(yes)
- AC_DEFINE(PCAP_VERSION_STRING,,[Have a version string in libpcap]),
- AC_MSG_RESULT(no))
- dnl ################################################
- dnl # Check whether linking to pcap works
- dnl ################################################
- AC_CHECK_LIB(pcap, main, , AC_MSG_ERROR([Bro requires pcap - install from aux/ if necessary.]))
-else
- # we have to define the abilites of the local pcap
- # as it hasn't been unpacked/configured/installed
- # yet and we can't query it.
- AC_DEFINE(HAVE_PCAP_INT_H, 1, [Define to 1 if you have the header file.])
- AC_DEFINE(HAVE_BPF_SET_BUFSIZE, 0, [Define to 1 if you have the bpf_set_bufsize function.])
- AC_DEFINE(PCAP_VERSION_STRING, 1, [Have a version string in libpcap])
- AC_DEFINE(HAVE_LIBPCAP, 1, [Define to 1 if you have the pcap library (-lpcap).])
-fi
-
-dnl AC_CHECK_HEADERS(pcap-int.h)
-dnl AC_CHECK_FUNCS(bpf_set_bufsize)
-
-dnl ################################################
-dnl # STL compatibility tests.
-dnl ################################################
-
-dnl # Whether basic_string<> requires additional
-dnl # definitions for char_traits. In that case, we
-dnl # fall back to vector.
-dnl #
-AC_MSG_CHECKING([if char_traits defines all methods])
-AC_LANG_PUSH([C++])
-AC_LINK_IFELSE(
- AC_LANG_PROGRAM([[
-#include
-using namespace std;
-class Foo { };
-]], [[
-char_traits foo;
-Foo f;
-Foo *fp;
-foo.assign(&fp, 10, &f);]]),
- AC_MSG_RESULT([yes])
- basic_string_works=yes,
- AC_MSG_RESULT([no])
- basic_string_works=no
- AC_DEFINE(BASIC_STRING_BROKEN,,[basic_string not usable with non-char template arg]))
-AC_LANG_POP([C++])
-
-dnl ################################################
-dnl # Include the Broccoli tree in aux/broccoli in
-dnl # the setup, unless specifically disabled.
-dnl ################################################
-AC_ARG_ENABLE(broccoli,
- AC_HELP_STRING([--disable-broccoli], [Do not build/package Broccoli]),
- broccoli="no", broccoli="yes")
-
-AM_CONDITIONAL(USE_BROCCOLI, test "x$broccoli" = xyes)
-if test "x$broccoli" = xyes; then
- AC_CONFIG_SUBDIRS(aux/broccoli)
-fi
-
-dnl ################################################
-dnl # Include the broctl tree in aux/broctl into
-dnl # the setup, unless specifically disabled.
-dnl # Per default, we configure it in standalone mode;
-dnl # if --enable-cluster is given, we switch to
-dnl # cluster mode.
-dnl ################################################
-AC_ARG_ENABLE(broctl,
- AC_HELP_STRING([--disable-broctl], [Do not build/package broctl framework]),
- broctl=$enableval, broctl="yes")
-
-AC_ARG_ENABLE(cluster,
- AC_HELP_STRING([--enable-cluster], [Configure broctl for cluster usage]),
- cluster=$enableval, cluster="no")
-
-dnl ################################################
-dnl # Include the Binpac tree in aux/binpac in the
-dnl # build, unless the user selected another binpac
-dnl # via --with-binpac=.
-dnl ################################################
-if test "$BINPAC" = ""; then
- AC_CONFIG_SUBDIRS(aux/binpac)
- BINPAC="\${top_builddir}/aux/binpac/src/binpac"
- binpacmsg="shipped with Bro"
-else # Check (somewhat) whether the binpac given is valid
- AC_MSG_CHECKING([whether given binpac is executable])
- if test -x "$BINPAC"; then
- AC_MSG_RESULT(yes)
- else
- AC_MSG_RESULT(no)
- echo "Please check whether $BINPAC is correct."
- exit 1
- fi
- binpacmsg="$BINPAC"
-fi
-
-AC_SUBST(BINPAC)
-
-dnl ################################################
-dnl # DNS resolver checks.
-dnl ################################################
-dnl
-dnl Check whether our arpa/nameser.h provides type ns_msg.
-dnl If not, we disable nonblocking DNS lookups.
-dnl We assume worst case first and improve on it below.
-AM_CONDITIONAL(USE_NBDNS, false)
-
-dnl Add potential header locations to path
-if test -d /usr/local/include/bind; then
- CFLAGS="$CFLAGS -I/usr/local/include/bind"
-fi
-
-AC_CHECK_TYPE(ns_msg, bro_check_nb_dns=yes, bro_check_nb_dns=no, [#include ])
-
-if test $bro_check_nb_dns = no; then
- AC_MSG_NOTICE([Nonblocking DNS disabled.])
- use_nb_dns=no
-else
- dnl We will check for ns_initparse and res_mkquery using a number
- dnl of resolver library variations, a list of which we build up now.
- bro_resolver_options="none -lresolv ${bro_absolute_libresolv} -lbind"
-
- save_cflags="$CFLAGS"
- save_ldflags="$LDFLAGS"
- save_libs="$LIBS"
-
- dnl Okay now try to link both symbols with each of the resolver
- dnl location variants. As soon as one works, we're happy.
- for res in $bro_resolver_options; do
-
- AC_MSG_CHECKING([for ns_inittab/res_mkquery with resolver '$res'])
-
- dnl "none" just means "try without any additional flags".
- if test "$res" = "none"; then
- res=""
- fi
-
- CFLAGS="${save_cflags}"
- LDFLAGS="${save_ldflags}"
- LIBS="${save_libs} $res"
-
- dnl In the generic -lbind case, we check for the existence
- dnl of a number of directories and add them to the relevant
- dnl paths.
- dnl
- if test "$res" = "-lbind"; then
- if test -d /usr/local/bind/lib; then
- LDFLAGS="$LDFLAGS -L/usr/local/bind/lib"
- fi
-
- if test -d /usr/local/lib; then
- LDFLAGS="$LDFLAGS -L/usr/local/lib"
- fi
- fi
-
- bro_ns_initparse_works=no
- bro_res_mkquery_works=no
-
- AC_LINK_IFELSE(AC_LANG_PROGRAM([[#include ]],
- [[ns_initparse(0,0,0);]]),
- bro_ns_initparse_works=yes)
-
- AC_LINK_IFELSE(AC_LANG_PROGRAM([[
-#include
-#include
-#include
-#include
-#include ]],
-[[int (*p)() = res_mkquery]]), bro_res_mkquery_works=yes)
-
- if test $bro_ns_initparse_works = yes && test $bro_res_mkquery_works = yes && test $nbdns = yes; then
- AC_MSG_RESULT(yes)
- AC_MSG_NOTICE([Nonblocking DNS enabled.])
-
- dnl Make sure that nb_dns.o is linked in.
- NBDNS="nb_dns.o"
- AC_SUBST(NBDNS)
-
- AM_CONDITIONAL(USE_NBDNS, true)
- AC_DEFINE(HAVE_NB_DNS,,[async dns support])
- use_nb_dns=yes
- break
- else
- AC_MSG_RESULT(no)
- fi
- done
-
- if test "x$NBDNS" != "xnb_dns.o"; then
- AC_MSG_NOTICE([Nonblocking DNS disabled.])
- use_nb_dns=no
- CFLAGS="${save_cflags}"
- LDFLAGS="${save_ldflags}"
- LIBS="${save_libs}"
- fi
-fi
-
-dnl ################################################
-dnl # Checks for library functions.
-dnl ################################################
-
-AC_FUNC_MEMCMP
-AC_FUNC_STRFTIME
-AC_CHECK_FUNCS(strerror strsep strcasestr mallinfo getopt_long)
-AC_SEARCH_LIBS(inet_aton, resolv)
-
-# We use deflatePrime() to make sure that zlib is recent enough.
-AC_CHECK_LIB(z, deflatePrime)
-
-# Libmagic
-have_libmagic=yes
-AC_CHECK_HEADERS([magic.h],,have_libmagic=no)
-AC_CHECK_LIB(magic,magic_open,,have_libmagic=no)
-
-# Libclamav
-# have_libclamav=yes
-# AC_CHECK_HEADERS([clamav.h],,have_libclamav=no)
-# AC_CHECK_LIB(clamav,cl_retdbdir,,have_libclamav=no)
-
-# Libclamav is broken because of changed API.
-have_libclamav=no
-
-if test "$have_libclamav" = "yes"; then
- AC_DEFINE(USE_LIBCLAMAV,,[Use libclamav])
-fi
-
-# LibGeoIP
-have_libgeoip=yes
-AC_CHECK_HEADERS([GeoIPCity.h],,have_libgeoip=no)
-if test "$have_libgeoip" = "yes"; then
- AC_CHECK_LIB(GeoIP,GeoIP_open_type,,have_libgeoip=no)
-fi
-if test "$have_libgeoip" = "yes"; then
- AC_DEFINE(USE_GEOIP,,[GeoIP geographic lookup functionality])
-fi
-
-dnl ################################################
-dnl # Terminal library support
-dnl ################################################
-
-bro_have_termlibrary=no
-
-dnl 1) Check if termcap is available
-AC_CHECK_LIB(termcap, tgetnum,
- [AC_CHECK_HEADERS([termcap.h term.h],
- LIBS="${LIBS} -ltermcap"
- bro_have_termlibrary=yes)])
-
-dnl 2) Check if curses is available instaed
-if test "$bro_have_termlibrary" = no; then
- AC_CHECK_LIB(curses, tgetnum,
- [AC_CHECK_HEADERS([curses.h term.h],
- LIBS="${LIBS} -lcurses"
- bro_have_termlibrary=yes)])
-fi
-
-dnl 3) Check for ncurses as a final resort
-if test "$bro_have_termlibrary" = no; then
- AC_CHECK_LIB(ncurses, tgetnum,
- [AC_CHECK_HEADERS([ncurses.h curses.h term.h],
- LIBS="${LIBS} -lncurses"
- bro_have_termlibrary=yes)])
-fi
-
-if test "$bro_have_termlibrary" != yes; then
- AC_MSG_RESULT(no)
- AC_MSG_ERROR([No terminal emulation library found! Consider installing termcap, curses, or ncurses.])
-else
- AC_MSG_RESULT(yes)
-fi
-
-dnl Check whether we have readline and history libraries
-AC_CHECK_HEADER([readline/readline.h], bro_readline=yes)
-AC_CHECK_HEADER([readline/history.h], bro_history=yes)
-AC_CHECK_LIB(readline, using_history,, bro_libreadline=no)
-
-if test "$bro_history" = yes; then
- AC_CHECK_MEMBER([HISTORY_STATE.entries],
- [bro_history_entries=yes], [],
- [#include
- #include ])
-fi
-
-if test "$bro_readline" = yes -a \
- "$bro_history" = yes -a \
- "$bro_libreadline" != no -a \
- "$bro_history_entries" = yes; then
- AC_DEFINE(HAVE_READLINE,1,[line editing & history powers])
-fi
-
-AC_C_BIGENDIAN(
- AC_DEFINE(WORDS_BIGENDIAN,1,[whether words are stored with the most significant byte first])
- dnl This is intentionally named differently so as to not collide with WORDS_BIGENDIAN
- HOST_BIGENDIAN="#define HOST_BIGENDIAN 1"
- AC_SUBST(HOST_BIGENDIAN))
-
-AC_CHECK_TYPES([union semun, struct sembuf],[],[],
-[#include
-#include
-])
-
-# see if we have sin_len
-AC_CHECK_MEMBER(struct sockaddr_in.sin_len,
- [AC_DEFINE(SIN_LEN,,[have sin_len field in sockaddr_in])],,
- [
-#if HAVE_SYS_TYPES_H
-# include
-#endif
-#if HAVE_SYS_SOCKET_H
-# include
-#endif
-#if HAVE_NETINET_IN_H
-# include
-#endif
-])
-
-AC_CHECK_SIZEOF(long long)
-AC_CHECK_SIZEOF(long int)
-AC_CHECK_SIZEOF(void *)
-
-# Per default we do not use the select-based main loop. We activate it only if
-# (i) the user requests it
-# (ii) we know the OS to support selectable pcap fds
-use_select_loop=no
-
-if test $check_select_loop = yes; then
- case "$target_os" in
-
- linux*)
- # Linux should support selectable at least since 2.2 (not sure
- # about earlier versions)
- AC_MSG_CHECKING(Linux kernel version support selectable fds)
- AC_CACHE_VAL(ac_cv_linux_major_vers,
- ac_cv_linux_major_vers=`uname -r 2>&1 | \
- sed 's/-.*$//g' | awk -v FS='.' '{print $1}'`)
- AC_CACHE_VAL(ac_cv_linux_minor_vers,
- ac_cv_linux_minor_vers=`uname -r 2>&1 | \
- sed 's/-.*$//g' | awk -v FS='.' '{print $2}'`)
-
- linux_version=`expr $ac_cv_linux_major_vers '*' 10 '+' $ac_cv_linux_minor_vers`
- if test $linux_version -gt 21; then
- use_select_loop=yes
- AC_MSG_RESULT($ac_cv_linux_major_vers.$ac_cv_linux_minor_vers is ok)
- else
- AC_MSG_RESULT($ac_cv_linux_major_vers.$ac_cv_linux_minor_vers is too old)
- fi
- ;;
-
- freebsd*)
- # FreeBSD supports selectable fds correctly since 4.6.
- AC_MSG_CHECKING(FreeBSD kernel version support selectable fds)
- AC_CACHE_VAL(ac_cv_freebsd_major_vers,
- ac_cv_freebsd_major_vers=`uname -r 2>&1 | \
- sed 's/-.*$//g' | awk -v FS='.' '{print $1}'`)
- AC_CACHE_VAL(ac_cv_freebsd_minor_vers,
- ac_cv_freebsd_minor_vers=`uname -r 2>&1 | \
- sed 's/-.*$//g' | awk -v FS='.' '{print $2}'`)
-
- freebsd_version=`expr $ac_cv_freebsd_major_vers '*' 10 '+' $ac_cv_freebsd_minor_vers`
- if test $freebsd_version -gt 45; then
- use_select_loop=yes
- AC_MSG_RESULT($ac_cv_freebsd_major_vers.$ac_cv_freebsd_minor_vers is ok)
- else
- AC_MSG_RESULT($ac_cv_freebsd_major_vers X $ac_cv_freebsd_minor_vers is too old)
- fi
- ;;
-
- esac
-fi
-
-if test "$use_select_loop" = "yes"; then
- AC_DEFINE(USE_SELECT_LOOP,,[Use select-based main loop])
-fi
-
-dnl ################################################
-dnl # Endace DAG support
-dnl ################################################
-
-if test "$use_dag" != "no" -a "$use_dag" != "NO"; then
- AC_CHECK_LIB(dag, dag_open, use_dag=yes, use_dag=no)
- AC_CHECK_HEADER(pcap.h,,use_dag=no)
-
- if test "$use_dag" = "yes"; then
- AC_DEFINE(USE_DAG,,[Include Endace DAG support])
- LIBS="${LIBS} -ldag"
- AC_SUBST(WANT_DAG_OBJ, "\$(DAG_OBJ)")
- else
- AC_SUBST(WANT_DAG_OBJ, "")
- fi
-else
- use_dag=no
-fi
-
-dnl ################################################
-dnl # If configured with --enable-perftools, look for
-dnl # Google's perftools to do heap checking.
-dnl ################################################
-
-if test "$use_perftools" != "no" -a "$use_perftools" != "NO"; then
- AC_LANG_PUSH(C++)
- saved_libs="${LIBS}"
- LIBS="${LIBS} -ltcmalloc -lpthread"
- AC_TRY_LINK([#include ],
- [HeapLeakChecker heap_checker("test");],
- [use_perftools="yes"],[use_perftools="no"])
- LIBS="${saved_libs}"
- AC_LANG_POP([C++])
-
- if test "$use_perftools" = "yes"; then
- AC_DEFINE(USE_PERFTOOLS,,[Use Google's perftools])
- LIBS="${LIBS} -ltcmalloc -lpthread"
- fi
-fi
-
-###############################
-# Configure broctl.
-###############################
-
-# Need Python >= 2.4.
-have_python=no
-AC_PATH_TOOL(pybin, python, "")
-if test "x$pybin" != x -a "x$broctl" = xyes; then
- AC_MSG_CHECKING([for Python >= 2.4])
- AC_CACHE_VAL(ac_cv_python_major_vers,
- ac_cv_python_major_vers=`python -V 2>&1 | \
- sed 's/^Python //g' | awk -v FS='.' '{print $1}'`)
- AC_CACHE_VAL(ac_cv_python_minor_vers,
- ac_cv_python_minor_vers=`python -V 2>&1 | \
- sed 's/^Python //g' | awk -v FS='.' '{print $2}'`)
-
- pyversion=`expr $ac_cv_python_major_vers '*' 10 '+' $ac_cv_python_minor_vers`
- if test $pyversion -ge 24; then
- AC_MSG_RESULT([yes])
- have_python=yes
- fi
-
- AC_CHECK_PROG(have_python, python-config, $have_python, no)
-
- if test "x$have_python" != xyes; then
- AC_MSG_RESULT([no, disabling broctl])
- fi
-fi
-
-if test "x$have_python" != xyes; then
- broctl=no
-fi
-
-AM_CONDITIONAL(USE_BROCTL, test "x$broctl" = xyes)
-
-if test "x$broctl" = xyes; then
- if test "x$cluster" = xno; then
- standalone="--standalone"
- fi
- echo "=== configuring in aux/broctl"
-
- test -d aux || mkdir aux
- test -d aux/broctl || mkdir aux/broctl
-
- ${srcdir}/aux/broctl/configure --prefix=${prefix} --builddir=`pwd`/aux/broctl --brodist=${srcdir} ${standalone}
-
- AC_CONFIG_SUBDIRS([aux/broctl/aux/capstats])
-fi
-
-if test "$use_xqilla" = "yes"; then
- LIBS="${LIBS} -lxqilla"
-fi
-
-# grab the hostname
-BROHOST=`hostname 2>/dev/null` || `uname -n 2>/dev/null`
-AC_SUBST(BROHOST)
-
-dnl Setup pcap path just before creating files, this way tests won't fail
-dnl with 'can't find libpcap' when we use the local pcap which hasn't
-dnl been unpacked yet
-
-if test "$pcap_local" = "YES"; then
- LIBS="-L\${top_srcdir}/aux/libpcap-0.9.8 -lpcap $LIBS"
- V_INCLS="$V_INCLS -I\${top_builddir}/aux/libpcap-0.9.8"
-fi
-
-AC_SUBST(V_CCOPT)
-AC_SUBST(V_INCLS)
-AC_SUBST(LDFLAGS)
-
-
-dnl AC_SUBST(V_PCAPDEP) dnl (libpcap dependancies -- not used)
-AC_OUTPUT([Makefile
- src/Makefile
- doc/Makefile
- doc/ref-manual/Makefile
- doc/quick-start/Makefile
- doc/user-manual/Makefile
- aux/adtrace/Makefile
- aux/cf/Makefile
- aux/hf/Makefile
- aux/nftools/Makefile
- aux/scripts/Makefile
- aux/bdcat/Makefile
- aux/rst/Makefile
- aux/Makefile
- policy/Makefile
- policy/sigs/Makefile
- policy/time-machine/Makefile
- scripts/Makefile
- scripts/bro_config
- scripts/bro.rc
- scripts/localnetMAC.pl
- scripts/s2b/Makefile
- scripts/s2b/bro-include/Makefile
- scripts/s2b/example_bro_files/Makefile
- scripts/s2b/etc/Makefile
- scripts/s2b/bin/Makefile
- scripts/s2b/pm/Makefile
- scripts/s2b/snort_rules2.2/Makefile
- ],
- [chmod +x scripts/bro_config
- chmod +x scripts/localnetMAC.pl]
- )
-
-if test "$use_openssl" != "yes"; then
- OPENSSL=""
-#else
-# AC_OUTPUT(aux/bdcat/Makefile)
-fi
-
-echo
-echo " "${BLD_ON}"Bro Configuration Summary"${BLD_OFF}
-echo "=========================================================="
-echo
-echo " - Debugging enabled: "${BLD_ON}$debug${BLD_OFF}
-echo " - OpenSSL support: "${BLD_ON}$use_openssl $OPENSSL${BLD_OFF}
-echo " - Non-blocking main loop: "${BLD_ON}$use_select_loop${BLD_OFF}
-echo " - Non-blocking resolver: "${BLD_ON}$use_nb_dns${BLD_OFF}
-echo " - Installation prefix: "${BLD_ON}$prefix${BLD_OFF}
-echo " - Perl interpreter: "${BLD_ON}$PERL${BLD_OFF}
-echo " - Using basic_string: "${BLD_ON}$basic_string_works${BLD_OFF}
-echo " - Using libmagic: "${BLD_ON}$have_libmagic${BLD_OFF}
-# echo " - Using libclamav: "${BLD_ON}$have_libclamav${BLD_OFF}
-echo " - Using perftools: "${BLD_ON}$use_perftools${BLD_OFF}
-echo " - Binpac used: "${BLD_ON}$binpacmsg${BLD_OFF}
-echo " - Using libGeoIP: "${BLD_ON}$have_libgeoip${BLD_OFF}
-echo " - Enabled broctl: "${BLD_ON}$broctl${BLD_OFF}
-echo " - Enabled cluster: "${BLD_ON}$cluster${BLD_OFF}
-echo " - Pcap used: "${BLD_ON}$pcapmsg${BLD_OFF}
-echo
-exit 0
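Review bot: Several of the probes removed here are buggy and should not be ported verbatim into whatever replaces this script. The BROHOST assignment near the end uses '|| `uname -n 2>/dev/null`' as its fallback, which runs the output of uname as a command instead of assigning it. The non-blocking DNS loop tests '$nbdns' unquoted, so the test is malformed when that variable is empty. The Python version probe calls plain 'python -V' even though AC_PATH_TOOL has just stored the located interpreter in pybin. Separately, the zlib probe (AC_CHECK_LIB(z, deflatePrime)) is commented as the check that zlib is recent enough; confirm the replacement build system keeps an equivalent minimum-version check, since none is visible in this part of the diff.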
diff --git a/depcomp b/depcomp
deleted file mode 100755
index 25bdb18892..0000000000
--- a/depcomp
+++ /dev/null
@@ -1,526 +0,0 @@
-#! /bin/sh
-# depcomp - compile a program generating dependencies as side-effects
-
-scriptversion=2004-04-25.13
-
-# Copyright (C) 1999, 2000, 2003, 2004 Free Software Foundation, Inc.
-
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2, or (at your option)
-# any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-# 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Originally written by Alexandre Oliva .
-
-case $1 in
- '')
- echo "$0: No command. Try \`$0 --help' for more information." 1>&2
- exit 1;
- ;;
- -h | --h*)
- cat <<\EOF
-Usage: depcomp [--help] [--version] PROGRAM [ARGS]
-
-Run PROGRAMS ARGS to compile a file, generating dependencies
-as side-effects.
-
-Environment variables:
- depmode Dependency tracking mode.
- source Source file read by `PROGRAMS ARGS'.
- object Object file output by `PROGRAMS ARGS'.
- depfile Dependency file to output.
- tmpdepfile Temporary file to use when outputing dependencies.
- libtool Whether libtool is used (yes/no).
-
-Report bugs to .
-EOF
- exit 0
- ;;
- -v | --v*)
- echo "depcomp $scriptversion"
- exit 0
- ;;
-esac
-
-if test -z "$depmode" || test -z "$source" || test -z "$object"; then
- echo "depcomp: Variables source, object and depmode must be set" 1>&2
- exit 1
-fi
-# `libtool' can also be set to `yes' or `no'.
-
-if test -z "$depfile"; then
- base=`echo "$object" | sed -e 's,^.*/,,' -e 's,\.\([^.]*\)$,.P\1,'`
- dir=`echo "$object" | sed 's,/.*$,/,'`
- if test "$dir" = "$object"; then
- dir=
- fi
- # FIXME: should be _deps on DOS.
- depfile="$dir.deps/$base"
-fi
-
-tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
-
-rm -f "$tmpdepfile"
-
-# Some modes work just like other modes, but use different flags. We
-# parameterize here, but still list the modes in the big case below,
-# to make depend.m4 easier to write. Note that we *cannot* use a case
-# here, because this file can only contain one case statement.
-if test "$depmode" = hp; then
- # HP compiler uses -M and no extra arg.
- gccflag=-M
- depmode=gcc
-fi
-
-if test "$depmode" = dashXmstdout; then
- # This is just like dashmstdout with a different argument.
- dashmflag=-xM
- depmode=dashmstdout
-fi
-
-case "$depmode" in
-gcc3)
-## gcc 3 implements dependency tracking that does exactly what
-## we want. Yay! Note: for some reason libtool 1.4 doesn't like
-## it if -MD -MP comes after the -MF stuff. Hmm.
- "$@" -MT "$object" -MD -MP -MF "$tmpdepfile"
- stat=$?
- if test $stat -eq 0; then :
- else
- rm -f "$tmpdepfile"
- exit $stat
- fi
- mv "$tmpdepfile" "$depfile"
- ;;
-
-gcc)
-## There are various ways to get dependency output from gcc. Here's
-## why we pick this rather obscure method:
-## - Don't want to use -MD because we'd like the dependencies to end
-## up in a subdir. Having to rename by hand is ugly.
-## (We might end up doing this anyway to support other compilers.)
-## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
-## -MM, not -M (despite what the docs say).
-## - Using -M directly means running the compiler twice (even worse
-## than renaming).
- if test -z "$gccflag"; then
- gccflag=-MD,
- fi
- "$@" -Wp,"$gccflag$tmpdepfile"
- stat=$?
- if test $stat -eq 0; then :
- else
- rm -f "$tmpdepfile"
- exit $stat
- fi
- rm -f "$depfile"
- echo "$object : \\" > "$depfile"
- alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
-## The second -e expression handles DOS-style file names with drive letters.
- sed -e 's/^[^:]*: / /' \
- -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
-## This next piece of magic avoids the `deleted header file' problem.
-## The problem is that when a header file which appears in a .P file
-## is deleted, the dependency causes make to die (because there is
-## typically no way to rebuild the header). We avoid this by adding
-## dummy dependencies for each header file. Too bad gcc doesn't do
-## this for us directly.
- tr ' ' '
-' < "$tmpdepfile" |
-## Some versions of gcc put a space before the `:'. On the theory
-## that the space means something, we add a space to the output as
-## well.
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly. Breaking it into two sed invocations is a workaround.
- sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
- rm -f "$tmpdepfile"
- ;;
-
-hp)
- # This case exists only to let depend.m4 do its work. It works by
- # looking at the text of this script. This case will never be run,
- # since it is checked for above.
- exit 1
- ;;
-
-sgi)
- if test "$libtool" = yes; then
- "$@" "-Wp,-MDupdate,$tmpdepfile"
- else
- "$@" -MDupdate "$tmpdepfile"
- fi
- stat=$?
- if test $stat -eq 0; then :
- else
- rm -f "$tmpdepfile"
- exit $stat
- fi
- rm -f "$depfile"
-
- if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
- echo "$object : \\" > "$depfile"
-
- # Clip off the initial element (the dependent). Don't try to be
- # clever and replace this with sed code, as IRIX sed won't handle
- # lines with more than a fixed number of characters (4096 in
- # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
- # the IRIX cc adds comments like `#:fec' to the end of the
- # dependency line.
- tr ' ' '
-' < "$tmpdepfile" \
- | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
- tr '
-' ' ' >> $depfile
- echo >> $depfile
-
- # The second pass generates a dummy entry for each header file.
- tr ' ' '
-' < "$tmpdepfile" \
- | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
- >> $depfile
- else
- # The sourcefile does not contain any dependencies, so just
- # store a dummy comment line, to avoid errors with the Makefile
- # "include basename.Plo" scheme.
- echo "#dummy" > "$depfile"
- fi
- rm -f "$tmpdepfile"
- ;;
-
-aix)
- # The C for AIX Compiler uses -M and outputs the dependencies
- # in a .u file. In older versions, this file always lives in the
- # current directory. Also, the AIX compiler puts `$object:' at the
- # start of each line; $object doesn't have directory information.
- # Version 6 uses the directory in both cases.
- stripped=`echo "$object" | sed 's/\(.*\)\..*$/\1/'`
- tmpdepfile="$stripped.u"
- if test "$libtool" = yes; then
- "$@" -Wc,-M
- else
- "$@" -M
- fi
- stat=$?
-
- if test -f "$tmpdepfile"; then :
- else
- stripped=`echo "$stripped" | sed 's,^.*/,,'`
- tmpdepfile="$stripped.u"
- fi
-
- if test $stat -eq 0; then :
- else
- rm -f "$tmpdepfile"
- exit $stat
- fi
-
- if test -f "$tmpdepfile"; then
- outname="$stripped.o"
- # Each line is of the form `foo.o: dependent.h'.
- # Do two passes, one to just change these to
- # `$object: dependent.h' and one to simply `dependent.h:'.
- sed -e "s,^$outname:,$object :," < "$tmpdepfile" > "$depfile"
- sed -e "s,^$outname: \(.*\)$,\1:," < "$tmpdepfile" >> "$depfile"
- else
- # The sourcefile does not contain any dependencies, so just
- # store a dummy comment line, to avoid errors with the Makefile
- # "include basename.Plo" scheme.
- echo "#dummy" > "$depfile"
- fi
- rm -f "$tmpdepfile"
- ;;
-
-icc)
- # Intel's C compiler understands `-MD -MF file'. However on
- # icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
- # ICC 7.0 will fill foo.d with something like
- # foo.o: sub/foo.c
- # foo.o: sub/foo.h
- # which is wrong. We want:
- # sub/foo.o: sub/foo.c
- # sub/foo.o: sub/foo.h
- # sub/foo.c:
- # sub/foo.h:
- # ICC 7.1 will output
- # foo.o: sub/foo.c sub/foo.h
- # and will wrap long lines using \ :
- # foo.o: sub/foo.c ... \
- # sub/foo.h ... \
- # ...
-
- "$@" -MD -MF "$tmpdepfile"
- stat=$?
- if test $stat -eq 0; then :
- else
- rm -f "$tmpdepfile"
- exit $stat
- fi
- rm -f "$depfile"
- # Each line is of the form `foo.o: dependent.h',
- # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
- # Do two passes, one to just change these to
- # `$object: dependent.h' and one to simply `dependent.h:'.
- sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
- # Some versions of the HPUX 10.20 sed can't process this invocation
- # correctly. Breaking it into two sed invocations is a workaround.
- sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
- sed -e 's/$/ :/' >> "$depfile"
- rm -f "$tmpdepfile"
- ;;
-
-tru64)
- # The Tru64 compiler uses -MD to generate dependencies as a side
- # effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
- # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
- # dependencies in `foo.d' instead, so we check for that too.
- # Subdirectories are respected.
- dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
- test "x$dir" = "x$object" && dir=
- base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
-
- if test "$libtool" = yes; then
- # Dependencies are output in .lo.d with libtool 1.4.
- # They are output in .o.d with libtool 1.5.
- tmpdepfile1="$dir.libs/$base.lo.d"
- tmpdepfile2="$dir.libs/$base.o.d"
- tmpdepfile3="$dir.libs/$base.d"
- "$@" -Wc,-MD
- else
- tmpdepfile1="$dir$base.o.d"
- tmpdepfile2="$dir$base.d"
- tmpdepfile3="$dir$base.d"
- "$@" -MD
- fi
-
- stat=$?
- if test $stat -eq 0; then :
- else
- rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
- exit $stat
- fi
-
- if test -f "$tmpdepfile1"; then
- tmpdepfile="$tmpdepfile1"
- elif test -f "$tmpdepfile2"; then
- tmpdepfile="$tmpdepfile2"
- else
- tmpdepfile="$tmpdepfile3"
- fi
- if test -f "$tmpdepfile"; then
- sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
- # That's a tab and a space in the [].
- sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
- else
- echo "#dummy" > "$depfile"
- fi
- rm -f "$tmpdepfile"
- ;;
-
-#nosideeffect)
- # This comment above is used by automake to tell side-effect
- # dependency tracking mechanisms from slower ones.
-
-dashmstdout)
- # Important note: in order to support this mode, a compiler *must*
- # always write the preprocessed file to stdout, regardless of -o.
- "$@" || exit $?
-
- # Remove the call to Libtool.
- if test "$libtool" = yes; then
- while test $1 != '--mode=compile'; do
- shift
- done
- shift
- fi
-
- # Remove `-o $object'.
- IFS=" "
- for arg
- do
- case $arg in
- -o)
- shift
- ;;
- $object)
- shift
- ;;
- *)
- set fnord "$@" "$arg"
- shift # fnord
- shift # $arg
- ;;
- esac
- done
-
- test -z "$dashmflag" && dashmflag=-M
- # Require at least two characters before searching for `:'
- # in the target name. This is to cope with DOS-style filenames:
- # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
- "$@" $dashmflag |
- sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
- rm -f "$depfile"
- cat < "$tmpdepfile" > "$depfile"
- tr ' ' '
-' < "$tmpdepfile" | \
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly. Breaking it into two sed invocations is a workaround.
- sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
- rm -f "$tmpdepfile"
- ;;
-
-dashXmstdout)
- # This case only exists to satisfy depend.m4. It is never actually
- # run, as this mode is specially recognized in the preamble.
- exit 1
- ;;
-
-makedepend)
- "$@" || exit $?
- # Remove any Libtool call
- if test "$libtool" = yes; then
- while test $1 != '--mode=compile'; do
- shift
- done
- shift
- fi
- # X makedepend
- shift
- cleared=no
- for arg in "$@"; do
- case $cleared in
- no)
- set ""; shift
- cleared=yes ;;
- esac
- case "$arg" in
- -D*|-I*)
- set fnord "$@" "$arg"; shift ;;
- # Strip any option that makedepend may not understand. Remove
- # the object too, otherwise makedepend will parse it as a source file.
- -*|$object)
- ;;
- *)
- set fnord "$@" "$arg"; shift ;;
- esac
- done
- obj_suffix="`echo $object | sed 's/^.*\././'`"
- touch "$tmpdepfile"
- ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
- rm -f "$depfile"
- cat < "$tmpdepfile" > "$depfile"
- sed '1,2d' "$tmpdepfile" | tr ' ' '
-' | \
-## Some versions of the HPUX 10.20 sed can't process this invocation
-## correctly. Breaking it into two sed invocations is a workaround.
- sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
- rm -f "$tmpdepfile" "$tmpdepfile".bak
- ;;
-
-cpp)
- # Important note: in order to support this mode, a compiler *must*
- # always write the preprocessed file to stdout.
- "$@" || exit $?
-
- # Remove the call to Libtool.
- if test "$libtool" = yes; then
- while test $1 != '--mode=compile'; do
- shift
- done
- shift
- fi
-
- # Remove `-o $object'.
- IFS=" "
- for arg
- do
- case $arg in
- -o)
- shift
- ;;
- $object)
- shift
- ;;
- *)
- set fnord "$@" "$arg"
- shift # fnord
- shift # $arg
- ;;
- esac
- done
-
- "$@" -E |
- sed -n '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
- sed '$ s: \\$::' > "$tmpdepfile"
- rm -f "$depfile"
- echo "$object : \\" > "$depfile"
- cat < "$tmpdepfile" >> "$depfile"
- sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
- rm -f "$tmpdepfile"
- ;;
-
-msvisualcpp)
- # Important note: in order to support this mode, a compiler *must*
- # always write the preprocessed file to stdout, regardless of -o,
- # because we must use -o when running libtool.
- "$@" || exit $?
- IFS=" "
- for arg
- do
- case "$arg" in
- "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
- set fnord "$@"
- shift
- shift
- ;;
- *)
- set fnord "$@" "$arg"
- shift
- shift
- ;;
- esac
- done
- "$@" -E |
- sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
- rm -f "$depfile"
- echo "$object : \\" > "$depfile"
- . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
- echo " " >> "$depfile"
- . "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
- rm -f "$tmpdepfile"
- ;;
-
-none)
- exec "$@"
- ;;
-
-*)
- echo "Unknown depmode $depmode" 1>&2
- exit 1
- ;;
-esac
-
-exit 0
-
-# Local Variables:
-# mode: shell-script
-# sh-indentation: 2
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "scriptversion="
-# time-stamp-format: "%:y-%02m-%02d.%02H"
-# time-stamp-end: "$"
-# End:
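Review bot: Removing depcomp is only safe if no automake-generated Makefile is left that calls it. The removed AC_OUTPUT list earlier in this diff names Makefiles under src/, aux/, policy/ and scripts/; confirm their Makefile.am inputs are deleted in this same commit, otherwise a stale Makefile.in will fail at the first compile because depcomp is missing.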
diff --git a/doc/Makefile.am b/doc/Makefile.am
deleted file mode 100644
index 2842129441..0000000000
--- a/doc/Makefile.am
+++ /dev/null
@@ -1,9 +0,0 @@
-EXTRA_DIST = README.txt
-SUBDIRS = ref-manual quick-start user-manual
-
-doc:
- @echo "Build Bro Documentation (html and pdf)"
- for d in $(SUBDIRS); do \
- ( cd $$d && $(MAKE) $@ ); \
- done
-
diff --git a/doc/README b/doc/README
new file mode 100644
index 0000000000..2a34ea6bdf
--- /dev/null
+++ b/doc/README
@@ -0,0 +1 @@
+TODO.
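Review bot: doc/README lands as a one-line 'TODO.' while the same diff deletes doc/README.txt, which told readers where the manuals live and which texinfo tools (makeinfo and texi2dvi, version 4.7 or higher) are needed to build them. Carry at least the pointer to the pre-built manuals into the new README, or state where documentation now lives, so the tree is not left without an entry point.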
diff --git a/doc/README.txt b/doc/README.txt
deleted file mode 100644
index 6b0a6b70c7..0000000000
--- a/doc/README.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-
-The current documentation is in the following directories:
-
-quick-start/
-user-manual/
-ref-manual/
-
-To build html and pdf version of the documents, 'makeinfo' and 'texi2dvi', part
-of the GNU texinfo package, version 4.7 or higher is required.
-
-Pre-built (and probably more current) versions of the documentation
-are available at:
- http://www.bro-ids.org/manuals.html
-
diff --git a/doc/misc/conn-logs b/doc/misc/conn-logs
deleted file mode 100644
index 88c156e261..0000000000
--- a/doc/misc/conn-logs
+++ /dev/null
@@ -1,82 +0,0 @@
-TCP connection logs are generated by tcp.bro. The summaries are written
-to stdout, one line per connection:
-
- start-time duration protocol orig-bytes resp-bytes \
- local-addr remote-addr state flags additional
-
- start-time: timestamp of when the connection's first packet was
- observed
-
- duration: time until connection finished, in seconds, or '?' if
- not determined
-
- protocol: TCP protocol, if well-known port; or portmapper request
-
- orig-bytes: total bytes sent by originator. Computed from difference
- between starting and ending sequence numbers, so sometimes
- wrong (if wrong, the values tend to be erroneously large)
-
- resp-bytes: same for bytes sent by connection responder
-
- local-addr: IP address of local end of connection
- remote-addr: IP address of remote end of connection
- Note that these would make more sense as originator/responder,
- but for historical reasons they're defined in terms of
- "local" and "remote", where "local" is specified by the
- "local_nets" set in hot.bro. To pull out the originator
- and responder addresses requires looking at the "flags"
- field to see whether the connection originated locally.
-
- state: final connection state (see below)
-
- flags: some characteristics of the connection. The most important is
- the 'L' flag, which if present indicates that the connection
- was initiated by the local address (see above); otherwise
- it was initiated by the remote address.
-
- additional: protocol-specific additional information, such as the FTP
- session identifier, telnet user name, finger request, or
- portmapper results.
-
-The scripts "hot-report" and "mon-report" (in the aux/scripts/ directory)
-generate readable versions of these connection summaries. They include
-a mnemonic indicating the connection's state. Here is the list of
-abbreviations used:
-
- Symbol Name Meaning
- ------ ------- -------------------
- } S0 Initial SYN seen, no reply seen ("unanswered")
- > S1 Initial SYN handshake seen ("established")
-
- > SF Established and normal FIN handshake seen
- for termination. Note that this is the same
- symbol as for state S1. You can tell the two
- apart because for S1 there will not be any
- byte counts, while for SF there will be.
-
- [ REJ Initial SYN elicited RST in reply ("rejected")
-
- }2 S2 Established and FIN from originator only seen
- }3 S3 Established and FIN from responder only seen
-
- >] RSTO Established, originator sent a RST to terminate
- >[ RSTR Established, responder sent a RST to terminate
-
- }] RSTOS0 Originator sent a SYN followed by a RST,
- we never saw a SYN ack from the responder
- <[ RSTRH Responder sent a SYN ack followed by a RST,
- we never saw a SYN from the originator
-
- >h SH Originator sent a SYN followed by a FIN,
- we never saw a SYN ack from the responder
- (so "half" open)
- ? OTH No SYN seen, just midstream traffic
-
-The sundry weird states can arise from broken TCPs, but also from split
-routing in which Bro just sees one side of a connection.
-
-For UDP, if we see a request but no reply, that's state S0 ("}"); a request
-followed by a reply is SF (">"); and a reply but no request is SHR ("
- cd
- mkdir private newcerts cert crl
- chmod 700 private
- touch index.txt
- echo 01 >serial
- cp bro/openssl.conf .
-
- * Create a private CA key:
- openssl genrsa -des3 -out private/ca_key.pem
-
- * Self-sign it:
- openssl req -new -x509 -key private/ca_key.pem -out ca_cert.pem -days 1095
-
-- For each Bro:
-
- * Create a private key (w/o password):
- openssl genrsa -out bro_key.pem
-
- * Create a certification request:
- openssl req -new -key bro_key.pem -out bro.csr
-
- * Create a certificate using the CA key:
- openssl ca -config openssl.cnf -in bro.csr -out bro_cert.pem
-
- * Verify that the certicate is ok:
- openssl verify -CAfile ca_cert.pem bro_cert.pem
-
- * Concat Bro key and certificate:
- cat bro_key.pem bro_cert.pem >bro.pem
-
- * Copy this and the CA certificate to the IDS machine:
- scp bro.pem ca_cert.pem ids:...
-
- * Redef Bro's variables to point to the files:
- redef ssl_ca_certificate = "...../ca_cert.pem";
- redef ssl_private_key = "...../bro.pem";
-
- * Remove the unnecessary stuff:
- rm bro_key.pem bro.csr bro_cert.pem bro.pem
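Review bot: the certificate walkthrough deleted at the end of this hunk is the only place in the visible lines that explains how `ssl_ca_certificate` and `ssl_private_key` are meant to be populated, so this removal should be paired with a replacement in the new documentation. If the steps are carried over, three things in them need fixing first: the setup copies `bro/openssl.conf` while the signing step reads `-config openssl.cnf`; both `openssl genrsa` calls omit a key size and so inherit whatever the installed OpenSSL defaults to; and `bro.pem` holds a passphrase-less private key, yet only the CA's `private` directory gets `chmod 700`, with no permission guidance for the copy placed on the IDS machine. The connection-state mnemonic table earlier in the hunk (S0, S1, SF, REJ and so on) also needs a new home if connection summaries still report those names.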
diff --git a/doc/old/manual-src.tar.gz b/doc/old/manual-src.tar.gz
deleted file mode 100644
index 0e959c40a9..0000000000
Binary files a/doc/old/manual-src.tar.gz and /dev/null differ
diff --git a/doc/old/manual.pdf b/doc/old/manual.pdf
deleted file mode 100644
index b2e945acd5..0000000000
Binary files a/doc/old/manual.pdf and /dev/null differ
diff --git a/doc/old/manual/WARNINGS b/doc/old/manual/WARNINGS
deleted file mode 100644
index 41ac2abf00..0000000000
--- a/doc/old/manual/WARNINGS
+++ /dev/null
@@ -1,60 +0,0 @@
-
-The manual.aux file was not found, so sections will not be numbered
-and cross-references will be shown as icons.
-
-There is no author for this document.
-
-? brace missing for \emph
-
-? brace missing for \index
-couldn't convert character bb into available encodings
-
- ...set $ACCENT_IMAGES to get an image
-couldn't convert character cring into available encodings
-couldn't convert character tt into available encodings
-
-No number for "Differenttypesofdirectionsforset_contents_file"
-
-No number for "print-filterprintsoutthetcpdumpfilteryourBroscriptwoulduseandthenexits."
-
-No number for "Definitionofthenet_statsrecord."
-
-No number for "Definitionofconn_idandconnectionrecords."
-
-No number for "TCPandUDPconnectionstates,asstoredinanendpointrecord."
-
-No number for "Summariesofconnectionstates,asreportedinredfiles."
-
-No number for "Differentconnectionstatestousewhencallingcheck_hot."
-
-No number for "Sampledefinitionoflog_hook"
-
-No number for "Definitionofthedns_mappingrecord."
-
-No number for "Definitionoftheftp_session_inforecord"
-
-No number for "ExampleofFTPlogfileentriesforasingleFTPsession."
-
-No number for "ExampleofHTTPlogfileentriesforasingleHTTPsession."
-
-No number for "Differenttypesofconfusionthatloginanalyzercanreport."
-
-No number for "TypesofcallstotheRPCportmapperservice."
-
-No number for "TypesofRPCstatuscodes."
-
-No number for "endpoint_statsfieldsforsummarizingconnectionendpointstatistics,alloftypecount."
-
-No number for "Possibleactionstotakeforsignaturesmatches.signatures-logdefaultstoopen_log_file(;SPMquot;signatures;SPMquot;)."
-
-No number for "Definitionofthex509record"
-
-No number for "Definitionofthessl_connection_inforecord"
-
-No number for "ExampleofSSLlogfilewithasingleSSLsession."
-
-No number for "Differenttypesofpossibleactionstotakefor``weird''events."
-
-No number for "Definitionofthesignature_staterecord."
-
-Failed to convert image /tmp/l2h6233/image052.ps
diff --git a/doc/old/manual/images.aux b/doc/old/manual/images.aux
deleted file mode 100644
index f23e54680b..0000000000
--- a/doc/old/manual/images.aux
+++ /dev/null
@@ -1 +0,0 @@
-\relax
diff --git a/doc/old/manual/images.idx b/doc/old/manual/images.idx
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/doc/old/manual/images.log b/doc/old/manual/images.log
deleted file mode 100644
index b1ffb1e95c..0000000000
--- a/doc/old/manual/images.log
+++ /dev/null
@@ -1,607 +0,0 @@
-This is TeX, Version 3.14159 (Web2C 7.3.1) (format=latex 2001.8.15) 21 MAR 2004 07:20
-**./images.tex
-(./images.tex
-LaTeX2e <1999/12/01> patch level 1
-Babel and hyphenation patterns for american, french, german, ngerman, n
-ohyphenation, loaded.
-
-(/usr/local/share/texmf/tex/latex/base/report.cls
-Document Class: report 1999/09/10 v1.4a Standard LaTeX document class
-(/usr/local/share/texmf/tex/latex/base/size10.clo
-File: size10.clo 1999/09/10 v1.4a Standard LaTeX file (size option)
-)
-\c@part=\count79
-\c@chapter=\count80
-\c@section=\count81
-\c@subsection=\count82
-\c@subsubsection=\count83
-\c@paragraph=\count84
-\c@subparagraph=\count85
-\c@figure=\count86
-\c@table=\count87
-\abovecaptionskip=\skip41
-\belowcaptionskip=\skip42
-\bibindent=\dimen102
-) (/usr/local/share/texmf/tex/latex/base/ifthen.sty
-Package: ifthen 1999/09/10 v1.1b Standard LaTeX ifthen package (DPC)
-) (/usr/local/share/texmf/tex/latex/base/makeidx.sty
-Package: makeidx 1999/09/17 v1.0l Standard LaTeX package
-) (/usr/local/share/texmf/tex/latex/psnfss/times.sty
-Package: times 1999/03/29 PSNFSS v.7.2 Times font as default roman : S Rahtz
-) (/usr/local/share/texmf/tex/generic/misc/psfig.sty
-\@unused=\write3
-\ps@stream=\read1
-\p@intvaluex=\dimen103
-\p@intvaluey=\dimen104
-psfig/tex 1.10-dvips
-) (/home/jaguar/u0/vern/latex2html/texinputs/html.sty
-Package: html 1999/07/19 v1.38 hypertext commands for latex2html (nd, hws, rrm)
-
-\c@lpart=\count88
-\c@lchapter=\count89
-\c@lsection=\count90
-\c@lsubsection=\count91
-\c@lsubsubsection=\count92
-\c@lparagraph=\count93
-\c@lsubparagraph=\count94
-\c@lsubsubparagraph=\count95
-\ptrfile=\write4
-)
-\@indexfile=\write5
-\openout5 = `images.idx'.
-
-Writing index file images.idx
-(/usr/local/share/texmf/tex/latex/graphics/color.sty
-Package: color 1999/02/16 v1.0i Standard LaTeX Color (DPC)
-(/usr/local/share/texmf/tex/latex/config/color.cfg)
-Package color Info: Driver file: dvips.def on input line 125.
-(/usr/local/share/texmf/tex/latex/graphics/dvips.def
-File: dvips.def 1999/02/16 v3.0i Driver-dependant file (DPC,SPQR)
-) (/usr/local/share/texmf/tex/latex/graphics/dvipsnam.def
-File: dvipsnam.def 1999/02/16 v3.0i Driver-dependant file (DPC,SPQR)
-)) (/usr/local/share/texmf/tex/latex/base/inputenc.sty
-Package: inputenc 1999/09/17 v0.992 Input encoding file
-(/usr/local/share/texmf/tex/latex/base/latin1.def
-File: latin1.def 1999/09/17 v0.992 Input encoding file
-))
-\sizebox=\box26
-\lthtmlwrite=\write6
-No file images.aux.
-\openout1 = `images.aux'.
-
-LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 334.
-LaTeX Font Info: ... okay on input line 334.
-LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 334.
-LaTeX Font Info: ... okay on input line 334.
-LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 334.
-LaTeX Font Info: ... okay on input line 334.
-LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 334.
-LaTeX Font Info: ... okay on input line 334.
-LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 334.
-LaTeX Font Info: ... okay on input line 334.
-LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 334.
-LaTeX Font Info: ... okay on input line 334.
-LaTeX Font Info: Try loading font information for OT1+ptm on input line 334.
-
-(/usr/local/share/texmf/tex/latex/psnfss/ot1ptm.fd
-File: ot1ptm.fd 1998/07/06 Fontinst v1.800 font definitions for OT1/ptm.
-)
-
-latex2htmlLength hsize=349.0pt
-
-latex2htmlLength vsize=633.0pt
-
-latex2htmlLength hoffset=0.0pt
-
-latex2htmlLength voffset=0.0pt
-
-latex2htmlLength topmargin=0.0pt
-
-latex2htmlLength topskip=0.00003pt
-
-latex2htmlLength headheight=0.0pt
-
-latex2htmlLength headsep=0.0pt
-
-latex2htmlLength parskip=0.0pt plus 1.0pt
-
-latex2htmlLength oddsidemargin=-10.84006pt
-
-latex2htmlLength evensidemargin=-10.84006pt
-
-LaTeX Font Info: External font `cmex10' loaded for size
-(Font) <7> on input line 399.
-LaTeX Font Info: External font `cmex10' loaded for size
-(Font) <5> on input line 399.
-l2hSize :tex2html_wrap_inline5436:6.74997pt::0.0pt::13.00003pt.
-[1
-
-
-
-]
-l2hSize :tex2html_wrap_inline5438:6.74997pt::0.0pt::8.00003pt.
-[2
-
-
-]
-l2hSize :tex2html_wrap_inline5440:6.83331pt::0.0pt::73.23354pt.
-[3
-
-
-]
-l2hSize :tex2html_wrap_inline5442:6.83331pt::0.0pt::15.04518pt.
-[4
-
-
-]
-l2hSize :tex2html_wrap_inline5444:8.14003pt::0.0pt::13.9723pt.
-[5
-
-
-]
-l2hSize :tex2html_wrap_inline5446:8.14003pt::0.0pt::13.9723pt.
-[6
-
-
-]
-l2hSize :tex2html_wrap_inline5448:8.14003pt::0.0pt::9.98618pt.
-[7
-
-
-]
-l2hSize :tex2html_wrap_inline5450:6.83331pt::0.0pt::41.50558pt.
-[8
-
-
-]
-l2hSize :tex2html_wrap_inline5452:6.83331pt::0.0pt::59.23058pt.
-[9
-
-
-]
-l2hSize :tex2html_wrap_inline5454:6.83331pt::0.0pt::16.67014pt.
-[10
-
-
-]
-l2hSize :tex2html_wrap_inline5456:7.96227pt::0.0pt::7.13895pt.
-[11
-
-
-]
-l2hSize :tex2html_wrap_inline5458:6.88586pt::0.0pt::5.09726pt.
-[12
-
-
-]
-l2hSize :tex2html_wrap_inline8536:7.24997pt::7.24997pt::4.98616pt.
-[13
-
-
-]
-l2hSize :tex2html_wrap_inline8540:7.24997pt::7.24997pt::4.98616pt.
-[14
-
-
-]
-l2hSize :tex2html_wrap_inline8614:7.24997pt::7.24997pt::4.98616pt.
-[15
-
-
-]
-l2hSize :tex2html_wrap_inline16373:7.24997pt::7.24997pt::21.05557pt.
-[16
-
-
-]
-l2hSize :tex2html_wrap_inline16375:6.74997pt::0.0pt::9.28017pt.
-[17
-
-
-]
-l2hSize :tex2html_wrap_inline16379:6.74997pt::0.0pt::6.50238pt.
-[18
-
-
-]
-l2hSize :tex2html_wrap_inline16393:6.94444pt::0.0pt::6.26161pt.
-[19
-
-
-]
-LaTeX Font Info: Try loading font information for OT1+pcr on input line 614.
-
-(/usr/local/share/texmf/tex/latex/psnfss/ot1pcr.fd
-File: ot1pcr.fd 1998/07/06 Fontinst v1.800 font definitions for OT1/pcr.
-)
-Overfull \hbox (59.0pt too wide) in paragraph at lines 631--631
-[] \OT1/pcr/m/n/10 print fmt("(%s) and (%s)", capture_filter, restrict_f
-ilter);[]
- []
-
-l2hSize :figure22361:203.09998pt::0.0pt::349.0pt.
-[20
-
-
-]
-Overfull \hbox (41.0pt too wide) in paragraph at lines 647--647
-[] \OT1/pcr/m/n/10 pkts_recvd: count; # Number of packets received so
-far.[]
- []
-
-
-Overfull \hbox (59.0pt too wide) in paragraph at lines 647--647
-[] \OT1/pcr/m/n/10 pkts_dropped: count; # Number of packets *reported* d
-ropped.[]
- []
-
-
-Overfull \hbox (83.0pt too wide) in paragraph at lines 647--647
-[] \OT1/pcr/m/n/10 interface_drops: count; # Number of drops reported by in
-terface(s).[]
- []
-
-l2hSize :figure22485:83.09998pt::0.0pt::349.0pt.
-[21
-
-
-]
-Overfull \hbox (29.0pt too wide) in paragraph at lines 680--680
-[] \OT1/pcr/m/n/10 id: conn_id; # Originator/responder addresses/port
-s.[]
- []
-
-
-Overfull \hbox (71.0pt too wide) in paragraph at lines 680--680
-[] \OT1/pcr/m/n/10 duration: interval; # How long it was active (or has been
- so far).[]
- []
-
-
-Overfull \hbox (95.0pt too wide) in paragraph at lines 680--680
-[] \OT1/pcr/m/n/10 service: string; # The service we associate with it (e
-.g., "http").[]
- []
-
-
-Overfull \hbox (59.0pt too wide) in paragraph at lines 680--680
-[] \OT1/pcr/m/n/10 addl: string; # Additional information associated w
-ith it.[]
- []
-
-
-Overfull \hbox (71.0pt too wide) in paragraph at lines 680--680
-[] \OT1/pcr/m/n/10 hot: count; # How many times we've marked it as s
-ensitive.[]
- []
-
-l2hSize :figure22528:275.09998pt::0.0pt::349.0pt.
-[22
-
-
-]
-l2hSize :tex2html_wrap_inline31877:6.83331pt::0.0pt::8.00005pt.
-[23
-
-
-]
-l2hSize :tex2html_wrap_inline31879:6.83331pt::0.0pt::8.58684pt.
-[24
-
-
-]
-l2hSize :tex2html_wrap_inline31899:7.33331pt::7.33331pt::12.53233pt.
-[25
-
-
-]
-l2hSize :tex2html_wrap_inline31901:7.33331pt::7.33331pt::12.51337pt.
-[26
-
-
-]
-l2hSize :tex2html_wrap_inline31903:7.33331pt::7.33331pt::11.0695pt.
-[27
-
-
-]
-l2hSize :tex2html_wrap_inline31905:7.33331pt::7.33331pt::12.4283pt.
-[28
-
-
-]
-l2hSize :tex2html_wrap_inline31927:7.33331pt::7.33331pt::12.44727pt.
-[29
-
-
-]
-l2hSize :tex2html_wrap_inline31937:7.33331pt::7.33331pt::11.0792pt.
-[30
-
-
-]
-l2hSize :tex2html_wrap_inline31941:7.33331pt::7.33331pt::11.06023pt.
-[31
-
-
-]
-l2hSize :tex2html_wrap_inline31943:6.83331pt::0.0pt::9.05698pt.
-[32
-
-
-]
-l2hSize :tex2html_wrap_inline31957:7.33331pt::7.33331pt::11.36739pt.
-[33
-
-
-]
-l2hSize :tex2html_wrap_inline31961:7.33331pt::7.33331pt::11.34842pt.
-[34
-
-
-]
-l2hSize :tex2html_wrap_inline31971:7.24997pt::7.24997pt::5.53128pt.
-[35
-
-
-]
-l2hSize :figure23775:263.09998pt::0.0pt::349.0pt.
-[36
-
-
-]
-Overfull \hbox (35.0pt too wide) in paragraph at lines 830--830
-[] \OT1/pcr/m/n/10 req_host: string; # The hostname in the request, if a
-ny.[]
- []
-
-
-Overfull \hbox (29.0pt too wide) in paragraph at lines 830--830
-[] \OT1/pcr/m/n/10 req_addr: addr; # The address in the request, if an
-y.[]
- []
-
-
-Overfull \hbox (59.0pt too wide) in paragraph at lines 830--830
-[] \OT1/pcr/m/n/10 hostname: string; # The hostname in the answer, or "<
-none>".[]
- []
-
-
-Overfull \hbox (35.0pt too wide) in paragraph at lines 830--830
-[] \OT1/pcr/m/n/10 addrs: set[addr]; # The addresses in the answer, if a
-ny.[]
- []
-
-l2hSize :figure23860:131.09998pt::0.0pt::349.0pt.
-[37
-
-
-]
-Overfull \hbox (41.0pt too wide) in paragraph at lines 858--858
-[] \OT1/pcr/m/n/10 id: count; # unique number associated w/ ses
-sion[]
- []
-
-
-Overfull \hbox (71.0pt too wide) in paragraph at lines 858--858
-[] \OT1/pcr/m/n/10 log_if_not_denied: bool; # unless code 530 on repl
-y, log it[]
- []
-
-
-Overfull \hbox (71.0pt too wide) in paragraph at lines 858--858
-[] \OT1/pcr/m/n/10 log_if_not_unavail: bool; # unless code 550 on repl
-y, log it[]
- []
-
-l2hSize :figure24088:131.09998pt::0.0pt::349.0pt.
-[38
-
-
-]
-Overfull \hbox (35.0pt too wide) in paragraph at lines 877--877
-[]\OT1/pcr/m/n/10 972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp st
-art[]
- []
-
-
-Overfull \hbox (5.0pt too wide) in paragraph at lines 877--877
-[]\OT1/pcr/m/n/10 972499886.685046 #26 response (220 tuvok.ooc.com FTP server[]
-
- []
-
-
-Overfull \hbox (23.0pt too wide) in paragraph at lines 877--877
-[] \OT1/pcr/m/n/10 (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.
-)[]
- []
-
-
-Overfull \hbox (41.0pt too wide) in paragraph at lines 877--877
-[]\OT1/pcr/m/n/10 972499889.493020 #26 SIZE /pub/OB/4.0/JOB-4.0.3.zip (213 1675
-597)[]
- []
-
-
-Overfull \hbox (65.0pt too wide) in paragraph at lines 877--877
-[]\OT1/pcr/m/n/10 972499890.135706 #26 *RETR /pub/OB/4.0/JOB-4.0.3.zip, ABOR (c
-omplete)[]
- []
-
-
-Overfull \hbox (11.0pt too wide) in paragraph at lines 877--877
-[]\OT1/pcr/m/n/10 972500055.491045 #26 response (225 ABOR command successful.)[
-]
- []
-
-l2hSize :figure24192:119.53992pt::0.0pt::349.0pt.
-[39
-
-
-]
-l2hSize :figure24357:83.53992pt::0.0pt::349.0pt.
-[40
-
-
-]
-l2hSize :tex2html_wrap_inline31983:7.24997pt::7.24997pt::16.05556pt.
-[41
-
-
-]
-l2hSize :tex2html_wrap_inline31987:7.24997pt::7.24997pt::26.05559pt.
-[42
-
-
-]
-l2hSize :tex2html_wrap_inline31989:7.24997pt::7.24997pt::31.0556pt.
-[43
-
-
-]
-l2hSize :tex2html_wrap_inline31991:7.24997pt::7.24997pt::8.27783pt.
-[44
-
-
-]
-l2hSize :figure25695:59.09998pt::0.0pt::349.0pt.
-[45
-
-
-]
-Overfull \hbox (29.0pt too wide) in paragraph at lines 970--970
-[] \OT1/pcr/m/n/10 id: count; # the log identifier numb
-er[]
- []
-
-
-Overfull \hbox (29.0pt too wide) in paragraph at lines 970--970
-[] \OT1/pcr/m/n/10 connection_id: conn_id; # IP connection informati
-on[]
- []
-
-
-Overfull \hbox (83.0pt too wide) in paragraph at lines 970--970
-[] \OT1/pcr/m/n/10 version: count; # version associated with
- connection[]
- []
-
-
-Overfull \hbox (59.0pt too wide) in paragraph at lines 970--970
-[] \OT1/pcr/m/n/10 id_index: string; # index for associated se
-ssionID[]
- []
-
-
-Overfull \hbox (131.0pt too wide) in paragraph at lines 970--970
-[] \OT1/pcr/m/n/10 handshake_cipher: count; # cipher suite client and
- server agreed upon[]
- []
-
-l2hSize :figure25707:119.09998pt::0.0pt::349.0pt.
-[46
-
-
-]
-Overfull \hbox (59.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.534846 #1 192.168.0.98/32988 > 213.61.126.124/http
-s start[]
- []
-
-
-Overfull \hbox (2135.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_M
-D5 (0x4), SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), SSLv3x_RSA_WITH_3DES_
-EDE_CBC_SHA (0xA), SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), SSLv3x_RSA_WITH_D
-ES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), SSLv3x_RSA_EXPOR
-T1024_WITH_DES_CBC_SHA (0x62), SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), SSLv3x_
-RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),[]
- []
-
-
-Overfull \hbox (65.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD
-5 (0x4),[]
- []
-
-
-Overfull \hbox (749.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=
-Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter C
-lass 3 CA/Email=certificate@trustcenter.de,[]
- []
-
-
-Overfull \hbox (521.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=
-Lehmanns Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@lehman
-ns.de[]
- []
-
-
-Overfull \hbox (257.0pt too wide) in paragraph at lines 992--992
-[]\OT1/pcr/m/n/10 1046778101.894567 #1 handshake finished, version 3.1, cipher
-suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)[]
- []
-
-l2hSize :figure25794:155.25494pt::0.0pt::349.0pt.
-[47
-
-
-]
-l2hSize :tex2html_wrap_inline31993:7.31989pt::7.31989pt::51.61522pt.
-[48
-
-
-]
-Overfull \hbox (41.0pt too wide) in paragraph at lines 1037--1037
-[] \OT1/pcr/m/n/10 is_orig: bool; # True if current endpoint is origin
-ator[]
- []
-
-
-Overfull \hbox (95.0pt too wide) in paragraph at lines 1037--1037
-[] \OT1/pcr/m/n/10 payload_size: count; # Payload size of the first pkt of c
-urr. endpoint[]
- []
-
-l2hSize :figure39539:83.09998pt::0.0pt::349.0pt.
-[49
-
-
-]
-l2hSize :tex2html_wrap_inline39988:6.83331pt::0.0pt::9.625pt.
-[50
-
-
-]
-l2hSize :tex2html_wrap_inline39992:7.33331pt::7.33331pt::17.4028pt.
-[51
-
-
-] (/home/jaguar/u0/vern/bro/bro-doc/index.tex (/home/jaguar/u0/vern/bro/bro-doc
-/doc.ind
-LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <24.88> not available
-(Font) Font shape `OT1/ptm/b/n' tried instead on input line 1.
-LaTeX Font Info: Font shape `OT1/pcr/m/it' in size <10> not available
-(Font) Font shape `OT1/pcr/m/sl' tried instead on input line 1539.
-
-! TeX capacity exceeded, sorry [main memory size=263001].
-\par ...@m \@noitemerr {\@@par }\fi \else {\@@par
- }\fi
-l.2843 \subitem
- reading, 17
-If you really absolutely need more capacity,
-you can ask a wizard to enlarge me.
-
-
-Here is how much of TeX's memory you used:
- 1313 strings out of 10901
- 15527 string characters out of 72380
- 263001 words of memory out of 263001
- 4278 multiletter control sequences out of 10000+0
- 6696 words of font info for 23 fonts, out of 400000 for 1000
- 14 hyphenation exceptions out of 1000
- 23i,5n,19p,429b,425s stack positions out of 300i,100n,500p,50000b,4000s
-Output written on images.dvi (51 pages, 17976 bytes).
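Review bot: images.log is a generated TeX transcript and deleting it is right, but nothing in the visible part of this change stops it from being committed again, so add the latex2html outputs seen here (images.log, images.aux, images.idx, WARNINGS) to the ignore list or build the documentation outside the source tree. The log also records a developer's absolute paths, for example `/home/jaguar/u0/vern/bro/bro-doc/index.tex`, which stay in the repository history after this deletion. It ends in `! TeX capacity exceeded, sorry [main memory size=263001]`, so the images.dvi it describes came from an aborted run and should not be treated as a reference build.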
diff --git a/doc/old/manual/images.pl b/doc/old/manual/images.pl
deleted file mode 100644
index d419b8ea7a..0000000000
--- a/doc/old/manual/images.pl
+++ /dev/null
@@ -1,332 +0,0 @@
-# LaTeX2HTML 2002-2 (1.70)
-# Associate images original text with physical files.
-
-
-$key = q/B;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/A_i;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/ge1024;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/2^{24};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/S_{o};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/ge256;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/pmN;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim312#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/_{2};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/N_1{{tt{.}N_2{{tt{.};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim338#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/A_{l};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim345#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/ge;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim298#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/S_{r};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/P_{o};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/2^8;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/A_{o};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/p;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/D;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/_{1};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/N;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/~tilde{~}~~~;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/P_{r};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/A_{r};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/N_i;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/B_{o};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/2cdotmbox{MSL}=4;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim300#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim319#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim317#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim315#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim311#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim339#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim337#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/^*;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/{figure}preform{verbatim299#preform{{{{figure};FSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/h;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/B_{r};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/m;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/le2;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/2^{16};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/le26;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/A;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/A_1{{tt{.}A_2{{tt{.}A_3{{tt{.}A_4;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/_{3};MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/^+;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/N_1{{tt{.}N_2{{tt{.}N_3;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/tilde{~}~~;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-$key = q/n;MSF=1.6;AAT/;
-$cached_env_img{$key} = q||;
-
-1;
-
diff --git a/doc/old/manual/images.tex b/doc/old/manual/images.tex
deleted file mode 100644
index ea01ededfa..0000000000
--- a/doc/old/manual/images.tex
+++ /dev/null
@@ -1,1104 +0,0 @@
-\batchmode
-
-
-\documentclass[twoside]{report}
-\RequirePackage{ifthen}
-
-
-
-
-\frenchspacing
-
-
-\sloppy
-
-
-\usepackage{makeidx}
-\usepackage{times}
-\usepackage{psfig}
-\usepackage{html}
-
-
-\textwidth=6.5in
-\oddsidemargin=-0.15in
-\evensidemargin=-0.15in
-
-
-\title{
- The {\em Bro} 0.8 User Manual
-}
-
-%
-\providecommand{\note}[1]{\emph{Note: #1}}%
-\providecommand{\privatenote}[1]{}%
-\providecommand{\updateme}[1]{#1}%
-\providecommand{\unlikeC}[1]{\emph{Unlike with C,} #1}%
-\providecommand{\deficiency}[1]{\emph{Deficiency: #1}}%
-\providecommand{\fixme}[1]{\emph{Fix me: #1}}
-
-%
-\providecommand{\xref}[1]{\hyperref{\S~\ref{#1}}{}{}{#1}}%
-\providecommand{\pxref}[1]{(\hyperref{\S~\ref{#1}}{}{}{#1})}%
-\providecommand{\cxref}[1]{\hyperref{Chapter~\ref{#1}}{}{}{#1}}%
-\providecommand{\link}[2]{\hyperref{#1}{}{}{#2}}%
-\providecommand{\lab}[2]{\label{#1}{#2}}%
-\providecommand{\labsectchapter}[2]{\chapter{#2 #1}}%
-\providecommand{\labsectsection}[2]{\section{#2 #1}}%
-\providecommand{\labsectsubsection}[2]{\subsection{#2 #1}}%
-\providecommand{\labsectsubsubsection}[2]{\subsubsection{#2 #1}}%
-\providecommand{\itemwithextra}[3]{\item[{\tt #1#3}]}%
-\providecommand{\optsyntax}[1]{{\emph{[} \texttt{#1} \emph{]}}}%
-\providecommand{\nl}{}
-
-%
-\providecommand{\itemwithtype}[2]{\item[{\tt #1 : #2}]}
-
-%
-\providecommand{\f}[1]{Figure~\ref{#1}}%
-\providecommand{\tbl}[1]{Table~\ref{#1}}%
-\providecommand{\percent}{{{\tt \%}}}%
-\providecommand{\hash}{{{\tt \#}}}%
-\providecommand{\caret}{{{\tt \^}}}%
-\providecommand{\load}{{{\tt @load}{ }}}%
-\providecommand{\loadx}{{{\tt @load}}}%
-\providecommand{\prefix}{{{\tt @prefix}{ }}}%
-\providecommand{\prefixx}{{{\tt @prefix}}}%
-\providecommand{\void}{void}
-
-%
-\providecommand{\kludge}{{\tt \mbox{\hspace{0.01in}}~}}
-
-%
-\providecommand{\indplain}[2]{\index{#1 #2}\index{#2s!#1}{#1}}%
-\providecommand{\indtt}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{#2s}\index{#2s!#1@{\tt #1}}{{\tt #1}}}%
-\providecommand{\indttbang}[2]{\index{#1@{\tt #1}}\index{#1!#2@#2}{{\tt #1}}}%
-\providecommand{\indttparen}[2]{\index{#1 #2@{\protect\tt (#1)} #2}\index{#2s}\index{#2s!#1@{\tt (#1)}}{{\tt (#1)}}}%
-\providecommand{\indttnotext}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{#2s}\index{#2s!#1@{\tt #1}}}%
-\providecommand{\indttnotexttwo}[3]{\index{#1 #2 #3@{\protect\tt #1 #2} #3}\index{#2 #3@{\tt #2} #3}\index{#2 #3!#1@{\tt #1}}}%
-\providecommand{\indttzero}[1]{\index{#1@{\protect\tt #1}}{{\tt #1}}}%
-\providecommand{\indtttwo}[3]{\index{#2@{\protect\tt #1} #3}\index{#3s}\index{#3s!#2@{\tt #1}}}%
-\providecommand{\itemindtt}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{#2s}\index{#2s!#1@{\tt #1}}\item[{\tt #1}]}%
-\providecommand{\indttbegin}[2]{\index{#1 #2@{\protect\tt #1} #2|(}\index{#2s}\index{#2s!#1@{\tt #1}|(}{\tt #1}}%
-\providecommand{\indttend}[2]{\index{#1 #2@{\protect\tt #1} #2|)}\index{#2s}\index{#2s!#1@{\tt #1}|)}{\tt #1}}
-
-%
-\providecommand{\opind}[1]{\index{#1 operator@{\protect\tt #1} operator}\index{operators!{\protect\tt #1}}}%
-\providecommand{\indopone}[2]{\index{#1 #2@{\protect\tt #1} #2}\index{operators!{\protect\tt #1}}}%
-\providecommand{\indoponekey}[3]{\index{#3@{\protect\tt #1} #2}\index{operators!{\protect\tt #1}}}%
-\providecommand{\indoptwo}[2]{\index{#1 #2@{\protect\tt #1\protect\ } #2}\index{operators!{\protect\tt #1}}}
-
-%
-\providecommand{\keyind}[1]{\index{#1 keyword@{\protect\tt #1} keyword}\index{keywords!{\protect\tt #1}}}
-
-%
-\providecommand{\indevent}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\label{#2-event}{{\tt #1}}}%
-\providecommand{\itemindevent}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\label{#2-event}{\item[{\tt #1}]}}%
-\providecommand{\indeventnolabel}[1]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}}%
-\providecommand{\indeventtype}[3]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\label{#2-event}{\item[{\tt \tt #1 (#3)}]}}%
-\providecommand{\indeventtypenolabel}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\item[{\tt \tt #1 (#2)}]}%
-\providecommand{\xrefevent}[2]{\hyperref{\tt #1}{}{}{#2-event}}%
-\providecommand{\xrefindevent}[2]{\index{#1 event@{\protect\tt #1} event}\index{events!{\protect\tt #1}}\hyperref{\tt #1}{}{}{#2-event}}
-
-%
-\providecommand{\indenvnotext}[1]{\index{#1 environment variable@{\protect\tt \$#1} environment variable}\index{environment variables!#1@{\tt \$#1}}}%
-\providecommand{\indenv}[2]{\index{#1 environment variable@{\protect\tt \$#1} environment variable}\index{environment variables!#1@{\tt \$#1}}\label{#2-env}{{\tt \$#1}}}%
-\providecommand{\itemindenv}[2]{\index{#1 environment variable@{\protect\tt \$#1} environment variable}\index{environment variables!#1@{\tt \$#1}}\label{#2-env}{\item[{\tt \$#1}]} }%
-\providecommand{\xrefenv}[2]{\hyperref{\tt \$#1}{}{}{#2-env}}
-
-%
-\providecommand{\analyzer}[1]{{\tt #1}}%
-\providecommand{\indanalyzer}[2]{\index{#1 analyzer@{\protect\tt #1} analyzer}\index{analyzers!{\protect \tt #1}}\label{#2-analyzer-module}{{\tt #1}}}%
-\providecommand{\indanalyzernolabel}[1]{{\index{#1 analyzer@{\protect\tt #1} analyzer}\index{analyzers!{\protect \tt #1}}{\tt #1}}}%
-\providecommand{\xrefanalyzer}[2]{\hyperref{\tt #1}{}{}{#2-analyzer-module}}
-
-%
-\providecommand{\module}[1]{{\tt #1}}%
-\providecommand{\indmodule}[2]{\index{#1 module@{\protect\tt #1} module}\index{modules!{\protect \tt #1}}\label{#2-analyzer-module}{{\tt #1}}}%
-\providecommand{\xrefmodule}[2]{\hyperref{\tt #1}{}{}{#2-analyzer-module}}
-
-%
-\providecommand{\indfunc}[2]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}\label{#2-func}{{\tt #1}}}%
-\providecommand{\itemindfunc}[3]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}\label{#2-func}{\item[{\tt \tt #1\tt #3 }]}}%
-\providecommand{\indfuncnolabel}[2]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}{\tt #1}}%
-\providecommand{\xreffunc}[2]{\hyperref{\tt #1}{}{}{#2-func}}%
-\providecommand{\xrefindfunc}[2]{\index{#1 function@{\protect\tt #1} function}\index{functions!{\protect \tt #1}}\hyperref{\tt #1}{}{}{#2-func}}%
-\providecommand{\xreffuncnott}[2]{\hyperref{\S~\ref{#2-func}}{}{}{#2-func}}
-
-%
-\providecommand{\xreflog}[1]{\hyperref{\tt #1}{}{}{#1-log}}
-
-%
-\providecommand{\itemindstmtemph}[1]{\index{#1 statement@{\protect\emph{#1}} statement}\index{statements!{\protect\emph{#1}}}\label{#1-stmt}{\item[{\emph{#1}}]}}%
-\providecommand{\itemindstmttt}[1]{\index{#1 statement@{\protect\tt #1} statement}\index{statements!{\protect\tt #1}}\label{#1-stmt}{\item[{\tt #1}]}}%
-\providecommand{\itemindstmttttwo}[2]{\index{#1 statement@{\protect\tt #1} statement}\index{#2 statement@{\protect\tt #2} statement}\index{statements!{\protect\tt #1}}\index{statements!{\protect\tt #2}}\label{#1-stmt}\label{#2-stmt}{\item[{\tt #1}, {\tt #2}]}}%
-\providecommand{\xrefstmt}[2]{\hyperref{\tt #1}{}{}{#2-stmt}}
-
-%
-\providecommand{\itemindexpremph}[1]{\index{#1 expression@{\protect\emph{#1}} expression}\index{expressions!{\protect\emph{#1}}}\label{#1-expr}{\item[{\emph{#1}}]}}%
-\providecommand{\itemindexprtt}[1]{\index{#1 expression@{\protect\tt #1} expression}\index{expressions!{\protect\tt #1}}\label{#1-expr}{\item[{\tt #1}]}}%
-\providecommand{\itemindexprtttwo}[2]{\index{#1 expressions@{\protect\tt #1} expressions}\index{#2 expressions@{\protect\tt #2} expressions}\index{expressions!{\protect\tt #1}}\index{expressions!{\protect\tt #2}}\label{#1-expr}\label{#2-expr}{\item[{\tt #1}, {\tt #2}]}}%
-\providecommand{\itemindexpremphtwo}[2]{\index{#1 expressions@{\protect\em #1} expressions}\index{#2 expressions@{\protect\em #2} expressions}\index{expressions!{\protect\em #1}}\index{expressions!{\protect\em #2}}\label{#1-expr}\label{#2-expr}{\item[{\em #1}, {\em #2}]}}%
-\providecommand{\itemindexprtttwonott}[2]{\index{#1 expressions@{#1} expressions}\index{#2 expressions@{#2} expressions}\index{expressions!{#1}}\index{expressions!{#2}}\label{#1-expr}\label{#2-expr}{\item[{#1}, {#2}]}}%
-\providecommand{\xrefexpr}[2]{\hyperref{\tt #1}{}{}{#2-expr}}
-
-%
-\providecommand{\indfield}[4]{\index{#1@{\tt #1}}\index{#1!#3@{\tt #3} field}\index{#3 record@{\tt #3} record}\label{#4-#2-field}{\item[{\tt #1}]}}%
-\providecommand{\xreffield}[3]{\hyperref{\tt #1}{}{}{#3-#2-field}}%
-\providecommand{\xrefscript}[2]{\hyperref{\tt #1}{}{}{#2-script}}
-
-%
-\providecommand{\indvar}[1]{\index{#1 variable@{\protect\tt #1} variable}\index{variables!{\protect \tt #1}}{\tt #1}}%
-\providecommand{\indvartype}[3]{\index{#1 variable@{\protect\tt #1} variable}\index{variables!{\protect \tt #1}}\label{#2-var}{\item[{\tt \tt #1 : #3}]}}%
-\providecommand{\indvarbegin}[1]{\index{#1 variable@{\tt #1} variable|(}\index{variables!{\protect \tt #1}|(}}%
-\providecommand{\indvarend}[1]{\index{#1 variable@{\tt #1} variable|)}\index{variables!{\protect \tt #1}|)}}%
-\providecommand{\xrefvar}[2]{\hyperref{\tt #1}{}{}{#2-var}}%
-\providecommand{\xrefvarnott}[2]{\hyperref{\S~\ref{#2-var}}{}{}{#2-var}}%
-\providecommand{\pxrefvarnott}[2]{(\hyperref{\S~\ref{#2-var}}{}{}{#2-var})}
-
-%
-\providecommand{\xreftype}[2]{\hyperref{\tt #1}{}{}{#2-type}}
-
-%
-\providecommand{\indattr}[2]{\index{#1 attribute@{\protect\tt \} attribute}\index{attributes!#1@{\tt \}}\label{#2-attr}{{\tt \}}}%
-\providecommand{\indattrnotext}[1]{\index{#1 attribute@{\protect\tt \} attribute}\index{attributes!#1@{\tt \}}}%
-\providecommand{\itemindattr}[2]{\index{#1 attribute@{\protect\tt \} attribute}\index{attributes!#1@{\tt \}}\label{#2-attr}{\item[{\tt \}]} }%
-\providecommand{\xrefattr}[2]{\hyperref{\tt \}{}{}{#2-attr}}
-
-%
-\providecommand{\indintvar}[1]{\index{#1 internal variable@{\protect\tt #1} internal variable}\index{internal variables!{\protect \tt #1}}{\tt #1}}
-
-%
-\providecommand{\indformat}[1]{\index{#1 format@{\protect\tt #1} format}\index{format!#1@{\tt #1}}\item[#1]}%
-\providecommand{\indformatnoitem}[1]{\index{#1 format@{\protect\tt #1} format}\index{format!#1@{\tt #1}}}
-
-%
-\providecommand{\indweird}[2]{\index{#1 (``weird'' event)@{\protect\tt #1} (``weird'' event)}\index{weird event@``weird'' event}\index{weird event!#1@{\protect \tt #1}}\label{#2-weird}{\item[{\tt #1}]}}
-
-%
-\providecommand{\indextext}[2]{\index{#1 (#2)@{\protect\tt "#1"} (#2)}\index{#2s}\index{#2s!#1@{\tt "#1"}}{\tt "#1"}}%
-\providecommand{\indexmsg}[1]{\index{#1@{\protect\tt "#1"}}\index{message!{\protect \tt "#1"}}}
-
-%
-\providecommand{\indfatal}[1]{\index{#1!fatal run-time error}\index{fatal run-time error!#1}\index{run-time error!#1}}%
-\providecommand{\indruntime}[1]{\index{#1!run-time error}\index{run-time error!#1}}
-
-%
-\providecommand{\indglobalnotext}[1]{{\index{#1 global variable@{\protect\tt #1} global variable}}{\index{global variables!{\protect\tt #1}}}}%
-\providecommand{\indglobal}[1]{{\index{#1 global variable@{\protect\tt #1} global variable}}{\index{global variables!{\protect\tt #1}}}{\tt #1}}
-
-%
-\providecommand{\indpredefvar}[3]{\index{#1 variable@{\protect\tt #1} variable}\index{predefined variables!{\protect \tt #1}}\index{variables!{\protect \tt #1}}\label{#2-global}{\item[{\tt \tt #1 : #3}]}}
-
-%
-\providecommand{\xrefglobal}[2]{\hyperref{\tt #1}{}{}{#2-global}}%
-\providecommand{\xrefglobalind}[2]{\hyperref{\tt #1}{}{}{#2-global}{\index{#1 global variable@{\protect\tt #1} global variable}}{\index{global variables!{\protect\tt #1}}}}
-
-%
-\providecommand{\indlibrary}[2]{{\index{#1 library@{\protect\em #1} library}}{\index{libraries!{\protect\em #1}}}{\index{libraries!{\protect\em #1}}}\label{#2-library}{{\em #1}}}%
-\providecommand{\xreflibrary}[2]{\hyperref{\emph{#1}}{}{}{#2-library}}
-
-%
-\providecommand{\indutility}[2]{{\index{#1 utility program@{\protect\em #1} utility program}}{\index{programs!{\protect\em #1}}}{\index{utility programs!{\protect\em #1}}}\label{#2-utility}{{\em #1}}}%
-\providecommand{\xrefutility}[2]{\hyperref{\emph{#1}}{}{}{#2-utility}}
-
-%
-\providecommand{\mkflagind}[1]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}}%
-\providecommand{\indflag}[1]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}\label{flag-#1}{\item[{\tt -#1}]}}%
-\providecommand{\indflagnoitem}[1]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}{\tt -#1}}%
-\providecommand{\indflagtwo}[2]{\index{#1 flag@{\protect\tt -#1} flag}\index{flags!{\protect \tt -#1}}\index{Bro!flags!{\protect \tt -#1}}\label{flag-#1}{\item[{\tt \tt -#1 \emph{#2}}] \\}}%
-\providecommand{\xrefflag}[1]{\hyperref{\tt #1}{}{}{flag#1}}
-
-%
-\providecommand{\indpredeffunc}[3]{\index{#1 function@{\tt #1} function}\index{predefined functions!{\protect \tt #1}}\index{functions!{\protect \tt #1}}\label{#2-func}{\item[{\tt \tt #1 #3}]}}%
-\providecommand{\indpredeffuncnolab}[2]{\index{#1 predefined function@{\tt #1} predefined function}\index{predefined functions!{\protect \tt #1}}\index{functions!{\protect \tt #1}}\item[{\tt \tt #1 #2}]}
-
-%
-\providecommand{\indtype}[1]{\index{#1@{\protect\tt #1}|see{types, {\protect\tt #1}}}}
-
-%
-\providecommand{\indconfig}[2]{\index{#1 configuration option@{\tt {--}#1} configuration option}\index{configuration options!{\tt {--}#1}}\label{#2-config}{{\tt {--}#1}}}%
-\providecommand{\xrefconfig}[2]{\hyperref{\tt {--}#1}{}{}{#2-config}}
-
-%
-\providecommand{\addindextocentry}{\addcontentsline{toc}{chapter}{\protect\numberline{Index}{}}}
-
-%
-\providecommand{\indsigattr}[1]{\item[\tt #1]}
-
-
-\makeindex
-
-
-
-
-\usepackage[dvips]{color}
-
-
-\pagecolor[gray]{.7}
-
-\usepackage[latin1]{inputenc}
-
-
-
-\makeatletter
-
-\makeatletter
-\count@=\the\catcode`\_ \catcode`\_=8
-\newenvironment{tex2html_wrap}{}{}%
-\catcode`\<=12\catcode`\_=\count@
-\newcommand{\providedcommand}[1]{\expandafter\providecommand\csname #1\endcsname}%
-\newcommand{\renewedcommand}[1]{\expandafter\providecommand\csname #1\endcsname{}%
- \expandafter\renewcommand\csname #1\endcsname}%
-\newcommand{\newedenvironment}[1]{\newenvironment{#1}{}{}\renewenvironment{#1}}%
-\let\newedcommand\renewedcommand
-\let\renewedenvironment\newedenvironment
-\makeatother
-\let\mathon=$
-\let\mathoff=$
-\ifx\AtBeginDocument\undefined \newcommand{\AtBeginDocument}[1]{}\fi
-\newbox\sizebox
-\setlength{\hoffset}{0pt}\setlength{\voffset}{0pt}
-\addtolength{\textheight}{\footskip}\setlength{\footskip}{0pt}
-\addtolength{\textheight}{\topmargin}\setlength{\topmargin}{0pt}
-\addtolength{\textheight}{\headheight}\setlength{\headheight}{0pt}
-\addtolength{\textheight}{\headsep}\setlength{\headsep}{0pt}
-\setlength{\textwidth}{349pt}
-\newwrite\lthtmlwrite
-\makeatletter
-\let\realnormalsize=\normalsize
-\global\topskip=2sp
-\def\preveqno{}\let\real@float=\@float \let\realend@float=\end@float
-\def\@float{\let\@savefreelist\@freelist\real@float}
-\def\liih@math{\ifmmode$\else\bad@math\fi}
-\def\end@float{\realend@float\global\let\@freelist\@savefreelist}
-\let\real@dbflt=\@dbflt \let\end@dblfloat=\end@float
-\let\@largefloatcheck=\relax
-\let\if@boxedmulticols=\iftrue
-\def\@dbflt{\let\@savefreelist\@freelist\real@dbflt}
-\def\adjustnormalsize{\def\normalsize{\mathsurround=0pt \realnormalsize
- \parindent=0pt\abovedisplayskip=0pt\belowdisplayskip=0pt}%
- \def\phantompar{\csname par\endcsname}\normalsize}%
-\def\lthtmltypeout#1{{\let\protect\string \immediate\write\lthtmlwrite{#1}}}%
-\newcommand\lthtmlhboxmathA{\adjustnormalsize\setbox\sizebox=\hbox\bgroup\kern.05em }%
-\newcommand\lthtmlhboxmathB{\adjustnormalsize\setbox\sizebox=\hbox to\hsize\bgroup\hfill }%
-\newcommand\lthtmlvboxmathA{\adjustnormalsize\setbox\sizebox=\vbox\bgroup %
- \let\ifinner=\iffalse \let\)\liih@math }%
-\newcommand\lthtmlboxmathZ{\@next\next\@currlist{}{\def\next{\voidb@x}}%
- \expandafter\box\next\egroup}%
-\newcommand\lthtmlmathtype[1]{\gdef\lthtmlmathenv{#1}}%
-\newcommand\lthtmllogmath{\lthtmltypeout{l2hSize %
-:\lthtmlmathenv:\the\ht\sizebox::\the\dp\sizebox::\the\wd\sizebox.\preveqno}}%
-\newcommand\lthtmlfigureA[1]{\let\@savefreelist\@freelist
- \lthtmlmathtype{#1}\lthtmlvboxmathA}%
-\newcommand\lthtmlpictureA{\bgroup\catcode`\_=8 \lthtmlpictureB}%
-\newcommand\lthtmlpictureB[1]{\lthtmlmathtype{#1}\egroup
- \let\@savefreelist\@freelist \lthtmlhboxmathB}%
-\newcommand\lthtmlpictureZ[1]{\hfill\lthtmlfigureZ}%
-\newcommand\lthtmlfigureZ{\lthtmlboxmathZ\lthtmllogmath\copy\sizebox
- \global\let\@freelist\@savefreelist}%
-\newcommand\lthtmldisplayA{\bgroup\catcode`\_=8 \lthtmldisplayAi}%
-\newcommand\lthtmldisplayAi[1]{\lthtmlmathtype{#1}\egroup\lthtmlvboxmathA}%
-\newcommand\lthtmldisplayB[1]{\edef\preveqno{(\theequation)}%
- \lthtmldisplayA{#1}\let\@eqnnum\relax}%
-\newcommand\lthtmldisplayZ{\lthtmlboxmathZ\lthtmllogmath\lthtmlsetmath}%
-\newcommand\lthtmlinlinemathA{\bgroup\catcode`\_=8 \lthtmlinlinemathB}
-\newcommand\lthtmlinlinemathB[1]{\lthtmlmathtype{#1}\egroup\lthtmlhboxmathA
- \vrule height1.5ex width0pt }%
-\newcommand\lthtmlinlineA{\bgroup\catcode`\_=8 \lthtmlinlineB}%
-\newcommand\lthtmlinlineB[1]{\lthtmlmathtype{#1}\egroup\lthtmlhboxmathA}%
-\newcommand\lthtmlinlineZ{\egroup\expandafter\ifdim\dp\sizebox>0pt %
- \expandafter\centerinlinemath\fi\lthtmllogmath\lthtmlsetinline}
-\newcommand\lthtmlinlinemathZ{\egroup\expandafter\ifdim\dp\sizebox>0pt %
- \expandafter\centerinlinemath\fi\lthtmllogmath\lthtmlsetmath}
-\newcommand\lthtmlindisplaymathZ{\egroup %
- \centerinlinemath\lthtmllogmath\lthtmlsetmath}
-\def\lthtmlsetinline{\hbox{\vrule width.1em \vtop{\vbox{%
- \kern.1em\copy\sizebox}\ifdim\dp\sizebox>0pt\kern.1em\else\kern.3pt\fi
- \ifdim\hsize>\wd\sizebox \hrule depth1pt\fi}}}
-\def\lthtmlsetmath{\hbox{\vrule width.1em\kern-.05em\vtop{\vbox{%
- \kern.1em\kern0.8 pt\hbox{\hglue.17em\copy\sizebox\hglue0.8 pt}}\kern.3pt%
- \ifdim\dp\sizebox>0pt\kern.1em\fi \kern0.8 pt%
- \ifdim\hsize>\wd\sizebox \hrule depth1pt\fi}}}
-\def\centerinlinemath{%
- \dimen1=\ifdim\ht\sizebox<\dp\sizebox \dp\sizebox\else\ht\sizebox\fi
- \advance\dimen1by.5pt \vrule width0pt height\dimen1 depth\dimen1
- \dp\sizebox=\dimen1\ht\sizebox=\dimen1\relax}
-
-\def\lthtmlcheckvsize{\ifdim\ht\sizebox<\vsize
- \ifdim\wd\sizebox<\hsize\expandafter\hfill\fi \expandafter\vfill
- \else\expandafter\vss\fi}%
-\providecommand{\selectlanguage}[1]{}%
-\makeatletter \tracingstats = 1
-
-
-\begin{document}
-\pagestyle{empty}\thispagestyle{empty}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength hsize=\the\hsize}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength vsize=\the\vsize}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength hoffset=\the\hoffset}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength voffset=\the\voffset}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength topmargin=\the\topmargin}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength topskip=\the\topskip}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength headheight=\the\headheight}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength headsep=\the\headsep}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength parskip=\the\parskip}\lthtmltypeout{}%
-\lthtmltypeout{latex2htmlLength oddsidemargin=\the\oddsidemargin}\lthtmltypeout{}%
-\makeatletter
-\if@twoside\lthtmltypeout{latex2htmlLength evensidemargin=\the\evensidemargin}%
-\else\lthtmltypeout{latex2htmlLength evensidemargin=\the\oddsidemargin}\fi%
-\lthtmltypeout{}%
-\makeatother
-\setcounter{page}{1}
-\onecolumn
-
-% !!! IMAGES START HERE !!!
-
-\stepcounter{chapter}
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5436}%
-$~\tilde{~}~~~$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5438}%
-$\tilde{~}~~$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsubsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5440}%
-$A\_1 {\tt .} A\_2 {\tt .} A\_3 {\tt .} A\_4$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5442}%
-$A\_i$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5444}%
-$2^{24}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5446}%
-$2^{16}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5448}%
-$2^8$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5450}%
-$N\_1 {\tt .} N\_2 {\tt .}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5452}%
-$N\_1 {\tt .} N\_2 {\tt .} N\_3 $%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5454}%
-$N\_i$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5456}%
-$^+$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline5458}%
-$^*$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{chapter}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline8536}%
-$_{2}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline8540}%
-$_{1}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline8614}%
-$_{3}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-
-%
-\providecommand{\constmsg}{\\NOTE: This variable is {\tt const},
-so may only be changed via {\tt redef}.}%
-
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline16373}%
-$\le 26$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline16375}%
-$m$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline16379}%
-$n$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline16393}%
-$h$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure22361}%
-\begin{figure}\begin{verbatim}
-
-event bro_init()
- {
- if ( restrict_filter == "" && capture_filter == "" )
- print "tcp or not tcp"; # Capture everything.
-
- else if ( restrict_filter == "" )
- print capture_filter;
-
- else if ( capture_filter == "" )
- print restrict_filter;
-
- else
- print fmt("(%s) and (%s)", capture_filter, restrict_filter);
-
- exit();
- }\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlfigureA{figure22485}%
-\begin{figure}\begin{verbatim}
-
-type net_stats: record {
- # All counts are cumulative.
- pkts_recvd: count; # Number of packets received so far.
- pkts_dropped: count; # Number of packets *reported* dropped.
- interface_drops: count; # Number of drops reported by interface(s).
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure22528}%
-\begin{figure}\begin{verbatim}
-
-type conn_id: record {
- orig_h: addr; # Address of originating host.
- orig_p: port; # Port used by originator.
- resp_h: addr; # Address of responding host.
- resp_p: port; # Port used by responder.
-};
-
-type endpoint: record {
- size: count; # Bytes sent by this endpoint so far.
- state: count; # The endpoint's current state.
-};
-
-type connection: record {
- id: conn_id; # Originator/responder addresses/ports.
- orig: endpoint; # Endpoint info for originator.
- resp: endpoint; # Endpoint info for responder.
- start_time: time; # When the connection began.
- duration: interval; # How long it was active (or has been so far).
- service: string; # The service we associate with it (e.g., "http").
- addl: string; # Additional information associated with it.
- hot: count; # How many times we've marked it as sensitive.
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31877}%
-$A$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31879}%
-$B$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31899}%
-$B_{o}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31901}%
-$B_{r}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31903}%
-$A_{l}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31905}%
-$A_{r}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31927}%
-$A_{o}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31937}%
-$S_{o}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31941}%
-$S_{r}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31943}%
-$D$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31957}%
-$P_{o}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31961}%
-$P_{r}$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31971}%
-$p$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlfigureA{figure23775}%
-\begin{figure}\begin{verbatim}
-
-global msg_count: table[string] of count &default = 0;
-
-event log_summary(msg: string)
- {
- log fmt("(%s) %d times", msg, msg_count[msg]);
- }
-
-function log_hook(msg: string): bool
- {
- if ( ++msg_count[msg] == 1 )
- # First time we've seen this message - log it.
- return T;
-
- if ( msg_count[msg] == 5 )
- # We've seen it five times, enough to be worth
- # summarizing. Do so five minutes from now,
- # for whatever total we've seen by then.
- schedule +5 min { log_summary(msg) };
-
- return F;
- }\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure23860}%
-\begin{figure}\begin{verbatim}
-
-type dns_mapping: record {
- creation_time: time; # When the mapping was created.
-
- req_host: string; # The hostname in the request, if any.
- req_addr: addr; # The address in the request, if any.
-
- valid: bool; # Whether we received an answer.
- hostname: string; # The hostname in the answer, or "".
- addrs: set[addr]; # The addresses in the answer, if any.
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure24088}%
-\begin{figure}\begin{verbatim}
-
-type ftp_session_info: record {
- id: count; # unique number associated w/ session
- user: string; # username, if determined
- request: string; # pending request or requests
- num_requests: count; # count of pending requests
- request_t: time; # time of request
- log_if_not_denied: bool; # unless code 530 on reply, log it
- log_if_not_unavail: bool; # unless code 550 on reply, log it
- log_it: bool; # if true, log the request(s)
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure24192}%
-\begin{figure}\begin{verbatim}
-
-972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp start
-972499886.685046 #26 response (220 tuvok.ooc.com FTP server
- (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.)
-972499886.686025 #26 USER anonymous/IEUser@ (logged in)
-972499887.850621 #26 TYPE I (ok)
-972499888.421741 #26 PASV (227 64.55.26.206/2427)
-972499889.493020 #26 SIZE /pub/OB/4.0/JOB-4.0.3.zip (213 1675597)
-972499890.135706 #26 *RETR /pub/OB/4.0/JOB-4.0.3.zip, ABOR (complete)
-972500055.491045 #26 response (225 ABOR command successful.)\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure24357}%
-\begin{figure}\begin{verbatim}
-
-972482763.371224 %1596 start 200.241.229.80 > 131.243.2.12
-%1596 GET /ITG.hm.pg.docs/dissect/portuguese/dissect.html
-%1596 GET /vfrog/bottom.icon.gif
-%1596 GET /vfrog/top.icon.gif
-%1596 GET /vfrog/movies/off.gif
-%1596 GET /vfrog/new.frog.small.gif
-\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31983}%
-$\le 2$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31987}%
-$\ge 256$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31989}%
-$\ge 1024$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31991}%
-$\ge$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure25695}%
-\begin{figure}\begin{verbatim}
-
-type x509: record {
- issuer: string; # issuer name of the certificate
- subject: string; # subject name of the certificate
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure25707}%
-\begin{figure}\begin{verbatim}
-
-type ssl_connection_info: record {
- id: count; # the log identifier number
- connection_id: conn_id; # IP connection information
- version: count; # version associated with connection
- client_cert: x509;
- server_cert: x509;
- id_index: string; # index for associated sessionID
- handshake_cipher: count; # cipher suite client and server agreed upon
-};\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure25794}%
-\begin{figure}\begin{verbatim}
-
-1046778101.534846 #1 192.168.0.98/32988 > 213.61.126.124/https start
-1046778101.534846 #1 connection attempt version: 3.1
-1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4), SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), SSLv3x_RSA_WITH_3DES_EDE_CBC_SHA (0xA), SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), SSLv3x_RSA_WITH_DES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), SSLv3x_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62), SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), SSLv3x_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),
-1046778101.753356 #1 server reply, version: 3.1
-1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4),
-1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter Class 3 CA/Email=certificate@trustcenter.de,
-1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=Lehmanns Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@lehmanns.de
-1046778101.894567 #1 handshake finished, version 3.1, cipher suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)
-1046778104.877207 #1 finish
----
-Used cipher-suites statistics:
-SSLv3x_RSA_WITH_RC4_128_MD5 (0x4): 1\end{verbatim}
-
-\end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline31993}%
-$2 \cdot \mbox{MSL} = 4$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{subsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-\stepcounter{subsubsection}
-{\newpage\clearpage
-\lthtmlfigureA{figure39539}%
-\begin{figure} \begin{verbatim}
-
-type signature_state: record {
- id: string; # ID of the signature
- conn: connection; # Current connection
- is_orig: bool; # True if current endpoint is originator
- payload_size: count; # Payload size of the first pkt of curr. endpoint
- };\end{verbatim}
-
-
- \end{figure}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{subsection}
-\stepcounter{section}
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline39988}%
-$N$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-{\newpage\clearpage
-\lthtmlinlinemathA{tex2html_wrap_inline39992}%
-$\pm N$%
-\lthtmlinlinemathZ
-\lthtmlcheckvsize\clearpage}
-
-\stepcounter{chapter}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-\stepcounter{section}
-{\newpage\clearpage
-\lthtmlfigureA{center42103}%
-\begin{center}\vbox{\input{index.tex}
-}\end{center}%
-\lthtmlfigureZ
-\lthtmlcheckvsize\clearpage}
-
-
-\end{document}
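Review bot: The verbatim figure bodies removed here (figure24192, figure24357 and figure25794) hold sample FTP, HTTP and SSL log lines with concrete IP addresses, hostnames and certificate e-mail addresses, and deleting the file from the tree leaves them in repository history. If any of that capture data was not meant to be public, it needs handling separately from this cleanup. The file itself is latex2html output (the \lthtml* macros and tex2html_wrap names), so dropping it is reasonable, but the commit message should say where the record definitions shown in these figures (conn_id, connection, ftp_session_info, ssl_connection_info, signature_state) are now documented and confirm that no build step still reads this generated file.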
diff --git a/doc/old/manual/img1.gif b/doc/old/manual/img1.gif
deleted file mode 100644
index 0223c17338..0000000000
Binary files a/doc/old/manual/img1.gif and /dev/null differ
diff --git a/doc/old/manual/img10.gif b/doc/old/manual/img10.gif
deleted file mode 100644
index 427749b200..0000000000
Binary files a/doc/old/manual/img10.gif and /dev/null differ
diff --git a/doc/old/manual/img11.gif b/doc/old/manual/img11.gif
deleted file mode 100644
index 8c06e38f4f..0000000000
Binary files a/doc/old/manual/img11.gif and /dev/null differ
diff --git a/doc/old/manual/img12.gif b/doc/old/manual/img12.gif
deleted file mode 100644
index 7555544ec5..0000000000
Binary files a/doc/old/manual/img12.gif and /dev/null differ
diff --git a/doc/old/manual/img13.gif b/doc/old/manual/img13.gif
deleted file mode 100644
index e96a66a481..0000000000
Binary files a/doc/old/manual/img13.gif and /dev/null differ
diff --git a/doc/old/manual/img14.gif b/doc/old/manual/img14.gif
deleted file mode 100644
index 5a93808349..0000000000
Binary files a/doc/old/manual/img14.gif and /dev/null differ
diff --git a/doc/old/manual/img15.gif b/doc/old/manual/img15.gif
deleted file mode 100644
index 7a9ad3b96c..0000000000
Binary files a/doc/old/manual/img15.gif and /dev/null differ
diff --git a/doc/old/manual/img16.gif b/doc/old/manual/img16.gif
deleted file mode 100644
index b52710213a..0000000000
Binary files a/doc/old/manual/img16.gif and /dev/null differ
diff --git a/doc/old/manual/img17.gif b/doc/old/manual/img17.gif
deleted file mode 100644
index c827cd1997..0000000000
Binary files a/doc/old/manual/img17.gif and /dev/null differ
diff --git a/doc/old/manual/img18.gif b/doc/old/manual/img18.gif
deleted file mode 100644
index 94fc1b7cbf..0000000000
Binary files a/doc/old/manual/img18.gif and /dev/null differ
diff --git a/doc/old/manual/img19.gif b/doc/old/manual/img19.gif
deleted file mode 100644
index bfce4a140d..0000000000
Binary files a/doc/old/manual/img19.gif and /dev/null differ
diff --git a/doc/old/manual/img2.gif b/doc/old/manual/img2.gif
deleted file mode 100644
index a1c67ed462..0000000000
Binary files a/doc/old/manual/img2.gif and /dev/null differ
diff --git a/doc/old/manual/img20.gif b/doc/old/manual/img20.gif
deleted file mode 100644
index 8f14da3376..0000000000
Binary files a/doc/old/manual/img20.gif and /dev/null differ
diff --git a/doc/old/manual/img21.gif b/doc/old/manual/img21.gif
deleted file mode 100644
index 0351618325..0000000000
Binary files a/doc/old/manual/img21.gif and /dev/null differ
diff --git a/doc/old/manual/img22.gif b/doc/old/manual/img22.gif
deleted file mode 100644
index bbd0b4f8a8..0000000000
Binary files a/doc/old/manual/img22.gif and /dev/null differ
diff --git a/doc/old/manual/img23.gif b/doc/old/manual/img23.gif
deleted file mode 100644
index 280d924c1c..0000000000
Binary files a/doc/old/manual/img23.gif and /dev/null differ
diff --git a/doc/old/manual/img24.gif b/doc/old/manual/img24.gif
deleted file mode 100644
index 7f4e0e7f12..0000000000
Binary files a/doc/old/manual/img24.gif and /dev/null differ
diff --git a/doc/old/manual/img25.gif b/doc/old/manual/img25.gif
deleted file mode 100644
index 8aa47363f5..0000000000
Binary files a/doc/old/manual/img25.gif and /dev/null differ
diff --git a/doc/old/manual/img26.gif b/doc/old/manual/img26.gif
deleted file mode 100644
index f1941a65d2..0000000000
Binary files a/doc/old/manual/img26.gif and /dev/null differ
diff --git a/doc/old/manual/img27.gif b/doc/old/manual/img27.gif
deleted file mode 100644
index b419999213..0000000000
Binary files a/doc/old/manual/img27.gif and /dev/null differ
diff --git a/doc/old/manual/img28.gif b/doc/old/manual/img28.gif
deleted file mode 100644
index 3212cf87f0..0000000000
Binary files a/doc/old/manual/img28.gif and /dev/null differ
diff --git a/doc/old/manual/img29.gif b/doc/old/manual/img29.gif
deleted file mode 100644
index 48c80016d5..0000000000
Binary files a/doc/old/manual/img29.gif and /dev/null differ
diff --git a/doc/old/manual/img3.gif b/doc/old/manual/img3.gif
deleted file mode 100644
index e620bb6822..0000000000
Binary files a/doc/old/manual/img3.gif and /dev/null differ
diff --git a/doc/old/manual/img30.gif b/doc/old/manual/img30.gif
deleted file mode 100644
index 33713b6a16..0000000000
Binary files a/doc/old/manual/img30.gif and /dev/null differ
diff --git a/doc/old/manual/img31.gif b/doc/old/manual/img31.gif
deleted file mode 100644
index 943f8a10bc..0000000000
Binary files a/doc/old/manual/img31.gif and /dev/null differ
diff --git a/doc/old/manual/img32.gif b/doc/old/manual/img32.gif
deleted file mode 100644
index 3b2228a5b3..0000000000
Binary files a/doc/old/manual/img32.gif and /dev/null differ
diff --git a/doc/old/manual/img33.gif b/doc/old/manual/img33.gif
deleted file mode 100644
index a6d458dd59..0000000000
Binary files a/doc/old/manual/img33.gif and /dev/null differ
diff --git a/doc/old/manual/img34.gif b/doc/old/manual/img34.gif
deleted file mode 100644
index 8d1959f6f7..0000000000
Binary files a/doc/old/manual/img34.gif and /dev/null differ
diff --git a/doc/old/manual/img35.gif b/doc/old/manual/img35.gif
deleted file mode 100644
index ab7db612f9..0000000000
Binary files a/doc/old/manual/img35.gif and /dev/null differ
diff --git a/doc/old/manual/img36.gif b/doc/old/manual/img36.gif
deleted file mode 100644
index a44fb49895..0000000000
Binary files a/doc/old/manual/img36.gif and /dev/null differ
diff --git a/doc/old/manual/img37.gif b/doc/old/manual/img37.gif
deleted file mode 100644
index bb04e6c790..0000000000
Binary files a/doc/old/manual/img37.gif and /dev/null differ
diff --git a/doc/old/manual/img38.gif b/doc/old/manual/img38.gif
deleted file mode 100644
index 802eb22a71..0000000000
Binary files a/doc/old/manual/img38.gif and /dev/null differ
diff --git a/doc/old/manual/img39.gif b/doc/old/manual/img39.gif
deleted file mode 100644
index 490e8c748c..0000000000
Binary files a/doc/old/manual/img39.gif and /dev/null differ
diff --git a/doc/old/manual/img4.gif b/doc/old/manual/img4.gif
deleted file mode 100644
index dfd4c3db1f..0000000000
Binary files a/doc/old/manual/img4.gif and /dev/null differ
diff --git a/doc/old/manual/img40.gif b/doc/old/manual/img40.gif
deleted file mode 100644
index b077d4b603..0000000000
Binary files a/doc/old/manual/img40.gif and /dev/null differ
diff --git a/doc/old/manual/img41.gif b/doc/old/manual/img41.gif
deleted file mode 100644
index 5e8e4cd56a..0000000000
Binary files a/doc/old/manual/img41.gif and /dev/null differ
diff --git a/doc/old/manual/img42.gif b/doc/old/manual/img42.gif
deleted file mode 100644
index 2460bbcbc6..0000000000
Binary files a/doc/old/manual/img42.gif and /dev/null differ
diff --git a/doc/old/manual/img43.gif b/doc/old/manual/img43.gif
deleted file mode 100644
index 9600430261..0000000000
Binary files a/doc/old/manual/img43.gif and /dev/null differ
diff --git a/doc/old/manual/img44.gif b/doc/old/manual/img44.gif
deleted file mode 100644
index 5a976f9f3f..0000000000
Binary files a/doc/old/manual/img44.gif and /dev/null differ
diff --git a/doc/old/manual/img45.gif b/doc/old/manual/img45.gif
deleted file mode 100644
index 1473999c89..0000000000
Binary files a/doc/old/manual/img45.gif and /dev/null differ
diff --git a/doc/old/manual/img46.gif b/doc/old/manual/img46.gif
deleted file mode 100644
index 11d39cbe0c..0000000000
Binary files a/doc/old/manual/img46.gif and /dev/null differ
diff --git a/doc/old/manual/img47.gif b/doc/old/manual/img47.gif
deleted file mode 100644
index 689f2bfe53..0000000000
Binary files a/doc/old/manual/img47.gif and /dev/null differ
diff --git a/doc/old/manual/img48.gif b/doc/old/manual/img48.gif
deleted file mode 100644
index 15317ea977..0000000000
Binary files a/doc/old/manual/img48.gif and /dev/null differ
diff --git a/doc/old/manual/img49.gif b/doc/old/manual/img49.gif
deleted file mode 100644
index 5b41f026ae..0000000000
Binary files a/doc/old/manual/img49.gif and /dev/null differ
diff --git a/doc/old/manual/img5.gif b/doc/old/manual/img5.gif
deleted file mode 100644
index d6e4587a50..0000000000
Binary files a/doc/old/manual/img5.gif and /dev/null differ
diff --git a/doc/old/manual/img50.gif b/doc/old/manual/img50.gif
deleted file mode 100644
index 61b654af90..0000000000
Binary files a/doc/old/manual/img50.gif and /dev/null differ
diff --git a/doc/old/manual/img51.gif b/doc/old/manual/img51.gif
deleted file mode 100644
index 16e570fe0c..0000000000
Binary files a/doc/old/manual/img51.gif and /dev/null differ
diff --git a/doc/old/manual/img6.gif b/doc/old/manual/img6.gif
deleted file mode 100644
index e92fc18acd..0000000000
Binary files a/doc/old/manual/img6.gif and /dev/null differ
diff --git a/doc/old/manual/img7.gif b/doc/old/manual/img7.gif
deleted file mode 100644
index 424994a0c6..0000000000
Binary files a/doc/old/manual/img7.gif and /dev/null differ
diff --git a/doc/old/manual/img8.gif b/doc/old/manual/img8.gif
deleted file mode 100644
index 95e3b29fc0..0000000000
Binary files a/doc/old/manual/img8.gif and /dev/null differ
diff --git a/doc/old/manual/img9.gif b/doc/old/manual/img9.gif
deleted file mode 100644
index b5af385015..0000000000
Binary files a/doc/old/manual/img9.gif and /dev/null differ
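Review bot: Nothing in these binary deletions (img1.gif through img51.gif under doc/old/manual/) shows whether the pages that embedded the images are removed as well. Confirm that the rest of the generated manual output in this directory is deleted in the same commit, so no remaining page points at a missing image, and say in the commit message that the old manual's generated output is being dropped as a whole.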
diff --git a/doc/old/manual/internals.pl b/doc/old/manual/internals.pl
deleted file mode 100644
index 1e5e6add77..0000000000
--- a/doc/old/manual/internals.pl
+++ /dev/null
@@ -1,3978 +0,0 @@
-# LaTeX2HTML 2002-2 (1.70)
-# Associate internals original text with physical files.
-
-
-$key = q/process-HTTP-data-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-version-field/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/network-interfaces/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/signal-handling/;
-$ref_files{$key} = "$dir".q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-ratio-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-idle-min-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-deps/;
-$ref_files{$key} = "$dir".q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-request-event/;
-$ref_files{$key} = "$dir".q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-set-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-spoof-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-cmds-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/spontaneous-FIN-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/USER-env/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-authentication-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-pairs-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mask-addr-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-record-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:signature-state/;
-$ref_files{$key} = "$dir".q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/for-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-size-inconsistency-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/site-analyzer-module/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/exit-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-id-patterns-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-SYN-ack-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/Land-attack-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-16-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-connection-reuse-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-legal-cmds-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-data-expected-session-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/set-record-packets-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-var/;
-$ref_files{$key} = "$dir".q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-func/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-redef/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-state-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/logical-operators/;
-$ref_files{$key} = "$dir".q|node10.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-PTR-scans-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/UDP-datagram-length-mismatch-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-login-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-index/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/address-type/;
-$ref_files{$key} = "$dir".q|node17.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-attempt-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RST-storm-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NULs-allowed-in-strings/;
-$ref_files{$key} = "$dir".q|node13.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cross-product-init/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-portmapper/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-SYN-ack-ok-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/remote-code-red-response-pgm-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-max-keystroke-pkt-size-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-standard-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-func/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-analyzer-module/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/relay-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-partial-close-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-remote-sensitive-URIs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ssl-log/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-overview/;
-$ref_files{$key} = "$dir".q|node69.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-do-not-complain-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/print-filter-analyzer-module/;
-$ref_files{$key} = "$dir".q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger/;
-$ref_files{$key} = "$dir".q|node68.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-example/;
-$ref_files{$key} = "$dir".q|node70.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/get-resp-seq-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/return-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-distinct-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/add-interface-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/scan-analyzer-module/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-hot-ids/;
-$ref_files{$key} = "$dir".q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-TCP-checksum-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-finger-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-types/;
-$ref_files{$key} = "$dir".q|node15.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-conn-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ignore-checksums-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-addrs-field/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-service-pairs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-did-summary-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ack-above-hole-event/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/determine-service-func/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/did-sigconns-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-decl/;
-$ref_files{$key} = "$dir".q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-RPC-program-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/relational-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-finished-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-count-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-analyzer-module/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-guest-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-type/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-frag/;
-$ref_files{$key} = "$dir".q|node48.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/have-skip-remote-sensitive-URIs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-partial-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-distinct-peers-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-normal-line-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-stat-backoff-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/full-input-trouble-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-telnet-orig-ports-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-guest-files-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-relay-4-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-reference/;
-$ref_files{$key} = "$dir".q|node73.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ident-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-content/;
-$ref_files{$key} = "$dir".q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/to-lower-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/finger-request-event/;
-$ref_files{$key} = "$dir".q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-ident-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-var/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mixing-numerics/;
-$ref_files{$key} = "$dir".q|node11.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-weird-event/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzers/;
-$ref_files{$key} = "$dir".q|node34.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-do-not-ignore-repeats-var/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rule-file-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interfaces-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-established-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/blank-in-HTTP-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-session-timer-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_tls-56/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/_-library/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/open-for-append-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-24-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/attrs/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection/;
-$ref_files{$key} = "$dir".q|node86.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/input-trouble-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-analyzer-module/;
-$ref_files{$key} = "$dir".q|node62.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/horiz-scan-thresholds-var/;
-$ref_files{$key} = "$dir".q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/logical-negation/;
-$ref_files{$key} = "$dir".q|node10.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-interesting-changes-var/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/constant-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-terminal-types-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/red-log/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/router-prompts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-world-servers-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-snort2bro/;
-$ref_files{$key} = "$dir".q|node67.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-mt/;
-$ref_files{$key} = "$dir".q|node42.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC-NFS2/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC-NFS3/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-dump-okay-var/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-UDP-checksum-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/equality-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-constants/;
-$ref_files{$key} = "$dir".q|node18.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-seq-jump-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection-ok-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/non-backdoor-prompts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-analyzer-module/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-bytes-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rewrite-finger-trace-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/null-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/restrict-filter-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/scan-dropping/;
-$ref_files{$key} = "$dir".q|node84.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-forbidden-id-func/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-further-processing-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-request-length-var/;
-$ref_files{$key} = "$dir".q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-bad-port-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-id-field/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-name-changed-event/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-type/;
-$ref_files{$key} = "$dir".q|node18.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-dns-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/arithmetic-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-alert-event/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/field-test-op/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/gtld-servers-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-URIs-var/;
-$ref_files{$key} = "$dir".q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-getport-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-overview/;
-$ref_files{$key} = "$dir".q|node65.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/address-constants/;
-$ref_files{$key} = "$dir".q|node17.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ssh-orig-ports-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-conns-reported-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/packet-drops/;
-$ref_files{$key} = "$dir".q|node87.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-half-finished-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-log-file/;
-$ref_files{$key} = "$dir".q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-service-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-inbound-service-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-constants/;
-$ref_files{$key} = "$dir".q|node15.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/heartbeat-interval-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-answered-PTR-requests-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/restrict-filter/;
-$ref_files{$key} = "$dir".q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/last-stat-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/internally-truncated-header-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-stat-backoff-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/byte-len-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-stats-event/;
-$ref_files{$key} = "$dir".q|node55.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ssl-aes/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-sources-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ICMP-checksum-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/baroque-SYN-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-connection-linger-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-request-event/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/unsolicited-SYN-response-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/set-login-state-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rewriting-http-trace-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-dump-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/event-handlers/;
-$ref_files{$key} = "$dir".q|node24.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-accepted-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/frag-analyzer-module/;
-$ref_files{$key} = "$dir".q|node48.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-log/;
-$ref_files{$key} = "$dir".q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edited-input-trouble-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/inappropriate-FIN-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/string-constants/;
-$ref_files{$key} = "$dir".q|node13.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sub-bytes-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/non-ASCII-hosts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-handshake-cipher-field/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:portmapper/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-accounts-tried-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/root-servers-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-req-count-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/patterns/;
-$ref_files{$key} = "$dir".q|node14.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-storm-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-icmp/;
-$ref_files{$key} = "$dir".q|node59.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-world-servers-var/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-del/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/reading-live-traffic-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/set-contents-file-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-relay-3-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/id-string-func/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:net-stats/;
-$ref_files{$key} = "$dir".q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-var/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/clean-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-weird-event/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-marker/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/T-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/possible-port-scan-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-prompts-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-pop3/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-port-name/;
-$ref_files{$key} = "$dir".q|node41.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/write-expire-attr/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids-var/;
-$ref_files{$key} = "$dir".q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dst-24nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-prompts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-altered-event/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-rexmit-inconsistency-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/timer-management/;
-$ref_files{$key} = "$dir".q|node81.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-init/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/event-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-cache/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-rejected-PTR-requests-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-conn-var/;
-$ref_files{$key} = "$dir".q|node44.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/kazaa-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-peers-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/anonymous_function-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-filters/;
-$ref_files{$key} = "$dir".q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/possible-port-scan-thresh-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/demux-analyzer-module/;
-$ref_files{$key} = "$dir".q|node45.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-log/;
-$ref_files{$key} = "$dir".q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/truncated-header-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-list2-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id/;
-$ref_files{$key} = "$dir".q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-normal-line-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter-var/;
-$ref_files{$key} = "$dir".q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-ssh-stepping/;
-$ref_files{$key} = "$dir".q|node61.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-established-event/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-spoof-func/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-file-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record_constructor-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-attempt-event/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-active/;
-$ref_files{$key} = "$dir".q|node44.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/possible-scan-sources-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-max-interarrival-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-verify-certificates-var/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/router-prompts-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/addl-web-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/account-tried-event/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/portmapper-analyzer-module/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-var/;
-$ref_files{$key} = "$dir".q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-names-var/;
-$ref_files{$key} = "$dir".q|node41.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-log-file-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-orig-func/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-demux-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fmt-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds-string/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-gamma-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-msgs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-clear-ssh-reports-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-with-data-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/same-local-net-is-spoof-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-scan-func/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/inconsistent-option-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-inconsistency-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/data-before-established-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/inserting-tables-into-tables/;
-$ref_files{$key} = "$dir".q|node90.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-stat-period-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/variable-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:http-log-eg/;
-$ref_files{$key} = "$dir".q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-unverified-event/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/detected-stones-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC1122/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/if-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tag-to-conn-map-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/refinement/;
-$ref_files{$key} = "$dir".q|node79.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/gnutella-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/napster-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-analyzer-module/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-compare-cipherspecs-var/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/functions/;
-$ref_files{$key} = "$dir".q|node23.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-functions/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_tlsv1/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-demux-skip-tags-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ident/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-rejected-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-rlogin-prolog-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-ip-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-null-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-certificates-var/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_pcap/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log-file/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/non-backdoor-prompts-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-src-addrs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-cert-path-var/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/repeated-SYN-with-ack-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:conn-file-states/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mt-analyzer-module/;
-$ref_files{$key} = "$dir".q|node42.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-valid-field/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused-text-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/variables/;
-$ref_files{$key} = "$dir".q|node29.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-done-event/;
-$ref_files{$key} = "$dir".q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/type-conversion/;
-$ref_files{$key} = "$dir".q|node9.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-non-failure-msgs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-hot-func/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-new-name-event/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-lost-name-event/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-match-undelivered-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-backscatter-peers-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/software-table-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cf-utility/;
-$ref_files{$key} = "$dir".q|node7.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/simultaneous-open-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-tcp-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/demuxed-conn-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-accounts-tried-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-line-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-interarrival-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-sensitive-cmds-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-7bit-ascii-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-rep-count-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flush-all-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:log-hook/;
-$ref_files{$key} = "$dir".q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-storm-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/split-routing/;
-$ref_files{$key} = "$dir".q|node83.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-inbound-service-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-stepping/;
-$ref_files{$key} = "$dir".q|node60.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-attr/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-ssh-len-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-activation/;
-$ref_files{$key} = "$dir".q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/expression-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-close-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-list1-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-24-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edit-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/in-operator/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-relay-table-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-callit-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/output-trouble-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/contains-string-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/multiple-RPCs-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/membership-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-abstract-max-length-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-scan-checks-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-protocol-inconsistency-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/todo/;
-$ref_files{$key} = "$dir".q|node74.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-to-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/non-ASCII-hosts-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-len-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/done-with-network-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-num-requests-field/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/arith-operators/;
-$ref_files{$key} = "$dir".q|node11.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-scan-triples-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/last-stat-time-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-connection-func/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-prompts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/trace-log/;
-$ref_files{$key} = "$dir".q|node76.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/has-signature-matched-func/;
-$ref_files{$key} = "$dir".q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/service-name-func/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-24-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-scope/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ftp-log-eg/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-PTR-requests-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/signature-analyzer-module/;
-$ref_files{$key} = "$dir".q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/okay-to-lookup-sensitive-hosts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-lookup-hosts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/getting-started/;
-$ref_files{$key} = "$dir".q|node5.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-filters-var/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/statements/;
-$ref_files{$key} = "$dir".q|node26.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-constructors/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/BRO-ID-env/;
-$ref_files{$key} = "$dir".q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-do-not-ignore-repeats-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-flows-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-interval-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-events/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-analyzer-module/;
-$ref_files{$key} = "$dir".q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-info-expanded-line-field/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-analy/;
-$ref_files{$key} = "$dir".q|node55.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/have-stats-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-mod/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-pm-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/last-type/;
-$ref_files{$key} = "$dir".q|node25.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-log/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hf-utility/;
-$ref_files{$key} = "$dir".q|node7.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-hot-id-func/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-line-func/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/data-after-reset-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/spontaneous-RST-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-post-URIs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/worm-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/policy-script-events/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-service-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-services-var/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-alpha-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/repeated-SYN-reply-wo-ack-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dsts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-sources-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-context/;
-$ref_files{$key} = "$dir".q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-src-24nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-unset-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/software-ident-by-major-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-log-file-var/;
-$ref_files{$key} = "$dir".q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-reply-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/x509-trusted-cert-path-var/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/never-shut-down-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ident-request-event/;
-$ref_files{$key} = "$dir".q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/BROPATH-env/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/full-id-string-func/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-16-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-name-analyzer-module/;
-$ref_files{$key} = "$dir".q|node41.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-dns/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dsts-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-pm-port-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-all-scans-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-language/;
-$ref_files{$key} = "$dir".q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bibliography/;
-$ref_files{$key} = "$dir".q|node105.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-addresses/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-services-var/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-mail-addr-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-analyzer-module/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-proxy-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-HTTP-reply-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-notes/;
-$ref_files{$key} = "$dir".q|node72.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/have-FTP-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/first-type/;
-$ref_files{$key} = "$dir".q|node10.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/delete-func-attr/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/did-ssh-version-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-num-lines-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/worm-list-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-16-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-storm-interarrival-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/shallow-copy/;
-$ref_files{$key} = "$dir".q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-logins-to-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/site-info/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/any-RPC-okay-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/parse-ftp-port-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/positivation-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ftp/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mime-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-scale-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-func/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hostnames-vs-addresses/;
-$ref_files{$key} = "$dir".q|node93.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pattern-matching-ops/;
-$ref_files{$key} = "$dir".q|node14.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-inside-connection-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/anonymize-ip-addr-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-weird-addl-event/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-if-no-password-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-check-getport-func/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/TCP-christmas-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-attempt-delayv-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ident/;
-$ref_files{$key} = "$dir".q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-analyzer-module/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-option-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-rpc/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/scan-triples-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analy-conn/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/demux-conn-func/;
-$ref_files{$key} = "$dir".q|node45.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-conn/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/non-analyzed-lifetime-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-login-ids-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bro-usenix-98/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-pm-log-var/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/intro/;
-$ref_files{$key} = "$dir".q|node4.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-set-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:login-confusion/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/display-pairs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_sslv30/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-min-ssh-pkts-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-reset-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bro-comp-networks-99/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-if-not-unavail-field/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-request-field/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/open-log-file-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-with-DF-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-peer-scan-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-done-event/;
-$ref_files{$key} = "$dir".q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-num-lines-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-originator-SYN-ack-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-terminal-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tables/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-id-field/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/signatures/;
-$ref_files{$key} = "$dir".q|node64.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-3byte-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/default-attr/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids/;
-$ref_files{$key} = "$dir".q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-tcp-port-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/process-HTTP-replies-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-conditions/;
-$ref_files{$key} = "$dir".q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-load/;
-$ref_files{$key} = "$dir".q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-RPC-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-excessive-filename-trunc-len-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-hot-conn-func/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-guest-ids-var/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-backdoor/;
-$ref_files{$key} = "$dir".q|node62.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-files-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/root-backdoor-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flow-weird-event/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-double-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/alert-file-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-16-net-pairs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-connection-func/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter/;
-$ref_files{$key} = "$dir".q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dst-24nets-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-net-var/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NULs-run-time/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/reference/;
-$ref_files{$key} = "$dir".q|node73.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-server-map-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-ssh-pkts-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-skip-hot-var/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-login-conn-func/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-24-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ftp/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:sigs-modactions/;
-$ref_files{$key} = "$dir".q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-id-patterns-var/;
-$ref_files{$key} = "$dir".q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-bytes-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-key-material-var/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/break-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/parenthesized-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/alert-action-filters-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-server-reply-event/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/global-stmts/;
-$ref_files{$key} = "$dir".q|node89.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-orig-h-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/network-time-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-session-timeout-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mkdir-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-login/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-option-termination-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/decrement-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-ignore-host-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-connection-id-field/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-max-cipherspec-size-var/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/min-interval-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/set-type/;
-$ref_files{$key} = "$dir".q|node21.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ssl-fips/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/preserved-net-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-demux-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-valid-event/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-post-URIs-var/;
-$ref_files{$key} = "$dir".q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-prompts-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/read-expire-attr/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-var/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-num-pkts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/differences/;
-$ref_files{$key} = "$dir".q|node100.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-telnet/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-hot/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-sig-1byte-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-analyzer-module/;
-$ref_files{$key} = "$dir".q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-constants/;
-$ref_files{$key} = "$dir".q|node16.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/output-trouble-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-nets-var/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/keystroke-editing/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-names-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-programs-var/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-prog-func/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-16-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-timer-expires-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:endpoint-stats/;
-$ref_files{$key} = "$dir".q|node55.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pattern-constants/;
-$ref_files{$key} = "$dir".q|node14.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-16-net-pairs-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-output-line-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/vert-scan-thresholds-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-ops/;
-$ref_files{$key} = "$dir".q|node16.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-analyzer-module/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/numeric-constants/;
-$ref_files{$key} = "$dir".q|node11.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-size-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-analyzer-module/;
-$ref_files{$key} = "$dir".q|node44.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excessively-large-fragment-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-nets-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/assignment-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-unset-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-IP-checksum-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-hot-cmds-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/multiple-HTTP-request-elements-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/worm-URIs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-creation-time-field/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-analyzer-module/;
-$ref_files{$key} = "$dir".q|node59.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/negation-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-after-reset-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-backscatter-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-type/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-annotate-standard-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ptacek98/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/system-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/length-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/inactivity-timeout-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ftp-session-info/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/demux/;
-$ref_files{$key} = "$dir".q|node91.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-conn/;
-$ref_files{$key} = "$dir".q|node59.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/include-HTTP-abstract-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bpf/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-proc-events/;
-$ref_files{$key} = "$dir".q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sig-actions-var/;
-$ref_files{$key} = "$dir".q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/get-orig-seq-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-3byte-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-demux/;
-$ref_files{$key} = "$dir".q|node45.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/horiz-scan-thresholds-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-rejected-service-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-guest-files-var/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/address-ops/;
-$ref_files{$key} = "$dir".q|node17.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ident-analyzer-module/;
-$ref_files{$key} = "$dir".q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ident-reply-event/;
-$ref_files{$key} = "$dir".q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-accounts-tried-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-attr/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-service-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-conn-func/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_sslv2/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tftp-alert-count-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-activity-func/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-TCP-header-len-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/redef/;
-$ref_files{$key} = "$dir".q|node79.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-type/;
-$ref_files{$key} = "$dir".q|node16.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pattern_matching-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-if-no-password-var/;
-$ref_files{$key} = "$dir".q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/redef-attr/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-user-func/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cat-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-file-name-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reset-delay-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-usage/;
-$ref_files{$key} = "$dir".q|node71.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/create-expire-attr/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/add-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-certificate-event/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-resp-h-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rule-actions-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/records/;
-$ref_files{$key} = "$dir".q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-report-script/;
-$ref_files{$key} = "$dir".q|node94.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-common-host-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-exceptions-var/;
-$ref_files{$key} = "$dir".q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-ftp-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-ntp-request-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-accounts-tried-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/can-drop-connectivity-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-addl-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/index-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/getenv-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-req-host-field/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/activating-encryption-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-dump-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/truncated-IP-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/add-func-attr/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/BRO-PREFIXES-env/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-xdr/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-srcs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-user-field/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ssh/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-thresh-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/unpaired-RPC-response-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-connection-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rewrite-ident-trace-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-src-24nets-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/demux-dir-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:conn-record-states/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-names-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-dst-addrs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-exceptions-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conditional-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-stat-period-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/delete-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/HTTP-version-mismatch-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/get-login-state-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/vert-scan-thresholds-var/;
-$ref_files{$key} = "$dir".q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:contents-dir/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/preserved-subnet-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_x509/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/precedence/;
-$ref_files{$key} = "$dir".q|node85.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/close-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-server-cert-field/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backscatter-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:portmapper-status/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:conn-record/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-signal-event/;
-$ref_files{$key} = "$dir".q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/omit-rewrite-place-holder-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-remote-accounts-tried-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-finger-request-len-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-demux-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RST-with-data-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-reply-event/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/finger-analyzer-module/;
-$ref_files{$key} = "$dir".q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/parse-ftp-pasv-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/public-ident-user-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-scan/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:x509/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hostnames/;
-$ref_files{$key} = "$dir".q|node17.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/const-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-ids-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-backscatter-peers-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-ops/;
-$ref_files{$key} = "$dir".q|node15.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-access/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-req-addr-field/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/scope_of_local_variables/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/account-tried/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-pairs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-rejected-PTR-factor-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-HTTP-version-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-duration-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/compound-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-state-func/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-id-okay-if-no-password-exposed-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-skip-hot-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:weird-action/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/field-attrs/;
-$ref_files{$key} = "$dir".q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-getport-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/public-ident-systems-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/finger-reply-event/;
-$ref_files{$key} = "$dir".q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-msgs-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/timer-expiration/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ident-reply-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-dollar/;
-$ref_files{$key} = "$dir".q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excessively-small-fragment-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-close-delay-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/possible-split-routing-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stepping-analyzer-module/;
-$ref_files{$key} = "$dir".q|node60.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-HTTP-data-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rewriting-smtp-trace-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-not-actually-hot-files-var/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-client-cert-field/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-message-id-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-successful-inbound-service-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/current-time-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/did-stone-summary-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-dump-okay-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/function_call-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/incompletely-captured-fragment-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ssl/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/next-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-addresses/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-interconn/;
-$ref_files{$key} = "$dir".q|node63.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/actually-rejected-PTR-anno-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/anon-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-rejected-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rel-operators/;
-$ref_files{$key} = "$dir".q|node11.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/full-output-trouble-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-F/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-text-after-rejected-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-init-file/;
-$ref_files{$key} = "$dir".q|node92.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-code-red-response-pgm-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/accounts-tried-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-scans-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/open-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/process-smtp-relay-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-O/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-P/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-msgs-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/to-upper-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NUL-in-line-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-random-pair-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-URIs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pending-data-when-closed-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/add-tcpdump-filter-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-peer-scan-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-W/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-size-func/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-analyzer-module/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/worm-type-list-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/print-stmt/;
-$ref_files{$key} = "$dir".q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-stats-update-event/;
-$ref_files{$key} = "$dir".q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-port-scan-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-default-pkt-size-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/filtering/;
-$ref_files{$key} = "$dir".q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-record/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-null-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-analyze-certificates-var/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-http-1-0/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-f/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC791/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-http-1-1/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-it-field/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-h/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC793/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-i/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-authentication-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:check-hot-states/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-p/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-successful-inbound-service-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-ignore-host-var/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ntp-session-timeout-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-r/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-24-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-s/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analy-analyzer-module/;
-$ref_files{$key} = "$dir".q|node55.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ident-request-addendum-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-v/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-w/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/originator-RPC-reply-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ident-error-event/;
-$ref_files{$key} = "$dir".q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:print-filter/;
-$ref_files{$key} = "$dir".q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-outbound-peer-scan-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-rejected-service-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-actions/;
-$ref_files{$key} = "$dir".q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC2373/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC1644/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-programs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/have-SMTP-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reassembler-ports-orig-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/values-types-constants/;
-$ref_files{$key} = "$dir".q|node8.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/to-net-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-names-var/;
-$ref_files{$key} = "$dir".q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-assign/;
-$ref_files{$key} = "$dir".q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-assign/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/notes/;
-$ref_files{$key} = "$dir".q|node72.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/enable-brov6-config/;
-$ref_files{$key} = "$dir".q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-RPC-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rexmit-inconsistency-event/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/software-file-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-terminal-types-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds-time/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-excessive-filename-len-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-ignore-invalid-PORT-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-reset-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-ftp-data-conn-func/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-header/;
-$ref_files{$key} = "$dir".q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-remote-accounts-tried-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-orig-p-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mime-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-analyzer-module/;
-$ref_files{$key} = "$dir".q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/event_scheduling-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-excessive-ntp-requests-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarders/;
-$ref_files{$key} = "$dir".q|node99.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-id-index-field/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-partial-close-delay-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-request-t-field/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-hot-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-timeout-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-input-line-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-skipped-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/load-directive/;
-$ref_files{$key} = "$dir".q|node88.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-rlogin/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-expire-interval-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-maxlen-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-recipient-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-id-func/;
-$ref_files{$key} = "$dir".q|node41.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-log-file/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-ops/;
-$ref_files{$key} = "$dir".q|node18.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-start-time-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-udp-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record_field_access-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-timeouts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/input-wait-for-output-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-outbound-services-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-outbound-services-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-ignore-privileged-PASVs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-msgs-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-http/;
-$ref_files{$key} = "$dir".q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/HTTP-unknown-method-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excess-RPC-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/min-double-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-callit-event/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/set-buf-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/step-log-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-non-failure-msgs-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-icmp-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edited-input-trouble-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-7bit-ascii-ratio-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-standard-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-RPC-len-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-content-hash-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-func/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ssl-connection-info/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/increment-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-decl/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/direct-login-prompts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/play-back/;
-$ref_files{$key} = "$dir".q|node98.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/signature-match-event/;
-$ref_files{$key} = "$dir".q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-finger/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reassembler-ports-resp-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-hook-func/;
-$ref_files{$key} = "$dir".q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-signature/;
-$ref_files{$key} = "$dir".q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds/;
-$ref_files{$key} = "$dir".q|node31.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-ignore-standard-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-tag-info-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-data-expected-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-filters-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-files-var/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-advanced-last-seq-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-x11/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-min-num-pkts-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/addl-web-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused-event/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/expire-func-attr/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-hostname-field/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-summaries/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-16-nets-var/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-pairs-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-delta-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-request-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/any-RPC-okay-var/;
-$ref_files{$key} = "$dir".q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/responder-RPC-call-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-telnet-options/;
-$ref_files{$key} = "$dir".q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-constants/;
-$ref_files{$key} = "$dir".q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-init/;
-$ref_files{$key} = "$dir".q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-disabled-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-net-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-weak-event/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/logical-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/new-connection-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-spoof-services-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/direct-login-prompts-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-reused-event/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/min-count-func/;
-$ref_files{$key} = "$dir".q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/type-inference/;
-$ref_files{$key} = "$dir".q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/syn-fin-filtering/;
-$ref_files{$key} = "$dir".q|node82.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-to-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:dns-mapping/;
-$ref_files{$key} = "$dir".q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-logins-to-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-srcs-var/;
-$ref_files{$key} = "$dir".q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-accounts-tried-var/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SSL-analyzer-module/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/root-backdoor-sig-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-portmapper-request-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-pending-event/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/did-PTR-scan-event-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-outbound-peer-scan-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/prefixes/;
-$ref_files{$key} = "$dir".q|node75.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record_field_test-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/function-call-expr/;
-$ref_files{$key} = "$dir".q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-rejected-PTR-thresh-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/premature-connection-reuse-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-conns-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-timeouts-var/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-resp-p-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-if-not-denied-field/;
-$ref_files{$key} = "$dir".q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-log/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-finger/;
-$ref_files{$key} = "$dir".q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-certificate-seen-event/;
-$ref_files{$key} = "$dir".q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/watchdog-interval-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/write-file/;
-$ref_files{$key} = "$dir".q|node76.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-telnet-orig-ports-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-password-func/;
-$ref_files{$key} = "$dir".q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/boolean-constants/;
-$ref_files{$key} = "$dir".q|node10.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-overlap-weird/;
-$ref_files{$key} = "$dir".q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-local-addr-func/;
-$ref_files{$key} = "$dir".q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-ids-var/;
-$ref_files{$key} = "$dir".q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/maintain-http-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-sessions-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-SYN-timeout-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-duration-field/;
-$ref_files{$key} = "$dir".q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-id-okay-if-no-password-exposed-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/same-local-net-is-spoof-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/input-trouble-global/;
-$ref_files{$key} = "$dir".q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/drop-address-func/;
-$ref_files{$key} = "$dir".q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-init-event/;
-$ref_files{$key} = "$dir".q|node36.html|;
-$noresave{$key} = "$nosave";
-
-1;
-
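Review bot: The entries removed here, down to the closing `1;`, are a generated index that maps each label (`$key`) to a `nodeNN.html` page through `$ref_files`, so this deletion is only consistent if the `node*.html` pages it points to are removed in the same commit. Please confirm that they are. The commit message should also say that generated manual output is being dropped, not hand-written documentation, so that a later reader of the history does not go looking for lost content behind keys such as `sigs-actions` or `conn-record`.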
diff --git a/doc/old/manual/labels.pl b/doc/old/manual/labels.pl
deleted file mode 100644
index 866938d0e3..0000000000
--- a/doc/old/manual/labels.pl
+++ /dev/null
@@ -1,3985 +0,0 @@
-# LaTeX2HTML 2002-2 (1.70)
-# Associate labels original text with physical files.
-
-
-$key = q/process-HTTP-data-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-version-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/network-interfaces/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/signal-handling/;
-$external_labels{$key} = "$URL/" . q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-ratio-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-idle-min-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-deps/;
-$external_labels{$key} = "$URL/" . q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-request-event/;
-$external_labels{$key} = "$URL/" . q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-set-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-spoof-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-cmds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/spontaneous-FIN-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/USER-env/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-authentication-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-pairs-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mask-addr-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-record-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:signature-state/;
-$external_labels{$key} = "$URL/" . q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/for-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-size-inconsistency-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/site-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/exit-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-id-patterns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-SYN-ack-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/Land-attack-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-16-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-connection-reuse-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-legal-cmds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-data-expected-session-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/set-record-packets-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-var/;
-$external_labels{$key} = "$URL/" . q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-redef/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-state-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/logical-operators/;
-$external_labels{$key} = "$URL/" . q|node10.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-PTR-scans-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/UDP-datagram-length-mismatch-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-login-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-index/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/address-type/;
-$external_labels{$key} = "$URL/" . q|node17.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-attempt-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RST-storm-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NULs-allowed-in-strings/;
-$external_labels{$key} = "$URL/" . q|node13.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cross-product-init/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-portmapper/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-SYN-ack-ok-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/remote-code-red-response-pgm-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-max-keystroke-pkt-size-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-standard-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-func/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/relay-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-partial-close-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-remote-sensitive-URIs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ssl-log/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-overview/;
-$external_labels{$key} = "$URL/" . q|node69.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-do-not-complain-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/print-filter-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger/;
-$external_labels{$key} = "$URL/" . q|node68.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-example/;
-$external_labels{$key} = "$URL/" . q|node70.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/get-resp-seq-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/return-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-distinct-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/add-interface-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/scan-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-hot-ids/;
-$external_labels{$key} = "$URL/" . q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-TCP-checksum-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-finger-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-types/;
-$external_labels{$key} = "$URL/" . q|node15.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-conn-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ignore-checksums-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-addrs-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-service-pairs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-did-summary-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ack-above-hole-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/determine-service-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/did-sigconns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-decl/;
-$external_labels{$key} = "$URL/" . q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-RPC-program-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/relational-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-finished-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-count-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-guest-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-type/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-frag/;
-$external_labels{$key} = "$URL/" . q|node48.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/have-skip-remote-sensitive-URIs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-partial-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-distinct-peers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-normal-line-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-stat-backoff-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/full-input-trouble-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-telnet-orig-ports-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-guest-files-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-relay-4-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-reference/;
-$external_labels{$key} = "$URL/" . q|node73.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ident-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-content/;
-$external_labels{$key} = "$URL/" . q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/to-lower-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/finger-request-event/;
-$external_labels{$key} = "$URL/" . q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-ident-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mixing-numerics/;
-$external_labels{$key} = "$URL/" . q|node11.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-weird-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzers/;
-$external_labels{$key} = "$URL/" . q|node34.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-do-not-ignore-repeats-var/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rule-file-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interfaces-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-established-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/blank-in-HTTP-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-session-timer-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_tls-56/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/_-library/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/open-for-append-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-24-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/attrs/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection/;
-$external_labels{$key} = "$URL/" . q|node86.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/input-trouble-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node62.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/horiz-scan-thresholds-var/;
-$external_labels{$key} = "$URL/" . q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/logical-negation/;
-$external_labels{$key} = "$URL/" . q|node10.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-interesting-changes-var/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/constant-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-terminal-types-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/red-log/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/router-prompts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-world-servers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-snort2bro/;
-$external_labels{$key} = "$URL/" . q|node67.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-mt/;
-$external_labels{$key} = "$URL/" . q|node42.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC-NFS2/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC-NFS3/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-dump-okay-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-UDP-checksum-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/equality-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-constants/;
-$external_labels{$key} = "$URL/" . q|node18.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-seq-jump-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection-ok-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/non-backdoor-prompts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-bytes-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rewrite-finger-trace-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/null-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/restrict-filter-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/scan-dropping/;
-$external_labels{$key} = "$URL/" . q|node84.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-forbidden-id-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-further-processing-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-request-length-var/;
-$external_labels{$key} = "$URL/" . q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-bad-port-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-id-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-name-changed-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-type/;
-$external_labels{$key} = "$URL/" . q|node18.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-dns-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/arithmetic-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-alert-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/field-test-op/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/gtld-servers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-URIs-var/;
-$external_labels{$key} = "$URL/" . q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-getport-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-overview/;
-$external_labels{$key} = "$URL/" . q|node65.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/address-constants/;
-$external_labels{$key} = "$URL/" . q|node17.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ssh-orig-ports-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-conns-reported-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/packet-drops/;
-$external_labels{$key} = "$URL/" . q|node87.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-half-finished-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-log-file/;
-$external_labels{$key} = "$URL/" . q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-service-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-inbound-service-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-constants/;
-$external_labels{$key} = "$URL/" . q|node15.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/heartbeat-interval-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-answered-PTR-requests-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/restrict-filter/;
-$external_labels{$key} = "$URL/" . q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/last-stat-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/internally-truncated-header-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-stat-backoff-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/byte-len-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-stats-event/;
-$external_labels{$key} = "$URL/" . q|node55.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ssl-aes/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-sources-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ICMP-checksum-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/baroque-SYN-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-connection-linger-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-request-event/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/unsolicited-SYN-response-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/set-login-state-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rewriting-http-trace-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-dump-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/event-handlers/;
-$external_labels{$key} = "$URL/" . q|node24.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-accepted-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/frag-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node48.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-log/;
-$external_labels{$key} = "$URL/" . q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edited-input-trouble-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/inappropriate-FIN-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/string-constants/;
-$external_labels{$key} = "$URL/" . q|node13.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sub-bytes-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/non-ASCII-hosts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-handshake-cipher-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:portmapper/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-accounts-tried-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/root-servers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-req-count-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/patterns/;
-$external_labels{$key} = "$URL/" . q|node14.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-storm-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-icmp/;
-$external_labels{$key} = "$URL/" . q|node59.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-world-servers-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-del/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/reading-live-traffic-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/set-contents-file-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-relay-3-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/id-string-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:net-stats/;
-$external_labels{$key} = "$URL/" . q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-var/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/clean-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-weird-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-marker/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/T-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/possible-port-scan-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-prompts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-pop3/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-port-name/;
-$external_labels{$key} = "$URL/" . q|node41.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/write-expire-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids-var/;
-$external_labels{$key} = "$URL/" . q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dst-24nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-prompts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-altered-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-rexmit-inconsistency-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/timer-management/;
-$external_labels{$key} = "$URL/" . q|node81.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-init/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/event-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-cache/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-rejected-PTR-requests-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-conn-var/;
-$external_labels{$key} = "$URL/" . q|node44.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/kazaa-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-peers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/anonymous_function-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-filters/;
-$external_labels{$key} = "$URL/" . q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/possible-port-scan-thresh-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/demux-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node45.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-log/;
-$external_labels{$key} = "$URL/" . q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/truncated-header-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-list2-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id/;
-$external_labels{$key} = "$URL/" . q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-normal-line-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter-var/;
-$external_labels{$key} = "$URL/" . q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-ssh-stepping/;
-$external_labels{$key} = "$URL/" . q|node61.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-established-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-spoof-func/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-file-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record_constructor-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-attempt-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-active/;
-$external_labels{$key} = "$URL/" . q|node44.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/possible-scan-sources-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-max-interarrival-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-verify-certificates-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/router-prompts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/addl-web-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/account-tried-event/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/portmapper-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-var/;
-$external_labels{$key} = "$URL/" . q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-names-var/;
-$external_labels{$key} = "$URL/" . q|node41.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-log-file-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-orig-func/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-demux-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fmt-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds-string/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-gamma-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-msgs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-clear-ssh-reports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-with-data-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/same-local-net-is-spoof-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-scan-func/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/inconsistent-option-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-inconsistency-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/data-before-established-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/inserting-tables-into-tables/;
-$external_labels{$key} = "$URL/" . q|node90.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-stat-period-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/variable-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:http-log-eg/;
-$external_labels{$key} = "$URL/" . q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-unverified-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/detected-stones-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC1122/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/if-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tag-to-conn-map-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/refinement/;
-$external_labels{$key} = "$URL/" . q|node79.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/gnutella-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/napster-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-compare-cipherspecs-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/functions/;
-$external_labels{$key} = "$URL/" . q|node23.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-functions/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_tlsv1/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-demux-skip-tags-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ident/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-rejected-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-rlogin-prolog-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-ip-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-null-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-certificates-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_pcap/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log-file/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/non-backdoor-prompts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-src-addrs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-cert-path-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/repeated-SYN-with-ack-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:conn-file-states/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mt-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node42.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-valid-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused-text-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/variables/;
-$external_labels{$key} = "$URL/" . q|node29.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-done-event/;
-$external_labels{$key} = "$URL/" . q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/type-conversion/;
-$external_labels{$key} = "$URL/" . q|node9.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-non-failure-msgs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-hot-func/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-new-name-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-lost-name-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-match-undelivered-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-backscatter-peers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/software-table-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cf-utility/;
-$external_labels{$key} = "$URL/" . q|node7.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/simultaneous-open-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-tcp-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/demuxed-conn-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-accounts-tried-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-line-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-interarrival-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-sensitive-cmds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-7bit-ascii-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-rep-count-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flush-all-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:log-hook/;
-$external_labels{$key} = "$URL/" . q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-storm-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/split-routing/;
-$external_labels{$key} = "$URL/" . q|node83.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-inbound-service-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-stepping/;
-$external_labels{$key} = "$URL/" . q|node60.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-ssh-len-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-activation/;
-$external_labels{$key} = "$URL/" . q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/expression-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-close-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/code-red-list1-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-24-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edit-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/in-operator/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-relay-table-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-callit-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/output-trouble-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/contains-string-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/multiple-RPCs-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/membership-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-abstract-max-length-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-scan-checks-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-protocol-inconsistency-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/todo/;
-$external_labels{$key} = "$URL/" . q|node74.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-to-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/non-ASCII-hosts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-len-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/done-with-network-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-num-requests-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/arith-operators/;
-$external_labels{$key} = "$URL/" . q|node11.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-scan-triples-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/last-stat-time-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-connection-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-prompts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/trace-log/;
-$external_labels{$key} = "$URL/" . q|node76.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/has-signature-matched-func/;
-$external_labels{$key} = "$URL/" . q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/service-name-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-nets-24-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-scope/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ftp-log-eg/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-PTR-requests-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/signature-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/okay-to-lookup-sensitive-hosts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-lookup-hosts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/getting-started/;
-$external_labels{$key} = "$URL/" . q|node5.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-filters-var/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/statements/;
-$external_labels{$key} = "$URL/" . q|node26.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-constructors/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/BRO-ID-env/;
-$external_labels{$key} = "$URL/" . q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-do-not-ignore-repeats-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-flows-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-interval-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-events/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/check-info-expanded-line-field/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-analy/;
-$external_labels{$key} = "$URL/" . q|node55.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/have-stats-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-mod/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-pm-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/last-type/;
-$external_labels{$key} = "$URL/" . q|node25.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-log/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hf-utility/;
-$external_labels{$key} = "$URL/" . q|node7.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-hot-id-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-line-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/data-after-reset-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/spontaneous-RST-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-post-URIs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/worm-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/policy-script-events/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-service-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-services-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-alpha-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/repeated-SYN-reply-wo-ack-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dsts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-scan-sources-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-context/;
-$external_labels{$key} = "$URL/" . q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-src-24nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-unset-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/software-ident-by-major-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-log-file-var/;
-$external_labels{$key} = "$URL/" . q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-reply-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/x509-trusted-cert-path-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/never-shut-down-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ident-request-event/;
-$external_labels{$key} = "$URL/" . q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/BROPATH-env/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/full-id-string-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-16-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-name-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node41.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-dns/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dsts-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-pm-port-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-all-scans-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-language/;
-$external_labels{$key} = "$URL/" . q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bibliography/;
-$external_labels{$key} = "$URL/" . q|node105.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-addresses/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NFS-services-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-mail-addr-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-proxy-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-HTTP-reply-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-notes/;
-$external_labels{$key} = "$URL/" . q|node72.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/have-FTP-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/first-type/;
-$external_labels{$key} = "$URL/" . q|node10.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/delete-func-attr/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/did-ssh-version-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-num-lines-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/worm-list-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-16-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-storm-interarrival-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/shallow-copy/;
-$external_labels{$key} = "$URL/" . q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-logins-to-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/site-info/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/any-RPC-okay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/parse-ftp-port-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/positivation-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ftp/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mime-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-scale-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-func/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hostnames-vs-addresses/;
-$external_labels{$key} = "$URL/" . q|node93.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pattern-matching-ops/;
-$external_labels{$key} = "$URL/" . q|node14.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-inside-connection-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/anonymize-ip-addr-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-weird-addl-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-if-no-password-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-check-getport-func/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/TCP-christmas-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-attempt-delayv-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ident/;
-$external_labels{$key} = "$URL/" . q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-option-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-rpc/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/scan-triples-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analy-conn/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/demux-conn-func/;
-$external_labels{$key} = "$URL/" . q|node45.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-conn/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/non-analyzed-lifetime-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-login-ids-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bro-usenix-98/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/suppress-pm-log-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/intro/;
-$external_labels{$key} = "$URL/" . q|node4.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-set-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:login-confusion/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/display-pairs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_sslv30/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-min-ssh-pkts-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SYN-after-reset-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bro-comp-networks-99/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-if-not-unavail-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-request-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/open-log-file-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-with-DF-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-peer-scan-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-done-event/;
-$external_labels{$key} = "$URL/" . q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-num-lines-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-originator-SYN-ack-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-terminal-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tables/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-id-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/signatures/;
-$external_labels{$key} = "$URL/" . q|node64.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-3byte-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/default-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/always-hot-ids/;
-$external_labels{$key} = "$URL/" . q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-tcp-port-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/process-HTTP-replies-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-conditions/;
-$external_labels{$key} = "$URL/" . q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-load/;
-$external_labels{$key} = "$URL/" . q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-RPC-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-excessive-filename-trunc-len-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-hot-conn-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-guest-ids-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-backdoor/;
-$external_labels{$key} = "$URL/" . q|node62.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-files-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/root-backdoor-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flow-weird-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-double-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/alert-file-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-16-net-pairs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-connection-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter/;
-$external_labels{$key} = "$URL/" . q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-dst-24nets-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-net-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NULs-run-time/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/reference/;
-$external_labels{$key} = "$URL/" . q|node73.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-server-map-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-ssh-pkts-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-skip-hot-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-login-conn-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-24-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ftp/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:sigs-modactions/;
-$external_labels{$key} = "$URL/" . q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-id-patterns-var/;
-$external_labels{$key} = "$URL/" . q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-min-bytes-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-store-key-material-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/break-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/parenthesized-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/alert-action-filters-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-server-reply-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/global-stmts/;
-$external_labels{$key} = "$URL/" . q|node89.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-orig-h-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/network-time-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-session-timeout-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mkdir-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-login/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-option-termination-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/decrement-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-ignore-host-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-connection-id-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-max-cipherspec-size-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/min-interval-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/set-type/;
-$external_labels{$key} = "$URL/" . q|node21.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ssl-fips/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/preserved-net-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-demux-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-valid-event/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-post-URIs-var/;
-$external_labels{$key} = "$URL/" . q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-prompts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/read-expire-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-num-pkts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/differences/;
-$external_labels{$key} = "$URL/" . q|node100.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-telnet/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-hot/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-sig-1byte-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-constants/;
-$external_labels{$key} = "$URL/" . q|node16.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/output-trouble-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-nets-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/keystroke-editing/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-names-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-programs-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-prog-func/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-16-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-timer-expires-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:endpoint-stats/;
-$external_labels{$key} = "$URL/" . q|node55.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pattern-constants/;
-$external_labels{$key} = "$URL/" . q|node14.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-16-net-pairs-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-output-line-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/vert-scan-thresholds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-ops/;
-$external_labels{$key} = "$URL/" . q|node16.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/numeric-constants/;
-$external_labels{$key} = "$URL/" . q|node11.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-size-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node44.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excessively-large-fragment-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-nets-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/assignment-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-unset-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-IP-checksum-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-hot-cmds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/multiple-HTTP-request-elements-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/worm-URIs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-creation-time-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node59.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/negation-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-after-reset-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-backscatter-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-type/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-annotate-standard-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_ptacek98/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/system-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/length-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/inactivity-timeout-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ftp-session-info/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/demux/;
-$external_labels{$key} = "$URL/" . q|node91.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/icmp-conn/;
-$external_labels{$key} = "$URL/" . q|node59.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/include-HTTP-abstract-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_bpf/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-proc-events/;
-$external_labels{$key} = "$URL/" . q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sig-actions-var/;
-$external_labels{$key} = "$URL/" . q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/get-orig-seq-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-3byte-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/module-demux/;
-$external_labels{$key} = "$URL/" . q|node45.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/horiz-scan-thresholds-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-rejected-service-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-guest-files-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/address-ops/;
-$external_labels{$key} = "$URL/" . q|node17.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ident-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ident-reply-event/;
-$external_labels{$key} = "$URL/" . q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/num-accounts-tried-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/var-attr/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-successful-service-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-weird-conn-func/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_sslv2/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tftp-alert-count-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-activity-func/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-TCP-header-len-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/redef/;
-$external_labels{$key} = "$URL/" . q|node79.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-type/;
-$external_labels{$key} = "$URL/" . q|node16.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pattern_matching-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-if-no-password-var/;
-$external_labels{$key} = "$URL/" . q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/redef-attr/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-user-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cat-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-file-name-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reset-delay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-connection-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/debugger-usage/;
-$external_labels{$key} = "$URL/" . q|node71.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/create-expire-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/add-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-certificate-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-resp-h-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rule-actions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/records/;
-$external_labels{$key} = "$URL/" . q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-report-script/;
-$external_labels{$key} = "$URL/" . q|node94.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-common-host-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-exceptions-var/;
-$external_labels{$key} = "$URL/" . q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-ftp-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-ntp-request-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-accounts-tried-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/can-drop-connectivity-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-addl-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/index-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/getenv-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-req-host-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/activating-encryption-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-dump-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/truncated-IP-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/add-func-attr/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/BRO-PREFIXES-env/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-xdr/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-srcs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-user-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-ssh/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-thresh-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/unpaired-RPC-response-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/active-connection-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rewrite-ident-trace-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-src-24nets-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/demux-dir-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:conn-record-states/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/port-names-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-dst-addrs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-exceptions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conditional-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-stat-period-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/delete-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/HTTP-version-mismatch-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/get-login-state-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/vert-scan-thresholds-var/;
-$external_labels{$key} = "$URL/" . q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:contents-dir/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/preserved-subnet-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_x509/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/precedence/;
-$external_labels{$key} = "$URL/" . q|node85.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/close-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-server-cert-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backscatter-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:portmapper-status/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:conn-record/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-signal-event/;
-$external_labels{$key} = "$URL/" . q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/omit-rewrite-place-holder-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-remote-accounts-tried-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/max-finger-request-len-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-demux-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RST-with-data-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-reply-event/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/finger-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/parse-ftp-pasv-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/public-ident-user-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-scan/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:x509/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hostnames/;
-$external_labels{$key} = "$URL/" . q|node17.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/const-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-login-ids-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/distinct-backscatter-peers-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/temporal-ops/;
-$external_labels{$key} = "$URL/" . q|node15.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-access/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-req-addr-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/scope_of_local_variables/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/account-tried/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-okay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-pairs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-rejected-PTR-factor-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-HTTP-version-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-duration-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/compound-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-state-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-id-okay-if-no-password-exposed-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-skip-hot-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:weird-action/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/field-attrs/;
-$external_labels{$key} = "$URL/" . q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-getport-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/public-ident-systems-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/capture-filter-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/finger-reply-event/;
-$external_labels{$key} = "$URL/" . q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-failure-msgs-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/timer-expiration/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bad-ident-reply-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-dollar/;
-$external_labels{$key} = "$URL/" . q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excessively-small-fragment-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-close-delay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/possible-split-routing-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stepping-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node60.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-HTTP-data-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rewriting-smtp-trace-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-not-actually-hot-files-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-client-cert-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-message-id-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-successful-inbound-service-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/current-time-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/did-stone-summary-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/RPC-dump-okay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/function_call-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/incompletely-captured-fragment-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-ssl/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/next-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-addresses/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-interconn/;
-$external_labels{$key} = "$URL/" . q|node63.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/http-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/actually-rejected-PTR-anno-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/anon-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-rejected-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rel-operators/;
-$external_labels{$key} = "$URL/" . q|node11.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/full-output-trouble-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-ignore-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-F/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-text-after-rejected-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-init-file/;
-$external_labels{$key} = "$URL/" . q|node92.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/local-code-red-response-pgm-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/accounts-tried-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/shut-down-scans-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/open-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/process-smtp-relay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-O/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-P/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-msgs-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/to-upper-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/NUL-in-line-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-random-pair-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sensitive-URIs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pending-data-when-closed-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/add-tcpdump-filter-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-peer-scan-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-W/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-size-func/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/worm-type-list-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/print-stmt/;
-$external_labels{$key} = "$URL/" . q|node27.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-stats-update-event/;
-$external_labels{$key} = "$URL/" . q|node36.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-port-scan-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-default-pkt-size-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/filtering/;
-$external_labels{$key} = "$URL/" . q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-record/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-request-null-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-analyze-certificates-var/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-http-1-0/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-f/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC791/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-http-1-1/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-it-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-h/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC793/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-i/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-authentication-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tbl:check-hot-states/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-p/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/terminate-successful-inbound-service-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-ignore-host-var/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ntp-session-timeout-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-r/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-24-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-s/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analy-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node55.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ident-request-addendum-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-v/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-w/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/originator-RPC-reply-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ident-error-event/;
-$external_labels{$key} = "$URL/" . q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:print-filter/;
-$external_labels{$key} = "$URL/" . q|node35.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-outbound-peer-scan-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/flag-rejected-service-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-actions/;
-$external_labels{$key} = "$URL/" . q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC2373/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_RFC1644/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-programs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/have-SMTP-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reassembler-ports-orig-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/values-types-constants/;
-$external_labels{$key} = "$URL/" . q|node8.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/to-net-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-names-var/;
-$external_labels{$key} = "$URL/" . q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-assign/;
-$external_labels{$key} = "$URL/" . q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-assign/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/notes/;
-$external_labels{$key} = "$URL/" . q|node72.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/enable-brov6-config/;
-$external_labels{$key} = "$URL/" . q|node6.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-RPC-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rexmit-inconsistency-event/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/software-file-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-terminal-types-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds-time/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-excessive-filename-len-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-ignore-invalid-PORT-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-reset-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-ftp-data-conn-func/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/sigs-header/;
-$external_labels{$key} = "$URL/" . q|node66.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-remote-accounts-tried-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-orig-p-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/mime-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ids-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node49.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/event_scheduling-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-excessive-ntp-requests-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarders/;
-$external_labels{$key} = "$URL/" . q|node99.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-connection-info-id-index-field/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-partial-close-delay-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-request-t-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-hot-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rpc-timeout-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-input-line-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/authentication-skipped-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/load-directive/;
-$external_labels{$key} = "$URL/" . q|node88.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-rlogin/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-expire-interval-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-maxlen-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-recipient-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/endpoint-id-func/;
-$external_labels{$key} = "$URL/" . q|node41.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-log-file/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/net-ops/;
-$external_labels{$key} = "$URL/" . q|node18.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-start-time-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-udp-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record_field_access-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-timeouts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/input-wait-for-output-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-outbound-services-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-outbound-services-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-ignore-privileged-PASVs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-success-msgs-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-http/;
-$external_labels{$key} = "$URL/" . q|node51.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/HTTP-unknown-method-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excess-RPC-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/min-double-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-callit-event/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/set-buf-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/step-log-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/forbidden-ids-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-non-failure-msgs-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/discarder-check-icmp-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edited-input-trouble-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-min-7bit-ascii-ratio-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/backdoor-standard-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/excessive-RPC-len-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/smtp-session-by-content-hash-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/pm-attempt-func/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:ssl-connection-info/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/increment-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-decl/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/direct-login-prompts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/play-back/;
-$external_labels{$key} = "$URL/" . q|node98.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/signature-match-event/;
-$external_labels{$key} = "$URL/" . q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-finger/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-reassembler-ports-resp-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/log-hook-func/;
-$external_labels{$key} = "$URL/" . q|node43.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-signature/;
-$external_labels{$key} = "$URL/" . q|node56.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/predefineds/;
-$external_labels{$key} = "$URL/" . q|node31.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-ignore-standard-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-tag-info-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-data-expected-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/weird-action-filters-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-hot-files-var/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/FIN-advanced-last-seq-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-x11/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssh-min-num-pkts-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/addl-web-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-confused-event/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/expire-func-attr/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/dns-mapping-hostname-field/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-summaries/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/neighbor-16-nets-var/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-pairs-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/stp-delta-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/udp-request-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/any-RPC-okay-var/;
-$external_labels{$key} = "$URL/" . q|node54.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/responder-RPC-call-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/cite_rfc-telnet-options/;
-$external_labels{$key} = "$URL/" . q|node106.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record-constants/;
-$external_labels{$key} = "$URL/" . q|node19.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/table-init/;
-$external_labels{$key} = "$URL/" . q|node20.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/telnet-sig-disabled-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-unexpected-net-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-weak-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/logical-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/new-connection-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-spoof-services-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/direct-login-prompts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-conn-reused-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/min-count-func/;
-$external_labels{$key} = "$URL/" . q|node33.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/type-inference/;
-$external_labels{$key} = "$URL/" . q|node30.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/syn-fin-filtering/;
-$external_labels{$key} = "$URL/" . q|node82.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/allow-services-to-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fig:dns-mapping/;
-$external_labels{$key} = "$URL/" . q|node46.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/skip-logins-to-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-srcs-var/;
-$external_labels{$key} = "$URL/" . q|node39.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-accounts-tried-var/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/SSL-analyzer-module/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/root-backdoor-sig-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/partial-portmapper-request-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-pending-event/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/did-PTR-scan-event-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-outbound-peer-scan-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/prefixes/;
-$external_labels{$key} = "$URL/" . q|node75.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/record_field_test-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/function-call-expr/;
-$external_labels{$key} = "$URL/" . q|node28.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/report-rejected-PTR-thresh-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/premature-connection-reuse-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/interconn-conns-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/login-timeouts-var/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/conn-id-resp-p-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-session-info-log-if-not-denied-field/;
-$external_labels{$key} = "$URL/" . q|node50.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-log/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/analyzer-finger/;
-$external_labels{$key} = "$URL/" . q|node47.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ssl-certificate-seen-event/;
-$external_labels{$key} = "$URL/" . q|node57.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/watchdog-interval-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/write-file/;
-$external_labels{$key} = "$URL/" . q|node76.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-telnet-orig-ports-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/edit-and-check-password-func/;
-$external_labels{$key} = "$URL/" . q|node53.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/boolean-constants/;
-$external_labels{$key} = "$URL/" . q|node10.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/fragment-overlap-weird/;
-$external_labels{$key} = "$URL/" . q|node58.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/is-local-addr-func/;
-$external_labels{$key} = "$URL/" . q|node38.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/hot-ident-ids-var/;
-$external_labels{$key} = "$URL/" . q|node52.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/maintain-http-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/ftp-sessions-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/tcp-SYN-timeout-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/connection-duration-field/;
-$external_labels{$key} = "$URL/" . q|node37.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/rlogin-id-okay-if-no-password-exposed-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/same-local-net-is-spoof-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/input-trouble-global/;
-$external_labels{$key} = "$URL/" . q|node32.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/drop-address-func/;
-$external_labels{$key} = "$URL/" . q|node40.html|;
-$noresave{$key} = "$nosave";
-
-$key = q/bro-init-event/;
-$external_labels{$key} = "$URL/" . q|node36.html|;
-$noresave{$key} = "$nosave";
-
-1;
-
-
-# LaTeX2HTML 2002-2 (1.70)
-# labels from external_latex_labels array.
-
-
-1;
-
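Review bot: Please confirm in the commit message that the nodeNN.html pages these keys point to (node32.html, node37.html, node58.html and the rest) are removed in the same change. The trailer at the end of the hunk ("# LaTeX2HTML 2002-2 (1.70)", "labels from external_latex_labels array") marks this file as generated output, so the deletion needs no line-by-line review. However, these `$external_labels{$key}` entries are the only mapping from label names such as fragment-overlap-weird or ssl-conn-weak-event to those pages, and any HTML left behind would lose its cross-reference index.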
diff --git a/doc/old/manual/manual.css b/doc/old/manual/manual.css
deleted file mode 100644
index d1824aff42..0000000000
--- a/doc/old/manual/manual.css
+++ /dev/null
@@ -1,30 +0,0 @@
-/* Century Schoolbook font is very similar to Computer Modern Math: cmmi */
-.MATH { font-family: "Century Schoolbook", serif; }
-.MATH I { font-family: "Century Schoolbook", serif; font-style: italic }
-.BOLDMATH { font-family: "Century Schoolbook", serif; font-weight: bold }
-
-/* implement both fixed-size and relative sizes */
-SMALL.XTINY { font-size : xx-small }
-SMALL.TINY { font-size : x-small }
-SMALL.SCRIPTSIZE { font-size : smaller }
-SMALL.FOOTNOTESIZE { font-size : small }
-SMALL.SMALL { }
-BIG.LARGE { }
-BIG.XLARGE { font-size : large }
-BIG.XXLARGE { font-size : x-large }
-BIG.HUGE { font-size : larger }
-BIG.XHUGE { font-size : xx-large }
-
-/* heading styles */
-H1 { }
-H2 { }
-H3 { }
-H4 { }
-H5 { }
-
-/* mathematics styles */
-DIV.displaymath { } /* math displays */
-TD.eqno { } /* equation-number cells */
-
-
-/* document-specific styles come next */
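Review bot: Check that no HTML kept under doc/old/manual/ still links to manual.css before deleting it, or delete those pages in the same commit. The file itself carries little: apart from the .MATH/.BOLDMATH font rules and the SMALL/BIG size classes, the heading and displaymath rules are empty stubs and nothing follows the "document-specific styles come next" comment, so the only risk is a dangling stylesheet reference.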
diff --git a/doc/pubs/bro-CN99.ps b/doc/pubs/bro-CN99.ps
deleted file mode 100644
index 8ae2db3b4b..0000000000
--- a/doc/pubs/bro-CN99.ps
+++ /dev/null
@@ -1,5025 +0,0 @@
-%!PS-Adobe-2.0
-%%Creator: dvipsk 5.58f Copyright 1986, 1994 Radical Eye Software
-%%Title: bro.dvi
-%%Pages: 22
-%%PageOrder: Ascend
-%%BoundingBox: 0 0 612 792
-%%DocumentFonts: Times-Roman Times-Bold Times-Italic Courier
-%%+ Courier-Oblique
-%%EndComments
-%DVIPSCommandLine: dvips bro.dvi
-%DVIPSParameters: dpi=600, compressed, comments removed
-%DVIPSSource: TeX output 2000.02.22:0012
-%%BeginProcSet: texc.pro
-/TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N
-/X{S N}B /TR{translate}N /isls false N /vsize 11 72 mul N /hsize 8.5 72
-mul N /landplus90{false}def /@rigin{isls{[0 landplus90{1 -1}{-1 1}
-ifelse 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale
-isls{landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 div
-hsize mul 0}ifelse TR}if Resolution VResolution vsize -72 div 1 add mul
-TR[matrix currentmatrix{dup dup round sub abs 0.00001 lt{round}if}
-forall round exch round exch]setmatrix}N /@landscape{/isls true N}B
-/@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B
-/FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{
-/nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB N
-string /base X array /BitMaps X /BuildChar{CharBuilder}N /Encoding IE N
-end dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{
-/sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0]
-N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data dup
-length 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{
-128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 sub
-get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-data
-dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N
-/rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup
-/base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx
-0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff
-setcachedevice ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff
-.1 sub]/id ch-image N /rw ch-width 7 add 8 idiv string N /rc 0 N /gp 0 N
-/cp 0 N{rc 0 ne{rc 1 sub /rc X rw}{G}ifelse}imagemask restore}B /G{{id
-gp get /gp gp 1 add N dup 18 mod S 18 idiv pl S get exec}loop}B /adv{cp
-add /cp X}B /chg{rw cp id gp 4 index getinterval putinterval dup gp add
-/gp X adv}B /nd{/cp 0 N rw exit}B /lsh{rw cp 2 copy get dup 0 eq{pop 1}{
-dup 255 eq{pop 254}{dup dup add 255 and S 1 and or}ifelse}ifelse put 1
-adv}B /rsh{rw cp 2 copy get dup 0 eq{pop 128}{dup 255 eq{pop 127}{dup 2
-idiv S 128 and or}ifelse}ifelse put 1 adv}B /clr{rw cp 2 index string
-putinterval adv}B /set{rw cp fillstr 0 4 index getinterval putinterval
-adv}B /fillstr 18 string 0 1 17{2 copy 255 put pop}for N /pl[{adv 1 chg}
-{adv 1 chg nd}{1 add chg}{1 add chg nd}{adv lsh}{adv lsh nd}{adv rsh}{
-adv rsh nd}{1 add adv}{/rc X nd}{1 add set}{1 add clr}{adv 2 chg}{adv 2
-chg nd}{pop nd}]dup{bind pop}forall N /D{/cc X dup type /stringtype ne{]
-}if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup dup
-length 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N}B /I{
-cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin
-0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup mul
-add .99 lt{/QV}{/RV}ifelse load def pop pop}N /eop{SI restore userdict
-/eop-hook known{eop-hook}if showpage}N /@start{userdict /start-hook
-known{start-hook}if pop /VResolution X /Resolution X 1000 div /DVImag X
-/IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for
-65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 0
-0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V
-{}B /RV statusdict begin /product where{pop product dup length 7 ge{0 7
-getinterval dup(Display)eq exch 0 4 getinterval(NeXT)eq or}{pop false}
-ifelse}{false}ifelse end{{gsave TR -.1 .1 TR 1 1 scale rulex ruley false
-RMat{BDot}imagemask grestore}}{{gsave TR -.1 .1 TR rulex ruley scale 1 1
-false RMat{BDot}imagemask grestore}}ifelse B /QV{gsave newpath transform
-round exch round exch itransform moveto rulex 0 rlineto 0 ruley neg
-rlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail
-{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M}
-B /d{-3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{
-4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{
-p 1 w}B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p
-a}B /bos{/SS save N}B /eos{SS restore}B end
-%%EndProcSet
-%%BeginFont: Times-Roman
-% @psencodingfile{
-% author = "P. MacKay, Alan Jeffrey, S. Rahtz, K. Berry, B. Horn",
-% version = "0.2",
-% date = "7 September 94",
-% filename = "8r.enc",
-% email = "kb@cs.umb.edu",
-% address = "135 Center Hill Rd. // Plymouth, MA 02360",
-% codetable = "ISO/ASCII",
-% checksum = "xx",
-% docstring = "Encoding for TrueType or Type 1 fonts to be used with TeX."
-% }
-%
-% Idea is to have all the characters normally included in Type 1 fonts
-% available for typesetting. This is effectively the characters in Adobe
-% Standard Encoding + ISO Latin 1 + extra characters from Lucida.
-%
-% Character code assignments were made as follows:
-%
-% (1) the Windows ANSI characters are in their Windows ANSI positions,
-% because Windows users cannot easily reencode the fonts, and it makes
-% no difference on other systems. The only Windows ANSI characters not
-% available are those that make no sense for typesetting -- rubout
-% (127 decimal), nobreakspace (160), softhyphen (173).
-%
-% (2) The caron and dotlessi characters are in the positions used by
-% Y&Y for their modified ATM encoding.
-%
-% (3) Remaining characters are assigned arbitrarily to the first few
-% positions.
-%
-% (4) (Y&Y) Lucida Bright includes some extra text characters; in the
-% hopes that other PostScript fonts, perhaps created for public
-% consumption, will include them, they are included starting at 0x10.
-%
-% (5) Remaining positions left undefined are for use in (hopefully)
-% upward-compatible revisions, if someday more characters are generally
-% available in the Type 1 fonts.
-%
-% Ligatures are omitted, since this encoding is intended for use at the
-% driver end. Including ligatures and kerns would make the TFM files
-% much larger, to no particular purpose. If someone actually wants to
-% typeset in this encoding, they can pick a different name, and regenerate
-% the fonts.
-
-/TeXBase1Encoding [
-% 0x00 (encoded characters from Adobe Standard not in Windows 3.1)
- /breve /dotaccent /fi /fl
- /fraction /hungarumlaut /Lslash /lslash
- /ogonek /ring /tilde /minus
- % These are the only two remaining unencoded characters, so may as
- % well include them.
- /Zcaron /zcaron /.notdef /.notdef
-% 0x10 (TeX characters from, e.g., Lucida Bright)
- /dotlessj /ff /ffi /ffl /.notdef /.notdef /.notdef /.notdef
- /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef /.notdef
-% 0x20 (ASCII begins)
- /space /exclam /quotedbl /numbersign
- /dollar /percent /ampersand /quotesingle
- /parenleft /parenright /asterisk /plus /comma /hyphen /period /slash
-% 0x30
- /zero /one /two /three /four /five /six /seven
- /eight /nine /colon /semicolon /less /equal /greater /question
-% 0x40
- /at /A /B /C /D /E /F /G /H /I /J /K /L /M /N /O
-% 0x50
- /P /Q /R /S /T /U /V /W
- /X /Y /Z /bracketleft /backslash /bracketright /asciicircum /underscore
-% 0x60
- /grave /a /b /c /d /e /f /g /h /i /j /k /l /m /n /o
-% 0x70
- /p /q /r /s /t /u /v /w
- /x /y /z /braceleft /bar /braceright /asciitilde
- /.notdef % rubout; ASCII ends
-% 0x80
- /.notdef /.notdef /quotesinglbase /florin
- /quotedblbase /ellipsis /dagger /daggerdbl
- /circumflex /perthousand /Scaron /guilsinglleft
- /OE
- /caron % Y&Y
- /.notdef
- /.notdef
-% 0x90
- /.notdef /quoteleft /quoteright /quotedblleft
- /quotedblright /bullet /endash /emdash
- /tildeaccent /trademark /scaron /guilsinglright
- /oe
- /dotlessi % Y&Y
- /.notdef
- /Ydieresis
-% 0xA0
- /.notdef % nobreakspace
- /exclamdown /cent /sterling
- /currency /yen /brokenbar /section
- /dieresis /copyright /ordfeminine /guillemotleft
- /logicalnot
- /hyphen % Y&Y (also at 45); Windows' softhyphen
- /registered
- /macron
-% 0xD0
- /degree /plusminus /twosuperior /threesuperior
- /acute /mu /paragraph /periodcentered
- /cedilla /onesuperior /ordmasculine /guillemotright
- /onequarter /onehalf /threequarters /questiondown
-% 0xC0
- /Agrave /Aacute /Acircumflex /Atilde /Adieresis /Aring /AE /Ccedilla
- /Egrave /Eacute /Ecircumflex /Edieresis
- /Igrave /Iacute /Icircumflex /Idieresis
-% 0xD0
- /Eth /Ntilde /Ograve /Oacute
- /Ocircumflex /Otilde /Odieresis /multiply
- /Oslash /Ugrave /Uacute /Ucircumflex
- /Udieresis /Yacute /Thorn /germandbls
-% 0xE0
- /agrave /aacute /acircumflex /atilde
- /adieresis /aring /ae /ccedilla
- /egrave /eacute /ecircumflex /edieresis
- /igrave /iacute /icircumflex /idieresis
-% 0xF0
- /eth /ntilde /ograve /oacute
- /ocircumflex /otilde /odieresis /divide
- /oslash /ugrave /uacute /ucircumflex
- /udieresis /yacute /thorn /ydieresis
-] def
-%%EndFont
-%%BeginProcSet: texps.pro
-TeXDict begin /rf{findfont dup length 1 add dict begin{1 index /FID ne 2
-index /UniqueID ne and{def}{pop pop}ifelse}forall[1 index 0 6 -1 roll
-exec 0 exch 5 -1 roll VResolution Resolution div mul neg 0 0]/Metrics
-exch def dict begin Encoding{exch dup type /integertype ne{pop pop 1 sub
-dup 0 le{pop}{[}ifelse}{FontMatrix 0 get div Metrics 0 get div def}
-ifelse}forall Metrics /Metrics currentdict end def[2 index currentdict
-end definefont 3 -1 roll makefont /setfont load]cvx def}def
-/ObliqueSlant{dup sin S cos div neg}B /SlantFont{4 index mul add}def
-/ExtendFont{3 -1 roll mul exch}def /ReEncodeFont{/Encoding exch def}def
-end
-%%EndProcSet
-%%BeginProcSet: special.pro
-TeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N
-/vs 792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP 0 N /rwiSeen
-false N /rhiSeen false N /letter{}N /note{}N /a4{}N /legal{}N}B
-/@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{@scaleunit
-div /vsc X}B /@hsize{/hs X /CLIP 1 N}B /@vsize{/vs X /CLIP 1 N}B /@clip{
-/CLIP 2 N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{
-10 div /rwi X /rwiSeen true N}B /@rhi{10 div /rhi X /rhiSeen true N}B
-/@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X}B /magscale
-true def end /@MacSetUp{userdict /md known{userdict /md get type
-/dicttype eq{userdict begin md length 10 add md maxlength ge{/md md dup
-length 20 add dict copy def}if end md begin /letter{}N /note{}N /legal{}
-N /od{txpose 1 0 mtx defaultmatrix dtransform S atan/pa X newpath
-clippath mark{transform{itransform moveto}}{transform{itransform lineto}
-}{6 -2 roll transform 6 -2 roll transform 6 -2 roll transform{
-itransform 6 2 roll itransform 6 2 roll itransform 6 2 roll curveto}}{{
-closepath}}pathforall newpath counttomark array astore /gc xdf pop ct 39
-0 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{PaintBlack}if}N
-/txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR pop 1 -1
-scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3 get
-ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip
-not and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0
-TR}if yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TR
-pop pop 270 rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1
--1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg
-TR}if xflip yflip not and{TR pop pop 90 rotate ppr 3 get ppr 1 get neg
-sub neg 0 TR}if yflip xflip not and{TR pop pop 270 rotate ppr 2 get ppr
-0 get neg sub neg 0 S TR}if}ifelse scaleby96{ppr aload pop 4 -1 roll add
-2 div 3 1 roll add 2 div 2 copy TR .96 dup scale neg S neg S TR}if}N /cp
-{pop pop showpage pm restore}N end}if}if}N /normalscale{Resolution 72
-div VResolution 72 div neg scale magscale{DVImag dup scale}if 0 setgray}
-N /psfts{S 65781.76 div N}N /startTexFig{/psf$SavedState save N userdict
-maxlength dict begin /magscale true def normalscale currentpoint TR
-/psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts
-/psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urx
-psf$llx sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$sy
-scale psf$cx psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR
-/showpage{}N /erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{
-psf$llx psf$lly psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2
-roll moveto 6 -1 roll S lineto S lineto S lineto closepath clip newpath
-moveto}N /endTexFig{end psf$SavedState restore}N /@beginspecial{SDict
-begin /SpecialSave save N gsave normalscale currentpoint TR
-@SpecialDefaults count /ocount X /dcount countdictstack N}N /@setspecial
-{CLIP 1 eq{newpath 0 0 moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlineto
-closepath clip}if ho vo TR hsc vsc scale ang rotate rwiSeen{rwi urx llx
-sub div rhiSeen{rhi ury lly sub div}{dup}ifelse scale llx neg lly neg TR
-}{rhiSeen{rhi ury lly sub div dup scale llx neg lly neg TR}if}ifelse
-CLIP 2 eq{newpath llx lly moveto urx lly lineto urx ury lineto llx ury
-lineto closepath clip}if /showpage{}N /erasepage{}N /copypage{}N newpath
-}N /@endspecial{count ocount sub{pop}repeat countdictstack dcount sub{
-end}repeat grestore SpecialSave restore end}N /@defspecial{SDict begin}
-N /@fedspecial{end}B /li{lineto}B /rl{rlineto}B /rc{rcurveto}B /np{
-/SaveX currentpoint /SaveY X N 1 setlinecap newpath}N /st{stroke SaveX
-SaveY moveto}N /fil{fill SaveX SaveY moveto}N /ellipse{/endangle X
-/startangle X /yrad X /xrad X /savematrix matrix currentmatrix N TR xrad
-yrad scale 0 0 1 startangle endangle arc savematrix setmatrix}N end
-%%EndProcSet
-TeXDict begin 40258431 52099146 1000 600 600 (bro.dvi)
-@start /Fa 171[36 6[52 77[{TeXBase1Encoding ReEncodeFont}2
-58.333336 /Times-Roman rf /Fb 172[50 6[50 6[50 50 1[50
-66[{TeXBase1Encoding ReEncodeFont}5 83.333336 /Courier-Oblique
-rf /Fc 6 112 df<146014E0EB01C0EB0380EB0700130E131E5B5BA25B485AA2485AA212
-075B120F90C7FCA25A121EA2123EA35AA65AB2127CA67EA3121EA2121F7EA27F12077F12
-03A26C7EA26C7E1378A27F7F130E7FEB0380EB01C0EB00E01460135278BD20>40
-D<12C07E12707E7E7E120F6C7E6C7EA26C7E6C7EA21378A2137C133C133E131EA2131F7F
-A21480A3EB07C0A6EB03E0B2EB07C0A6EB0F80A31400A25B131EA2133E133C137C1378A2
-5BA2485A485AA2485A48C7FC120E5A5A5A5A5A13527CBD20>I49 D103 D108 D111 D E /Fd
-141[72 2[72 44[72 66[{TeXBase1Encoding ReEncodeFont}3
-119.999947 /Courier rf /Fe 2 67 df<4B7E1503150782150F151FA2153FA2156F15
-CF82EC0187140315071406140E140C02187FA2EC30031460A214C013011480D903007F91
-B5FC5B90380C0001A25B13380130805B01E013005B12011203000F4A7ED8FFF890381FFF
-E0A22B2A7DA932>65 D<013FB512F816FF903A01FC001FC04AEB07E0EE03F001031401A2
-4A14F8A2130717F04A130317E0010F1407EE0FC04AEB1F80EE7E00011F495A91B512F0A2
-91388001FC013FEB007E8291C7EA1F80160F4915C0A2137EA213FEEE1F805BEE3F000001
-153E16FE49EB01F84B5A0003EC1FC0B7C7FC15F82D287DA732>I
-E /Ff 130[40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
-40 40 40 40 1[40 40 40 40 40 40 40 40 40 1[40 1[40 40
-40 1[40 1[40 40 40 40 40 40 40 40 40 40 1[40 2[40 40
-1[40 40 40 40 40 40 1[40 40 40 1[40 40 40 40 40 40 40
-40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40
-40 40 33[{TeXBase1Encoding ReEncodeFont}82 66.666664
-/Courier rf /Fg 143[60 3[60 2[60 5[60 60 60 97[{
-TeXBase1Encoding ReEncodeFont}6 100.000000 /Courier rf
-/Fh 134[50 2[50 55 33 39 44 1[55 50 55 83 28 55 1[28
-55 50 33 44 55 44 55 50 6[66 3[72 1[66 55 72 1[61 78
-1[94 3[39 2[61 66 72 72 11[50 50 50 50 50 50 50 2[25
-46[{TeXBase1Encoding ReEncodeFont}42 100.000000 /Times-Bold
-rf /Fi 4 121 df15 D102 D<12FCEAFFC0EA07F0EA01FCEA
-007E7F80131F80130FB3A7801307806D7E6D7EEB007EEC1FF0EC07F8EC1FF0EC7E00495A
-495A495A5C130F5CB3A7131F5C133F91C7FC137E485AEA07F0EAFFC000FCC8FC1D537ABD
-2A>I<137E3801FFC03807C1E0380F0070001E1338003E131C48130C141E147E5AA3143C
-1400A3127CA37E121E7E6C7E6C7EEA00F013FCEA03FF380F8780381F01E0003E13F0EB00
-F848137CA200FC133E5A141FA6127C143F6C133EA26C137CEA0F80000713F83801E1F038
-00FFC0EB3F00130FEB03C0EB01E0EB00F01478147C143EA3141FA3123C127EA3143E1278
-12300038137C6C13786C13F0380783E03803FF8038007E00184C7ABA25>120
-D E /Fj 9 113 df<121C127FEAFF80A5EA7F00121C0909798817>58
-D<1760177017F01601A21603A21607160FA24C7EA216331673166316C3A2ED0183A2ED03
-03150683150C160115181530A21560A215C014011580DA03007FA202061300140E140C5C
-021FB5FC5CA20260C7FC5C83495A8349C8FC1306A25BA25B13385B01F01680487E000716
-FFB56C013F13FF5EA2383C7DBB3E>65 D<0103B77E4916F018FC903B0007F80003FE4BEB
-00FFF07F80020FED3FC0181F4B15E0A2141FA25DA2143F19C04B143F1980027F157F1900
-92C812FE4D5A4A4A5AEF0FF04AEC1FC005FFC7FC49B612FC5F02FCC7B4FCEF3FC00103ED
-0FE0717E5C717E1307844A1401A2130F17035CA2131F4D5A5C4D5A133F4D5A4A4A5A4D5A
-017F4BC7FC4C5A91C7EA07FC49EC3FF0B812C094C8FC16F83B397DB83F>I<902603FFF8
-91381FFFF8496D5CA2D90007030113006FEC007C02061678DA0EFF157081020C6D1460A2
-DA1C3F15E0705CEC181F82023815016F6C5C1430150702706D1303030392C7FC02607FA2
-DAE0015C701306ECC0008201016E130EEF800C5C163F0103EDC01C041F131891C713E016
-0F49EDF03818300106140717F8010E02031370EFFC60130CEE01FE011C16E004005B0118
-15FF177F1338600130153FA20170151F95C8FC01F081EA07FCB512E01706A245397DB843
->78 D<4BB4FC031F13F09238FE01FC913903F0007EDA07C0EB1F80DA1F80EB0FC0023EC7
-EA07E002FCEC03F0495A4948EC01F8495A4948EC00FC495A49C912FE49167E13FE49167F
-1201485AA2485AA2120F5B001F17FFA2485AA34848ED01FEA400FFEE03FC90C9FCA2EF07
-F8A2EF0FF0A218E0171F18C0EF3F806C167F180017FE4C5A6C6C5D1603001F4B5A6D4A5A
-000FED1F806C6C4AC7FC6D147E0003EC01F8D801FC495AD8007EEB0FC090263F807FC8FC
-903807FFF801001380383D7CBA3F>I<0003B812FEA25A903AF8003FC00101C091388000
-7E4848163C90C7007F141C121E001C92C7FCA2485CA200305C007017180060130112E048
-5CA21403C716005DA21407A25DA2140FA25DA2141FA25DA2143FA25DA2147FA292C9FCA2
-5CA25CA21301A25CA21303A25CEB0FFC003FB6FC5AA237397EB831>84
-D107
-D110 D<90390F8003F090391FE00FFC90
-3939F03C1F903A70F8700F80903AE0FDE007C09038C0FF80030013E00001491303018015
-F05CEA038113015CA2D800031407A25CA20107140FA24A14E0A2010F141F17C05CEE3F80
-131FEE7F004A137E16FE013F5C6E485A4B5A6E485A90397F700F80DA383FC7FC90387E1F
-FCEC07E001FEC9FCA25BA21201A25BA21203A25B1207B512C0A32C3583A42A>112
-D E /Fk 5 54 df<13E01201120712FF12F91201B3A7487EB512C0A212217AA01E>49
-DI<13FF000313C0380F03E0381C00F014F800
-3E13FC147CA2001E13FC120CC712F8A2EB01F0EB03E0EB0FC03801FF00A2380003E0EB00
-F01478147C143E143F1230127812FCA2143E48137E0060137C003813F8381E03F0380FFF
-C00001130018227DA01E>I<14E01301A213031307A2130D131D13391331136113E113C1
-EA01811203EA07011206120C121C12181230127012E0B6FCA2380001E0A6EB03F0EB3FFF
-A218227DA11E>I<00101330381E01F0381FFFE014C01480EBFE00EA1BF00018C7FCA513
-FE381BFF80381F03C0381C01E0381800F014F8C71278A2147CA21230127812F8A2147848
-13F8006013F0387001E01238381E07803807FF00EA01F816227CA01E>I
-E /Fl 133[37 42 42 60 42 46 28 32 37 1[46 42 46 69 23
-46 1[23 46 42 28 37 46 37 46 42 11[60 55 46 60 1[51 65
-60 78 1[65 1[32 65 2[55 60 60 1[60 18[21 28 21 47 40[46
-2[{TeXBase1Encoding ReEncodeFont}44 83.333336 /Times-Bold
-rf /Fm 131[50 1[50 50 50 50 50 50 50 50 50 50 50 50 50
-50 50 50 50 50 50 50 50 50 50 50 50 50 3[50 50 50 3[50
-50 50 50 50 50 1[50 50 50 1[50 1[50 50 50 1[50 50 50
-50 50 50 1[50 50 50 50 1[50 1[50 50 50 50 1[50 50 50
-50 50 50 50 50 50 50 50 50 1[50 50 50 2[50 33[{
-TeXBase1Encoding ReEncodeFont}74 83.333336 /Courier rf
-/Fn 5 54 df<13381378EA01F8121F12FE12E01200B3AB487EB512F8A215267BA521>49
-D<13FF000313E0380E03F0381800F848137C48137E00787F12FC6CEB1F80A4127CC7FC15
-005C143E147E147C5C495A495A5C495A010EC7FC5B5B903870018013E0EA018039030003
-0012065A001FB5FC5A485BB5FCA219267DA521>I<13FF000313E0380F01F8381C007C00
-30137E003C133E007E133FA4123CC7123E147E147C5C495AEB07E03801FF8091C7FC3800
-01E06D7E147C80143F801580A21238127C12FEA21500485B0078133E00705B6C5B381F01
-F03807FFC0C690C7FC19277DA521>I<1438A2147814F81301A2130313071306130C131C
-131813301370136013C012011380EA03005A120E120C121C5A12305A12E0B612E0A2C7EA
-F800A7497E90383FFFE0A21B277EA621>I<0018130C001F137CEBFFF85C5C1480D819FC
-C7FC0018C8FCA7137F3819FFE0381F81F0381E0078001C7F0018133EC7FC80A21580A212
-30127C12FCA3150012F00060133E127000305B001C5B380F03E03803FFC0C648C7FC1927
-7DA521>I E /Fo 136[44 1[33 18 26 26 1[33 33 1[48 1[29
-5[29 22[44 10[44 67[{TeXBase1Encoding ReEncodeFont}12
-66.666664 /Times-Italic rf /Fp 104[66 33 1[29 29 25[33
-33 48 33 33 18 26 22 33 33 33 33 52 18 33 1[18 33 33
-22 29 33 29 33 29 3[22 1[22 41 1[48 63 1[48 41 37 44
-1[37 48 48 59 41 1[26 22 48 1[37 41 48 44 44 48 6[18
-33 33 33 33 33 33 33 33 33 33 1[17 22 17 2[22 22 22 35[37
-37 2[{TeXBase1Encoding ReEncodeFont}70 66.666664 /Times-Roman
-rf /Fq 1 4 df<136013701360A20040132000E0137038F861F0387E67E0381FFF803807
-FE00EA00F0EA07FE381FFF80387E67E038F861F038E060700040132000001300A2137013
-6014157B9620>3 D E /Fr 134[37 37 55 37 42 23 32 32 42
-42 42 42 60 23 37 1[23 42 42 23 37 42 37 42 42 8[51 69
-1[60 46 42 51 1[51 60 55 69 46 2[28 60 60 51 51 1[55
-1[51 6[28 42 1[42 3[42 1[42 1[23 21 28 3[28 28 28 35[42
-3[{TeXBase1Encoding ReEncodeFont}54 83.333336 /Times-Italic
-rf /Fs 104[83 42 1[37 37 24[37 42 42 60 42 42 23 32 28
-42 42 42 42 65 23 42 23 23 42 42 28 37 42 37 42 37 3[28
-1[28 51 60 60 78 60 60 51 46 55 60 46 60 60 74 51 60
-32 28 60 60 46 51 60 55 55 60 5[23 23 42 42 42 42 42
-42 42 42 42 42 23 21 28 21 47 1[28 28 28 1[69 3[28 29[46
-46 2[{TeXBase1Encoding ReEncodeFont}82 83.333336 /Times-Roman
-rf /Ft 134[60 60 86 1[66 40 47 53 1[66 60 66 100 33 66
-1[33 66 60 40 53 66 53 66 60 12[80 66 86 8[47 2[73 80
-3[86 6[40 60 60 60 60 60 60 60 60 60 3[40 42[66 2[{
-TeXBase1Encoding ReEncodeFont}41 119.999947 /Times-Bold
-rf /Fu 1 4 df<130C131EA50060EB01800078130739FC0C0FC0007FEB3F80393F8C7F00
-3807CCF83801FFE038007F80011EC7FCEB7F803801FFE03807CCF8383F8C7F397F0C3F80
-00FCEB0FC039781E078000601301000090C7FCA5130C1A1D7C9E23>3
-D E /Fv 134[50 50 72 50 1[28 39 33 2[50 50 1[28 50 1[28
-50 50 33 44 50 44 50 44 10[72 1[61 55 66 1[55 1[72 1[61
-2[33 5[66 66 72 92 17[25 1[25 5[78 38[{TeXBase1Encoding ReEncodeFont}35
-100.000000 /Times-Roman rf /Fw 134[72 1[104 1[72 40 56
-48 2[72 72 112 40 72 1[40 1[72 48 64 72 64 1[64 12[88
-80 96 3[104 4[48 4[104 1[96 104 6[40 12[48 45[{
-TeXBase1Encoding ReEncodeFont}28 144.000000 /Times-Roman
-rf end
-%%EndProlog
-%%BeginSetup
-%%Feature: *Resolution 600dpi
-TeXDict begin
-
-%%EndSetup
-%%Page: 1 1
-1 0 bop 180 161 a Fw(Bro:)43 b(A)36 b(System)e(for)h(Detecting)f(Netw)o
-(ork)f(Intruders)h(in)i(Real-T)-5 b(ime)1700 402 y Fv(V)-11
-b(ern)25 b(P)o(axson)854 634 y(La)o(wrence)h(Berk)o(ele)o(y)f(National)
-f(Laboratory)-6 b(,)24 b(Berk)o(ele)o(y)-6 b(,)24 b(CA)3045
-598 y Fu(\003)1878 751 y Fv(and)792 867 y(A)-11 b(T&T)24
-b(Center)i(for)f(Internet)g(Research)h(at)f(ICSI,)h(Berk)o(ele)o(y)-6
-b(,)24 b(CA)1650 983 y(v)o(ern@aciri.or)n(g)-150 1309
-y Ft(Abstract)-150 1498 y Fs(W)-7 b(e)36 b(describe)f(Bro,)k(a)c
-(stand-alone)f(system)h(for)g(detecting)f(net-)-150 1598
-y(w)o(ork)c(intruders)f(in)i(real-time)e(by)h(passi)n(v)o(ely)g
-(monitoring)e(a)j(net-)-150 1698 y(w)o(ork)23 b(link)g(o)o(v)o(er)g
-(which)g(the)g(intruder')-5 b(s)23 b(traf)n(\002c)g(transits.)36
-b(W)-7 b(e)24 b(gi)n(v)o(e)-150 1797 y(an)c(o)o(v)o(ervie)n(w)e(of)h
-(the)h(system')-5 b(s)20 b(design,)f(which)h(emphasizes)f(high-)-150
-1897 y(speed)30 b(\(FDDI-rate\))f(monitoring,)i(real-time)f
-(noti\002cation,)i(clear)-150 1996 y(separation)18 b(between)g
-(mechanism)g(and)h(polic)o(y)-5 b(,)18 b(and)g(e)o(xtensibility)-5
-b(.)-150 2096 y(T)e(o)21 b(achie)n(v)o(e)f(these)h(ends,)g(Bro)g(is)h
-(di)n(vided)d(into)i(an)g(\223e)n(v)o(ent)f(engine\224)-150
-2196 y(that)e(reduces)f(a)h(k)o(ernel-\002ltered)e(netw)o(ork)g(traf)n
-(\002c)i(stream)f(into)h(a)g(se-)-150 2295 y(ries)27
-b(of)f(higher)n(-le)n(v)o(el)f(e)n(v)o(ents,)i(and)f(a)h(\223polic)o(y)
-f(script)g(interpreter\224)-150 2395 y(that)33 b(interprets)g(e)n(v)o
-(ent)f(handlers)g(written)h(in)h(a)f(specialized)g(lan-)-150
-2495 y(guage)17 b(used)g(to)h(e)o(xpress)g(a)g(site')-5
-b(s)19 b(security)e(polic)o(y)-5 b(.)23 b(Ev)o(ent)17
-b(handlers)-150 2594 y(can)24 b(update)f(state)i(information,)e
-(synthesize)h(ne)n(w)g(e)n(v)o(ents,)g(record)-150 2694
-y(information)e(to)i(disk,)g(and)g(generate)e(real-time)i
-(noti\002cations)f(via)-150 2793 y Fr(syslo)o(g)p Fs(.)62
-b(W)-7 b(e)34 b(also)f(discuss)g(a)g(number)d(of)j(attacks)f(that)h
-(attempt)-150 2893 y(to)25 b(sub)o(v)o(ert)f(passi)n(v)o(e)h
-(monitoring)e(systems)j(and)f(defenses)f(against)-150
-2993 y(these,)k(and)f(gi)n(v)o(e)f(particulars)f(of)i(ho)n(w)f(Bro)h
-(analyzes)f(the)h(six)g(ap-)-150 3092 y(plications)22
-b(inte)o(grated)e(into)i(it)h(so)g(f)o(ar:)29 b(Finger)m(,)22
-b(FTP)-9 b(,)22 b(Portmapper)m(,)-150 3192 y(Ident,)d(T)-6
-b(elnet)20 b(and)f(Rlogin.)24 b(The)c(system)g(is)h(publicly)d(a)n(v)n
-(ailable)h(in)-150 3292 y(source)g(code)h(form.)-150
-3584 y Ft(1)119 b(Intr)n(oduction)-150 3774 y Fs(W)m(ith)31
-b(gro)n(wing)f(Internet)g(connecti)n(vity)f(comes)i(gro)n(wing)e(oppor)
-n(-)-150 3873 y(tunities)j(for)e(attack)o(ers)i(to)f(illicitly)h
-(access)h(computers)c(o)o(v)o(er)i(the)-150 3973 y(netw)o(ork.)51
-b(The)29 b(problem)e(of)i(detecting)f(such)h(attacks)g(is)h(termed)-150
-4073 y Fr(network)19 b(intrusion)f(detection)p Fs(,)g(a)h(relati)n(v)o
-(ely)f(ne)n(w)g(area)h(of)f(security)-150 4172 y(research)29
-b([MHL94)n(].)53 b(W)-7 b(e)31 b(can)e(di)n(vide)g(these)h(systems)g
-(into)f(tw)o(o)-150 4272 y(types,)h(those)f(that)g(rely)f(on)g(audit)g
-(information)f(gathered)f(by)j(the)-150 4372 y(hosts)19
-b(in)h(the)f(netw)o(ork)e(the)o(y)i(are)g(trying)f(to)h(protect,)f(and)
-h(those)f(that)-150 4471 y(operate)24 b(\223stand-alone\224)f(by)h
-(observing)f(netw)o(ork)h(traf)n(\002c)h(directly)-5
-b(,)-150 4571 y(and)23 b(passi)n(v)o(ely)-5 b(,)23 b(using)g(a)h(pack)o
-(et)f(\002lter)-5 b(.)36 b(There)23 b(is)i(also)f(increasing)-150
-4670 y(interest)29 b(in)f(b)n(uilding)f(hybrid)g(systems)i(that)g
-(combine)e(these)h(tw)o(o)-150 4770 y(approaches)18 b([Ax99)n(].)p
--150 4850 801 4 v -66 4903 a Fq(\003)-30 4927 y Fp(This)f(paper)h
-(appears)h(in)f Fo(Computer)g(Networks)p Fp(,)h(31\(23\22624\),)f(pp.)g
-(2435\2262463,)-150 5006 y(14)i(Dec.)h(1999.)31 b(This)20
-b(w)o(ork)g(w)o(as)h(supported)h(by)e(the)h(Director)m(,)i(Of)n(\002ce)
-e(of)f(Ener)o(gy)-150 5085 y(Research,)k(Of)n(\002ce)e(of)f
-(Computational)k(and)d(T)-5 b(echnology)23 b(Research,)h(Mathemati-)
--150 5163 y(cal,)17 b(Information,)i(and)e(Computational)j(Sciences)f
-(Di)n(vision)f(of)f(the)g(United)h(States)-150 5242 y(Department)k(of)f
-(Ener)o(gy)f(under)h(Contract)i(No.)c(DE-A)m(C03-76SF00098.)32
-b(An)20 b(ear)o(-)-150 5321 y(lier)j(v)o(ersion)g(of)f(this)g(paper)h
-(appeared)h(in)e(the)h(Proceedings)h(of)e(the)g(7th)h(USENIX)-150
-5400 y(Security)c(Symposium,)e(San)g(Antonio,)h(TX,)d(January)k(1998.)
-2132 1309 y Fs(In)25 b(this)h(paper)e(we)i(focus)f(on)g(the)g(problem)f
-(of)h(b)n(uilding)f(stand-)2049 1408 y(alone)15 b(systems,)i(which)e
-(we)h(will)h(term)e(\223monitors.)-6 b(\224)22 b(Though)14
-b(mon-)2049 1508 y(itors)28 b(necessarily)g(f)o(ace)g(the)g(dif)n
-(\002culties)g(of)g(more)g(limited)g(infor)n(-)2049 1607
-y(mation)35 b(than)g(systems)h(with)f(access)h(to)g(audit)f(trails,)40
-b(monitors)2049 1707 y(also)26 b(gain)f(the)g(major)g(bene\002t)h(that)
-f(the)o(y)g(can)h(be)f(added)g(to)h(a)g(net-)2049 1807
-y(w)o(ork)k(without)g(requiring)e(an)o(y)i(changes)f(to)i(the)f(hosts.)
-56 b(F)o(or)30 b(our)2049 1906 y(purposes\227monitoring)22
-b(a)k(collection)f(of)h(se)n(v)o(eral)g(thousand)e(het-)2049
-2006 y(erogeneous,)17 b(di)n(v)o(ersely-administered)f(hosts\227this)k
-(adv)n(antage)e(is)2049 2106 y(immense.)2132 2211 y(Our)34
-b(monitoring)e(system)j(is)h(called)e(Bro)h(\(an)f(Orwellian)g(re-)2049
-2311 y(minder)f(that)h(monitoring)e(comes)i(hand)f(in)i(hand)e(with)h
-(the)g(po-)2049 2410 y(tential)48 b(for)f(pri)n(v)n(ac)o(y)e
-(violations\).)106 b(A)48 b(number)e(of)h(commer)n(-)2049
-2510 y(cial)35 b(products)d(e)o(xist)j(that)f(do)g(what)g(Bro)g(does,)k
-(generally)32 b(with)2049 2609 y(much)f(more)g(sophisticated)g(interf)o
-(aces)g(and)g(management)f(soft-)2049 2709 y(w)o(are)f([In99)n(,)h(T)-7
-b(o99)n(,)30 b(Ci99],)2900 2679 y Fn(1)2968 2709 y Fs(and)f(lar)o(ger)f
-(\223attack)h(signature\224)f(li-)2049 2809 y(braries.)51
-b(T)-7 b(o)29 b(our)f(kno)n(wledge,)h(ho)n(we)n(v)o(er)m(,)g(there)g
-(are)g(no)f(detailed)2049 2908 y(accounts)c(in)h(the)h(netw)o(ork)d
-(security)i(literature)f(of)h(ho)n(w)g(monitors)2049
-3008 y(can)f(be)h(b)n(uilt.)38 b(Furthermore,)23 b(monitors)g(can)i(be)
-f(susceptible)g(to)h(a)2049 3108 y(number)j(of)h(attacks)h(aimed)f(at)h
-(sub)o(v)o(erting)d(the)j(monitoring;)i(we)2049 3207
-y(belie)n(v)o(e)19 b(the)i(attacks)f(we)h(discuss)f(here)g(ha)n(v)o(e)g
-(not)g(been)g(pre)n(viously)2049 3307 y(described)g(in)i(the)g
-(literature.)29 b(Thus,)21 b(the)h(contrib)n(ution)d(of)j(this)g(pa-)
-2049 3406 y(per)h(is)i(not)e(at)h(heart)f(a)h(no)o(v)o(el)e(idea)h
-(\(though)f(we)i(belie)n(v)o(ed)e(it)i(no)o(v)o(el)2049
-3506 y(when)30 b(we)h(undertook)c(the)k(project,)h(in)e(1995\),)h(b)n
-(ut)g(rather)e(a)i(de-)2049 3606 y(tailed)i(o)o(v)o(ervie)n(w)d(of)i
-(some)h(e)o(xperiences)e(with)h(b)n(uilding)g(such)g(a)2049
-3705 y(system.)2132 3811 y(Prior)16 b(to)g(de)n(v)o(eloping)e(Bro,)j
-(we)f(had)g(signi\002cant)g(operational)e(e)o(x-)2049
-3910 y(perience)20 b(with)i(a)g(simpler)g(system)f(based)h(on)f(of)n
-(f-line)f(analysis)i(of)2049 4010 y Fm(tcpdump)29 b Fs([JLM89)o(])h
-(trace)f(\002les.)55 b(Out)30 b(of)g(this)g(e)o(xperience)e(we)2049
-4110 y(formulated)18 b(a)j(number)d(of)i(design)f(goals)i(and)e
-(requirements:)2049 4315 y Fl(High-speed,)h(lar)o(ge)g(v)o(olume)g
-(monitoring)40 b Fs(F)o(or)69 b(our)f(en)m(viron-)2215
-4415 y(ment,)20 b(we)h(vie)n(w)f(the)h(greatest)f(source)g(of)g
-(threats)h(as)g(e)o(xternal)2215 4515 y(hosts)28 b(connecting)d(to)j
-(our)f(hosts)g(o)o(v)o(er)f(the)i(Internet.)46 b(Since)2215
-4614 y(the)28 b(netw)o(ork)f(we)i(w)o(ant)f(to)g(protect)g(has)g(a)h
-(single)f(link)f(con-)2215 4714 y(necting)e(it)i(to)g(the)f(remainder)f
-(of)h(the)g(Internet)f(\(a)h(\223DMZ\224\),)2215 4814
-y(we)42 b(can)f(economically)f(monitor)g(our)h(greatest)g(potential)
-2215 4913 y(source)23 b(of)g(attacks)g(by)g(passi)n(v)o(ely)f(w)o
-(atching)h(the)g(DMZ)g(link.)p 2049 5007 V 2134 5061
-a Fk(1)2169 5085 y Fp(Or)18 b(at)h(least)h(appear)m(,)h(according)g(to)
-e(their)h(product)g(literature,)i(to)d(do)g(the)h(same)2049
-5163 y(things\227we)f(do)e(not)g(ha)o(v)o(e)h(direct)h(e)o(xperience)h
-(with)e(an)o(y)f(of)g(these)h(products.)2115 5242 y(A)h(some)n(what)i
-(dif)n(ferent)h(sort)d(of)g(product,)i(the)f(\223Netw)o(ork)h(Flight)g
-(Recorder)m(,)-5 b(\224)23 b(is)2049 5321 y(described)d(in)e([RLSSL)-5
-b(W97)o(],)17 b(though)i(it)f(is)g(no)n(w)f(increasingly)k(used)d(for)g
-(intrusion)2049 5400 y(detection)i([Ne99)q(].)1929 5649
-y Fs(1)p eop
-%%Page: 2 2
-2 1 bop 16 -104 a Fs(Ho)n(we)n(v)o(er)m(,)22 b(the)i(link)f(is)h(an)g
-(FDDI)g(ring,)f(so)h(to)g(monitor)e(it)i(re-)16 -5 y(quires)g(a)h
-(system)g(that)f(can)h(capture)e(traf)n(\002c)h(at)h(speeds)g(of)f(up)
-16 95 y(to)c(100)g(Mbps.)-150 266 y Fl(No)g(pack)o(et)g(\002lter)h(dr)o
-(ops)41 b Fs(If)25 b(an)h(application)e(using)h(a)h(pack)o(et)f(\002l-)
-16 366 y(ter)20 b(cannot)e(consume)g(pack)o(ets)h(as)i(quickly)d(as)i
-(the)o(y)f(arri)n(v)o(e)f(on)16 466 y(the)25 b(monitored)d(link,)j
-(then)f(the)h(\002lter)g(will)g(b)n(uf)n(fer)e(the)i(pack-)16
-565 y(ets)g(for)g(later)f(consumption.)36 b(Ho)n(we)n(v)o(er)m(,)24
-b(e)n(v)o(entually)e(the)j(\002l-)16 665 y(ter)30 b(will)g(run)e(out)h
-(of)h(b)n(uf)n(fer)m(,)f(at)h(which)f(point)g(it)h Fr(dr)l(ops)f
-Fs(an)o(y)16 765 y(further)i(pack)o(ets)g(that)h(arri)n(v)o(e.)60
-b(From)31 b(a)i(security)e(monitor)n(-)16 864 y(ing)25
-b(perspecti)n(v)o(e,)h(drops)e(can)i(completely)e(defeat)h(the)h(mon-)
-16 964 y(itoring,)41 b(since)c(the)h(missing)g(pack)o(ets)f(might)g
-(contain)f(e)o(x-)16 1063 y(actly)24 b(the)g(interesting)f(traf)n
-(\002c)h(that)g(identi\002es)g(a)g(netw)o(ork)f(in-)16
-1163 y(truder)-5 b(.)27 b(Gi)n(v)o(en)21 b(our)f(\002rst)i(design)f
-(requirement\227high-speed)16 1263 y(monitoring\227then)c(a)n(v)n
-(oiding)i(pack)o(et)h(\002lter)h(drops)f(becomes)16 1362
-y(another)f(strong)g(requirement.)16 1498 y(It)25 b(is)h(sometimes)f
-(tempting)f(to)h(dismiss)g(a)h(problem)d(such)i(as)16
-1598 y(pack)o(et)h(\002lter)h(drops)e(with)i(an)f(ar)o(gument)e(that)i
-(it)h(is)h(unlik)o(ely)16 1697 y(a)e(traf)n(\002c)g(spik)o(e)f(will)i
-(occur)d(at)i(the)g(same)g(time)g(as)g(an)g(attack)16
-1797 y(happens)j(to)h(be)g(underw)o(ay)-5 b(.)52 b(This)31
-b(ar)o(gument,)f(ho)n(we)n(v)o(er)m(,)g(is)16 1896 y(completely)e
-(undermined)f(if)j(we)h(assume)e(that)h(an)g(attack)o(er)16
-1996 y(might,)35 b(in)e(parallel)f(with)h(a)h(break-in)d(attempt,)k
-Fr(attac)n(k)e(the)16 2096 y(monitor)20 b(itself)33 b
-Fs(\(see)20 b(belo)n(w\).)-150 2267 y Fl(Real-time)g(noti\002cation)39
-b Fs(One)50 b(of)f(our)g(main)g(dissatisf)o(actions)16
-2367 y(with)31 b(our)e(initial)i(of)n(f-line)e(system)h(w)o(as)h(the)g
-(lengthy)d(delay)16 2467 y(incurred)33 b(before)h(detecting)g(an)h
-(attack.)69 b(If)35 b(an)g(attack,)j(or)16 2566 y(an)25
-b(attempted)f(attack,)h(is)h(detected)e(quickly)-5 b(,)24
-b(then)g(it)i(can)f(be)16 2666 y(much)c(easier)h(to)g(trace)g(back)f
-(the)h(attack)o(er)f(\(for)g(e)o(xample,)g(by)16 2765
-y(telephoning)d(the)i(site)h(from)d(which)i(the)o(y)f(are)h(coming\),)e
-(min-)16 2865 y(imize)35 b(damage,)i(pre)n(v)o(ent)c(further)g
-(break-ins,)k(and)d(initiate)16 2965 y(full)28 b(recording)d(of)j(all)h
-(of)e(the)h(attack)o(er')-5 b(s)28 b(netw)o(ork)f(acti)n(vity)-5
-b(.)16 3064 y(Therefore,)24 b(one)h(of)g(our)f(requirements)g(for)g
-(Bro)h(w)o(as)i(that)e(it)16 3164 y(detect)i(attacks)g(in)g(real-time.)
-44 b(This)27 b(is)g(not)g(to)g(discount)f(the)16 3264
-y(enormous)e(utility)i(of)f(k)o(eeping)f(e)o(xtensi)n(v)o(e,)i
-(permanent)e(logs)16 3363 y(of)g(netw)o(ork)e(acti)n(vity)i(for)f
-(later)h(analysis.)36 b(In)m(v)n(ariably)-5 b(,)21 b(when)16
-3463 y(we)28 b(ha)n(v)o(e)e(suf)n(fered)g(a)h(break-in,)g(we)h(turn)e
-(to)i(these)f(logs)g(for)16 3562 y(retrospecti)n(v)o(e)20
-b(damage)g(assessment,)i(sometimes)f(searching)16 3662
-y(back)f(a)g(number)f(of)g(months.)-150 3834 y Fl(Mechanism)i(separate)
-f(fr)o(om)f(policy)41 b Fs(Sound)h(softw)o(are)g(design)16
-3933 y(often)29 b(stresses)j(constructing)c(a)i(clear)g(separation)f
-(between)16 4033 y(mechanism)g(and)i(polic)o(y;)k(done)29
-b(properly)-5 b(,)31 b(this)g(b)n(uys)f(both)16 4133
-y(simplicity)f(and)g(\003e)o(xibility)-5 b(.)53 b(The)29
-b(problems)f(f)o(aced)h(by)g(our)16 4232 y(system)19
-b(particularly)d(bene\002t)i(from)g(separating)f(the)h(tw)o(o:)25
-b(be-)16 4332 y(cause)32 b(we)f(ha)n(v)o(e)g(a)h(f)o(airly)f(high)g(v)n
-(olume)g(of)g(traf)n(\002c)g(to)h(deal)16 4431 y(with,)i(we)d(need)f
-(to)h(be)g(able)f(to)h(easily)h(trade-of)n(f)c(at)k(dif)n(fer)n(-)16
-4531 y(ent)19 b(times)g(ho)n(w)g(we)g(\002lter)m(,)g(inspect)g(and)f
-(respond)f(to)i(dif)n(ferent)16 4631 y(types)d(of)h(traf)n(\002c.)23
-b(If)16 b(we)h(hardwired)e(these)h(responses)g(into)h(the)16
-4730 y(system,)j(then)g(these)g(changes)g(w)o(ould)f(be)h(cumbersome)e
-(\(and)16 4830 y(error)n(-prone\))f(to)j(mak)o(e.)-150
-5001 y Fl(Extensible)42 b Fs(Because)27 b(there)h(are)f(an)h(enormous)e
-(number)g(of)h(dif-)16 5101 y(ferent)39 b(netw)o(ork)g(attacks,)45
-b(with)40 b(who)g(kno)n(ws)f(ho)n(w)h(man)o(y)16 5201
-y(w)o(aiting)32 b(to)h(be)g(disco)o(v)o(ered,)g(the)f(system)h(clearly)
-f(must)h(be)16 5300 y(designed)17 b(in)h(order)f(to)h(mak)o(e)g(it)h
-(easy)f(to)g(add)g(to)g(it)h(kno)n(wledge)16 5400 y(of)25
-b(ne)n(w)g(types)f(of)h(attacks.)40 b(In)24 b(addition,)h(while)g(our)f
-(system)2215 -104 y(is)e(a)f(research)f(project,)g(it)i(is)g(at)g(the)f
-(same)g(time)g(a)g(production)2215 -5 y(system)30 b(that)h(plays)f(a)g
-(signi\002cant)g(role)f(in)i(our)e(daily)h(secu-)2215
-95 y(rity)h(operations.)56 b(Consequently)-5 b(,)31 b(we)g(need)f(to)i
-(be)f(able)f(to)2215 194 y(upgrade)18 b(it)j(in)f(small,)h(easily)f
-(deb)n(ugged)e(increments.)2049 394 y Fl(A)-8 b(v)o(oid)20
-b(simple)h(mistak)o(es)42 b Fs(Of)19 b(course,)g(we)g(al)o(w)o(ays)h(w)
-o(ant)f(to)h(a)n(v)n(oid)2215 493 y(mistak)o(es.)36 b(Ho)n(we)n(v)o(er)
-m(,)23 b(here)g(we)i(mean)e(that)h(we)g(particularly)2215
-593 y(desire)k(that)g(the)g(w)o(ay)g(that)g(a)h(site)g(de\002nes)f(its)
-h(security)e(pol-)2215 693 y(ic)o(y)22 b(be)g(both)f(clear)h(and)f(as)i
-(error)n(-free)c(as)k(possible.)30 b(\(F)o(or)21 b(e)o(x-)2215
-792 y(ample,)j(we)g(w)o(ould)f(not)g(consider)f(e)o(xpressing)g(the)i
-(polic)o(y)e(in)2215 892 y(C)f(code)f(as)h(meeting)e(these)h(goals.\))
-2049 1091 y Fl(The)h(monitor)f(will)h(be)g(attack)o(ed)40
-b Fs(W)-7 b(e)18 b(must)f(assume)h(that)f(attack-)2215
-1191 y(ers)30 b(will)h(\(e)n(v)o(entually\))c(ha)n(v)o(e)i(full)h(kno)n
-(wledge)e(of)h(the)h(tech-)2215 1290 y(niques)j(used)g(by)g(the)h
-(monitor)m(,)g(and)f(access)h(to)g(its)g(source)2215
-1390 y(code,)29 b(and)f(will)h(use)g(this)g(kno)n(wledge)d(in)i
-(attempts)h(to)f(sub-)2215 1490 y(v)o(ert)c(or)h(o)o(v)o(erwhelm)d(the)
-j(monitor)e(so)i(that)g(it)g(f)o(ails)h(to)f(detect)2215
-1589 y(the)18 b(attack)o(er')-5 b(s)17 b(break-in)f(acti)n(vity)-5
-b(.)23 b(This)18 b(assumption)f(signi\002-)2215 1689
-y(cantly)f(complicates)g(the)h(design)f(of)h(the)g(monitor;)f(b)n(ut)h
-(f)o(ailing)2215 1788 y(to)j(address)g(it)h(is)g(to)g(b)n(uild)e(a)i
-(house)e(of)h(cards.)2215 1938 y(W)-7 b(e)22 b(do,)f(ho)n(we)n(v)o(er)m
-(,)e(allo)n(w)i(one)g(further)f(assumption,)g(namely)2215
-2038 y(that)34 b Fr(the)f(monitor)h(will)g(only)f(be)h(attac)n(k)o(ed)f
-(fr)l(om)h(one)f(end)p Fs(.)2215 2137 y(That)c(is,)k(gi)n(v)o(en)28
-b(a)i(netw)o(ork)f(connection)e(between)i(hosts)h Fj(A)2215
-2237 y Fs(and)21 b Fj(B)t Fs(,)h(we)g(assume)f(that)g(at)h(most)g(one)e
-(of)h Fj(A)i Fs(or)e Fj(B)26 b Fs(has)21 b(been)2215
-2336 y(compromised)k(and)i(might)g(try)h(to)g(attack)f(the)h(monitor)m
-(,)g(b)n(ut)2215 2436 y(not)c(both.)37 b(This)25 b(assumption)e
-(greatly)h(aids)g(in)h(dealing)e(with)2215 2536 y(the)29
-b(problem)d(of)i(attacks)h(on)f(the)h(monitor)m(,)f(since)h(it)g(means)
-2215 2635 y(that)g Fr(we)i(can)d(trust)j(one)d(of)i(the)f(endpoints)f
-Fs(\(though)f(we)j(do)2215 2735 y(not)20 b(kno)n(w)f(which\).)2215
-2884 y(In)26 b(addition,)g(we)g(note)f(that)i(this)f(second)f
-(assumption)g(costs)2215 2984 y(us)17 b(virtually)e(nothing.)22
-b(If,)17 b(indeed,)f(both)g Fj(A)h Fs(and)f Fj(B)21 b
-Fs(ha)n(v)o(e)16 b(been)2215 3084 y(compromised,)28 b(then)g(the)h
-(attack)o(er)g(can)f(establish)h(intricate)2215 3183
-y(co)o(v)o(ert)19 b(channels)g(between)h(the)g(tw)o(o.)25
-b(These)20 b(can)g(be)g(immea-)2215 3283 y(surably)27
-b(hard)g(to)i(detect,)h(depending)25 b(on)j(ho)n(w)g(de)n(vious)f(the)
-2215 3383 y(channel)18 b(is;)i(that)f(our)e(system)i(f)o(ails)h(to)f
-(do)f(so)h(only)f(means)g(we)2215 3482 y(gi)n(v)o(e)h(up)h(on)g
-(something)f(e)o(xtremely)f(dif)n(\002cult)i(an)o(yw)o(ay)-5
-b(.)2132 3698 y(A)28 b(\002nal)g(important)f(point)g(concerns)f(the)i
-(broader)e(conte)o(xt)g(for)2049 3798 y(our)20 b(monitoring)e(system.)
-27 b(Our)21 b(site)g(is)h(engaged)c(in)j(basic,)g(unclas-)2049
-3897 y(si\002ed)k(research.)37 b(The)24 b(consequences)f(of)h(a)h
-(break-in)e(are)h(usually)2049 3997 y(limited)31 b(to)g(\(potentially)f
-(signi\002cant\))g(e)o(xpenditure)e(in)k(lost)f(time)2049
-4097 y(and)d(re-securing)e(the)j(compromised)d(machines,)j(and)f
-(perhaps)f(a)2049 4196 y(tarnished)20 b(public)g(image)h(depending)d
-(on)j(the)g(subsequent)f(actions)2049 4296 y(of)g(the)g(attack)o(ers.)
-25 b(Thus,)20 b(while)g(we)h(v)o(ery)e(much)h(aim)g(to)g(minimize)2049
-4395 y(break-in)d(acti)n(vity)-5 b(,)19 b(we)g(do)g(not)f(try)h(to)h
-(achie)n(v)o(e)e(\223airtight\224)g(security)-5 b(.)2049
-4495 y(W)e(e)18 b(instead)f(emphasize)f(monitoring)f(o)o(v)o(er)h
-(blocking)f(when)i(possi-)2049 4595 y(ble.)31 b(Ob)o(viously)-5
-b(,)20 b(other)h(sites)j(may)d(ha)n(v)o(e)h(quite)g(dif)n(ferent)e
-(security)2049 4694 y(priorities,)f(which)h(we)h(do)e(not)h(claim)g(to)
-h(address.)2132 4802 y(In)i(the)h(remainder)e(of)h(this)h(paper)f(we)h
-(discuss)g(ho)n(w)f(the)g(design)2049 4902 y(of)d(Bro)h(attempts)f(to)h
-(meet)f(these)h(goals)f(and)g(constraints.)25 b(First,)c(in)2049
-5001 y Fi(x)d Fs(2)g(we)g(gi)n(v)o(e)e(an)i(o)o(v)o(ervie)n(w)d(of)j
-(the)f(structure)g(of)g(the)h(whole)f(system.)2049 5101
-y Fi(x)23 b Fs(3)f(presents)g(the)h(specialized)f Fm(Bro)g
-Fs(language)f(used)h(to)g(e)o(xpress)g(a)2049 5201 y(site')-5
-b(s)21 b(security)e(polic)o(y)-5 b(.)23 b(W)-7 b(e)20
-b(turn)f(in)h Fi(x)g Fs(4)f(to)h(the)g(details)f(of)h(ho)n(w)f(the)2049
-5300 y(system)29 b(is)h(currently)e(implemented.)49 b
-Fi(x)30 b Fs(5)f(discusses)h(attacks)f(on)2049 5400 y(the)23
-b(monitoring)e(system.)33 b Fi(x)24 b Fs(6)f(looks)f(at)i(the)f
-(specialized)g(analysis)1929 5649 y(2)p eop
-%%Page: 3 3
-3 2 bop 175 -187 a
- 10656645 18968821 0 0 33285570 59269365 startTexFig
- 175 -187 a
-%%BeginDocument: structure.eps
-%Magnification: 1.00
-/$F2psDict 200 dict def
-$F2psDict begin
-$F2psDict /mtrx matrix put
-/col-1 {0 setgray} bind def
-/col0 {0.000 0.000 0.000 srgb} bind def
-/col1 {0.000 0.000 1.000 srgb} bind def
-/col2 {0.000 1.000 0.000 srgb} bind def
-/col3 {0.000 1.000 1.000 srgb} bind def
-/col4 {1.000 0.000 0.000 srgb} bind def
-/col5 {1.000 0.000 1.000 srgb} bind def
-/col6 {1.000 1.000 0.000 srgb} bind def
-/col7 {1.000 1.000 1.000 srgb} bind def
-/col8 {0.000 0.000 0.560 srgb} bind def
-/col9 {0.000 0.000 0.690 srgb} bind def
-/col10 {0.000 0.000 0.820 srgb} bind def
-/col11 {0.530 0.810 1.000 srgb} bind def
-/col12 {0.000 0.560 0.000 srgb} bind def
-/col13 {0.000 0.690 0.000 srgb} bind def
-/col14 {0.000 0.820 0.000 srgb} bind def
-/col15 {0.000 0.560 0.560 srgb} bind def
-/col16 {0.000 0.690 0.690 srgb} bind def
-/col17 {0.000 0.820 0.820 srgb} bind def
-/col18 {0.560 0.000 0.000 srgb} bind def
-/col19 {0.690 0.000 0.000 srgb} bind def
-/col20 {0.820 0.000 0.000 srgb} bind def
-/col21 {0.560 0.000 0.560 srgb} bind def
-/col22 {0.690 0.000 0.690 srgb} bind def
-/col23 {0.820 0.000 0.820 srgb} bind def
-/col24 {0.500 0.190 0.000 srgb} bind def
-/col25 {0.630 0.250 0.000 srgb} bind def
-/col26 {0.750 0.380 0.000 srgb} bind def
-/col27 {1.000 0.500 0.500 srgb} bind def
-/col28 {1.000 0.630 0.630 srgb} bind def
-/col29 {1.000 0.750 0.750 srgb} bind def
-/col30 {1.000 0.880 0.880 srgb} bind def
-/col31 {1.000 0.840 0.000 srgb} bind def
-
-end
-save
--142.0 971.0 translate
-1 -1 scale
-
-/cp {closepath} bind def
-/ef {eofill} bind def
-/gr {grestore} bind def
-/gs {gsave} bind def
-/sa {save} bind def
-/rs {restore} bind def
-/l {lineto} bind def
-/m {moveto} bind def
-/rm {rmoveto} bind def
-/n {newpath} bind def
-/s {stroke} bind def
-/sh {show} bind def
-/slc {setlinecap} bind def
-/slj {setlinejoin} bind def
-/slw {setlinewidth} bind def
-/srgb {setrgbcolor} bind def
-/rot {rotate} bind def
-/sc {scale} bind def
-/sd {setdash} bind def
-/ff {findfont} bind def
-/sf {setfont} bind def
-/scf {scalefont} bind def
-/sw {stringwidth} bind def
-/tr {translate} bind def
-/tnt {dup dup currentrgbcolor
- 4 -2 roll dup 1 exch sub 3 -1 roll mul add
- 4 -2 roll dup 1 exch sub 3 -1 roll mul add
- 4 -2 roll dup 1 exch sub 3 -1 roll mul add srgb}
- bind def
-/shd {dup dup currentrgbcolor 4 -2 roll mul 4 -2 roll mul
- 4 -2 roll mul srgb} bind def
-/$F2psBegin {$F2psDict begin /$F2psEnteredState save def} def
-/$F2psEnd {$F2psEnteredState restore end} def
-
-$F2psBegin
-10 setmiterlimit
-n 0 79200 m 0 0 l 61200 0 l 61200 79200 l cp clip
- 0.06000 0.06000 sc
-7.500 slw
-% Polyline
-n 2385 5385 m 10785 5385 l 10785 3585 l 2385 3585 l cp gs col-1 s gr
-% Polyline
-n 2385 8940 m 10785 8940 l 10785 7140 l 2385 7140 l cp gs col-1 s gr
-60.000 slw
-% Polyline
-gs clippath
-6435 13410 m 6585 12690 l 6735 13410 l 6735 12480 l 6435 12480 l cp clip
-n 6585 14355 m 6585 12555 l gs col7 0.95 shd ef gr gs col-1 s gr gr
-
-% arrowhead
-n 6435 13410 m 6585 12690 l 6735 13410 l 6585 13290 l 6435 13410 l cp gs 0.00 setgray ef gr col-1 s
-7.500 slw
-% Polyline
-n 2385 12555 m 10785 12555 l 10785 10755 l 2385 10755 l cp gs col-1 s gr
-45.000 slw
-% Polyline
-gs clippath
-6465 9624 m 6585 9048 l 6705 9624 l 6705 8880 l 6465 8880 l cp clip
-n 6585 10740 m 6585 8940 l gs col7 0.95 shd ef gr gs col-1 s gr gr
-
-% arrowhead
-n 6465 9624 m 6585 9048 l 6705 9624 l 6585 9528 l 6465 9624 l cp gs 0.00 setgray ef gr col-1 s
-30.000 slw
-% Polyline
-gs clippath
-6495 5898 m 6585 5466 l 6675 5898 l 6675 5340 l 6495 5340 l cp clip
-n 6585 7185 m 6585 5385 l gs col7 0.95 shd ef gr gs col-1 s gr gr
-
-% arrowhead
-n 6495 5898 m 6585 5466 l 6675 5898 l 6585 5826 l 6495 5898 l cp gs 0.00 setgray ef gr col-1 s
-15.000 slw
-% Polyline
-gs clippath
-6540 1542 m 6600 1254 l 6660 1542 l 6660 1170 l 6540 1170 l cp clip
-n 6600 3600 m 6600 1200 l gs col7 0.95 shd ef gr gs col-1 s gr gr
-
-% arrowhead
-n 6540 1542 m 6600 1254 l 6660 1542 l 6600 1494 l 6540 1542 l cp gs 0.00 setgray ef gr col-1 s
-% Polyline
- [100.0] 0 sd
-gs clippath
-3060 10506 m 3000 10746 l 2940 10506 l 2940 10830 l 3060 10830 l cp clip
-n 3000 9000 m 3000 10800 l gs col7 0.95 shd ef gr gs col-1 s gr gr
- [] 0 sd
-% arrowhead
-n 3060 10506 m 3000 10746 l 2940 10506 l 3000 10506 l 3060 10506 l cp gs col7 1.00 shd ef gr col-1 s
-% Polyline
- [100.0] 0 sd
-gs clippath
-3060 6906 m 3000 7146 l 2940 6906 l 2940 7230 l 3060 7230 l cp clip
-n 3000 5400 m 3000 7200 l gs col7 0.95 shd ef gr gs col-1 s gr gr
- [] 0 sd
-% arrowhead
-n 3060 6906 m 3000 7146 l 2940 6906 l 3000 6906 l 3060 6906 l cp gs col7 1.00 shd ef gr col-1 s
-% Polyline
- [100.0] 0 sd
-gs clippath
-3060 3306 m 3000 3546 l 2940 3306 l 2940 3630 l 3060 3630 l cp clip
-n 3000 1200 m 3000 3600 l gs col7 0.95 shd ef gr gs col-1 s gr gr
- [] 0 sd
-% arrowhead
-n 3060 3306 m 3000 3546 l 2940 3306 l 3000 3306 l 3060 3306 l cp gs col7 1.00 shd ef gr col-1 s
-7.500 slw
-% Polyline
-n 2385 14355 m 10785 14355 l 10785 16155 l 2385 16155 l cp gs col7 0.50 shd ef gr gs col-1 s gr
-/Helvetica-Bold ff 540.00 scf sf
-5520 15442 m
-gs 1 -1 sc (Network) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-6885 6405 m
-gs 1 -1 sc (Event stream) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-6855 2835 m
-gs 1 -1 sc (Record to disk) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-6825 2265 m
-gs 1 -1 sc (Real-time notification) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-6885 9960 m
-gs 1 -1 sc (Filtered packet stream) col-1 sh gr
-/Times-Bold ff 540.00 scf sf
-6615 8220 m
-gs 1 -1 sc (Event Engine) dup sw pop 2 div neg 0 rm col-1 sh gr
-/Helvetica ff 360.00 scf sf
-3210 2505 m
-gs 1 -1 sc (Policy script) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-3210 6405 m
-gs 1 -1 sc (Event control) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-3210 10005 m
-gs 1 -1 sc (Tcpdump filter) col-1 sh gr
-/Helvetica ff 360.00 scf sf
-6885 13575 m
-gs 1 -1 sc (Packet stream) col-1 sh gr
-/Times-Bold ff 540.00 scf sf
-6615 4665 m
-gs 1 -1 sc (Policy Script Interpreter) dup sw pop 2 div neg 0 rm col-1 sh gr
-/Courier-Bold ff 540.00 scf sf
-6615 11835 m
-gs 1 -1 sc (libpcap) dup sw pop 2 div neg 0 rm col-1 sh gr
-$F2psEnd
-rs
-%%EndDocument
-
- endTexFig
- 220 2398 a Fs(Figure)19 b(1:)25 b(Structure)20 b(of)f(the)i(Bro)f
-(system)-150 2675 y(Bro)d(does)h(for)e(six)i(Internet)e(applications:)
-23 b(FTP)-9 b(,)17 b(Finger)m(,)g(Portmap-)-150 2775
-y(per)m(,)22 b(Ident,)g(T)-6 b(elnet)22 b(and)g(Rlogin.)31
-b Fi(x)23 b Fs(7)g(gi)n(v)o(es)f(the)g(status)h(of)f(the)h(im-)-150
-2874 y(plementation)i(and)i(our)g(e)o(xperiences)e(with)j(it,)h
-(including)d(a)h(brief)-150 2974 y(assessment)d(of)g(its)g
-(performance.)33 b Fi(x)24 b Fs(8)g(of)n(fers)e(some)i(thoughts)e(on)
--150 3074 y(future)28 b(directions.)51 b(Finally)-5 b(,)30
-b(an)f(Appendix)e(illustrates)j(ho)n(w)f(the)-150 3173
-y(dif)n(ferent)21 b(elements)h(of)g(the)g(system)h(come)e(together)g
-(for)h(monitor)n(-)-150 3273 y(ing)e(Finger)f(traf)n(\002c.)-150
-3580 y Ft(2)119 b(Structur)n(e)31 b(of)f(the)g(system)-150
-3775 y Fs(Bro)e(is)g(conceptually)e(di)n(vided)g(into)h(an)h(\223e)n(v)
-o(ent)f(engine\224)f(that)i(re-)-150 3874 y(duces)15
-b(a)g(stream)h(of)f(\(\002ltered\))f(pack)o(ets)h(to)g(a)h(stream)f(of)
-g(higher)n(-le)n(v)o(el)-150 3974 y(netw)o(ork)i(e)n(v)o(ents,)i(and)f
-(an)g(interpreter)f(for)h(a)h(specialized)f(language)-150
-4074 y(that)25 b(is)i(used)e(to)g(e)o(xpress)g(a)h(site')-5
-b(s)26 b(security)f(polic)o(y)-5 b(.)39 b(More)25 b(gener)n(-)-150
-4173 y(ally)-5 b(,)20 b(the)g(system)h(is)g(structured)e(in)i(layers,)f
-(as)h(sho)n(wn)e(in)i(Figure)f(1.)-150 4273 y(The)26
-b(lo)n(wer)n(-most)f(layers)h(process)g(the)h(greatest)f(v)n(olume)f
-(of)h(data,)-150 4373 y(and)20 b(hence)f(must)i(limit)g(the)f(w)o(ork)g
-(performed)d(to)k(a)g(minimum.)j(As)-150 4472 y(we)i(go)g(higher)e(up)h
-(through)f(the)i(layers,)g(the)g(data)g(stream)g(dimin-)-150
-4572 y(ishes,)g(allo)n(wing)d(for)g(more)h(processing)f(per)g(data)h
-(item.)38 b(This)24 b(ba-)-150 4671 y(sic)h(design)f(re\003ects)h(the)g
-(need)f(to)h(conserv)o(e)e(processing)g(as)j(much)-150
-4771 y(as)i(possible,)h(in)f(order)e(to)i(meet)f(the)h(goals)f(of)h
-(monitoring)d(high-)-150 4871 y(speed,)20 b(lar)o(ge)f(v)n(olume)g
-(traf)n(\002c)h(\003o)n(ws)g(without)g(dropping)d(pack)o(ets.)-150
-5135 y Fh(2.1)99 b Fg(libpcap)-150 5300 y Fs(From)18
-b(the)h(perspecti)n(v)o(e)f(of)g(the)h(rest)h(of)f(the)g(system,)g
-(just)g(abo)o(v)o(e)f(the)-150 5400 y(netw)o(ork)24 b(itself)i(is)g
-Fm(libpcap)e Fs([MLJ94)n(],)j(the)e(pack)o(et-capture)d(li-)2049
--104 y(brary)j(used)h(by)g Fm(tcpdump)f Fs([JLM89)o(].)43
-b(Using)26 b Fm(libpcap)f Fs(gains)2049 -5 y(signi\002cant)34
-b(adv)n(antages:)51 b(it)35 b(isolates)g(Bro)f(from)f(details)i(of)f
-(the)2049 95 y(netw)o(ork)k(link)g(technology)f(\(Ethernet,)42
-b(FDDI,)d(SLIP)-9 b(,)39 b(etc.\);)48 b(it)2049 194 y(greatly)21
-b(aids)h(in)g(porting)f(Bro)g(to)i(dif)n(ferent)d(Unix)h(v)n(ariants)g
-(\(which)2049 294 y(also)28 b(mak)o(es)f(it)h(easier)f(to)h(upgrade)d
-(to)j(f)o(aster)f(hardw)o(are)f(as)i(it)g(be-)2049 394
-y(comes)34 b(a)n(v)n(ailable\);)41 b(and)34 b(it)h(means)f(that)g(Bro)h
-(can)f(also)h(operate)2049 493 y(on)c Fm(tcpdump)f Fs(sa)n(v)o(e)h
-(\002les,)k(making)29 b(of)n(f-line)h(de)n(v)o(elopment)e(and)2049
-593 y(analysis)20 b(easy)-5 b(.)2132 693 y(Another)24
-b(major)g(adv)n(antage)f(of)h Fm(libpcap)h Fs(is)g(that)g(if)h(the)f
-(host)2049 792 y(operating)41 b(system)i(pro)o(vides)e(a)i(suf)n
-(\002ciently)e(po)n(werful)g(k)o(ernel)2049 892 y(pack)o(et)32
-b(\002lter)m(,)k(such)d(as)h(BPF)g([MJ93)o(],)i(then)d
-Fm(libpcap)f Fs(do)n(wn-)2049 992 y(loads)18 b(the)f(\002lter)h(used)g
-(to)g(reduce)e(the)i(traf)n(\002c)f(into)h(the)g(k)o(ernel.)23
-b(Con-)2049 1091 y(sequently)-5 b(,)17 b(rather)g(than)h(ha)n(ving)g
-(to)g(haul)g(e)n(v)o(ery)f(pack)o(et)h(up)g(to)h(user)n(-)2049
-1191 y(le)n(v)o(el)30 b(merely)f(so)i(the)f(majority)f(can)h(be)g
-(discarded)f(\(if)h(the)g(\002lter)2049 1291 y(accepts)e(only)g(a)h
-(small)f(proportion)e(of)i(the)g(traf)n(\002c\),)i(the)e(rejected)2049
-1390 y(pack)o(ets)d(can)f(instead)h(be)g(discarded)e(in)i(the)g(k)o
-(ernel,)g(without)f(suf-)2049 1490 y(fering)i(a)i(conte)o(xt)e(switch)h
-(or)g(data)h(cop)o(ying.)44 b(W)m(inno)n(wing)26 b(do)n(wn)2049
-1589 y(the)c(pack)o(et)g(stream)g(as)h(soon)f(as)g(possible)g(greatly)g
-(abets)g(monitor)n(-)2049 1689 y(ing)e(at)h(high)e(speeds)h(without)f
-(losing)h(pack)o(ets.)2132 1789 y(The)26 b(k)o(e)o(y)g(to)h(pack)o(et)f
-(\002ltering)g(is,)j(of)d(course,)h(judicious)e(selec-)2049
-1889 y(tion)e(of)f(which)g(pack)o(ets)h(to)g(k)o(eep)f(and)h(which)f
-(to)h(discard.)32 b(F)o(or)23 b(the)2049 1988 y(application)17
-b(protocols)f(that)j(Bro)f(kno)n(ws)f(about,)h(it)h(captures)e(e)n(v)o
-(ery)2049 2088 y(pack)o(et,)25 b(so)g(it)g(can)f(analyze)g(ho)n(w)g
-(the)g(application)f(is)j(being)d(used.)2049 2187 y(In)d
-Fm(tcpdump)p Fs(')-5 b(s)20 b(\002ltering)f(language,)g(this)h(looks)g
-(lik)o(e:)2208 2351 y Ff(port)40 b(finger)f(or)g(port)g(ftp)h(or)f(tcp)
-h(port)f(113)g(or)2208 2430 y(port)h(telnet)f(or)g(port)g(login)h(or)f
-(port)g(111)2049 2613 y Fs(That)34 b(is,)k(the)c(\002lter)h(accepts)f
-(an)o(y)f(TCP)i(pack)o(ets)f(with)g(a)g(source)2049 2713
-y(or)g(destination)f(port)g(of)h(79)g(\(Finger\),)i(21)d(\(FTP\),)h
-(113)f(\(Ident\),)2049 2813 y(23)18 b(\(T)-6 b(elnet\),)17
-b(513)g(\(Rlogin\),)g(and)h(an)o(y)f(TCP)i(or)f(UDP)h(pack)o(ets)e
-(with)2049 2912 y(a)g(source)f(or)g(destination)f(port)h(of)g(111)g
-(\(Portmapper\).)21 b(In)16 b(addition,)2049 3012 y(Bro)k(uses:)2208
-3175 y Ff(tcp[13])39 b(&)h(7)g(!=)f(0)2049 3359 y Fs(to)19
-b(capture)f(an)o(y)g(TCP)i(pack)o(ets)e(with)h(the)g(SYN,)g(FIN,)g(or)g
-(RST)g(con-)2049 3458 y(trol)i(bits)g(set.)27 b(These)21
-b(pack)o(ets)f(delimit)h(the)f(be)o(ginning)f(\(SYN\))h(and)2049
-3558 y(end)f(\(FIN)g(or)h(RST\))g(of)f(each)g(TCP)i(connection.)h
-(Because)e(TCP/IP)2049 3658 y(pack)o(et)i(headers)g(contain)f
-(considerable)g(information)f(about)i(each)2049 3757
-y(TCP)36 b(connection,)i(from)c(just)i(these)g(control)e(pack)o(ets)i
-(one)f(can)2049 3857 y(e)o(xtract)30 b(connection)e(start)j(time,)j
-(duration,)d(participating)e(hosts,)2049 3957 y(ports)15
-b(\(and)g(hence,)g(generally)-5 b(,)15 b(the)g(application)f
-(protocol\),)h(and)g(the)2049 4056 y(number)24 b(of)h(bytes)h(sent)g
-(in)f(each)h(direction.)40 b(Thus,)26 b(by)f(capturing)2049
-4156 y(on)f(the)g(order)f(of)i(only)e(4)h(pack)o(ets)h(\(the)f(tw)o(o)g
-(initial)h(SYN)g(pack)o(ets)2049 4255 y(e)o(xchanged,)30
-b(and)g(the)g(\002nal)h(tw)o(o)g(FIN)f(pack)o(ets)g(e)o(xchanged\),)g
-(we)2049 4355 y(can)c(determine)f(a)i(great)f(deal)g(about)g(a)h
-(connection)d(e)n(v)o(en)h(though)2049 4455 y(we)c(\002lter)f(out)g
-(all)h(of)f(its)h(data)f(pack)o(ets.)2132 4555 y(The)g(\002nal)g
-(\002lter)h(we)f(use)h(is:)2208 4718 y Ff(ip[6:2])39
-b(&)h(0x3fff)f(!=)g(0)2049 4902 y Fs(which)f(captures)g(IP)i
-(fragments,)i(necessary)c(for)g(sound)g(traf)n(\002c)2049
-5001 y(analysis,)21 b(and)g(also)g(to)h(protect)e(against)h(particular)
-e(attacks)j(on)f(the)2049 5101 y(monitoring)d(system)i
-Fi(x)h Fs(5.3.)2132 5201 y(When)j(using)f(a)i(pack)o(et)e(\002lter)m(,)
-i(one)e(must)h(also)g(choose)f(a)i Fr(snap-)2049 5300
-y(shot)37 b(length)p Fs(,)j(which)c(determines)g(ho)n(w)h(much)f(of)g
-(each)h(pack)o(et)2049 5400 y(should)20 b(be)g(captured.)25
-b(F)o(or)20 b(e)o(xample,)f(by)h(def)o(ault)g Fm(tcpdump)g
-Fs(uses)1929 5649 y(3)p eop
-%%Page: 4 4
-4 3 bop -150 -104 a Fs(a)20 b(snapshot)e(length)g(of)h(68)g(bytes,)g
-(which)f(suf)n(\002ces)i(to)f(capture)f(link-)-150 -5
-y(layer)g(and)g(TCP/IP)i(headers,)e(b)n(ut)h(generally)e(discards)h
-(most)h(of)g(the)-150 95 y(data)j(in)h(the)f(pack)o(et.)32
-b(The)22 b(smaller)g(the)h(snapshot)e(length,)h(the)g(less)-150
-194 y(data)e(per)f(accepted)g(pack)o(et)g(needs)h(to)g(copied)e(up)i
-(to)g(the)g(user)n(-le)n(v)o(el)-150 294 y(by)29 b(the)g(pack)o(et)g
-(\002lter)m(,)i(which)d(aids)i(in)f(accelerating)f(pack)o(et)h(pro-)
--150 394 y(cessing)j(and)g(a)n(v)n(oiding)f(loss.)61
-b(On)32 b(the)g(other)f(hand,)j(to)e(analyze)-150 493
-y(connections)14 b(at)i(the)g(application)e(le)n(v)o(el,)i(Bro)g
-(requires)f(the)h(full)g(data)-150 593 y(contents)25
-b(of)h(each)g(pack)o(et.)42 b(Consequently)-5 b(,)25
-b(it)i(sets)g(the)f(snapshot)-150 693 y(length)19 b(to)i(capture)e
-(entire)h(pack)o(ets.)-150 945 y Fh(2.2)99 b(Ev)o(ent)26
-b(engine)-150 1105 y Fs(The)21 b(resulting)g(\002ltered)g(pack)o(et)g
-(stream)h(is)g(then)g(handed)e(up)h(to)h(the)-150 1205
-y(ne)o(xt)g(layer)m(,)g(the)h(Bro)g(\223e)n(v)o(ent)f(engine.)-6
-b(\224)32 b(This)22 b(layer)h(\002rst)g(performs)-150
-1305 y(se)n(v)o(eral)d(inte)o(grity)g(checks)h(to)g(assure)g(that)g
-(the)g(pack)o(et)f(headers)h(are)-150 1404 y(well-formed,)d(including)g
-(v)o(erifying)f(the)j(IP)h(header)d(checksum.)24 b(If)-150
-1504 y(these)e(checks)g(f)o(ail,)h(then)e(Bro)h(generates)g(an)g(e)n(v)
-o(ent)f(indicating)g(the)-150 1604 y(problem)h(and)h(discards)h(the)f
-(pack)o(et.)35 b(It)24 b(is)h(also)f(at)g(this)g(point)f(that)-150
-1703 y(Bro)29 b(reassembles)g(IP)h(fragments)d(so)j(it)g(can)f(then)f
-(analyze)g(com-)-150 1803 y(plete)20 b(IP)h(datagrams.)-67
-1905 y(If)37 b(the)h(checks)f(succeed,)k(then)c(the)g(e)n(v)o(ent)g
-(engine)f(looks)h(up)-150 2005 y(the)f(connection)f(state)i(associated)
-f(with)g(the)h(tuple)f(of)g(the)g(tw)o(o)-150 2104 y(IP)30
-b(addresses)g(and)f(the)h(tw)o(o)g(TCP)h(or)f(UDP)g(port)f(numbers,)i
-(cre-)-150 2204 y(ating)22 b(ne)n(w)g(state)i(if)f(none)e(already)g(e)o
-(xists.)33 b(It)23 b(then)f(dispatches)g(the)-150 2304
-y(pack)o(et)32 b(to)g(a)h(handler)e(for)h(the)g(corresponding)d
-(connection)h(\(de-)-150 2403 y(scribed)24 b(shortly\).)35
-b(Bro)25 b(maintains)e(a)i Fm(tcpdump)e Fs(trace)i(\002le)f(asso-)-150
-2503 y(ciated)i(with)g(the)f(traf)n(\002c)h(it)g(sees.)43
-b(The)25 b(connection)f(handler)g(indi-)-150 2603 y(cates)17
-b(upon)f(return)f(whether)h(the)h(engine)f(should)g(record)f(the)i
-(entire)-150 2702 y(pack)o(et)j(to)h(the)f(trace)h(\002le,)g(just)g
-(its)h(header)m(,)c(or)j(nothing)e(at)i(all.)26 b(This)-150
-2802 y(triage)f(trades)g(of)n(f)f(the)h(completeness)f(of)h(the)g(traf)
-n(\002c)g(trace)g(v)o(ersus)-150 2901 y(its)h(size)g(and)f(time)h
-(spent)f(generating)e(the)i(trace.)41 b(Generally)-5
-b(,)24 b(Bro)-150 3001 y(records)f(full)h(pack)o(ets)g(if)h(it)g
-(analyzed)e(the)h(entire)g(pack)o(et;)i(just)f(the)-150
-3101 y(header)16 b(if)h(it)h(only)e(analyzed)f(the)i(pack)o(et)f(for)h
-(SYN/FIN/RST)g(com-)-150 3200 y(putations;)j(and)h(skips)g(recording)e
-(the)h(pack)o(et)h(if)g(it)h(did)e(not)h(do)f(an)o(y)-150
-3300 y(processing)f(on)h(it.)-67 3402 y(W)-7 b(e)25 b(no)n(w)e(gi)n(v)o
-(e)g(an)h(o)o(v)o(ervie)n(w)e(of)h(general)g(processing)f(done)h(for)
--150 3502 y(TCP)28 b(and)f(UDP)h(pack)o(ets.)46 b(In)27
-b(both)g(cases,)i(the)f(processing)e(ends)-150 3601 y(with)j(in)m(v)n
-(oking)d(a)j(handler)e(to)i(process)f(the)g(data)g(payload)f(of)i(the)
--150 3701 y(pack)o(et.)24 b(F)o(or)c(applications)e(kno)n(wn)g(to)i
-(Bro,)g(this)g(results)g(in)g(further)-150 3801 y(analysis,)g(as)g
-(discussed)f(in)h Fi(x)g Fs(6.)25 b(F)o(or)19 b(other)g(applications,)g
-(analysis)-150 3900 y(ends)h(at)h(this)f(point.)-67 4003
-y Fl(TCP)41 b(pr)o(ocessing)o(.)87 b Fs(F)o(or)40 b(each)h(TCP)g(pack)o
-(et,)k(the)c(connec-)-150 4102 y(tion)25 b(handler)e(\(a)i(C++)h
-(virtual)e(function\))f(v)o(eri\002es)i(that)g(the)g(entire)-150
-4202 y(TCP)c(header)e(is)j(present)d(and)h(v)n(alidates)g(the)h(TCP)g
-(checksum)e(o)o(v)o(er)-150 4301 y(the)30 b(pack)o(et)g(header)f(and)h
-(payload.)53 b(If)30 b(successful,)j(it)e(then)e(tests)-150
-4401 y(whether)23 b(the)g(TCP)i(header)e(includes)g(an)o(y)g(of)g(the)h
-(SYN/FIN/RST)-150 4501 y(control)35 b(\003ags,)41 b(and)36
-b(if)h(so)g(adjusts)g(the)f(connection')-5 b(s)35 b(state)j(ac-)-150
-4600 y(cordingly)-5 b(.)46 b(Finally)-5 b(,)29 b(it)f(processes)g(an)o
-(y)f(data)h(ackno)n(wledgement)-150 4700 y(present)23
-b(in)h(the)f(header)m(,)g(and)g(then)g(in)m(v)n(ok)o(es)f(a)i(handler)e
-(to)i(process)-150 4800 y(the)c(payload)f(data,)h(if)g(an)o(y)-5
-b(.)-67 4902 y(Dif)n(ferent)28 b(changes)g(in)i(the)f(connection')-5
-b(s)28 b(state)i(generate)e(dif-)-150 5001 y(ferent)42
-b(e)n(v)o(ents.)93 b(When)43 b(the)g(initial)h(SYN)g(pack)o(et)e
-(requesting)-150 5101 y(a)37 b(connection)e(is)j(seen,)j(the)c(e)n(v)o
-(ent)f(engine)g(schedules)g(a)i(timer)-150 5201 y(for)i
-Fj(T)52 b Fs(seconds)40 b(in)g(the)h(future)e(\(presently)-5
-b(,)43 b(\002)n(v)o(e)e(minutes\);)49 b(if)-150 5300
-y(the)h(timer)g(e)o(xpires)g(and)f(the)i(connection)d(has)i(not)g
-(changed)-150 5400 y(state,)23 b(then)e(the)h(engine)f(generates)g(a)h
-Fm(connection)p 1479 5400 25 4 v 28 w(attempt)2049 -104
-y Fs(e)n(v)o(ent.)125 b(If)54 b(before)f(that)h(time,)62
-b(ho)n(we)n(v)o(er)m(,)e(the)54 b(other)f(con-)2049 -5
-y(nection)g(endpoint)f(replies)h(with)h(a)g(correct)f(SYN)h(ackno)n(w-)
-2049 95 y(ledgement)35 b(pack)o(et,)k(then)d(the)g(engine)f
-(immediately)g(generates)2049 194 y(a)44 b Fm(connection)p
-2635 194 V 28 w(established)e Fs(e)n(v)o(ent,)48 b(and)42
-b(cancels)i(the)2049 294 y(connection)49 b(attempt)i(timer)-5
-b(.)118 b(On)51 b(the)g(other)g(hand,)57 b(if)52 b(the)2049
-394 y(endpoint)c(replies)h(with)h(a)g(RST)g(pack)o(et,)57
-b(then)49 b(the)g(connec-)2049 493 y(tion)38 b(attempt)g(has)h(been)e
-(rejected,)42 b(and)c(the)g(engine)g(generates)2049 593
-y Fm(connection)p 2554 593 V 28 w(rejected)p Fs(.)47
-b(Similarly)-5 b(,)28 b(if)h(a)f(connection)d(ter)n(-)2049
-693 y(minates)31 b(via)g(a)h(normal)e(FIN)i(e)o(xchange,)f(then)g(the)g
-(engine)f(gen-)2049 792 y(erates)23 b Fm(connection)p
-2771 792 V 28 w(finished)p Fs(.)34 b(It)23 b(also)h(generates)e(se)n(v)
-o(eral)2049 892 y(other)f(e)n(v)o(ents)g(re\003ecting)g(more)g(unusual)
-g(w)o(ays)h(in)g(which)f(connec-)2049 991 y(tions)f(can)g(terminate.)
-2132 1099 y Fl(UDP)j(pr)o(ocessing)o(.)34 b Fs(UDP)24
-b(processing)e(is)i(similar)f(b)n(ut)h(simpler)m(,)2049
-1199 y(since)k(there)f(is)h(no)f(connection)f(state,)k(e)o(xcept)c(in)i
-(one)f(re)o(gard.)45 b(If)2049 1299 y(host)16 b Fj(A)g
-Fs(sends)g(a)g(UDP)g(pack)o(et)f(to)h(host)g Fj(B)k Fs(with)c(a)g
-(source)f(port)g(of)g Fj(p)3996 1311 y Fe(A)2049 1398
-y Fs(and)k(a)h(destination)e(port)h(of)g Fj(p)2915 1410
-y Fe(B)2972 1398 y Fs(,)h(then)f(Bro)h(considers)e Fj(A)i
-Fs(as)h(ha)n(ving)2049 1498 y(initiated)16 b(a)h(\223request\224)e(to)i
-Fj(B)t Fs(,)g(and)f(establishes)h(pseudo-connection)2049
-1597 y(state)27 b(associated)g(with)f(that)h(request.)43
-b(If)27 b Fj(B)k Fs(subsequently)25 b(sends)2049 1697
-y(a)31 b(UDP)g(pack)o(et)e(to)i Fj(A)g Fs(with)f(a)h(source)e(port)h
-(of)g Fj(p)3549 1709 y Fe(B)3636 1697 y Fs(and)g(destina-)2049
-1797 y(tion)d Fj(p)2248 1809 y Fe(A)2302 1797 y Fs(,)j(then)e(Bro)f
-(considers)g(this)i(pack)o(et)e(to)h(re\003ect)f(a)i(\223reply\224)2049
-1896 y(to)23 b(the)f(request.)32 b(The)22 b(handlers)g(\(virtual)f
-(functions\))g(for)h(the)h(UDP)2049 1996 y(payload)j(data)i(can)f(then)
-g(readily)g(distinguish)g(between)g(requests)2049 2096
-y(and)22 b(replies)g(for)g(the)g(usual)h(case)g(when)e(UDP)i(traf)n
-(\002c)f(follo)n(ws)g(that)2049 2195 y(pattern.)43 b(The)26
-b(def)o(ault)g(handlers)f(for)h(UDP)h(requests)f(and)g(replies)2049
-2295 y(simply)20 b(generate)f Fm(udp)p 2753 2295 V 29
-w(request)h Fs(and)f Fm(udp)p 3442 2295 V 30 w(reply)g
-Fs(e)n(v)o(ents.)2049 2578 y Fh(2.3)124 b(P)n(olicy)24
-b(script)h(inter)o(pr)n(eter)2049 2749 y Fs(After)30
-b(the)g(e)n(v)o(ent)f(engine)g(has)h(\002nished)g(processing)f(a)h
-(pack)o(et,)i(it)2049 2849 y(then)h(checks)g(whether)f(the)h
-(processing)f(generated)g(an)o(y)g(e)n(v)o(ents.)2049
-2948 y(\(These)26 b(are)h(k)o(ept)f(on)g(a)h(FIFO)g(queue.\))43
-b(If)27 b(so,)h(it)g(processes)e(each)2049 3048 y(e)n(v)o(ent)h(until)h
-(the)f(queue)g(is)i(empty)-5 b(,)28 b(as)h(described)d(belo)n(w)-5
-b(.)47 b(It)28 b(also)2049 3148 y(checks)19 b(whether)f(an)o(y)h(timer)
-g(e)n(v)o(ents)g(ha)n(v)o(e)g(e)o(xpired,)e(and)i(if)h(so)g(pro-)2049
-3247 y(cesses)h(them,)f(too)g(\(see)g Fi(x)h Fs(4)f(for)g(more)f(on)h
-(timer)g(e)o(xpiration\).)3882 3217 y Fn(2)2132 3355
-y Fs(A)d(k)o(e)o(y)e(f)o(acet)i(of)f(Bro')-5 b(s)17 b(design)e(is)i
-(the)g(clear)f(distinction)f(between)2049 3455 y(the)33
-b(generation)d(of)j(e)n(v)o(ents)e(v)o(ersus)i(what)f(to)h(do)f(in)h
-(response)e(to)2049 3554 y(the)26 b(e)n(v)o(ents.)40
-b(These)26 b(are)g(sho)n(wn)f(as)h(separate)f(box)o(es)g(in)h(Figure)f
-(1,)2049 3654 y(and)18 b(this)h(structure)f(re\003ects)g(the)h
-(separation)e(between)h(mechanism)2049 3754 y(and)25
-b(polic)o(y)g(discussed)g(in)h Fi(x)h Fs(1.)42 b(The)25
-b(\223polic)o(y)g(script)g(interpreter\224)2049 3853
-y(e)o(x)o(ecutes)17 b(scripts)h(written)g(in)g(the)g(specialized)f
-Fm(Bro)h Fs(language)e(\(de-)2049 3953 y(tailed)h(in)h
-Fi(x)g Fs(3\).)24 b(These)17 b(scripts)h(specify)f(e)n(v)o(ent)f
-(handlers,)h(which)g(are)2049 4052 y(essentially)26 b(identical)f(to)h
-(Bro)g(functions)e(e)o(xcept)h(that)h(the)o(y)f(don')o(t)2049
-4152 y(return)19 b(a)i(v)n(alue.)k(F)o(or)20 b(each)g(e)n(v)o(ent)f
-(passed)i(to)f(the)h(interpreter)m(,)d(it)j(re-)2049
-4252 y(trie)n(v)o(es)g(the)h(\(semi-\)compiled)d(code)i(for)g(the)g
-(corresponding)d(han-)2049 4351 y(dler)m(,)28 b(binds)e(the)h(v)n
-(alues)f(of)h(the)f(e)n(v)o(ents)h(to)f(the)h(ar)o(guments)e(of)i(the)p
-2049 4455 801 4 v 2134 4509 a Fk(2)2169 4532 y Fp(There)e(is)f(a)h
-(subtle)h(design)g(decision)g(in)m(v)o(olv)o(ed)h(with)e(processing)i
-(all)e(of)g(the)2049 4611 y(generated)g(e)n(v)o(ents)f(before)g
-(proceeding)h(to)e(read)g(the)g(ne)o(xt)g(pack)o(et.)39
-b(W)-5 b(e)22 b(might)h(be)2049 4690 y(tempted)f(to)e(defer)h(e)n(v)o
-(ent)h(processing)g(until)g(a)e(period)h(of)g(relati)n(v)o(ely)j(light)
-d(acti)n(vity)l(,)2049 4769 y(to)g(aid)g(the)g(engine)h(with)f(k)o
-(eeping)i(up)d(during)h(periods)h(of)e(hea)o(vy)h(load.)32
-b(Ho)n(we)n(v)o(er)m(,)2049 4848 y(doing)24 b(so)f(can)h(lead)h(to)f
-(races:)35 b(the)24 b(\223e)n(v)o(ent)h(control\224)h(arro)n(w)e(in)g
-(Figure)g(1)f(re\003ects)2049 4927 y(the)e(f)o(act)h(that)g(the)f
-(polic)o(y)h(script)g(can,)f(to)g(a)g(limited)h(de)o(gree,)h
-(manipulate)g(the)e(con-)2049 5006 y(nection)h(state)f(maintained)i
-(inside)e(the)f(engine.)31 b(If)19 b(e)n(v)o(ent)j(processing)f(is)f
-(deferred,)2049 5085 y(then)k(such)f(control)h(may)f(happen)h(after)g
-(the)f(connection)j(state)e(has)f(already)i(been)2049
-5163 y(changed)20 b(due)f(to)f(more)g(recently-recei)n(v)o(ed)24
-b(traf)n(\002c.)h(So,)18 b(to)g(ensure)h(that)g(e)n(v)o(ent)h(pro-)2049
-5242 y(cessing)e(al)o(w)o(ays)i(re\003ects)e(fresh)g(data,)g(and)g
-(does)g(not)g(inadv)o(ertently)j(lead)e(to)e(incon-)2049
-5321 y(sistent)k(connection)i(state,)e(we)f(process)h(e)n(v)o(ents)g
-(immediately)l(,)h(before)f(mo)o(ving)g(on)2049 5400
-y(to)c(ne)n(wly-arri)n(v)o(ed)k(netw)o(ork)e(traf)n(\002c.)1929
-5649 y Fs(4)p eop
-%%Page: 5 5
-5 4 bop -150 -104 a Fs(handler)m(,)23 b(and)h(interprets)g(the)g(code.)
-37 b(This)25 b(code)e(in)i(turn)e(can)i(e)o(x)o(e-)-150
--5 y(cute)19 b(arbitrary)e(Bro)i(scripting)f(commands,)f(including)h
-(generating)-150 95 y(ne)n(w)27 b(e)n(v)o(ents,)h(logging)e(real-time)g
-(noti\002cations)g(\(using)h(the)g(Unix)-150 194 y Fr(syslo)o(g)d
-Fs(function\),)e(recording)g(data)h(to)h(disk,)g(or)g(modifying)d
-(inter)n(-)-150 294 y(nal)k(state)g(for)f(access)i(by)e(subsequently)f
-(in)m(v)n(ok)o(ed)g(e)n(v)o(ent)h(handlers)-150 394 y(\(or)c(by)f(the)i
-(e)n(v)o(ent)e(engine)g(itself\).)-67 497 y(Finally)-5
-b(,)41 b(along)c(with)g(separating)g(mechanism)f(from)g(polic)o(y)-5
-b(,)-150 597 y(Bro')g(s)23 b(emphasis)g(on)f(asynchronous)e(e)n(v)o
-(ents)i(as)i(the)f(link)f(between)-150 696 y(the)c(e)n(v)o(ent)f
-(engine)g(and)h(the)g(polic)o(y)e(script)i(interpreter)f(b)n(uys)h(a)g
-(great)-150 796 y(deal)28 b(in)f(terms)h(of)f(e)o(xtensibility)-5
-b(.)46 b(Adding)26 b(ne)n(w)i(functionality)d(to)-150
-896 y(Bro)e(generally)f(consists)i(of)f(adding)e(a)j(ne)n(w)f(protocol)
-e(analyzer)h(to)-150 995 y(the)e(e)n(v)o(ent)f(engine)g(and)h(then)g
-(writing)f(ne)n(w)h(e)n(v)o(ent)f(handlers)g(for)h(the)-150
-1095 y(e)n(v)o(ents)27 b(generated)f(by)h(the)h(analyzer)-5
-b(.)46 b(Neither)27 b(the)h(analyzer)e(nor)-150 1194
-y(the)g(e)n(v)o(ent)f(handlers)g(tend)h(to)g(ha)n(v)o(e)g(much)f(o)o(v)
-o(erlap)f(with)i(e)o(xisting)-150 1294 y(functionality)-5
-b(,)16 b(so)k(for)e(the)h(most)f(part)h(we)g(can)g(a)n(v)n(oid)f(the)h
-(subtle)g(in-)-150 1394 y(teractions)25 b(between)g(loosely)g(coupled)f
-(modules)h(that)h(can)f(easily)-150 1493 y(lead)20 b(to)g(maintenance)f
-(headaches)g(and)g(b)n(uggy)g(programs.)-150 1794 y Ft(3)119
-b(The)31 b Fd(Bro)e Ft(language)-150 1987 y Fs(As)21
-b(discussed)g(abo)o(v)o(e,)d(we)j(e)o(xpress)f(security)g(policies)h
-(in)f(terms)h(of)-150 2086 y(scripts)i(written)g(in)g(the)g
-(specialized)f Fm(Bro)h Fs(language.)31 b(In)23 b(this)g(sec-)-150
-2186 y(tion)18 b(we)g(gi)n(v)o(e)f(an)g(o)o(v)o(ervie)n(w)f(of)h(the)h
-(language')-5 b(s)17 b(features.)23 b(The)17 b(aim)-150
-2285 y(is)25 b(to)g(con)m(v)o(e)o(y)d(the)i(\003a)n(v)n(or)h(of)f(the)g
-(language,)g(rather)f(than)h(describe)-150 2385 y(it)d(precisely)-5
-b(.)-67 2488 y(Our)23 b(goal)f(of)h(\223a)n(v)n(oid)g(simple)g(mistak)o
-(es\224)g(\()p Fi(x)g Fs(1\),)h(while)f(perhaps)-150
-2588 y(sounding)28 b(trite,)k(in)e(f)o(act)g(hea)n(vily)g(in\003uenced)
-e(the)i(design)f(of)h(the)-150 2688 y Fm(Bro)24 b Fs(language.)35
-b(Because)24 b(intrusion)f(detection)g(can)h(form)f(a)h(cor)n(-)-150
-2787 y(nerstone)18 b(of)i(the)f(security)g(measures)g(a)n(v)n(ailable)g
-(to)h(a)g(site,)g(we)g(v)o(ery)-150 2887 y(much)26 b(w)o(ant)g(our)g
-(polic)o(y)f(scripts)i(to)g(beha)n(v)o(e)e(as)j(e)o(xpected.)42
-b(From)-150 2987 y(our)20 b(o)n(wn)h(e)o(xperience,)e(a)j(big)f(step)g
-(to)n(w)o(ards)g(a)n(v)n(oiding)f(surprises)h(is)-150
-3086 y(to)d(use)g(a)g(strongly)f(typed)g(language)f(that)i(detects)g
-(typing)e(inconsis-)-150 3186 y(tencies)21 b(at)h(compile-time,)e(and)g
-(that)i(guarantees)e(that)h(all)h(v)n(ariable)-150 3285
-y(references)h(at)i(run-time)d(will)j(be)f(to)h(v)n(alid)f(v)n(alues.)
-36 b(Furthermore,)-150 3385 y(we)26 b(ha)n(v)o(e)e(come)h(to)g
-(appreciate)f(the)h(bene\002ts)g(of)g(domain-speci\002c)-150
-3485 y(languages,)32 b(that)f(is,)j(languages)29 b(tailored)h(for)g(a)h
-(particular)e(task.)-150 3584 y(Ha)n(ving)c(cobbled)f(together)g(our)h
-(\002rst)h(monitoring)d(system)j(out)f(of)-150 3684 y
-Fm(tcpdump)p Fs(,)30 b Fm(awk)p Fs(,)h(and)d(shell)h(scripts,)i(we)e
-(thirsted)f(for)g(w)o(ays)h(to)-150 3784 y(deal)j(directly)g(with)h
-(hostnames,)h(IP)f(addresses,)i(port)c(numbers,)-150
-3883 y(and)20 b(the)g(lik)o(e,)g(rather)f(than)h(de)n(vising)f(ASCII)h
-(pseudo-equi)n(v)n(alents.)-150 3983 y(By)c(making)e(these)h(sorts)g
-(of)g(entities)h(\002rst-class)g(v)n(alues)f(in)g Fm(Bro)p
-Fs(,)h(we)-150 4082 y(both)k(increase)g(the)h(ease)g(of)g(e)o
-(xpression)e(of)n(fered)g(by)h(the)h(language)-150 4182
-y(and,)h(due)f(to)h(strong)f(typing,)g(catch)h(errors)f(\(such)g(as)i
-(comparing)c(a)-150 4282 y(port)h(to)g(an)g(IP)h(address\))e(that)h
-(might)g(otherwise)f(slip)i(by)-5 b(.)-150 4540 y Fh(3.1)99
-b(Data)25 b(types)g(and)h(constants)-150 4703 y Fl(Atomic)d(types.)35
-b Fm(Bro)23 b Fs(supports)f(se)n(v)o(eral)h(types)g(f)o(amiliar)g(to)g
-(users)-150 4802 y(of)32 b(traditional)g(languages:)48
-b Fm(bool)32 b Fs(for)g(booleans,)i Fm(int)f Fs(for)f(in-)-150
-4902 y(te)o(gers,)25 b Fm(count)f Fs(for)g(non-ne)o(gati)n(v)o(e)d
-(inte)o(gers)j(\(\223unsigned\224)e(in)j(C\),)-150 5001
-y Fm(double)k Fs(for)g(double-precision)d(\003oating)j(point,)i(and)e
-Fm(string)-150 5101 y Fs(for)18 b(a)h(series)g(of)f(bytes.)24
-b(The)19 b(\002rst)g(four)e(of)h(these)h(\(all)g(b)n(ut)f
-Fm(string)p Fs(\))-150 5201 y(are)h(termed)g Fr(arithmetic)g
-Fs(types,)g(and)g(mixing)f(them)h(in)h(e)o(xpressions)-150
-5300 y(promotes)35 b Fm(bool)h Fs(to)h Fm(count)p Fs(,)i
-Fm(count)d Fs(to)h Fm(int)p Fs(,)j(and)c Fm(int)g Fs(to)-150
-5400 y Fm(double)p Fs(.)2132 -104 y Fm(Bro)e Fs(pro)o(vides)d
-Fm(T)j Fs(and)f Fm(F)h Fs(as)g Fm(bool)g Fs(constants)f(for)g(true)g
-(and)2049 -5 y(f)o(alse;)38 b(a)33 b(series)f(of)g(digits)g(for)g
-Fm(count)f Fs(constants;)38 b(and)31 b(C-style)2049 95
-y(constants)20 b(for)f Fm(double)h Fs(and)g Fm(string)p
-Fs(.)2132 194 y(Unlik)o(e)27 b(in)g(C,)g(ho)n(we)n(v)o(er)m(,)f
-Fm(Bro)h Fs(strings)g(are)g(represented)e(inter)n(-)2049
-294 y(nally)j(as)g(a)h(count)e(and)g(a)i(v)o(ector)d(of)i(bytes,)i
-(rather)d(than)g(a)i(NUL-)2049 394 y(terminated)24 b(series)j(of)e
-(bytes.)41 b(This)26 b(dif)n(ference)d(is)k(important)d(be-)2049
-493 y(cause)34 b(NULs)g(can)g(easily)g(be)g(introduced)d(into)j
-(strings)f(deri)n(v)o(ed)2049 593 y(from)22 b(netw)o(ork)f(traf)n
-(\002c,)i(either)f(by)h(the)f(nature)g(of)h(the)f(application,)2049
-693 y(inadv)o(ertently)-5 b(,)35 b(or)f(maliciously)g(by)g(an)g(attack)
-o(er)g(attempting)f(to)2049 792 y(sub)o(v)o(ert)21 b(the)i(monitor)-5
-b(.)30 b(An)23 b(e)o(xample)e(of)h(the)h(latter)g(is)g(sending)f(the)
-2049 892 y(follo)n(wing)d(to)h(an)g(FTP)h(serv)o(er:)2208
-1043 y Ff(USER)40 b(nice\\0USER)e(root)2049 1216 y Fs(where)20
-b(\223)p Fm(\\0)p Fs(\224)g(represents)f(a)i(NUL.)f(Depending)f(on)h
-(ho)n(w)f(it)i(is)h(writ-)2049 1315 y(ten,)33 b(the)e(FTP)h
-(application)d(recei)n(ving)h(this)h(te)o(xt)g(might)f(well)i(in-)2049
-1415 y(terpret)i(it)h(as)h(tw)o(o)f(separate)f(commands,)j(\223)p
-Fm(USER)49 b(nice)p Fs(\224)34 b(fol-)2049 1515 y(lo)n(wed)d(by)g(\223)
-p Fm(USER)49 b(root)p Fs(\224.)58 b(But)32 b(if)g(the)g(monitoring)d
-(program)2049 1614 y(uses)18 b(NUL-terminated)c(strings,)k(then)e(it)i
-(will)g(ef)n(fecti)n(v)o(ely)d(see)i(only)2049 1714 y(\223)p
-Fm(USER)49 b(nice)p Fs(\224)27 b(and)h(ha)n(v)o(e)f(no)h(opportunity)c
-(to)k(detect)g(the)g(sub-)2049 1813 y(v)o(ersi)n(v)o(e)19
-b(action.)2132 1913 y(Similarly)-5 b(,)22 b(it)h(is)h(important)c(that)
-j(when)f(Bro)g(logs)h(such)f(strings,)2049 2013 y(or)33
-b(prints)g(them)f(as)i(te)o(xt)f(to)g(a)h(\002le,)i(that)e(it)f(e)o
-(xpands)f(embedded)2049 2112 y(NULs)19 b(into)g(visible)f(escape)h
-(sequences)f(to)h(\003ag)f(their)h(appearance.)2132 2212
-y Fm(Bro)44 b Fs(also)f(includes)g(a)h(number)e(of)h(non-traditional)e
-(types,)2049 2312 y(geared)35 b(to)n(w)o(ards)h(its)i(speci\002c)f
-(problem)d(domain.)73 b(A)37 b(v)n(alue)f(of)2049 2411
-y(type)23 b Fm(time)h Fs(re\003ects)g(an)g(absolute)f(time,)i(and)e
-Fm(interval)g Fs(a)h(dif-)2049 2511 y(ference)35 b(in)h(time.)74
-b(Subtracting)34 b(tw)o(o)j Fm(time)f Fs(v)n(alues)g(yields)g(an)2049
-2610 y Fm(interval)p Fs(;)17 b(adding)e(or)h(subtracting)f(an)i
-Fm(interval)e Fs(to)i(a)g Fm(time)2049 2710 y Fs(yields)25
-b(a)h Fm(time)p Fs(;)j(adding)24 b(tw)o(o)i Fm(time)f
-Fs(v)n(alues)g(is)i(an)e(error)-5 b(.)40 b(There)2049
-2810 y(are)24 b(presently)e(no)i Fm(time)f Fs(constants,)h(b)n(ut)g
-Fm(interval)f Fs(constants)2049 2909 y(can)33 b(be)h(speci\002ed)f
-(using)g(a)h(numeric)f(\(possibly)f(\003oating-point\))2049
-3009 y(v)n(alue)i(follo)n(wed)f(by)h(a)g(unit)h(of)f(time,)j(such)e(as)
-g(\223)p Fm(30)49 b(min)p Fs(\224)34 b(for)2049 3109
-y(thirty)20 b(minutes.)2132 3208 y(The)k Fm(port)g Fs(type)g
-(corresponds)e(to)i(a)h(TCP)g(or)e(UDP)i(port)f(num-)2049
-3308 y(ber)-5 b(.)24 b(TCP)18 b(and)e(UDP)h(ports)g(are)g(distinct.)23
-b(Thus,)17 b(a)h(v)n(ariable)d(of)i(type)2049 3407 y
-Fm(port)j Fs(can)g(hold)f(either)h(a)h(TCP)g(or)f(a)g(UDP)h(port,)f(b)n
-(ut)g(at)g(an)o(y)g(gi)n(v)o(en)2049 3507 y(time)g(it)h(is)g(holding)e
-(e)o(xactly)g(one)h(of)g(these.)2132 3607 y(There)29
-b(are)h(tw)o(o)h(forms)e(of)h Fm(port)g Fs(constants.)55
-b(The)30 b(\002rst)g(con-)2049 3706 y(sists)h(of)f(an)g(unsigned)e
-(inte)o(ger)h(follo)n(wed)f(by)i(either)f(\223)p Fm(/tcp)p
-Fs(\224)h(or)2049 3806 y(\223)p Fm(/udp)p Fs(.)-6 b(\224)46
-b(So,)28 b(for)f(e)o(xample,)g(\223)p Fm(80/tcp)p Fs(\224)g
-(corresponds)d(to)k(TCP)2049 3906 y(port)c(80)h(\(the)f(HTTP)h
-(protocol)e(used)i(by)f(the)h(W)-7 b(orld)25 b(W)m(ide)f(W)-7
-b(eb\).)2049 4005 y(The)39 b(second)e(form)h(of)h(constant)f(is)i
-(speci\002ed)e(using)h(a)g(prede-)2049 4105 y(\002ned)28
-b(identi\002er)m(,)i(such)e(as)i(\223)p Fm(http)p Fs(\224,)g(equi)n(v)n
-(alent)d(to)h(\223)p Fm(80/tcp)p Fs(.)-6 b(\224)2049
-4204 y(Originally)h(,)15 b(we)h(w)o(ould)g(look)f(up)g
-(otherwise-unde\002ned)e(identi\002ers)2049 4304 y(using)33
-b(the)h Fr(g)o(etservbyname)e Fs(library)g(routine.)64
-b(Ho)n(we)n(v)o(er)m(,)35 b(doing)2049 4404 y(so)e(not)f(only)f(runs)h
-(into)h(dif)n(\002culties)f(when)f(a)i(single)g(name)e(lik)o(e)2049
-4503 y(\223)p Fm(domain)p Fs(\224)g(has)h(both)f(TCP)i(and)e(UDP)h
-(de\002nitions,)i(b)n(ut,)g(more)2049 4603 y(fundamentally)-5
-b(,)27 b(erodes)h(portability)e(because)i(a)h Fr(g)o(etservbyname)2049
-4703 y Fs(service)e(name)h(kno)n(wn)e(on)h(one)h(system)f(might)h(well)
-g(be)g(missing)2049 4802 y(from)17 b(another)g(system,)h(rendering)e
-(in)m(v)n(alid)h(an)o(y)g Fm(Bro)h Fs(scripts)h(writ-)2049
-4902 y(ten)h(using)g(the)g(service)g(name.)2132 5001
-y(V)-9 b(alues)20 b(of)g(type)g Fm(port)g Fs(may)g(be)g(compared)e(for)
-i(equality)f(or)h(or)n(-)2049 5101 y(dering)31 b(\(for)g(e)o(xample,)j
-(\223)p Fm(20/tcp)48 b(<)i(telnet)p Fs(\224)31 b(yields)i(true\),)2049
-5201 y(b)n(ut)20 b(otherwise)g(cannot)f(be)h(operated)f(on.)2132
-5300 y(Another)j(netw)o(orking)f(type)i(pro)o(vided)e(by)i
-Fm(Bro)g Fs(is)h Fm(addr)p Fs(,)g(cor)n(-)2049 5400 y(responding)29
-b(to)j(an)f(IP)h(address.)59 b(These)31 b(are)h(represented)e(inter)n
-(-)1929 5649 y(5)p eop
-%%Page: 6 6
-6 5 bop -150 -104 a Fs(nally)17 b(as)h(unsigned,)e(32-bit)g(inte)o
-(gers,)h(b)n(ut)g(in)h Fm(Bro)f Fs(scripts)h(the)f(only)-150
--5 y(operations)26 b(that)h(can)g(be)g(performed)d(on)j(them)f(are)h
-(comparisons)-150 95 y(for)e(equality)g(or)h(inequality)e(\(also,)j(a)f
-(b)n(uilt-in)f(function)f(pro)o(vides)-150 194 y(masking,)19
-b(as)h(discussed)g(belo)n(w\).)k(Constants)c(of)g(type)f
-Fm(addr)h Fs(ha)n(v)o(e)-150 294 y(the)g(f)o(amiliar)g(\223dotted)f
-(quad\224)g(format,)g Fj(A)1064 306 y Fn(1)1102 294 y
-Fj(:A)1187 306 y Fn(2)1224 294 y Fj(:A)1309 306 y Fn(3)1347
-294 y Fj(:A)1432 306 y Fn(4)1469 294 y Fs(.)-67 394 y(More)37
-b(interesting)g(are)g Fr(hostname)f Fs(constants.)77
-b(There)37 b(is)h(no)-150 493 y Fm(Bro)45 b Fs(type)f(corresponding)d
-(to)j(Internet)g(hostnames,)49 b(because)-150 593 y(hostnames)26
-b(can)g(correspond)e(to)j(multiple)f(IP)h(addresses,)g(so)g(one)-150
-693 y(quickly)34 b(runs)g(into)h(ambiguities)f(if)h(comparing)d(one)j
-(hostname)-150 792 y(with)h(another)-5 b(.)71 b Fm(Bro)36
-b Fs(does,)j(ho)n(we)n(v)o(er)m(,)e(support)e(hostnames)g(as)-150
-892 y(constants.)81 b(An)o(y)38 b(series)i(of)e(tw)o(o)i(or)e(more)h
-(identi\002ers)f(delim-)-150 991 y(ited)c(by)f(dots)h(forms)f(a)i
-(hostname)d(constant,)37 b(so,)g(for)c(e)o(xample,)-150
-1091 y(\223)p Fm(lbl.gov)p Fs(\224)23 b(and)h(\223)p
-Fm(www.microsoft.com)p Fs(\224)d(are)j(both)f(host-)-150
-1191 y(name)f(constants)g(\(the)h(latter)m(,)g(as)g(of)f(this)i
-(writing,)e(corresponds)e(to)-150 1290 y(6)27 b(distinct)g(IP)h
-(addresses\).)44 b(The)27 b(v)n(alue)f(of)h(a)g(hostname)f(constant)
--150 1390 y(is)21 b(a)g Fm(list)g Fs(of)f Fm(addr)g Fs(containing)f
-(one)h(or)g(more)g(elements.)26 b(These)-150 1490 y(lists)21
-b(cannot)e(be)g(used)h(in)g Fm(Bro)f Fs(e)o(xpressions;)g(b)n(ut)h(the)
-o(y)f(play)g(a)h(cen-)-150 1589 y(tral)27 b(role)f(in)h(initializing)f
-Fm(Bro)h(table)p Fs(')-5 b(s)26 b(and)g Fm(set)p Fs(')-5
-b(s,)29 b(discussed)-150 1689 y(in)20 b Fi(x)h Fs(3.3)f(belo)n(w)-5
-b(.)-67 1788 y Fl(Aggr)o(egate)22 b(types.)38 b Fm(Bro)24
-b Fs(also)h(supports)e(a)i(number)e(of)h(aggre-)-150
-1888 y(gate)j(types.)46 b(A)28 b Fm(record)f Fs(is)h(a)g(collection)e
-(of)h(elements)g(of)g(arbi-)-150 1988 y(trary)19 b(type.)25
-b(F)o(or)19 b(e)o(xample,)f(the)i(prede\002ned)e Fm(conn)p
-1370 1988 25 4 v 29 w(id)j Fs(type,)e(used)-150 2087
-y(to)f(hold)g(connection)e(identi\002ers,)i(is)i(de\002ned)d(in)h(the)h
-Fm(Bro)f Fs(run-time)-150 2187 y(initialization)i(\002le)g(as:)9
-2339 y Ff(type)40 b(conn_id:)e(record)h({)169 2418 y(orig_h:)g(addr;)
-169 2497 y(orig_p:)g(port;)169 2576 y(resp_h:)g(addr;)169
-2655 y(resp_p:)g(port;)9 2734 y(};)-150 2907 y Fs(The)27
-b Fm(orig)p 212 2907 V 29 w(h)h Fs(and)f Fm(resp)p 667
-2907 V 29 w(h)h Fs(elements)f(\(or)g(\223\002elds\224\))g(ha)n(v)o(e)g
-(type)-150 3006 y Fm(addr)e Fs(and)g(hold)g(the)h(connection)d
-(originator')-5 b(s)24 b(and)h(responder')-5 b(s)-150
-3106 y(IP)21 b(addresses.)26 b(Similarly)-5 b(,)20 b
-Fm(orig)p 862 3106 V 29 w(p)h Fs(and)f Fm(resp)p 1303
-3106 V 29 w(p)h Fs(hold)f(the)h(orig-)-150 3205 y(inator)g(and)f
-(responder)f(ports.)28 b(Record)21 b(\002elds)h(are)f(accessed)g(using)
--150 3305 y(the)f(\223)p Fm($)p Fs(\224)g(operator)-5
-b(.)-67 3405 y(F)o(or)20 b(specifying)e(security)i(policies,)f(a)i
-(particularly)d(useful)i Fm(Bro)-150 3504 y Fs(type)26
-b(is)i Fm(table)p Fs(.)44 b Fm(Bro)26 b Fs(tables)h(ha)n(v)o(e)f(tw)o
-(o)h(components,)f(a)h(set)h(of)-150 3604 y Fr(indices)c
-Fs(and)g(a)h Fr(yield)g(type)p Fs(.)37 b(The)24 b(indices)h(may)f(be)g
-(of)g(an)o(y)g(atomic)-150 3704 y(\(non-aggre)o(gate\))c(type,)25
-b(and/or)e(an)o(y)h Fm(record)g Fs(types)h(that,)g(when)-150
-3803 y(\(recursi)n(v)o(ely\))i(e)o(xpanded)g(into)i(all)h(of)f(their)g
-(elements,)i(are)e(com-)-150 3903 y(prised)h(of)h(only)f(atomic)h
-(types.)57 b(\(Thus,)32 b Fm(Bro)f Fs(tables)g(pro)o(vide)e(a)-150
-4002 y(form)19 b(of)h(associati)n(v)o(e)g(array)-5 b(.\))23
-b(So,)d(for)g(e)o(xample,)9 4155 y Ff(table[port])39
-b(of)g(string)-150 4307 y Fs(can)20 b(be)g(inde)o(x)o(ed)e(by)i(a)h
-Fm(port)f Fs(v)n(alue,)f(yielding)g(a)h Fm(string)p Fs(,)g(and:)9
-4445 y Ff(table[conn_id])38 b(of)i(ftp_session_info)-150
-4603 y Fs(is)34 b(inde)o(x)o(ed)c(by)i(a)h Fm(conn)p
-623 4603 V 30 w(id)f Fs(record\227or)m(,)h(equi)n(v)n(alently)-5
-b(,)33 b(by)g(an)-150 4703 y Fm(addr)p Fs(,)42 b(a)d
-Fm(port)p Fs(,)j(another)36 b Fm(addr)p Fs(,)43 b(and)37
-b(another)g Fm(port)p Fs(\227and)-150 4802 y(yields)20
-b(an)g Fm(ftp)p 323 4802 V 30 w(session)p 703 4802 V
-28 w(info)g Fs(record)f(as)i(a)f(result.)-67 4902 y(Closely)i(related)e
-(to)i Fm(table)e Fs(types)h(are)h Fm(set)f Fs(types.)28
-b(These)21 b(are)-150 5001 y(simply)d Fm(table)f Fs(types)h(that)h(do)e
-(not)h(yield)g(a)g(v)n(alue.)24 b(Their)17 b(purpose)-150
-5101 y(is)j(to)f(maintain)f(collections)h(of)g(tuples,)g(e)o(xpressed)e
-(in)j(terms)f(of)g(the)-150 5201 y(set')-5 b(s)18 b(indices.)23
-b(The)16 b(e)o(xamples)f(in)i Fi(x)g Fs(3.3)f(clarify)f(ho)n(w)h(this)h
-(is)g(useful.)-67 5300 y(Another)27 b(aggre)o(gate)e(type)i(supported)f
-(is)j Fm(file)p Fs(.)48 b(Support)26 b(for)-150 5400
-y(\002les)d(is)g(presently)d(crude:)28 b(a)22 b(script)g(can)g(open)f
-(\002les)h(for)g(writing)f(or)2049 -104 y(appending,)j(and)g(can)h
-(pass)h(the)g(resulting)e Fm(file)h Fs(v)n(ariable)f(to)i(the)2049
--5 y Fm(print)e Fs(command)f(to)i(specify)f(where)g(it)i(should)e
-(write,)i(b)n(ut)e(that)2049 95 y(is)j(all.)42 b(Also,)27
-b(these)f(\002les)h(are)f(simple)f(ASCII.)h(In)g(the)f(future,)h(we)
-2049 194 y(plan)g(to)h(e)o(xtend)f(\002les)i(to)f(support)e(reading,)i
-(ASCII)g(parsing,)g(and)2049 294 y(binary)19 b(\(typed\))f(reading)h
-(and)h(writing.)2132 394 y(Finally)-5 b(,)24 b(abo)o(v)o(e)d(we)j
-(alluded)f(to)h(the)f Fm(list)g Fs(type,)h(which)f(holds)2049
-493 y(zero)e(or)g(more)g(instances)h(of)f(a)h(v)n(alue.)28
-b(Currently)-5 b(,)20 b(this)i(type)f(is)i(not)2049 593
-y(directly)c(a)n(v)n(ailable)g(to)h(the)g Fm(Bro)f Fs(script)h(writer)m
-(,)f(other)g(than)g(implic-)2049 693 y(itly)k(when)e(using)h
-Fr(hostname)f Fs(constants.)30 b(Since)22 b(its)i(present)d(use)i(is)
-2049 792 y(primarily)g(internal)h(to)g(the)h(script)f(interpreter)f
-(\(when)g(initializing)2049 892 y(v)n(ariables,)c(per)h
-Fi(x)h Fs(3.3\),)e(we)h(do)g(not)g(describe)f(it)i(further)-5
-b(.)2132 991 y Fl(Regular)44 b(expr)o(essions.)99 b Fs(The)45
-b(last)g(b)n(uilt-in)f Fm(Bro)h Fs(type)g(is)2049 1091
-y Fm(pattern)p Fs(.)51 b(P)o(atterns)29 b(are)g(Unix-style)f(re)o
-(gular)g(e)o(xpressions;)k(in)2049 1191 y(particular)m(,)22
-b(the)h(syntax)f(used)h(by)g(the)g Fr(\003e)n(x)g Fs(utility)g([P)o
-(a96)n(].)34 b(P)o(attern)2049 1290 y(constants)20 b(are)g(enclosed)f
-(by)h Fm(/)g Fs(delimiters.)25 b(F)o(or)20 b(e)o(xample:)2208
-1435 y Ff(/sync|lp|uucp|operator|ezsetup|4dgifts/)2049
-1600 y Fs(is)k(a)f(pattern)f(that)i(matches)e(a)i(number)d(of)i(common)
-e(def)o(ault)h(Unix)2049 1700 y(accounts.)2132 1800 y(Presently)-5
-b(,)20 b(only)h(tw)o(o)g(operations)f(are)h(allo)n(wed)f(on)h(pattern)f
-(v)n(al-)2049 1899 y(ues:)25 b(assignment,)18 b(and)h(testing)g(to)h
-(see)f(whether)g(the)g(pattern)f(v)n(alue)2049 1999 y(matches)i(a)g(gi)
-n(v)o(en)f(string)h(\(discussed)g(belo)n(w\).)2049 2233
-y Fh(3.2)99 b(Operators)2049 2389 y Fm(Bro)27 b Fs(pro)o(vides)e(a)j
-(number)d(of)i(C-lik)o(e)g(operators)f(\()p Fm(+)p Fs(,)j
-Fm(-)p Fs(,)g Fm(*)p Fs(,)f Fm(/)p Fs(,)h Fm(\045)p Fs(,)2049
-2489 y Fm(!)p Fs(,)g Fm(&&)p Fs(,)f Fm(||)p Fs(,)h Fm(?:)p
-Fs(,)f(relationals)e(lik)o(e)h Fm(<=)p Fs(\))g(with)g(which)f(we)i
-(assume)2049 2588 y(the)e(reader)f(is)i(f)o(amiliar)m(,)f(and)g(will)h
-(not)e(detail)h(here.)42 b(Assignment)2049 2688 y(is)28
-b(done)e(using)h Fm(=)p Fs(,)i(table)e(and)f(set)i(inde)o(xing)d(with)i
-Fm([])p Fs(,)i(and)e(func-)2049 2787 y(tion)19 b(in)m(v)n(ocation)f
-(and)h(e)n(v)o(ent)g(generation)e(with)j Fm(\(\))p Fs(.)25
-b(Numeric)18 b(v)n(ari-)2049 2887 y(ables)35 b(can)g(be)f(incremented)f
-(and)h(decremented)f(using)h Fm(++)h Fs(and)2049 2987
-y Fm(--)p Fs(.)i(Record)23 b(\002elds)i(are)f(accessed)g(using)g
-Fm($)p Fs(,)h(to)f(a)n(v)n(oid)g(ambiguity)2049 3086
-y(with)30 b Fr(hostname)f Fs(constants.)54 b(Assignment)30
-b(of)f(aggre)o(gate)f(v)n(alues)2049 3186 y(is)h Fr(shallow)p
-Fs(\227the)e(ne)n(wly-assigned)e(v)n(ariable)i(refers)g(to)h(the)f
-(same)2049 3286 y(aggre)o(gate)20 b(v)n(alue)h(as)i(the)f(right-hand)d
-(side)j(of)g(the)g(assignment)f(e)o(x-)2049 3385 y(pression.)52
-b(This)30 b(choice)f(w)o(as)h(made)f(to)h(f)o(acilitate)f(performance;)
-2049 3485 y(we)e(ha)n(v)o(e)f(not)g(yet)h(been)f(bitten)g(by)h(the)f
-(semantics)h(\(which)f(dif)n(fer)2049 3585 y(from)21
-b(C\).)i(W)-7 b(e)24 b(may)d(in)i(the)f(future)g(add)f(a)i
-Fm(copy)f Fs(operator)f(to)h(con-)2049 3684 y(struct)e(\223deep\224)f
-(copies.)2132 3784 y(From)30 b(the)g(perspecti)n(v)o(e)e(of)i(C,)g(the)
-g(only)g(no)o(v)o(el)e(operators)h(are)2049 3883 y Fm(in)f
-Fs(and)e Fm(!in)p Fs(.)47 b(These)27 b(in\002x)g(operators)f(yield)h
-Fm(bool)g Fs(v)n(alues)g(de-)2049 3983 y(pending)16 b(on)h(whether)g
-(or)g(not)h(a)g(gi)n(v)o(en)e(inde)o(x)h(is)h(in)g(a)g(gi)n(v)o(en)f
-Fm(table)2049 4083 y Fs(or)k Fm(set)p Fs(.)26 b(F)o(or)21
-b(e)o(xample,)e(if)i Fm(sensitive)p 3322 4083 V 29 w(services)f
-Fs(is)h(a)h Fm(set)2049 4182 y Fs(inde)o(x)o(ed)c(by)i(a)h(single)f
-Fm(port)p Fs(,)f(then)2208 4327 y Ff(23/tcp)39 b(in)h
-(sensitive_services)2049 4492 y Fs(returns)20 b(true)g(if)h(the)g(set)h
-(has)f(an)g(element)f(corresponding)d(to)k(an)g(in-)2049
-4592 y(de)o(x)c(of)h(TCP)h(port)f(23,)g(f)o(alse)g(if)h(it)g(does)f
-(not)g(ha)n(v)o(e)f(such)h(an)g(element.)2049 4692 y(Similarly)-5
-b(,)25 b(if)f Fm(RPC)p 2630 4692 V 30 w(okay)g Fs(is)i(a)e
-Fm(set)h Fs(\(or)f Fm(table)p Fs(\))g(inde)o(x)o(ed)e(by)i(a)2049
-4791 y(source)30 b(address,)i(a)f(destination)e(address,)k(and)d(an)g
-(RPC)i(service)2049 4891 y(number)18 b(\(a)j Fm(count)p
-Fs(\),)e(then)2129 5035 y Ff([src_addr,)38 b(dst_addr,)h(serv])g(in)g
-(RPC_okay)2049 5201 y Fs(yields)34 b(true)f(if)h(the)g(gi)n(v)o(en)e
-(ordered)g(triple)h(is)i(present)e(as)h(an)g(in-)2049
-5300 y(de)o(x)26 b(into)h Fm(RPC)p 2507 5300 V 30 w(okay)p
-Fs(.)45 b(The)27 b Fm(!in)g Fs(operator)f(simply)g(returns)h(the)2049
-5400 y(boolean)19 b(ne)o(gation)f(of)i(the)g Fm(in)g
-Fs(operator)-5 b(.)1929 5649 y(6)p eop
-%%Page: 7 7
-7 6 bop -67 -104 a Fs(Presently)-5 b(,)17 b(inde)o(xing)e(a)j(table)g
-(or)f(set)h(with)g(a)g(v)n(alue)f(that)h(does)f(not)-150
--5 y(correspond)24 b(to)i(one)g(of)g(its)h(elements)f(leads)g(to)h(a)g
-(run-time)d(error)m(,)-150 95 y(so)d(such)g(operations)e(need)h(to)h
-(be)g(preceded)e(by)h Fm(in)h Fs(tests.)28 b(W)-7 b(e)22
-b(\002nd)-150 194 y(this)g(not)f(entirely)f(satisfying,)h(and)g(plan)f
-(to)i(add)f(a)g(mechanism)f(for)-150 294 y(optionally)28
-b(specifying)g(the)h(action)g(to)h(tak)o(e)f(in)h(such)f(cases)h(on)f
-(a)-150 394 y(per)n(-table)19 b(basis.)-67 498 y(Another)26
-b(use)h(of)f(the)h Fm(in)g Fs(and)g Fm(!in)g Fs(operators)e(is)j(for)e
-(re)o(gular)n(-)-150 598 y(e)o(xpression)19 b(pattern)g(matching.)k(F)o
-(or)d(e)o(xample,)-70 785 y Ff(filename)38 b(in)i(/rootkit-1\\.[5-8]/)
--150 987 y Fs(yields)20 b(true)h(if)g(the)f(v)n(alue)g(of)g(the)h(e)o
-(xpression)e Fm(filename)g Fs(\(which)-150 1087 y(must)26
-b(ha)n(v)o(e)g(type)g Fm(string)p Fs(\))f(matches)h(an)o(y)f(of)h
-Fm(rootkit-1.5)p Fs(,)-150 1187 y Fm(rootkit-1.6)p Fs(,)18
-b Fm(rootkit-1.7)p Fs(,)h(or)h Fm(rootkit-1.8)p Fs(.)-67
-1291 y(Finally)-5 b(,)33 b Fm(Bro)d Fs(includes)h(a)g(number)e(of)h
-(prede\002ned)f(functions)-150 1391 y(to)46 b(perform)e(operations)g
-(not)i(directly)f(a)n(v)n(ailable)h(in)g(the)g(lan-)-150
-1490 y(guage.)27 b(Some)21 b(of)g(the)g(more)f(interesting:)27
-b Fm(fmt)21 b Fs(pro)o(vides)e Fr(sprintf)12 b Fs(-)-150
-1590 y(style)26 b(formatting)d(for)i(use)g(in)h(printing)d(or)i
-(manipulating)f(strings;)-150 1690 y Fm(edit)j Fs(returns)f(a)i(cop)o
-(y)e(of)h(a)g(string)g(that)g(has)g(been)g(edited)f(using)-150
-1789 y(the)i(gi)n(v)o(en)f(editing)h(characters)f(\(currently)f(it)j
-(only)f(kno)n(ws)g(about)-150 1889 y(single-character)44
-b(deletions\);)57 b Fm(mask)p 1041 1889 25 4 v 29 w(addr)46
-b Fs(tak)o(es)g(an)g Fm(addr)-150 1989 y Fs(and)31 b(returns)f(another)
-g Fm(addr)g Fs(corresponding)e(to)j(its)i(top)d Fj(n)i
-Fs(bits;)-150 2088 y Fm(open)43 b Fs(and)g Fm(close)g
-Fs(manipulate)f Fm(file)p Fs(s;)55 b Fm(network)p 1628
-2088 V 29 w(time)-150 2188 y Fs(returns)62 b(the)h(timestamp)g(of)g
-(the)g(most)g(recently)f(recei)n(v)o(ed)-150 2287 y(pack)o(et;)29
-b Fm(getenv)d Fs(pro)o(vides)e(access)j(to)g(en)m(vironment)c(v)n
-(ariables;)-150 2387 y Fm(skip)p 55 2387 V 29 w(further)p
-434 2387 V 29 w(processing)e Fs(marks)h(a)h(connection)e(as)i(not)-150
-2487 y(requiring)d(an)o(y)h(further)f(analysis;)j Fm(set)p
-1035 2487 V 29 w(record)p 1364 2487 V 29 w(packets)e
-Fs(in-)-150 2586 y(structs)38 b(the)f(e)n(v)o(ent)f(engine)g(whether)g
-(or)h(not)g(to)h(record)d(an)o(y)i(of)-150 2686 y(a)j(connection')-5
-b(s)38 b(future)g(pack)o(ets)h(\(though)e(SYN/FIN/RST)k(are)-150
-2786 y(al)o(w)o(ays)c(recorded\);)43 b Fm(set)p 658 2786
-V 29 w(contents)p 1087 2786 V 29 w(file)36 b Fs(speci\002es)i(a)f
-(\002le)-150 2885 y(to)k(which)f(Bro)h(records)f(the)h(connection')-5
-b(s)39 b(reassembled)h(byte)-150 2985 y(stream;)46 b
-Fm(system)36 b Fs(e)o(x)o(ecutes)h(a)g(string)g(as)h(a)g(Unix)f(shell)g
-(com-)-150 3084 y(mand;)25 b(and)e Fm(parse)p 483 3084
-V 29 w(ftp)p 662 3084 V 30 w(port)g Fs(tak)o(es)i(an)e(FTP)i(\223POR)-5
-b(T\224)24 b(com-)-150 3184 y(mand)g(and)h(returns)g(a)g
-Fm(record)g Fs(with)h(the)f(corresponding)d Fm(addr)-150
-3284 y Fs(and)e Fm(port)p Fs(.)-150 3549 y Fh(3.3)99
-b(V)-9 b(ariables)-150 3714 y Fm(Bro)28 b Fs(supports)f(tw)o(o)h(le)n
-(v)o(els)g(of)f(scoping:)40 b(local)27 b(to)h(a)h(function)d(or)-150
-3813 y(e)n(v)o(ent)31 b(handler)m(,)i(and)e(global)g(to)h(the)g(entire)
-f Fm(Bro)h Fs(script.)60 b(Expe-)-150 3913 y(rience)28
-b(has)h(already)f(sho)n(wn)g(that)i(we)f(w)o(ould)f(bene\002t)g(by)h
-(adding)-150 4013 y(a)37 b(third,)i(intermediate)c(le)n(v)o(el)h(of)g
-(scoping,)j(perhaps)c(as)i(part)f(of)-150 4112 y(a)f(\223module\224)d
-(or)j(\223object\224)e(f)o(acility)-5 b(,)37 b(or)d(e)n(v)o(en)g(as)h
-(simple)f(as)h(C')-5 b(s)-150 4212 y Fm(static)33 b Fs(scoping.)65
-b(Local)33 b(v)n(ariables)g(are)h(declared)e(using)i(the)-150
-4312 y(k)o(e)o(yw)o(ord)20 b Fm(local)p Fs(,)i(and)f(the)h
-(declarations)f(must)g(come)h(inside)g(the)-150 4411
-y(body)c(of)i(a)g(function)e(or)h(e)n(v)o(ent)g(handler)-5
-b(.)24 b(There)19 b(is)i(no)e(requirement)-150 4511 y(to)31
-b(declare)f(v)n(ariables)g(at)i(the)f(be)o(ginning)d(of)j(the)g
-(function.)55 b(The)-150 4610 y(scope)21 b(of)h(the)g(v)n(ariable)e
-(ranges)h(from)g(the)h(point)f(of)g(declaration)f(to)-150
-4710 y(the)j(end)e(of)i(the)f(body)-5 b(.)30 b(Global)22
-b(v)n(ariables)g(are)g(declared)g(using)g(the)-150 4810
-y(k)o(e)o(yw)o(ord)28 b Fm(global)h Fs(and)g(the)g(declarations)g(must)
-g(come)g(outside)-150 4909 y(of)g(an)o(y)f(function)g(bodies.)51
-b(F)o(or)29 b(either)f(type)h(of)g(declaration,)h(the)-150
-5009 y(k)o(e)o(yw)o(ord)17 b(can)h(be)g(replaced)f(instead)i(by)f
-Fm(const)p Fs(,)g(which)g(indicates)-150 5109 y(that)i(the)g(v)n
-(ariable')-5 b(s)20 b(v)n(alue)f(is)j(constant)d(and)h(cannot)f(be)h
-(changed.)-67 5213 y(Syntactically)-5 b(,)19 b(a)h(v)n(ariable)f
-(declaration)g(looks)h(lik)o(e:)-150 5400 y Ff({class})39
-b({identifier})f([':')h({type}])g(['=')g({init}])2049
--104 y Fs(That)29 b(is,)j(a)d(class)h(\()p Fm(local)e
-Fs(or)h Fm(global)g Fs(scope,)h(or)f(the)g Fm(const)2049
--5 y Fs(quali\002er\),)21 b(the)h(name)f(of)h(the)f(v)n(ariable,)g(an)h
-(optional)f(type,)g(and)h(an)2049 95 y(optional)k(initialization)g(v)n
-(alue.)45 b(One)27 b(of)g(the)g(latter)g(tw)o(o)h(must)f(be)2049
-194 y(speci\002ed.)43 b(If)26 b(both)f(are,)i(then)f(naturally)f(the)h
-(type)g(of)f(the)i(initial-)2049 294 y(ization)22 b(much)g(agree)g
-(with)h(the)f(speci\002ed)g(type.)32 b(If)23 b(only)e(a)i(type)g(is)
-2049 394 y(gi)n(v)o(en,)e(then)g(the)h(v)n(ariable)f(is)i(mark)o(ed)d
-(as)j(not)e(ha)n(ving)g(a)h(v)n(alue)f(yet;)2049 493
-y(attempting)f(to)i(access)h(its)f(v)n(alue)f(before)g(\002rst)h
-(setting)g(it)g(results)g(in)2049 593 y(a)f(run-time)d(error)-5
-b(.)2132 694 y(If)23 b(only)f(an)g(initializer)h(is)h(speci\002ed,)f
-(then)f(Bro)h(infers)f(the)h(v)n(ari-)2049 793 y(able')-5
-b(s)19 b(type)g(from)f(the)h(form)f(of)h(the)g(initializer)-5
-b(.)25 b(This)19 b(pro)o(v)o(es)f(quite)2049 893 y(con)m(v)o(enient,)i
-(as)j(does)f(the)g(ease)h(with)f(which)g(comple)o(x)f(tables)h(and)2049
-993 y(sets)f(can)f(be)g(initialized.)25 b(F)o(or)20 b(e)o(xample,)2049
-1160 y Ff(const)39 b(IRC)h(=)f({)h(6666/tcp,)e(6667/tcp,)h(6668/tcp)g
-(};)2049 1348 y Fs(infers)20 b(a)g(type)g(of)g Fm(set[port])f
-Fs(for)h Fm(IRC)p Fs(,)g(while:)2049 1515 y Ff(const)39
-b(ftp_serv)g(=)g({)h(ftp.lbl.gov,)e(www.lbl.gov)g(};)2049
-1703 y Fs(infers)33 b(a)h(type)g(of)f Fm(set[addr])f
-Fs(for)i Fm(ftp)p 3393 1703 V 29 w(serv)p Fs(,)i(and)e(initial-)2049
-1802 y(izes)i(it)g(to)g(consist)f(of)g(the)h(IP)f(addresses)g(for)g
-Fm(ftp.lbl.gov)2049 1902 y Fs(and)30 b Fm(www.lbl.gov)p
-Fs(,)i(which,)g(as)g(noted)d(abo)o(v)o(e,)j(may)e(encom-)2049
-2001 y(pass)22 b(more)e(than)h(tw)o(o)h(addresses.)28
-b(Bro)21 b(infers)g(compound)e(indices)2049 2101 y(by)h(use)g(of)g
-Fm([])g Fs(notation:)2049 2269 y Ff(const)39 b(allowed_services)f(=)h
-({)2169 2348 y([ftp.lbl.gov,)e(ftp],)j([ftp.lbl.gov,)d(smtp],)2169
-2427 y([ftp.lbl.gov,)g(ident],)i([ftp.lbl.gov,)f(20/tcp],)2169
-2505 y([www.lbl.gov,)f(ftp],)j([www.lbl.gov,)d(smtp],)2169
-2584 y([www.lbl.gov,)g(ident],)i([www.lbl.gov,)f(20/tcp],)2169
-2663 y([nntp.lbl.gov,)f(nntp])2049 2742 y(};)2049 2929
-y Fs(results)25 b(in)g Fm(allowed)p 2736 2929 V 29 w(services)f
-Fs(ha)n(ving)f(type)i Fm(set[addr,)2049 3029 y(port])p
-Fs(.)47 b(Here)28 b(again,)g(the)g Fr(hostname)f Fs(constants)g(may)h
-(result)f(in)2049 3129 y(more)20 b(than)f(one)h(IP)h(address.)k(An)o(y)
-19 b(time)i(Bro)f(encounters)f(a)i Fm(list)2049 3228
-y Fs(of)33 b(v)n(alues)g(in)h(an)g(initialization,)h(it)g(replicates)e
-(the)g(correspond-)2049 3328 y(ing)22 b(inde)o(x.)31
-b(Furthermore,)21 b(one)h(can)g(e)o(xplicitly)g(introduce)e(lists)k(in)
-2049 3427 y(initializers)h(by)f(enclosing)f(a)i(series)g(of)f(v)n
-(alues)g(\(with)g(compatible)2049 3527 y(types\))c(in)g
-Fm([])p Fs(')-5 b(s,)21 b(so)f(the)g(abo)o(v)o(e)f(could)g(be)h
-(written:)2049 3695 y Ff(const)39 b(allowed_services:)e(set[addr,)i
-(port])g(=)h({)2169 3774 y([ftp.lbl.gov,)d([ftp,)j(smtp,)f(ident,)g
-(20/tcp]],)2169 3852 y([www.lbl.gov,)e([ftp,)j(smtp,)f(ident,)g
-(20/tcp]],)2169 3931 y([nntp.lbl.gov,)e(nntp])2049 4010
-y(};)2049 4198 y Fs(The)18 b(only)f(cost)i(of)f(such)g(an)g
-(initialization)g(is)h(that)f(Bro')-5 b(s)19 b(algorithm)2049
-4297 y(for)k(inferring)e(the)i(v)n(ariable')-5 b(s)23
-b(type)g(from)f(its)i(initializer)f(currently)2049 4397
-y(gets)17 b(confused)d(by)i(these)h(embedded)d(lists,)k(so)f(the)f
-(type)g(no)n(w)g(needs)2049 4496 y(to)k(be)g(e)o(xplicitly)g(supplied,)
-f(as)h(sho)n(wn.)2132 4597 y(In)h(addition,)e(an)o(y)h(pre)n
-(viously-de\002ned)d(global)j(v)n(ariable)g(can)h(be)2049
-4697 y(used)j(in)h(the)f(initialization)g(of)g(a)h(subsequent)e(global)
-h(v)n(ariable.)37 b(If)2049 4796 y(the)19 b(v)n(ariable)f(used)g(in)h
-(this)h(f)o(ashion)e(is)i(a)f Fm(set)p Fs(,)g(then)f(its)i(indices)f
-(are)2049 4896 y(e)o(xpanded)e(as)j(if)f(enclosed)g(in)g(their)g(o)n
-(wn)g(list.)26 b(So)20 b(the)f(abo)o(v)o(e)f(could)2049
-4996 y(be)i(further)f(simpli\002ed)h(to:)2049 5163 y
-Ff(const)39 b(allowed_services:)e(set[addr,)i(port])g(=)h({)2169
-5242 y([ftp_serv,)e([ftp,)h(smtp,)g(ident,)g(20/tcp]],)2169
-5321 y([nntp.lbl.gov,)e(nntp])2049 5400 y(};)1929 5649
-y Fs(7)p eop
-%%Page: 8 8
-8 7 bop -150 -104 a Fs(Initializing)17 b Fm(table)g Fs(v)n(alues)g
-(looks)g(v)o(ery)g(similar)m(,)g(with)h(the)g(dif)n(fer)n(-)-150
--5 y(ence)h(that)g(a)h Fm(table)f Fs(initializer)g(includes)f(a)i
-Fr(yield)h Fs(v)n(alue,)e(too.)24 b(F)o(or)-150 95 y(e)o(xample:)-150
-257 y Ff(global)39 b(port_names)f(=)i({)-30 336 y([7/tcp])e(=)i
-("echo",)-30 415 y([9/tcp])e(=)i("discard",)-30 493 y([11/tcp])e(=)i
-("systat",)-30 572 y(...)-150 651 y(};)-150 834 y Fs(which)20
-b(infers)f(a)i(type)f(of)g Fm(table[port])47 b(of)j(string)p
-Fs(.)-67 934 y(W)-7 b(e)35 b(\002nd)e(that)h(these)g(forms)f(of)g
-(initialization)g(shorthand)f(are)-150 1033 y(much)k(more)g(than)g
-(syntactic)h(sugar)-5 b(.)74 b(Because)37 b(the)o(y)f(allo)n(w)h(us)
--150 1133 y(to)29 b(de\002ne)g(lar)o(ge)f(tables)i(in)f(a)g(succinct)g
-(f)o(ashion,)i(by)d(referring)f(to)-150 1232 y(pre)n(viously-de\002ned)
-16 b(objects)j(and)g(by)h(concisely)e(capturing)g(forms)-150
-1332 y(of)i(replication)e(in)j(the)f(table,)g(we)g(can)g(specify)f
-(intricate)h(polic)o(y)f(re-)-150 1432 y(lationships)31
-b(in)g(a)h(f)o(ashion)e(that')-5 b(s)32 b(both)e(easy)i(to)f(write)h
-(and)e(easy)-150 1531 y(to)d(v)o(erify)-5 b(.)41 b(Certainly)-5
-b(,)27 b(we)g(w)o(ould)f(prefer)f(the)h(\002nal)h(de\002nition)e(of)
--150 1631 y Fm(allowed)p 205 1631 25 4 v 29 w(services)g
-Fs(abo)o(v)o(e)f(to)i(an)o(y)g(of)f(its)i(predecessors,)f(in)-150
-1731 y(terms)20 b(of)g(kno)n(wing)e(e)o(xactly)i(what)g(the)g(set)h
-(consists)g(of.)-67 1830 y(Along)39 b(with)h(clarity)f(and)g
-(conciseness,)44 b(another)38 b(important)-150 1930 y(adv)n(antage)31
-b(of)h Fm(Bro)p Fs(')-5 b(s)33 b(emphasis)f(on)g(tables)g(and)g(sets)i
-(is)f(speed.)-150 2030 y(Consider)c(the)h(common)d(problem)h(of)i
-(attempting)e(to)i(determine)-150 2129 y(whether)18 b(access)h(is)h
-(allo)n(wed)e(to)h(service)g Fm(S)g Fs(of)g(host)f Fm(H)p
-Fs(.)h(Rather)g(than)-150 2229 y(using)h(\(conceptually\):)-150
-2391 y Ff(if)40 b(\()f(H)h(==)g(ftp.lbl.gov)e(||)h(H)h(==)g
-(www.lbl.gov)e(\))9 2470 y(if)i(\()g(S)f(==)h(ftp)f(||)h(S)g(==)f(smtp)
-g(||)h(...)f(\))-150 2549 y(else)g(if)h(\()g(H)f(==)h(nntp.lbl.gov)e
-(\))9 2627 y(if)i(\()g(S)f(==)h(nntp)f(\))-150 2706 y(...)-150
-2889 y Fs(we)21 b(can)f(simply)f(use:)-150 3051 y Ff(if)40
-b(\()f([S,)h(H])f(in)h(allowed_services)d(\))49 3130
-y(...)j(it's)f(okay)g(...)-150 3313 y Fs(The)23 b Fm(in)h
-Fs(operation)d(translates)j(into)f(a)h(single)f(hash)g(table)h(lookup,)
--150 3412 y(a)n(v)n(oiding)17 b(the)i(cascaded)f Fm(if)p
-Fs(')-5 b(s)19 b(and)f(clearly)g(sho)n(wing)g(the)h(intent)f(of)-150
-3512 y(the)i(test.)-150 3750 y Fh(3.4)99 b(Statements)-150
-3906 y Fm(Bro)26 b Fs(currently)e(supports)h(only)g(a)i(modest)e(group)
-f(of)i(statements,)-150 4005 y(which)g(we)i(ha)n(v)o(e)e(so)h(f)o(ar)g
-(found)e(suf)n(\002cient.)45 b(Along)26 b(with)h(C-style)-150
-4105 y Fm(if)17 b Fs(and)g Fm(return)g Fs(and)g(e)o(xpression)e(e)n(v)n
-(aluation,)h(other)g(statements)-150 4204 y(are:)38 b
-Fm(print)27 b Fs(a)g(list)h(of)e(e)o(xpressions)g(to)g(a)i
-Fm(file)e Fs(\()p Fr(stdout)i Fs(by)e(de-)-150 4304 y(f)o(ault\);)f
-Fm(log)e Fs(a)h(list)h(of)e(e)o(xpressions;)h Fm(add)g
-Fs(an)f(element)g(to)h(a)f Fm(set)p Fs(;)-150 4404 y
-Fm(delete)g Fs(an)h(element)f(from)g(a)h Fm(set)g Fs(or)f(a)i
-Fm(table)p Fs(;)g(and)e Fm(event)p Fs(,)-150 4503 y(which)d(generates)f
-(a)i(ne)n(w)f(e)n(v)o(ent.)-67 4603 y(In)h(particular)m(,)e(the)h
-(language)g(does)g(not)h(support)e(looping)g(using)-150
-4703 y(a)27 b Fm(for)p Fs(-style)g(construct.)43 b(W)-7
-b(e)28 b(are)f(w)o(ary)g(of)f(loops)h(in)g(e)n(v)o(ent)e(han-)-150
-4802 y(dlers)33 b(because)f(the)o(y)f(can)i(lead)f(to)h(arbitrarily)e
-(lar)o(ge)h(processing)-150 4902 y(delays,)c(which)e(in)h(turn)f(could)
-g(lead)g(to)h(pack)o(et)g(\002lter)g(drops.)43 b(W)-7
-b(e)-150 5001 y(w)o(anted)23 b(to)g(see)h(whether)e(we)i(could)e(still)
-i(adequately)e(e)o(xpress)g(se-)-150 5101 y(curity)g(policies)g(in)g
-Fm(Bro)g Fs(without)g(resorting)f(to)i(loops;)f(if)h(so,)g(then)-150
-5201 y(we)17 b(ha)n(v)o(e)e(some)h(con\002dence)f(that)h(e)n(v)o(ery)f
-(e)n(v)o(ent)g(is)i(handled)e(quickly)-5 b(.)-150 5300
-y(So)23 b(f)o(ar)m(,)g(this)g(e)o(xperiment)e(has)i(been)f(successful.)
-33 b(Looping)21 b(is)i(still)-150 5400 y(possible)29
-b(via)g(recursion)f(\(either)g(functions)g(calling)h(themselv)o(es,)
-2049 -104 y(or)23 b(e)n(v)o(ent)g(handlers)f(generating)g(their)h(o)n
-(wn)g(e)n(v)o(ents\),)h(b)n(ut)f(we)h(ha)n(v)o(e)2049
--5 y(not)c(found)e(a)j(need)e(to)i(resort)f(to)g(it.)2132
-96 y(Lik)o(e)i(in)h(C,)g(we)g(can)f(group)f(sets)j(of)e(statements)g
-(into)g Fr(bloc)n(ks)h Fs(by)2049 196 y(enclosing)c(them)h(within)g
-Fi(fg)p Fs(')-5 b(s.)25 b(Function)19 b(de\002nitions)g(look)g(lik)o
-(e:)2049 367 y Ff(function)39 b(endpoint_id\(h:)e(addr,)j(p:)f(port\):)
-g(string)2169 445 y({)2169 524 y(if)g(\()h(p)g(in)f(port_names)f(\))
-2288 603 y(return)h(fmt\("\045s/\045s",)f(h,)i(port_names[p]\);)2169
-682 y(else)2288 761 y(return)f(fmt\("\045s/\045d",)f(h,)i(p\);)2169
-840 y(})2049 1029 y Fs(Ev)o(ent)63 b(handler)f(de\002nitions)h(look)f
-(the)i(same)g(e)o(xcept)e(that)2049 1129 y Fm(function)18
-b Fs(is)i(replaced)d(by)i Fm(event)f Fs(and)g(the)o(y)g(cannot)g
-(specify)g(a)2049 1229 y(return)h(type.)24 b(See)d(Appendix)d(A)j(for)f
-(an)g(e)o(xample.)2132 1330 y(Functions)f(are)i(in)m(v)n(ok)o(ed)d(the)
-j(usual)f(w)o(ay)-5 b(,)20 b(as)h(e)o(xpressions)e(spec-)2049
-1430 y(i\002ed)28 b(by)f(the)g(function')-5 b(s)26 b(name)h(follo)n
-(wed)f(by)h(its)i(ar)o(guments)c(en-)2049 1529 y(closed)d(within)f
-(parentheses.)29 b(Ev)o(ents)21 b(are)h(generated)e(in)i(a)g(similar)
-2049 1629 y(f)o(ashion,)31 b(e)o(xcept)d(using)h(the)g(k)o(e)o(yw)o
-(ord)f Fm(event)h Fs(before)f(the)h(han-)2049 1728 y(dler')-5
-b(s)30 b(name)g(and)f(ar)o(gument)f(list.)56 b(Since)31
-b(e)n(v)o(ents)e(do)h(not)g(return)2049 1828 y(v)n(alues)17
-b(\(the)o(y)f(can')o(t,)h(since)g(the)o(y)g(are)g(processed)f
-(asynchronously\),)2049 1928 y(e)n(v)o(ent)g(generation)e(is)k(a)e
-(statement)h(in)f Fm(Bro)h Fs(and)f(not)g(an)g(e)o(xpression.)2132
-2029 y Fm(Bro)22 b Fs(also)f(allo)n(ws)h(\223global\224)f(statements)g
-(that)h(are)f(not)h(part)f(of)g(a)2049 2129 y(function)15
-b(or)i(e)n(v)o(ent)f(handler)f(de\002nition.)23 b(These)16
-b(are)h(e)o(x)o(ecuted)e(after)2049 2228 y(parsing)30
-b(the)g(full)h(script,)i(and)d(can)h(of)g(course)f(in)m(v)n(ok)o(e)f
-(functions)2049 2328 y(or)e(generate)e(e)n(v)o(ents.)45
-b(The)26 b(e)n(v)o(ent)g(engine)g(also)h(generates)f(e)n(v)o(ents)2049
-2427 y(during)21 b(dif)n(ferent)f(phases)j(of)f(its)h(operation:)28
-b Fm(bro)p 3555 2427 V 29 w(init)22 b Fs(when)g(it)2049
-2527 y(is)27 b(about)f(to)g(be)o(gin)f(operation,)h Fm(bro)p
-3162 2527 V 29 w(done)g Fs(when)g(it)h(is)g(about)e(to)2049
-2627 y(terminate,)18 b(and)f Fm(bro)p 2696 2627 V 30
-w(signal)h Fs(when)f(it)j(recei)n(v)o(es)d(a)i(Unix)f(signal.)2132
-2728 y(One)32 b(dif)n(ference)e(between)h(de\002ning)g(functions)f(and)
-i(de\002ning)2049 2828 y(e)n(v)o(ent)24 b(handlers)f(is)i(that)g
-Fm(Bro)f Fs(allo)n(ws)h(multiple,)f(dif)n(ferent)f(de\002ni-)2049
-2927 y(tions)j(for)g(a)h(gi)n(v)o(en)e(e)n(v)o(ent)h(handler)-5
-b(.)42 b(Whene)n(v)o(er)25 b(an)i(e)n(v)o(ent)e(is)i(gen-)2049
-3027 y(erated,)f(each)f(instance)h(of)f(a)h(handler)e(is)j(in)m(v)n(ok)
-o(ed)c(in)j(turn)f(\(in)h(the)2049 3127 y(order)g(the)o(y)h(appear)f
-(in)h(the)h(script\).)46 b(So,)29 b(for)e(e)o(xample,)g(dif)n(ferent)
-2049 3226 y(\(conceptual\))f(modules)i(can)g(each)g(de\002ne)g
-Fm(bro)p 3516 3226 V 29 w(init)h Fs(handlers)2049 3326
-y(to)23 b(tak)o(e)f(care)g(of)h(their)f(initialization.)31
-b(W)-7 b(e)24 b(\002nd)e(this)h(considerably)2049 3425
-y(simpli\002es)17 b(the)g(task)h(of)e(creating)g(modular)f(sets)j(of)f
-(e)n(v)o(ent)f(handlers,)2049 3525 y(b)n(ut)21 b(we)h(anticipate)f
-(requiring)e(greater)i(control)f(in)h(the)h(future)e(o)o(v)o(er)2049
-3625 y(the)g(e)o(xact)g(order)f(in)h(which)g Fm(Bro)g
-Fs(in)m(v)n(ok)o(es)f(multiple)h(handlers.)2049 3914
-y Ft(4)119 b(Implementation)30 b(issues)2049 4103 y Fs(W)-7
-b(e)24 b(implemented)c(the)j(Bro)g(e)n(v)o(ent)e(engine)h(and)g(script)
-g(interpreter)2049 4203 y(in)35 b(C++,)k(currently)33
-b(about)g(27,000)g(lines.)69 b(In)34 b(this)i(section)e(we)2049
-4302 y(discuss)40 b(some)f(of)g(the)g(signi\002cant)g(implementation)e
-(decisions)2049 4402 y(and)29 b(tradeof)n(fs.)53 b(W)-7
-b(e)31 b(defer)e(to)h Fi(x)g Fs(5)g(discussion)f(of)h(ho)n(w)f(Bro)h
-(de-)2049 4502 y(fends)i(against)f(attacks)h(on)g(the)g(monitoring)e
-(system,)35 b(and)d(post-)2049 4601 y(pone)23 b(application-speci\002c)
-f(issues)k(until)e Fi(x)g Fs(6,)i(as)f(that)f(discussion)2049
-4701 y(bene\002ts)c(from)f(notions)g(de)n(v)o(eloped)f(in)i
-Fi(x)h Fs(5.)2132 4802 y Fl(Use)26 b(of)f(C++.)41 b Fs(Our)25
-b(use)g(of)g(C++)h(w)o(as)g(moti)n(v)n(ated)d(by)i(our)g(suc-)2049
-4902 y(cessful)33 b(e)o(xperience)d(with)j(using)f(it)h(for)f
-(implementing)e(another)2049 5001 y(e)n(v)o(ent-oriented)j(script)j
-(interpreter)m(,)i(the)e(Glish)g(\223softw)o(are)f(b)n(us\224)2049
-5101 y([PS93)o(].)29 b(F)o(or)21 b(Bro,)h(this)g(has)f(been)g(a)h
-(clear)f(success.)29 b(Class)23 b(hierar)n(-)2049 5201
-y(chies)g(map)f(well)i(to)e(protocol)f(layers,)i(which)g(then)f
-(simpli\002es)h(e)o(x-)2049 5300 y(tending)e(the)i(e)n(v)o(ent)e
-(engine)h(and)g(script)g(interpreter)-5 b(.)31 b(W)-7
-b(e)24 b(ha)n(v)o(e)e(not)2049 5400 y(percei)n(v)o(ed)17
-b(an)o(y)h(performance)e(problems)i(related)g(to)i(the)f(choice)f(of)
-1929 5649 y(8)p eop
-%%Page: 9 9
-9 8 bop -150 -104 a Fs(C++;)19 b(the)e(choice)g(of)g(interpreting)e(v)o
-(ersus)i(compiling)f(\(see)i(belo)n(w\))-150 -5 y(is)j(clearly)f(a)g
-(more)g(dominant)e(ef)n(fect.)-67 99 y Fl(Single-thr)o(eaded)k(design.)
-37 b Fs(Since)23 b(e)n(v)o(ent)g(handling)f(lies)i(at)h(the)-150
-199 y(heart)20 b(of)g(the)g(system,)h(it)g(is)g(natural)f(to)g
-(consider)f(a)i(multi-threaded)-150 298 y(design,)e(with)h(one)f
-(thread)g(per)h(acti)n(v)o(e)f(e)n(v)o(ent)g(handler)-5
-b(.)24 b(W)-7 b(e)21 b(ha)n(v)o(e)e(so)-150 398 y(f)o(ar)25
-b(resisted)g(this)g(approach,)e(because)h(of)h(concerns)e(that)i(it)h
-(could)-150 498 y(lead)20 b(to)g(subtle)h(race)e(conditions)g(in)i
-Fm(Bro)f Fs(scripts.)-67 602 y(An)25 b(important)f(consequence)e(of)j
-(a)h(single-threaded)c(design)j(is)-150 701 y(that)j(the)g(system)g
-(must)g(be)g(careful)f(before)g(initiating)g(an)o(y)g(acti)n(v-)-150
-801 y(ity)h(that)g(may)f(potentially)f(block)h(w)o(aiting)h(for)f(a)h
-(resource,)g(lead-)-150 900 y(ing)d(to)h(pack)o(et)f(\002lter)h(drops)e
-(as)j(the)e(engine)g(f)o(ails)h(to)g(consume)e(in-)-150
-1000 y(coming)g(traf)n(\002c.)41 b(A)26 b(particular)e(concern)g(is)i
-(performing)d(Domain)-150 1100 y(Name)18 b(System)h(\(DNS\))f(lookups,)
-f(which)h(can)g(tak)o(e)g(man)o(y)f(seconds)-150 1199
-y(to)24 b(complete)e(or)i(time)g(out.)35 b(Currently)-5
-b(,)22 b(Bro)i(only)f(performs)f(such)-150 1299 y(lookups)k(when)h
-(parsing)g(its)i(input)e(\002le,)j(b)n(ut)e(we)g(w)o(ant)g(in)f(the)h
-(fu-)-150 1399 y(ture)19 b(to)g(be)f(able)h(to)g(mak)o(e)f(address)h
-(and)f(hostname)g(translations)g(on)-150 1498 y(the)23
-b(\003y)-5 b(,)22 b(both)g(to)h(generate)e(clearer)h(messages,)h(and)f
-(to)h(detect)g(cer)n(-)-150 1598 y(tain)17 b(types)f(of)h(attacks.)24
-b(Consequently)-5 b(,)15 b(Bro)i(includes)f(customized)-150
-1697 y(non-blocking)d(DNS)18 b(routines)e(that)i(perform)d(DNS)j
-(lookups)d(asyn-)-150 1797 y(chronously)-5 b(.)-67 1901
-y(W)e(e)22 b(may)e(yet)h(adopt)f(a)h(multi-threaded)d(design.)26
-b(A)c(more)e(lik)o(ely)-150 2001 y(possibility)42 b(is)h(e)n(v)n
-(olving)e(Bro)h(to)n(w)o(ards)g(a)h(distrib)n(uted)e(design,)-150
-2100 y(in)28 b(which)f(loosely-coupled,)f(multiple)h(Bro')-5
-b(s)29 b(on)e(separate)g(hosts)-150 2200 y(monitor)17
-b(the)h(same)g(netw)o(ork)f(link.)24 b(Each)18 b(Bro)g(w)o(ould)f(w)o
-(atch)i(a)f(dif-)-150 2299 y(ferent)k(type)f(of)i(traf)n(\002c)f
-(\(e.g.,)f(HTTP)i(or)f(NFS\))h(and)f(communicate)-150
-2399 y(only)c(at)h(a)g(high)e(le)n(v)o(el,)i(to)f(con)m(v)o(e)o(y)e
-(current)i(threat)g(information.)1732 2369 y Fn(3)1791
-2399 y Fs(A)-150 2499 y(further)i(e)o(xtension)f(of)i(this)h(notion)e
-(is)i(a)g(more)e(general)g(distrib)n(uted)-150 2598 y(design,)25
-b(in)f(which)g(multiple)g(Bro')-5 b(s)25 b(w)o(atch)g(multiple)f
-(links,)h(parti-)-150 2698 y(tioning)i(the)h(monitoring)d(w)o(orkload;)
-30 b(and)e(also)g(interacting)e(with)-150 2798 y(host-based)18
-b(agents.)24 b(Others)19 b(ha)n(v)o(e)g(recently)f(also)i(be)o(gun)d
-(pursuing)-150 2897 y(distrib)n(uted)i(architectures)g([Ci99)o(,)i
-(In99)n(].)-67 3001 y Fl(Managing)27 b(timers.)49 b Fs(Bro)28
-b(uses)g(numerous)e(timers)i(internally)-150 3101 y(for)18
-b(operations)g(such)g(as)i(timing)f(out)f(a)i(connection)c
-(establishment)-150 3200 y(attempt.)57 b(It)31 b(sometimes)g(has)g
-(thousands)e(of)i(timers)g(pending)e(at)-150 3300 y(a)g(gi)n(v)o(en)f
-(moment.)50 b(Consequently)-5 b(,)29 b(it)h(is)g(important)d(that)i
-(timers)-150 3400 y(be)j(v)o(ery)g(lightweight:)49 b(quick)31
-b(to)i(set)g(and)f(to)h(e)o(xpire.)60 b(Our)33 b(ini-)-150
-3499 y(tial)f(implementation)e(used)h(a)h(single)f(priority)g(heap,)i
-(which)e(we)-150 3599 y(found)d(attracti)n(v)o(e)h(since)h(insert)g
-(and)f(delete)h(operations)e(both)h(re-)-150 3699 y(quire)19
-b(only)f Fj(O)r Fc(\(log)q(\()p Fj(N)9 b Fc(\)\))21 b
-Fs(time)f(if)f(the)h(heap)f(contains)f Fj(N)29 b Fs(elements.)-150
-3798 y(Ho)n(we)n(v)o(er)m(,)22 b(we)i(found)e(that)h(when)g(the)h(heap)
-f(gro)n(ws)f(quite)i(lar)o(ge\227)-150 3898 y(such)29
-b(as)g(during)f(a)h(hostile)g(port)f(scan)h(that)g(creates)g(hundreds)e
-(of)-150 3997 y(ne)n(w)d(connections)e(each)i(second\227then)e(this)i
-(o)o(v)o(erhead)e(becomes)-150 4097 y(signi\002cant.)43
-b(Consequently)-5 b(,)25 b(we)i(percei)n(v)o(ed)d(a)j(need)e(to)i
-(redesign)-150 4197 y(timers)21 b(to)g(bring)e(the)i(o)o(v)o(erhead)d
-(closer)i(to)h Fj(O)r Fc(\(1\))p Fs(.)28 b(T)-7 b(o)21
-b(achie)n(v)o(e)e(this,)-150 4296 y(Bro)h(no)n(w)g(uses)h(\223calendar)
-d(queues\224)i(instead)g([Br88)n(].)-67 4400 y(A)36 b(related)e(issue)i
-(with)f(managing)e(timers)j(concerns)d(e)o(xactly)-150
-4500 y(when)15 b(to)i(e)o(xpire)e(timers.)23 b(Bro)16
-b(deri)n(v)o(es)g(its)h(notion)d(of)i(time)h(from)e(the)-150
-4599 y(timestamps)28 b(pro)o(vided)d(by)j Fm(libpcap)g
-Fs(with)g(each)g(pack)o(et)f(it)i(de-)-150 4699 y(li)n(v)o(ers.)d
-(Whene)n(v)o(er)19 b(this)i(clock)f(adv)n(ances)g(to)h(a)g(time)g
-(later)f(than)h(the)-150 4799 y(\002rst)e(element)e(on)g(the)h(timer)g
-(queue,)e(Bro)i(be)o(gins)f(remo)o(ving)e(timers)-150
-4898 y(from)27 b(the)h(queue)f(and)g(processing)g(their)g(e)o
-(xpiration,)h(continuing)-150 4998 y(until)22 b(the)h(queue)e(is)i
-(empty)f(or)g(its)i(\002rst)f(element)f(has)g(a)h(timestamp)p
--150 5086 801 4 v -65 5140 a Fk(3)-30 5163 y Fp(Some)c(systems,)g(such)
-g(as)g(DIDS)g(and)h(CSM,)e(orchestrate)23 b(multiple)e(monitors)-150
-5242 y(w)o(atching)g(multiple)f(netw)o(ork)h(links,)e(in)g(order)g(to)g
-(track)h(users)e(as)h(the)o(y)g(mo)o(v)o(e)g(from)-150
-5321 y(machine)d(to)e(machine)i([MHL94,)d(WFP96].)19
-b(These)c(dif)n(fer)g(from)f(what)g(we)h(en)m(vision)-150
-5400 y(for)i(Bro)g(in)h(that)g(the)o(y)g(require)g(each)h(host)e(in)g
-(the)h(netw)o(ork)h(to)e(run)g(a)g(monitor)l(.)2049 -104
-y Fs(later)29 b(than)f(the)h(current)f(time.)51 b(This)29
-b(approach)d(is)k(\003a)o(wed,)g(ho)n(w-)2049 -5 y(e)n(v)o(er)m(,)i
-(because)e(in)g(some)h(situations\227such)e(as)j(port)e(scans\227the)
-2049 95 y(e)n(v)o(ent)23 b(engine)g(may)g(\002nd)h(it)g(needs)g(to)g(e)
-o(xpire)e(hundreds)g(of)h(timers)2049 194 y(that)29 b(ha)n(v)o(e)e
-(suddenly)g(become)g(due,)j(because)e(the)g(clock)g(has)h(ad-)2049
-294 y(v)n(anced)d(by)h(a)h(lar)o(ge)e(amount)g(due)h(to)g(a)h(lull)g
-(in)f(incoming)f(traf)n(\002c.)2049 394 y(W)-7 b(e)23
-b(a)n(v)n(oid)f(incurring)f(a)h(lar)o(ge)g(processing)f(spik)o(e)h(in)g
-(this)h(situation)2049 493 y(by)e(placing)f(an)h(upper)f(limit)i
-Fj(k)j Fs(on)c(the)g(number)f(of)h(timers)g(e)o(xpired)2049
-593 y(for)16 b(an)o(y)g(single)g(adv)n(ance)f(of)i(the)f(clock.)24
-b(Doing)15 b(so)i(trades)g(of)n(f)f(timer)2049 693 y(e)o(xactness)j
-(for)h(spreading)e(out)h(load.)25 b(Since)20 b(we)g(do)f(not)h(percei)n
-(v)o(e)e(a)2049 792 y(requirement)e(for)i(precise)h(timers,)g(this)g
-(is)h(an)e(acceptable)g(compro-)2049 892 y(mise.)2132
-996 y Fl(Implementing)28 b(r)o(egular)f(expr)o(essions.)47
-b Fs(Bro)28 b(uses)g(a)g(custom)2049 1095 y(re)o(gular)n(-e)o
-(xpression)e(matching)i(library)-5 b(,)30 b(rather)e(than)h(reusing)g
-(an)2049 1195 y(e)o(xisting)d(one,)i(for)f(tw)o(o)g(reasons.)46
-b(First,)29 b(we)e(were)g(unable)f(to)i(lo-)2049 1294
-y(cate)33 b(a)h(high)e(performance)f(re)o(gular)g(e)o(xpression)h
-(library)g(with)h(a)2049 1394 y(redistrib)n(ution)25
-b(license)h(we)h(found)e(acceptable.)43 b(In)26 b(addition,)h(in-)2049
-1494 y(trusion)20 b(detection)f(pattern-matching)e(dif)n(fers)j(from)f
-(more)h(typical)2049 1593 y(te)o(xt)g(matching)f(in)h(tw)o(o)h(w)o
-(ays.)2132 1697 y(First,)26 b(we)g(w)o(ant)e(the)h(ability)g(to)g
-(match)f(te)o(xt)g(piecemeal,)h(so)g(we)2049 1797 y(can)19
-b(feed)f(the)h(matcher)e(ne)n(w)i(chunks)e(of)i(te)o(xt)g(as)g(the)o(y)
-f(arri)n(v)o(e,)g(with-)2049 1896 y(out)23 b(ha)n(ving)g(to)h
-(construct)f(a)h(cop)o(y)f(of)g(the)h(entire)f(string)g(to)h(match.)
-2049 1996 y(Second,)31 b(we)e(anticipate)g(matching)f(sets)j(of)e
-(patterns)g(and)g(w)o(ant-)2049 2096 y(ing)g(to)h(kno)n(w)f(which)g
-(subset)h(were)f(matched)g(by)g(a)h(gi)n(v)o(en)e(set)j(of)2049
-2195 y(te)o(xt,)26 b(and)f(for)g(performance)e(reasons)i(we)h(w)o(ant)g
-(to)f(do)h(the)f(match)2049 2295 y(with)20 b(a)f(single)h(\002nite)f
-(automaton)f(rather)g(than)h(trying)f(each)h(pattern)2049
-2395 y(sequentially)-5 b(.)2132 2498 y(Since)22 b(we)h(had)f(e)o
-(xperience)e(writing)h(a)i(high)e(performance)f(re)o(g-)2049
-2598 y(ular)28 b(e)o(xpression)e(compiler)h([P)o(a96)n(],)j(and)e(one)f
-(that)h(already)f(sup-)2049 2698 y(ported)22 b(the)i(second)e(of)h(the)
-h(abo)o(v)o(e)d(requirements,)h(we)i(decided)e(to)2049
-2797 y(tak)o(e)f(that)g(compiler)f(and)g(reimplement)f(it)j(in)f(C++)g
-(to)g(\002t)h(into)f(Bro.)2049 2897 y(Doing)k(so)h(w)o(as)g(actually)f
-(considerably)e(easier)j(than)f(anticipated,)2049 2996
-y(and)30 b(the)g(only)g(remaining)f(piece)h(for)g(supporting)e(the)i
-(abo)o(v)o(e)f(re-)2049 3096 y(quirements)19 b(no)n(w)g(is)i(the)f
-(corresponding)d(Bro)j(interpreter)f(modi\002-)2049 3196
-y(cations.)2132 3300 y(One)24 b(\002nal)h(f)o(acet)f(of)g(implementing)
-e(re)o(gular)h(e)o(xpressions)f(con-)2049 3399 y(cerns)36
-b(caching:)55 b(we)36 b(emplo)o(y)f(a)h(lar)o(ge)f(number)f(of)h
-(patterns)g(in)2049 3499 y(our)29 b(analysis)g(\(particularly)f(for)h
-(scanning)f(interacti)n(v)o(e)g(sessions,)2049 3598 y(as)33
-b(discussed)f(in)g Fi(x)h Fs(6.5\).)60 b(These)32 b(can)g(tak)o(e)g(a)h
-(lar)o(ge)e(amount)g(of)2049 3698 y(CPU)24 b(time)e(\(minutes\))g(to)h
-(compile,)f(which)g(is)h(problematic)e(when)2049 3798
-y(we)j(w)o(ant)f(to)h(start)g(up)f(the)g(monitor)f(quickly)-5
-b(.)33 b(Consequently)-5 b(,)21 b(Bro)2049 3897 y(maintains)36
-b(a)g(cache)g(of)g(pre)n(viously-compiled)c(re)o(gular)j(e)o(xpres-)
-2049 3997 y(sions,)d(and)d(if)h(called)f(upon)f(to)i(compile)f(one)g
-(that)g(is)i(already)d(in)2049 4097 y(the)j(cache,)j(simply)d(loads)g
-(the)g(compiled)f(v)o(ersion,)i(taking)f(v)o(ery)2049
-4196 y(little)21 b(time.)2132 4300 y Fl(Inter)o(pr)o(eting)g(vs.)31
-b(compiling)o(.)g Fs(Presently)-5 b(,)21 b(Bro)h(interprets)g(the)2049
-4400 y(polic)o(y)j(script:)38 b(that)27 b(is,)i(it)e(parses)g(the)f
-(script)h(into)f(a)h(tree)g(of)f(C++)2049 4499 y(objects)i(that)h
-(re\003ect)f(an)g(abstract)g(syntax)g(tree)g(\(AST\),)g(and)g(then)2049
-4599 y(e)o(x)o(ecutes)i(portions)g(of)h(the)g(tree)g(as)h(needed)e(by)h
-(in)m(v)n(oking)e(a)j(vir)n(-)2049 4698 y(tual)27 b(e)n(v)n(aluation)f
-(method)f(at)j(the)f(root)f(of)h(a)h(gi)n(v)o(en)d(subtree.)45
-b(This)2049 4798 y(method)17 b(in)h(turn)g(recursi)n(v)o(ely)e(in)m(v)n
-(ok)o(es)i(e)n(v)n(aluation)e(methods)i(on)g(its)2049
-4898 y(children.)2132 5001 y(Such)32 b(a)g(design)g(has)g(the)g
-(virtues)g(of)g(simplicity)g(and)f(ease)i(of)2049 5101
-y(deb)n(ugging,)24 b(b)n(ut)h(comes)g(at)h(the)f(cost)h(of)f
-(considerable)e(o)o(v)o(erhead.)2049 5201 y(From)h(its)h(inception,)f
-(we)h(intended)e Fm(Bro)h Fs(to)h(readily)e(admit)h(com-)2049
-5300 y(pilation)29 b(to)h(a)f(lo)n(w-le)n(v)o(el)g(virtual)g(machine.)
-51 b(Ex)o(ecution)28 b(pro\002les)2049 5400 y(of)h(the)f(current)g
-(implementation)f(indicate)h(that)h(the)g(interpreti)n(v)o(e)1929
-5649 y(9)p eop
-%%Page: 10 10
-10 9 bop -150 -104 a Fs(o)o(v)o(erhead)17 b(is)j(indeed)e
-(signi\002cant,)h(so)h(we)g(anticipate)f(de)n(v)o(eloping)d(a)-150
--5 y(compiler)23 b(and)h(optimizer)-5 b(.)36 b(\(The)23
-b(current)g(interpreter)g(does)h(some)-150 95 y(simple)40
-b(constant)f(folding)g(and)g(peephole)g(optimization)f(when)-150
-194 y(b)n(uilding)19 b(the)h(AST)-6 b(,)20 b(b)n(ut)g(no)g(more.\))-67
-298 y(Using)25 b(an)f(interpreter)f(also)i(inadv)o(ertently)d
-(introduced)g(an)j(im-)-150 398 y(plementation)k(problem.)55
-b(By)31 b(structuring)e(the)i(interpreter)e(such)-150
-497 y(that)23 b(it)h(recursi)n(v)o(ely)d(in)m(v)n(ok)o(es)h(virtual)g
-(e)n(v)n(aluation)f(methods)h(on)h(the)-150 597 y(AST)-6
-b(,)23 b(we)h(wind)e(up)h(intricately)f(tying)h(the)g
-Fm(Bro)g Fs(e)n(v)n(aluation)e(stack)-150 697 y(with)i(the)h(C++)f
-(run-time)f(stack.)34 b(Consequently)-5 b(,)22 b(we)h(cannot)f(eas-)
--150 796 y(ily)f(b)n(undle)e(up)h(a)h Fm(Bro)f Fs(function')-5
-b(s)19 b(e)o(x)o(ecution)f(state)j(into)f(a)h(closure)-150
-896 y(to)i(e)o(x)o(ecute)f(at)i(some)f(later)g(point)f(in)i(time.)34
-b(Y)-8 b(et)23 b(we)h(w)o(ould)e(lik)o(e)h(to)-150 996
-y(ha)n(v)o(e)g(this)g(functionality)-5 b(,)21 b(so)j
-Fm(Bro)f Fs(scripts)g(ha)n(v)o(e)g(timers)g(a)n(v)n(ailable)-150
-1095 y(to)e(them;)f(the)h(semantics)f(of)h(these)f(timers)h(are)g(to)f
-(e)o(x)o(ecute)g(a)h(block)-150 1195 y(of)k(statements)h(when)f(a)i
-(timer)e(e)o(xpires,)h(including)e(access)j(to)f(the)-150
-1294 y(local)j(v)n(ariables)g(of)g(the)h(function)e(or)h(e)n(v)o(ent)f
-(handler)g(scheduling)-150 1394 y(the)23 b(timer)-5 b(.)35
-b(Therefore,)22 b(adding)g(timers)h(to)h Fm(Bro)f Fs(will)h(require)e
-(at)i(a)-150 1494 y(minimum)g(implementing)g(an)i(e)o(x)o(ecution)d
-(stack)j(for)f Fm(Bro)h Fs(scripts)-150 1593 y(separate)20
-b(from)f(that)h(of)g(the)g(interpreter)-5 b(.)-67 1697
-y Fl(Checkpointing)o(.)30 b Fs(W)-7 b(e)23 b(run)e(Bro)h(continuously)e
-(to)i(monitor)e(our)-150 1797 y(DMZ)d(netw)o(ork.)22
-b(Ho)n(we)n(v)o(er)m(,)16 b(we)h(need)f(to)h(periodically)e(checkpoint)
--150 1896 y(its)24 b(operation,)e(both)h(to)g(reclaim)g(memory)f(tied)h
-(up)g(in)g(remember)n(-)-150 1996 y(ing)16 b(state)h(for)f
-(long-dormant)d(connections)h(\(because)h(we)i(don')o(t)e(yet)-150
-2096 y(ha)n(v)o(e)j(timers)i(in)f(the)g(scripting)f(language;)g(see)h
-(abo)o(v)o(e\),)e(and)i(to)g(col-)-150 2195 y(lect)i(a)f(snapshot)f
-(for)h(archi)n(ving)e(and)h(of)n(f-line)g(analysis)h(\(discussed)-150
-2295 y(belo)n(w\).)-67 2399 y(Checkpointing)15 b(is)j(currently)e(a)i
-(three-stage)e(process.)24 b(First,)18 b(we)-150 2498
-y(run)27 b(a)g(ne)n(w)h(instance)f(of)g(Bro)g(that)h(parses)f(the)g
-(polic)o(y)g(script)g(and)-150 2598 y(resolv)o(es)d(all)h(of)f(the)g
-(DNS)h(names)f(in)h(it.)38 b(Because)24 b(we)h(ha)n(v)o(e)f(non-)-150
-2698 y(blocking)e(DNS)j(routines,)f(Bro)h(can)f(perform)e(a)j(lar)o(ge)
-e(number)g(of)-150 2797 y(lookups)30 b(in)h(parallel,)i(as)f(well)f(as)
-h(timing)f(out)f(lookup)g(attempts)-150 2897 y(whene)n(v)o(er)c(it)i
-(chooses.)47 b(F)o(or)27 b(each)h(lookup,)f(it)i(compares)d(the)i(re-)
--150 2996 y(sults)e(with)e(an)o(y)g(it)i(may)e(ha)n(v)o(e)g(pre)n
-(viously)f(cached)g(and)i(generates)-150 3096 y(corresponding)19
-b(e)n(v)o(ents)k(\(mapping)d(v)n(alid,)j(mapping)e(un)m(v)o(eri\002ed)f
-(if)-150 3196 y(it)25 b(had)e(to)i(time)f(out)g(the)g(lookup,)f(or)h
-(mapping)e(changed\).)35 b(It)24 b(then)-150 3295 y(updates)19
-b(the)i(DNS)f(cache)g(\002le)h(and)f(e)o(xits.)-67 3399
-y(In)25 b(the)h(second)e(stage,)j(we)f(run)e(another)g(instance)h(of)g
-(Bro,)i(this)-150 3499 y(time)j(specifying)e(that)i(it)g(should)e(only)
-h(consult)g(the)h(DNS)g(cache)-150 3598 y(and)15 b(not)g(perform)f
-(lookups.)21 b(Because)16 b(it)g(w)o(orks)f(directly)g(out)g(of)h(the)
--150 3698 y(cache,)27 b(it)g(starts)g(v)o(ery)e(quickly)-5
-b(.)42 b(After)26 b(w)o(aiting)g(a)h(short)f(interv)n(al,)-150
-3798 y(we)k(then)e(send)h(a)h(signal)f(to)g(the)g(long-running)c(Bro)30
-b(telling)f(it)g(to)-150 3897 y(terminate.)24 b(When)c(it)h(e)o(xits,)f
-(the)g(checkpointing)d(is)22 b(complete.)-67 4001 y(W)-7
-b(e)31 b(\002nd)f(the)g(checkpointing)d(de\002cient)j(in)g(tw)o(o)h(w)o
-(ays.)55 b(First,)-150 4101 y(it)26 b(w)o(ould)f(be)h(simpler)f(to)h
-(coordinate)e(a)i(checkpoint)d(if)j(a)g(ne)n(w)g(in-)-150
-4200 y(stance)33 b(of)g(Bro)g(could)f(directly)g(signal)h(an)g(old)g
-(instance)g(to)g(an-)-150 4300 y(nounce)20 b(that)h(it)i(is)f(ready)f
-(to)g(tak)o(e)h(o)o(v)o(er)e(monitoring.)27 b(Second,)20
-b(and)-150 4400 y(more)25 b(important,)g(currently)f(no)h(state)i
-(survi)n(v)o(es)d(the)i(checkpoint-)-150 4499 y(ing.)43
-b(In)26 b(particular)m(,)h(if)f(the)h(older)e(Bro)i(has)f(identi\002ed)
-g(some)g(sus-)-150 4599 y(pect)f(acti)n(vity)g(and)g(is)i(w)o(atching)e
-(it)h(particularly)e(closely)h(\(say)-5 b(,)26 b(by)-150
-4698 y(recording)16 b(all)i(of)g(its)h(pack)o(ets\),)f(this)h
-(information)c(is)k(lost)g(when)f(the)-150 4798 y(ne)n(w)i(Bro)g(tak)o
-(es)h(o)o(v)o(er)-5 b(.)24 b(Clearly)-5 b(,)19 b(we)i(need)e(to)i
-(\002x)f(this.)-67 4902 y Fl(Off-line)30 b(analysis.)56
-b Fs(As)31 b(mentioned)e(abo)o(v)o(e,)i(one)f(reason)g(for)-150
-5001 y(checkpointing)j(the)i(system)h(is)h(to)f(f)o(acilitate)g(of)n
-(f-line)e(analysis.)-150 5101 y(The)24 b(\002rst)i(step)f(of)f(this)h
-(analysis)g(is)g(to)g(cop)o(y)f(the)g Fm(libpcap)g Fs(sa)n(v)o(e)-150
-5201 y(\002le)k(and)g(an)o(y)e(\002les)j(generated)d(by)h(the)h(polic)o
-(y)f(script)h(to)f(an)h(anal-)-150 5300 y(ysis)h(machine.)46
-b(Our)28 b(polic)o(y)f(script)h(generates)f(six)h(such)g(\002les:)41
-b(a)-150 5400 y(summary)24 b(of)h(all)h(connection)d(acti)n(vity)-5
-b(,)25 b(including)f(starting)h(time,)2049 -104 y(duration,)c(size)i
-(in)f(each)g(direction,)f(protocol,)g(IP)h(addresses,)g(con-)2049
--5 y(nection)i(state,)j(and)e(an)o(y)f(additional)g(information)f
-(\(such)i(as)h(user)n(-)2049 95 y(name,)21 b(when)g(identi\002ed\);)h
-(a)g(summary)e(of)h(the)h(netw)o(ork)e(interf)o(ace)2049
-194 y(and)30 b(pack)o(et)g(\002lter)i(statistics;)37
-b(a)31 b(list)h(of)f(all)g(generated)e(log)i(mes-)2049
-294 y(sages;)f(summaries)c(of)g(Finger)f(and)h(FTP)h(commands;)h(and)e
-(a)g(list)2049 394 y(of)20 b(all)h(unusual)e(netw)o(orking)f(e)n(v)o
-(ents.)2132 498 y(Re)o(garding)k(this)j(last,)h(the)e(e)n(v)o(ent)g
-(engine)f(identi\002es)i(more)e(than)2049 598 y(70)17
-b(dif)n(ferent)f(types)h(of)g(unusual)f(beha)n(vior)m(,)f(such)j(as)g
-(incorrect)d(con-)2049 697 y(nection)h(initiations)h(and)f
-(terminations,)g(checksum)g(errors,)g(pack)o(et)2049
-797 y(length)h(mismatches,)h(and)f(protocol)f(violations.)24
-b(F)o(or)17 b(each,)h(it)g(gen-)2049 896 y(erates)g(a)h
-Fm(conn)p 2522 896 25 4 v 29 w(weird)f Fs(or)g Fm(net)p
-3057 896 V 29 w(weird)g Fs(e)n(v)o(ent,)f(identifying)g(the)2049
-996 y(beha)n(vior)25 b(with)j(a)f(prede\002ned)e(string.)46
-b(Our)26 b(polic)o(y)g(script)i(uses)f(a)2049 1096 y
-Fm(table[string])47 b(of)j(count)19 b Fs(to)h(map)f(these)h(strings)f
-(to)h(one)2049 1195 y(of)j(\223ignore,)-6 b(\224)22 b(\223\002le,)-6
-b(\224)24 b(\223log)e(al)o(w)o(ays,)-6 b(\224)24 b(\223log)f(once)f
-(per)h(connection,)-6 b(\224)2049 1295 y(and)26 b(\223log)f(once)h(per)
-g(originating)e(source)h(address,)-6 b(\224)27 b(meaning)e(ig-)2049
-1395 y(nore)e(the)i(beha)n(vior)e(entirely)-5 b(,)23
-b(record)g(it)i(to)g(the)f(anomaly)f(\002le,)j(log)2049
-1494 y(it)f(\(real-time)f(noti\002cation\))f(and)h(record)f(it)j(to)f
-(the)f(\002le,)i(and)f(log)f(it)2049 1594 y(b)n(ut)i(only)g(the)g
-(\002rst)h(time)f(it)h(occurs)f(for)f(the)i(gi)n(v)o(en)e(connection)f
-(or)2049 1693 y(the)16 b(gi)n(v)o(en)e(source)i(address.)23
-b(Some)15 b(anomalies)g(pro)o(v)o(e)f(surprisingly)2049
-1793 y(common,)j(and)i(on)g(a)g(typical)g(day)g(the)g(anomaly)e(\002le)
-j(contains)f(se)n(v-)2049 1893 y(eral)k(thousand)e(entries,)j(e)n(v)o
-(en)e(though)f(our)i(script)g(suppresses)f(du-)2049 1992
-y(plicate)h(messages.)32 b(\(See)23 b Fi(x)g Fs(7.3)f(belo)n(w)g(for)g
-(further)f(discussion)h(of)2049 2092 y(anomalies.\))2132
-2196 y(All)i(of)e(the)h(copied)f(\002les)h(thus)g(form)f(an)h(archi)n
-(v)n(al)f(record)f(of)i(the)2049 2296 y(day')-5 b(s)17
-b(traf)n(\002c.)23 b(W)-7 b(e)18 b(k)o(eep)e(these)h(\002les)h
-(inde\002nitely)-5 b(.)22 b(The)o(y)16 b(can)g(pro)o(v)o(e)2049
-2395 y(in)m(v)n(aluable)28 b(when)i(we)h(disco)o(v)o(er)e(a)h(break-in)
-f(that)h(\002rst)i(occurred)2049 2495 y(weeks)19 b(or)f(months)g(in)h
-(the)g(past.)25 b(In)18 b(addition,)g(once)g(we)h(ha)n(v)o(e)f(iden-)
-2049 2595 y(ti\002ed)25 b(an)f(attacking)g(site,)i(we)f(can)f(run)g(it)
-h(through)e(the)h(archi)n(v)o(e)f(to)2049 2694 y(\002nd)c(an)o(y)f
-(other)h(hosts)g(it)h(may)f(ha)n(v)o(e)g(attack)o(ed)f(that)i(the)f
-(monitoring)2049 2794 y(f)o(ailed)j(to)g(detect)g(\(for)f(e)o(xample,)g
-(the)h(attack)o(er)f(has)i(obtained)d(a)i(list)2049 2894
-y(of)e(passw)o(ords)g(using)f(a)i(passw)o(ord-snif)n(fer\).)2132
-2998 y(Finally)-5 b(,)28 b(the)f(of)n(f-line)f(analysis)h(generates)f
-(a)i(traf)n(\002c)f(summary)2049 3097 y(highlighting)14
-b(the)i(b)n(usiest)h(hosts)f(and)g(gi)n(ving)e(the)j(v)n(olume)e
-(\(number)2049 3197 y(of)23 b(connections)e(and)i(bytes)g
-(transferred\))e(due)i(to)h(dif)n(ferent)d(appli-)2049
-3297 y(cations.)27 b(As)22 b(of)f(this)g(writing,)g(on)f(a)i(typical)e
-(day)h(our)f(site)i(engages)2049 3396 y(in)k(about)e(1,200,000)f
-(connections)g(transferring)h(40)h(GB)i(of)e(data.)2049
-3496 y(The)e(great)g(majority)g(\(75\22680\045\))e(of)i(the)h
-(connections)e(are)h(HTTP;)2049 3596 y(the)28 b(highest)f(byte)g(v)n
-(olume)f(comes)h(from)g(HTTP)-9 b(,)27 b(FTP)h(data,)h(and)2049
-3695 y(sometimes)20 b(the)g(NFS)h(netw)o(ork)e(\002le)i(system.)2049
-4001 y Ft(5)119 b(Attacks)30 b(on)g(the)g(monitor)2049
-4195 y Fs(In)21 b(this)i(section)e(we)h(discuss)g(the)g(dif)n(\002cult)
-f(problem)f(of)h(defending)2049 4295 y(the)h(monitor)f(against)h
-(attacks)h(upon)e(itself.)32 b(W)-7 b(e)24 b(defer)d(discussion)2049
-4394 y(of)26 b(Bro')-5 b(s)27 b(application-speci\002c)d(processing)h
-(until)h(after)g(this)h(sec-)2049 4494 y(tion,)c(because)g(elements)g
-(of)g(that)g(processing)f(re\003ect)h(attempts)g(to)2049
-4594 y(defeat)d(the)g(types)g(of)g(attacks)g(we)h(describe)e(here.)2132
-4698 y(As)28 b(discussed)f(in)g Fi(x)g Fs(1,)i(we)e(assume)g(that)h
-(such)e(attack)o(ers)h(ha)n(v)o(e)2049 4798 y(full)c(access)g(to)h(the)
-f(monitor')-5 b(s)21 b(algorithms)h(and)h(source)f(code;)i(b)n(ut)2049
-4897 y(also)e(that)f(the)o(y)g(ha)n(v)o(e)g(control)f(o)o(v)o(er)g
-(only)h(one)g(of)g(the)h(tw)o(o)f(connec-)2049 4997 y(tion)g
-(endpoints.)26 b(In)21 b(addition,)f(we)i(assume)f(that)g(the)h(crack)o
-(er)e(does)2049 5096 y Fr(not)f Fs(ha)n(v)o(e)e(access)h(to)g(the)g
-Fm(Bro)f Fs(polic)o(y)g(script,)h(which)f(each)g(site)i(will)2049
-5196 y(ha)n(v)o(e)h(customized,)e(and)i(should)f(k)o(eep)h(well)g
-(protected.)2132 5300 y(While)c(pre)n(vious)f(w)o(ork)g(has)h
-(addressed)f(the)h(general)f(problem)f(of)2049 5400 y(testing)29
-b(intrusion)g(detection)f(systems)i([PZCMO96)o(],)h(this)f(w)o(ork)1908
-5649 y(10)p eop
-%%Page: 11 11
-11 10 bop -150 -104 a Fs(has)19 b(focused)e(on)h(correctness)f(of)h
-(the)g(system)h(in)f(terms)h(of)f(whether)-150 -5 y(it)23
-b(does)f(indeed)f(recognize)f(the)j(attacks)f(claimed.)30
-b(T)-7 b(o)22 b(our)g(kno)n(wl-)-150 95 y(edge,)i(the)h(\002rst)g
-(discussion)f(in)g(the)g(literature)g(speci\002cally)g(aimed)-150
-194 y(at)16 b(the)f(problem)e(of)i(attack)o(ers)g(sub)o(v)o(erting)e(a)
-j(netw)o(ork)e(intrusion)g(de-)-150 294 y(tection)24
-b(system)h(w)o(as)h(the)f(concurrent)d(publication)h(of)i(the)g
-(earlier)-150 394 y(v)o(ersion)16 b(of)h(this)h(paper)e([P)o(a98)o(])i
-(and)e(that)i(of)f(Ptacek)g(and)g(Ne)n(wsham)-150 493
-y([PN98)o(].)-67 595 y(The)34 b(second)f(of)h(these)g(is)h(the)f(more)g
-(thorough,)g(being)f(com-)-150 695 y(pletely)17 b(de)n(v)n(oted)f(to)h
-(the)g(topic.)24 b(The)17 b(authors)f(consider)g(three)h(types)-150
-794 y(of)i(attacks,)g(\223insertion,)-6 b(\224)18 b(in)h(which)g(the)g
-(attack)o(er)f(attempts)h(to)g(mis-)-150 894 y(lead)32
-b(the)h(monitor)e(into)h(accepting)f(traf)n(\002c)i(that)f(the)h
-(destination)-150 994 y(end-system)24 b(rejects;)j(\223e)n(v)n(asion,)
--6 b(\224)25 b(in)g(which)f(the)h(monitor)e(f)o(ails)i(to)-150
-1093 y(accept)31 b(traf)n(\002c)g(that)h(the)f(end-system)f(does)h(in)h
-(f)o(act)f(accept;)37 b(and)-150 1193 y(denial-of-service,)28
-b(in)i(which)f(the)g(attack)o(er)g(attempts)g(to)h(e)o(xploit)-150
-1293 y(a)21 b(monitor')-5 b(s)20 b(proacti)n(v)o(e)f(mechanisms)h
-(\(such)h(as)g(terminating)e(con-)-150 1392 y(nections)i(belonging)f
-(to)i(an)g(apparent)e(attack\))i(in)g(order)e(to)i(disrupt)-150
-1492 y(le)o(gitimate)e(uses)g(of)g(the)g(netw)o(ork.)-67
-1594 y(F)o(or)k(our)f(purposes,)h(ho)n(we)n(v)o(er)m(,)e(we)j(use)f(a)h
-(dif)n(ferent)d(attack)i(tax-)-150 1693 y(onomy)-5 b(,)34
-b(because)f(we)h(focus)e(on)h(designing)f(monitors)g(to)i(resist)-150
-1793 y(these)18 b(attacks.)25 b(W)-7 b(e)19 b(classify)g(netw)o(ork)e
-(monitor)g(attacks)h(into)g(three)-150 1893 y(cate)o(gories:)31
-b Fr(o)o(verload)p Fs(,)23 b Fr(cr)o(ash)p Fs(,)h(and)f
-Fr(subterfug)o(e)p Fs(.)35 b(The)23 b(remainder)-150
-1992 y(of)17 b(this)g(section)g(de\002nes)g(each)f(cate)o(gory)f(and)i
-(brie\003y)f(discusses)i(the)-150 2092 y(de)o(gree)h(to)h(which)g(Bro)g
-(meets)g(that)h(class)g(of)f(threat.)-150 2342 y Fh(5.1)99
-b(Ov)o(erload)25 b(attacks)-150 2502 y Fs(W)-7 b(e)24
-b(term)e(an)g(attack)h(as)g(an)f Fr(o)o(verload)i Fs(if)f(the)f(goal)g
-(of)h(the)f(attack)h(is)-150 2601 y(to)f(o)o(v)o(erb)n(urden)d(the)j
-(monitor)f(to)h(the)g(point)g(where)f(it)i(f)o(ails)g(to)f(k)o(eep)-150
-2701 y(up)h(with)g(the)g(data)g(stream)g(it)g(must)h(process.)32
-b(The)23 b(attack)g(has)g(tw)o(o)-150 2801 y(phases,)k(the)g(\002rst)f
-(in)h(which)e(the)i(attack)o(er)e(dri)n(v)o(es)h(the)g(monitor)e(to)
--150 2900 y(the)i(point)f(of)h(o)o(v)o(erload,)f(and)h(the)g(second)f
-(in)h(which)g(the)g(attack)o(er)-150 3000 y(attempts)c(a)h(netw)o(ork)e
-(intrusion.)30 b(The)22 b(monitor)f(w)o(ould)h(ordinarily)-150
-3100 y(detect)i(this)g(second)f(phase,)h(b)n(ut)f(f)o(ails)i(to)f(do)f
-(so\227or)g(at)h(least)h(f)o(ails)-150 3199 y(to)20 b(do)f(so)h(with)g
-(some)g(non-ne)o(gligible)c(probability\227because)g(it)21
-b(is)-150 3299 y(no)27 b(longer)e(tracking)h(all)h(of)g(the)g(data)g
-(necessary)f(to)h(detect)g(e)n(v)o(ery)-150 3398 y(current)19
-b(threat.)-67 3500 y(It)40 b(is)g(this)g(last)h(consideration,)h(that)e
-(the)f(attack)g(might)g(still)-150 3600 y(be)30 b(detected)e(because)h
-(the)h(monitor)e(w)o(as)j(not)e(suf)n(\002ciently)g(o)o(v)o(er)n(-)-150
-3700 y(whelmed,)18 b(that)g(complicates)g(the)g(use)h(of)f(o)o(v)o
-(erload)e(attacks;)j(so,)g(in)-150 3799 y(turn,)d(this)i(pro)o(vides)d
-(a)i(defensi)n(v)o(e)e(strate)o(gy)-5 b(,)16 b(namely)f(to)i(lea)n(v)o
-(e)g(some)-150 3899 y(doubt)i(as)i(to)f(the)g(e)o(xact)g(po)n(wer)f
-(and)h(typical)g(load)f(of)h(the)g(monitor)-5 b(.)-67
-4001 y(Another)19 b(defensi)n(v)o(e)g(strate)o(gy)g(is)j(for)d(the)i
-(monitor)e(to)h Fr(shed)g(load)-150 4100 y Fs(when)26
-b(it)h(becomes)f(unduly)f(stressed)i(\(see)f([CT94)o(])h(for)f(a)h
-(discus-)-150 4200 y(sion)f(of)g(shedding)f(load)h(in)g(a)h(dif)n
-(ferent)e(conte)o(xt\).)41 b(F)o(or)26 b(e)o(xample,)-150
-4300 y(the)21 b(monitor)f(might)h(decide)f(to)i(cease)f(to)h(capture)e
-(HTTP)h(pack)o(ets,)-150 4399 y(as)26 b(these)g(form)e(a)i(high)e
-(proportion)f(of)i(the)g(traf)n(\002c.)40 b(Of)26 b(course,)f(if)-150
-4499 y(the)31 b(attack)o(er)f(kno)n(ws)h(the)g(form)f(of)g
-(load-shedding)e(used)j(by)g(the)-150 4598 y(monitor)m(,)24
-b(then)h(the)o(y)f(can)h(e)o(xploit)f(its)i(consequent)d(blindness)h
-(and)-150 4698 y(launch)19 b(a)i(no)n(w-undetected)c(attack.)-67
-4800 y(F)o(or)29 b(Bro)g(in)h(particular)m(,)f(to)h(de)n(v)o(elop)d(an)
-i(o)o(v)o(erload)e(attack)i(one)-150 4900 y(might)16
-b(be)o(gin)g(by)g(inspecting)g(Figure)g(1)h(to)g(see)h(ho)n(w)e(to)h
-(increase)g(the)-150 4999 y(data)22 b(\003o)n(w)-5 b(.)32
-b(One)23 b(step)g(is)g(to)g(send)f(pack)o(ets)h(that)f(match)h(the)f
-(pack)o(et)-150 5099 y(\002lter;)35 b(another)m(,)30
-b(pack)o(et)f(streams)h(that)g(in)g(turn)f(generate)f(e)n(v)o(ents;)
--150 5198 y(and)20 b(a)g(third,)g(e)n(v)o(ents)f(that)h(lead)h(to)f
-(logging)e(or)i(recording)e(to)i(disk.)-67 5300 y(The)55
-b(\002rst)h(of)f(these)g(is)h(particularly)e(easy)-5
-b(,)63 b(because)55 b(the)-150 5400 y Fm(libpcap)26 b
-Fs(\002lter)i(used)f(by)g(Bro)g(is)h(\002x)o(ed.)45 b(One)27
-b(defense)f(against)2049 -104 y(it)32 b(is)g(to)f(use)g(a)g(hardw)o
-(are)f(platform)f(with)i(suf)n(\002cient)g(processing)2049
--5 y(po)n(wer)23 b(to)h(k)o(eep)g(up)f(with)h(a)h(high)e(v)n(olume)g
-(of)h(\002ltered)g(traf)n(\002c,)g(and)2049 95 y(it)c(w)o(as)h(this)f
-(consideration)e(that)i(lead)g(to)f(our)g(elaborating)f(the)i(goal)2049
-194 y(of)f(\223no)h(pack)o(et)f(\002lter)h(drops\224)e(in)i
-Fi(x)g Fs(1.)25 b(The)19 b(second)g(le)n(v)o(el)h(of)f(attack,)2049
-294 y(causing)h(the)i(engine)e(to)h(generate)f(a)h(lar)o(ge)g(v)n
-(olume)f(of)h(e)n(v)o(ents,)f(is)i(a)2049 394 y(bit)d(more)f(dif)n
-(\002cult)g(to)h(achie)n(v)o(e)f(because)g(Bro)h(e)n(v)o(ents)f(are)h
-(designed)2049 493 y(to)30 b(be)g(lightweight.)53 b(It)30
-b(is)h(only)e(the)h(e)n(v)o(ents)g(for)f(which)g(the)h(pol-)2049
-593 y(ic)o(y)24 b(speci\002es)g(quite)g(a)g(bit)h(of)f(w)o(ork)f(that)h
-(pro)o(vide)e(much)h(le)n(v)o(erage)2049 693 y(for)31
-b(an)h(attack)f(at)i(this)f(le)n(v)o(el,)i(and)d(we)i(do)e
-Fr(not)i Fs(assume)f(that)g(the)2049 792 y(attack)o(er)24
-b(has)i(access)f(to)g(the)g(polic)o(y)f(scripts.)39 b(This)25
-b(same)h(consid-)2049 892 y(eration)20 b(mak)o(es)i(an)f(attack)g(at)h
-(the)f(\002nal)h(le)n(v)o(el\227ele)n(v)n(ating)d(the)i(log-)2049
-991 y(ging)27 b(or)g(recording)e(rate\227dif)n(\002cult,)j(because)f
-(the)h(attack)o(er)f(does)2049 1091 y(not)20 b(necessarily)f(kno)n(w)h
-(which)f(e)n(v)o(ents)h(lead)g(to)g(logging.)2132 1193
-y(Finally)-5 b(,)55 b(to)49 b(help)f(defend)f(against)h(o)o(v)o(erload)
-e(attacks,)56 b(the)2049 1293 y(e)n(v)o(ent)18 b(engine)g(periodically)
-g(generates)g(a)i Fm(net)p 3448 1293 25 4 v 29 w(stats)p
-3727 1293 V 29 w(update)2049 1393 y Fs(e)n(v)o(ent.)59
-b(The)31 b(v)n(alue)g(of)g(this)i(e)n(v)o(ent)d(gi)n(v)o(es)i(the)f
-(number)f(of)i(pack-)2049 1492 y(ets)24 b(recei)n(v)o(ed,)f(the)g
-(number)f(dropped)f(by)i(the)h(pack)o(et)f(\002lter)g(due)g(to)2049
-1592 y(insuf)n(\002cient)h(b)n(uf)n(fer)m(,)g(and)g(the)h(number)e
-(reported)h(dropped)e(by)j(the)2049 1691 y(netw)o(ork)18
-b(interf)o(ace)g(because)g(the)h(k)o(ernel)f(f)o(ailed)g(to)h(consume)f
-(them)2049 1791 y(quickly)27 b(enough.)48 b(Thus,)30
-b Fm(Bro)f Fs(scripts)g(at)g(least)h(ha)n(v)o(e)e(some)g(ba-)2049
-1891 y(sic)g(information)d(a)n(v)n(ailable)i(to)h(them)f(to)h
-(determine)e(whether)h(the)2049 1990 y(monitor)19 b(is)i(becoming)d(o)o
-(v)o(erloaded.)2049 2243 y Fh(5.2)99 b(Crash)25 b(attacks)2049
-2403 y Fr(Cr)o(ash)30 b Fs(attacks)f(aim)g(to)h(knock)d(the)j(monitor)d
-(completely)h(out)h(of)2049 2503 y(action)17 b(by)h(causing)f(it)i(to)f
-(either)f(f)o(ault)h(or)g(run)f(out)h(of)g(resources.)23
-b(As)2049 2603 y(with)e(an)g(o)o(v)o(erload)d(attack,)j(the)g(crash)g
-(attack)f(has)i(tw)o(o)f(phases,)g(the)2049 2702 y(\002rst)27
-b(during)d(which)i(the)g(attack)o(er)f(crashes)h(the)h(monitor)m(,)e
-(and)h(the)2049 2802 y(second)19 b(during)g(which)g(the)o(y)h(then)g
-(proceed)e(with)j(an)f(intrusion.)2132 2904 y(Crash)25
-b(attacks)g(can)g(be)f(much)g(more)g(subtle)h(than)f(o)o(v)o(erload)e
-(at-)2049 3004 y(tacks,)32 b(though.)52 b(By)30 b(careful)f(source)g
-(code)g(analysis,)j(it)e(may)g(be)2049 3103 y(possible)g(to)g(\002nd)g
-(a)h(series)f(of)g(pack)o(ets,)i(or)e(e)n(v)o(en)f(just)i(one,)h(that,)
-2049 3203 y(when)18 b(recei)n(v)o(ed)f(by)h(the)h(monitor)m(,)e(causes)
-i(it)g(to)g(f)o(ault)g(due)f(to)g(a)h(cod-)2049 3303
-y(ing)h(error)-5 b(.)24 b(The)c(ef)n(fect)g(can)g(be)g(immediate)f(and)
-h(violent.)2132 3405 y(W)-7 b(e)29 b(can)e(perhaps)f(defend)g(against)g
-(this)i(form)f(of)g(crash)g(attack)2049 3504 y(by)22
-b(careful)g(coding)g(and)g(testing.)33 b(Another)21 b(type)i(of)f
-(crash)h(attack,)2049 3604 y(harder)15 b(to)j(defend)d(against,)i(is)g
-(one)g(that)g(causes)g(the)g(monitor)e(to)i(e)o(x-)2049
-3704 y(haust)f(its)h(a)n(v)n(ailable)e(resources:)23
-b(dynamic)14 b(memory)g(or)i(disk)g(space.)2049 3803
-y(Ev)o(en)28 b(if)i(the)f(monitor)f(has)h(no)g(memory)f(leaks,)j(it)f
-(still)h(needs)d(to)2049 3903 y(maintain)21 b(state)h(for)g(an)o(y)e
-(acti)n(v)o(e)i(traf)n(\002c.)29 b(Therefore,)20 b(one)h(attack)h(is)
-2049 4003 y(to)d(create)f(traf)n(\002c)h(that)g(consumes)f(a)h(lar)o
-(ge)f(amount)f(of)i(state.)25 b(When)2049 4102 y Fm(Bro)k
-Fs(supports)f(timers)h(for)g(polic)o(y)e(scripts,)32
-b(this)d(attack)g(will)h(be-)2049 4202 y(come)23 b(more)g(dif)n
-(\002cult,)h(because)f(it)h(will)h(be)e(harder)g(to)h(predict)f(the)
-2049 4301 y(necessary)k(le)n(v)o(el)g(of)h(bogus)f(traf)n(\002c.)47
-b(Attacks)28 b(on)f(disk)h(space)g(are)2049 4401 y(lik)o(e)n(wise)33
-b(dif)n(\002cult,)h(unless)f(one)f(kno)n(ws)f(the)h(a)n(v)n(ailable)g
-(disk)h(ca-)2049 4501 y(pacity)-5 b(.)39 b(In)25 b(addition,)g(the)g
-(monitor)f(might)g(continue)g(to)h(run)g(e)n(v)o(en)2049
-4600 y(with)j(no)g(disk)g(space)g(a)n(v)n(ailable,)h(sacri\002cing)f
-(an)g(archi)n(v)n(al)f(record)2049 4700 y(b)n(ut)20 b(still)h
-(producing)c(real-time)i(noti\002cations,)g(so)h(a)g(disk)g(space)f
-(at-)2049 4800 y(tack)h(might)g(f)o(ail)g(to)h(mask)f(a)g(follo)n(w-on)
-e(attack.)2132 4902 y(Bro)30 b(pro)o(vides)e(tw)o(o)i(features)f(to)g
-(aid)h(with)g(defending)d(against)2049 5001 y(crash)k(attacks.)57
-b(First,)34 b(the)d(e)n(v)o(ent)f(engine)f(maintains)i(a)g(\223w)o
-(atch-)2049 5101 y(dog\224)23 b(timer)i(that)f(e)o(xpires)g(e)n(v)o
-(ery)f Fj(T)36 b Fs(seconds.)i(\(This)24 b(timer)g(is)i(not)2049
-5201 y(a)c(Bro)g(internal)f(timer)m(,)h(b)n(ut)g(rather)f(a)h(Unix)g
-(\223alarm.)-6 b(\224\))29 b(Upon)21 b(e)o(xpi-)2049
-5300 y(ration,)d(the)g(w)o(atchdog)g(handler)f(checks)h(to)g(see)h
-(whether)f(the)g(e)n(v)o(ent)2049 5400 y(engine)28 b(has)i(f)o(ailed)f
-(to)g(\002nish)h(processing)e(the)h(pack)o(et)g(\(and)f(sub-)1908
-5649 y(11)p eop
-%%Page: 12 12
-12 11 bop -150 -104 a Fs(sequent)24 b(e)n(v)o(ents\))h(it)g(w)o(as)h(w)
-o(orking)e(on)h Fj(T)36 b Fs(seconds)25 b(before.)38
-b(If)25 b(so,)-150 -5 y(then)16 b(the)g(w)o(atchdog)f(presumes)g(that)h
-(the)h(engine)e(is)i(in)f(some)h(sort)f(of)-150 95 y(processing)24
-b(jam)h(\(perhaps)e(due)i(to)g(a)g(coding)f(error)m(,)g(perhaps)g(due)
--150 194 y(to)i(e)o(xcessi)n(v)o(e)f(time)h(spent)g(managing)d(o)o(v)o
-(erb)n(urdened)f(resources\),)-150 294 y(and)d(terminates)f(the)h
-(monitor)f(process)h(\(\002rst)g(logging)f(this)i(f)o(act,)f(of)-150
-394 y(course,)g(and)h(generating)e(a)j(core)e(image)h(for)f(later)i
-(analysis\).)-67 496 y(This)d(feature)g(might)f(not)h(seem)h
-(particularly)d(useful,)i(e)o(xcept)f(for)-150 596 y(the)28
-b(f)o(act)h(that)g(it)g(is)g(coupled)e(with)i(a)g(second)e(feature:)41
-b(the)29 b(script)-150 695 y(that)d(runs)f(Bro)g(also)h(detects)g(if)f
-(it)i(e)n(v)o(er)d(unduly)g(e)o(xits,)j(and,)f(if)f(so,)-150
-795 y(logs)e(this)g(f)o(act)f(and)h(e)o(x)o(ecutes)e(a)i(cop)o(y)f(of)g
-Fm(tcpdump)g Fs(that)h(records)-150 894 y(the)d(same)g(traf)n(\002c)g
-(that)g(the)g(monitor)e(w)o(ould)i(ha)n(v)o(e)f(captured.)k(Thus,)-150
-994 y(crash)k(attacks)h(are)g(\(1\))f(logged,)h(and)f(\(2\))g(do)h(not)
-f(allo)n(w)h(a)g(subse-)-150 1094 y(quent)18 b(intrusion)g(attempt)h
-(to)g(go)f(unrecorded,)e(only)j(to)g(e)n(v)n(ade)f(real-)-150
-1193 y(time)26 b(detection.)42 b(Ho)n(we)n(v)o(er)m(,)25
-b(there)h(is)h(a)g(windo)n(w)e(of)h(opportunity)-150
-1293 y(between)i(the)g(time)h(when)f(the)h(Bro)g(monitor)e(crashes)h
-(and)g(when)-150 1393 y Fm(tcpdump)21 b Fs(runs.)29 b(If)22
-b(an)f(attack)o(er)h(can)f(predict)g(e)o(xactly)g(when)g(this)-150
-1492 y(windo)n(w)i(occurs,)h(then)f(the)o(y)g(can)h(still)h(e)n(v)n
-(ade)e(detection.)35 b(But)24 b(de-)-150 1592 y(termining)g(the)h
-(windo)n(w)g(is)h(dif)n(\002cult)f(without)g(kno)n(wledge)e(of)j(the)
--150 1691 y(e)o(xact)h(con\002guration)f(of)h(the)h(monitoring)e
-(system.)48 b(One)28 b(w)o(ay)g(of)-150 1791 y(closing)21
-b(this)g(windo)n(w)f(is)j(to)e(emplo)o(y)f(a)h(second,)g(\223shado)n
-(w\224)f(moni-)-150 1891 y(toring)d(machine)g(that)h(simply)g(records)f
-(to)h(disk)g(the)g(same)g(traf)n(\002c)g(as)-150 1990
-y(the)i(Bro)g(monitor)f(inspects.)-150 2243 y Fh(5.3)99
-b(Subterfuge)27 b(attacks)-150 2403 y Fs(In)j(a)h Fr(subterfug)o(e)e
-Fs(attack,)k(an)d(attack)o(er)g(attempts)g(to)g(mislead)h(the)-150
-2503 y(monitor)26 b(as)i(to)g(the)f(meaning)f(of)h(the)g(traf)n(\002c)h
-(it)g(analyzes.)46 b(These)-150 2603 y(attacks)30 b(are)g(particularly)
-e(dif)n(\002cult)i(to)g(defend)f(against,)i(because)-150
-2702 y(\(1\))26 b(unlik)o(e)g(o)o(v)o(erload)e(and)i(crash)h(attacks,)h
-(if)f(successful)f(the)o(y)g(do)-150 2802 y(not)e(lea)n(v)o(e)g(an)o(y)
-f(traces)i(that)f(the)o(y)f(ha)n(v)o(e)h(occurred,)f(and)h(\(2\))f(the)
-h(at-)-150 2901 y(tacks)32 b(can)f(be)g(quite)g(subtle.)59
-b(Access)32 b(to)g(the)f(monitor')-5 b(s)30 b(source)-150
-3001 y(code)20 b(particularly)e(aids)i(with)h(de)n(vising)e(subterfuge)
-f(attacks.)-67 3103 y(W)-7 b(e)33 b(brie\003y)f(discussed)g(an)g(e)o
-(xample)e(of)i(a)h(subterfuge)d(attack)-150 3203 y(in)24
-b Fi(x)g Fs(3.1,)g(in)g(which)f(the)h(attack)o(er)g(sends)f(te)o(xt)h
-(with)g(an)g(embedded)-150 3303 y(NUL)d(in)g(the)f(hope)g(that)h(the)f
-(monitor)f(will)j(miss)f(the)g(te)o(xt)f(after)h(the)-150
-3402 y(NUL.)c(Another)g(form)f(of)h(subterfuge)f(attack)h(is)i(using)e
-(fragmented)-150 3502 y(IP)24 b(datagrams)e(in)h(an)h(attempt)f(to)g
-(elude)g(monitors)f(that)i(f)o(ail)f(to)h(re-)-150 3601
-y(assemble)d(IP)h(fragments)e(\(an)h(attack)g(well-kno)n(wn)e(to)j(the)
-f(\002re)n(w)o(all)-150 3701 y(community)-5 b(,)14 b(and)h(one)g(we)i
-(ha)n(v)o(e)e(increasingly)f(detected)h(in)h(our)f(on-)-150
-3801 y(going)k(operation)f(of)i(Bro\).)k(The)c(k)o(e)o(y)g(principle)e
-(is)j(to)g(\002nd)e(a)i(traf)n(\002c)-150 3900 y(pattern)f(interpreted)
-f(by)h(the)h(monitor)e(in)i(a)g(dif)n(ferent)e(f)o(ashion)h(than)-150
-4000 y(by)25 b(the)h(recei)n(ving)f(endpoint,)g(and)g(then)g(to)h(le)n
-(v)o(erage)f(this)h(into)g(an)-150 4100 y(insertion)19
-b(or)h(e)n(v)n(asion)f(attack,)h(as)h(discussed)f(abo)o(v)o(e.)-67
-4202 y(T)-7 b(o)23 b(thw)o(art)f(subterfuge)e(attacks,)j(as)g(we)f(de)n
-(v)o(eloped)e(Bro)j(we)f(at-)-150 4301 y(tempted)d(at)i(each)f(stage)h
-(to)f(analyze)f(the)i(e)o(xplicit)e(and)h(implicit)g(as-)-150
-4401 y(sumptions)h(made)g(by)h(the)f(system,)i(and)e(ho)n(w)-5
-b(,)21 b(by)h(violating)e(them,)-150 4501 y(an)31 b(attack)g(might)f
-(successfully)g(elude)h(detection.)56 b(This)31 b(can)g(be)-150
-4600 y(a)26 b(dif)n(\002cult)g(process,)h(though,)e(and)g(we)i(mak)o(e)
-e(no)h(claims)g(to)g(ha)n(v)o(e)-150 4700 y(found)17
-b(them)h(all!)25 b(In)19 b(the)g(remainder)d(of)j(this)g(section,)g(we)
-g(focus)f(on)-150 4800 y(subterfuge)k(attacks)i(on)g(the)g(inte)o
-(grity)f(of)h(the)g(byte)g(stream)g(moni-)-150 4899 y(tored)e(for)h(a)g
-(TCP)h(connection.)31 b(Then,)23 b(in)g Fi(x)g Fs(6.5,)g(we)g(look)g
-(at)g(sub-)-150 4999 y(terfuge)c(attacks)h(aimed)g(at)h(hiding)d(k)o(e)
-o(yw)o(ords)h(in)h(interacti)n(v)o(e)f(te)o(xt.)-67 5101
-y(T)-7 b(o)27 b(analyze)f(a)h(TCP)g(connection)e(at)i(the)f
-(application)g(le)n(v)o(el)g(re-)-150 5201 y(quires)17
-b(e)o(xtracting)f(the)i(payload)e(data)h(from)f(each)i(TCP)g(pack)o(et)
-f(and)-150 5300 y(reassembling)j(it)h(into)g(its)h(proper)d(sequence.)
-26 b(W)-7 b(e)22 b(no)n(w)e(consider)g(a)-150 5400 y(spectrum)k(of)i
-(approaches)d(to)j(this)g(problem,)e(ranging)g(from)g(sim-)2049
--104 y(plest)d(and)e(easiest)i(to)g(defeat,)e(to)h(increasingly)f
-(resilient.)2132 -1 y(Scanning)28 b(the)h(data)h(in)f(indi)n(vidual)f
-(pack)o(ets)h(without)g(remem-)2049 99 y(bering)20 b(an)o(y)h
-(connection)f(state,)i(while)g(easiest,)h(ob)o(viously)c(suf)n(fers)
-2049 199 y(from)24 b(major)g(problems:)33 b(an)o(y)24
-b(time)g(the)h(te)o(xt)g(of)f(interest)h(happens)2049
-298 y(to)e(straddle)g(the)g(boundary)d(between)i(the)h(end)f(of)h(one)g
-(pack)o(et)f(and)2049 398 y(the)g(be)o(ginning)d(of)i(the)h(ne)o(xt,)f
-(the)g(te)o(xt)h(will)g(go)g(unobserv)o(ed.)k(Such)2049
-497 y(a)e(split)f(can)g(happen)e(simply)i(by)g(accident,)g(and)f
-(certainly)g(by)h(ma-)2049 597 y(licious)d(intent.)2132
-701 y(Some)48 b(systems)h(address)f(this)h(problem)e(by)h(remembering)
-2049 801 y(pre)n(viously-seen)16 b(te)o(xt)j(up)f(to)h(a)h(certain)e
-(de)o(gree)f(\(perhaps)h(from)g(the)2049 900 y(be)o(ginning)25
-b(of)i(the)g(current)g(line\).)46 b(This)28 b(approach)d(f)o(ails)j(as)
-g(soon)2049 1000 y(as)g(a)g(sequence)e(\223hole\224)h(appears:)39
-b(that)28 b(is,)i(an)o(y)c(time)i(a)g(pack)o(et)f(is)2049
-1099 y(missing\227due)d(to)i(loss)g(or)g(out-of-order)21
-b(deli)n(v)o(ery\227then)i(the)j(re-)2049 1199 y(sulting)g
-(discontinuity)f(in)i(the)f(data)h(stream)f(again)g(can)g(mask)h(the)
-2049 1299 y(presence)19 b(of)h(k)o(e)o(y)g(te)o(xt)g(that)g(is)h(only)e
-(partially)h(present.)2132 1402 y(The)i(ne)o(xt)h(step)g(is)g(to)g
-(fully)g(reassemble)f(the)h(TCP)g(data)g(stream,)2049
-1502 y(based)c(on)g(the)g(sequence)g(numbers)f(associated)h(with)g
-(each)g(pack)o(et.)2049 1602 y(Doing)42 b(so)h(requires)e(maintaining)g
-(a)i(list)h(of)e(contiguous)f(data)2049 1701 y(blocks)27
-b(recei)n(v)o(ed)f(so)i(f)o(ar)m(,)h(and)e(\002tting)g(the)h(data)g
-(from)e(ne)n(w)i(pack-)2049 1801 y(ets)23 b(into)e(the)h(blocks,)g(mer)
-o(ging)e(no)n(w-adjacent)f(blocks)j(when)f(pos-)2049
-1901 y(sible.)26 b(At)21 b(an)o(y)e(gi)n(v)o(en)h(moment,)f(one)g(can)i
-(then)e(scan)i(the)f(te)o(xt)h(from)2049 2000 y(the)28
-b(be)o(ginning)e(of)i(the)h(connection)d(to)i(the)h(highest)e
-(in-sequence)2049 2100 y(byte)20 b(recei)n(v)o(ed.)2132
-2204 y(Unless)54 b(we)g(are)f(careful,)60 b(e)n(v)o(en)53
-b(k)o(eeping)f(track)h(of)g(non-)2049 2303 y(contiguous)31
-b(data)i(blocks)g(does)g(not)g(suf)n(\002ce)g(to)h(pre)n(v)o(ent)d(a)j
-(TCP)2049 2403 y(subterfuge)29 b(attack.)57 b(The)31
-b(k)o(e)o(y)f(observ)n(ation)f(is)j(that)f(an)g(attack)o(er)2049
-2502 y(can)20 b(manipulate)e(the)i(pack)o(ets)f(their)h(TCP)g(sends)g
-(so)g(that)g(the)g(mon-)2049 2602 y(itor)i(sees)i(a)f(particular)e
-(pack)o(et,)i(b)n(ut)f(the)h(endpoint)e(does)h(not.)32
-b(One)2049 2702 y(w)o(ay)h(of)g(doing)f(so)h(is)h(to)g(transmit)f(the)g
-(pack)o(et)f(with)i(an)f(in)m(v)n(alid)2049 2801 y(TCP)23
-b(checksum.)31 b(\(This)23 b(particular)e(attack)i(can)f(be)h(dealt)f
-(with)h(by)2049 2901 y(checksumming)g(e)n(v)o(ery)g(pack)o(et,)j(and)f
-(discarding)f(those)h(that)g(f)o(ail;)2049 3001 y(a)e(monitor)d(needs)i
-(to)h(do)e(this)i(an)o(yw)o(ay)e(so)i(that)f(it)h(correctly)e(tracks)
-2049 3100 y(the)30 b(endpoint')-5 b(s)29 b(state)i(in)f(the)g(presence)
-f(of)h(honest)g(data)g(corrup-)2049 3200 y(tion)18 b(errors,)g(which)g
-(are)g(not)g(particularly)f(rare)g([P)o(a97a)o(].\))24
-b(Another)2049 3300 y(w)o(ay)18 b(is)g(to)g(launch)e(the)i(pack)o(et)f
-(with)g(an)h(IP)g(\223T)m(ime)f(T)-7 b(o)18 b(Li)n(v)o(e\224)f(\(TTL\))
-2049 3399 y(\002eld)22 b(suf)n(\002cient)f(to)g(carry)g(the)g(pack)o
-(et)g(past)h(the)f(monitoring)f(point,)2049 3499 y(b)n(ut)30
-b(insuf)n(\002cient)f(to)h(carry)g(it)g(all)h(the)f(w)o(ay)g(to)g(the)g
-(endpoint.)53 b(\(If)2049 3598 y(the)28 b(site)h(has)f(a)g(comple)o(x)e
-(topology)-5 b(,)27 b(it)i(may)e(be)h(dif)n(\002cult)f(for)h(the)2049
-3698 y(monitor)19 b(to)h(detect)g(this)h(attack.\))j(A)d(third)e(w)o
-(ay)i(becomes)e(possible)2049 3798 y(if)27 b(the)f(\002nal)h(path)f(to)
-h(the)g(attack)o(ed)f(endpoint)e(happens)h(to)i(ha)n(v)o(e)f(a)2049
-3897 y(smaller)21 b(Maximum)f(T)m(ransmission)g(Unit)h(\(MTU\))g(than)f
-(the)h(Inter)n(-)2049 3997 y(net)c(path)f(from)g(the)h(attack)o(er')-5
-b(s)17 b(host)g(to)g(the)g(monitoring)e(point.)23 b(The)2049
-4097 y(attack)o(er)c(then)h(sends)g(a)g(pack)o(et)g(with)g(a)g(size)h
-(e)o(xceeding)d(this)j(MTU)2049 4196 y(and)c(with)h(the)g(IP)g
-(\223Don')o(t)e(Fragment\224)g(header)h(bit)g(set.)25
-b(This)18 b(pack)o(et)2049 4296 y(will)25 b(then)f(transit)g(past)h
-(the)f(monitoring)e(point,)i(b)n(ut)h(be)f(discarded)2049
-4395 y(by)c(the)g(router)f(at)i(the)f(point)f(where)h(the)g(MTU)g
-(narro)n(ws.)2132 4499 y(By)28 b(manipulating)e(pack)o(ets)i(in)g(this)
-h(f)o(ashion,)f(an)g(attack)o(er)g(can)2049 4599 y(send)38
-b(innocuous)f(te)o(xt)h(for)g(the)h(bene\002t)f(of)g(the)h(monitor)m(,)
-i(such)2049 4698 y(as)27 b(\223)p Fm(USER)49 b(nice)p
-Fs(\224,)26 b(and)g(then)f(retransmit)g(\(using)g(the)h(same)g(se-)2049
-4798 y(quence)d(numbers\))g(attack)i(te)o(xt)f(\(\223)p
-Fm(USER)49 b(root)p Fs(\224\),)24 b(this)i(time)e(al-)2049
-4898 y(lo)n(wing)k(the)i(pack)o(ets)f(to)g(tra)n(v)o(erse)g(all)h(the)f
-(w)o(ay)h(to)f(the)h(endpoint.)2049 4997 y(If)19 b(the)h(monitor)e
-(simply)h(discards)g(retransmitted)g(data)g(without)g(in-)2049
-5097 y(specting)k(it,)j(then)d(it)i(will)g(mistak)o(enly)e(belie)n(v)o
-(e)g(that)h(the)g(endpoint)2049 5197 y(recei)n(v)o(ed)19
-b(the)h(innocuous)e(te)o(xt,)i(and)f(f)o(ail)i(to)f(detect)g(the)g
-(attack.)2132 5300 y(Figure)29 b(2)h(illustrates)g(this)g(attack.)53
-b(Here,)32 b(the)d(attack)o(er)h(sends)2049 5400 y(the)19
-b(te)o(xt)g(\223)p Fm(USER)p Fs(\224)g(with)g(an)g(initial)h(TTL)e(of)h
-(20)g(hops,)g(co)o(v)o(ering)d(se-)1908 5649 y(12)p eop
-%%Page: 13 13
-13 12 bop -125 -187 a
- 15392931 10313261 5788794 18945146 34930114 38613893 startTexFig
- -125 -187 a
-%%BeginDocument: evasion.idraw
-
-/arrowhead {
-0 begin
-transform originalCTM itransform
-/taily exch def
-/tailx exch def
-transform originalCTM itransform
-/tipy exch def
-/tipx exch def
-/dy tipy taily sub def
-/dx tipx tailx sub def
-/angle dx 0 ne dy 0 ne or { dy dx atan } { 90 } ifelse def
-gsave
-originalCTM setmatrix
-tipx tipy translate
-angle rotate
-newpath
-arrowHeight neg arrowWidth 2 div moveto
-0 0 lineto
-arrowHeight neg arrowWidth 2 div neg lineto
-patternNone not {
-originalCTM setmatrix
-/padtip arrowHeight 2 exp 0.25 arrowWidth 2 exp mul add sqrt brushWidth mul
-arrowWidth div def
-/padtail brushWidth 2 div def
-tipx tipy translate
-angle rotate
-padtip 0 translate
-arrowHeight padtip add padtail add arrowHeight div dup scale
-arrowheadpath
-ifill
-} if
-brushNone not {
-originalCTM setmatrix
-tipx tipy translate
-angle rotate
-arrowheadpath
-istroke
-} if
-grestore
-end
-} dup 0 9 dict put def
-
-/arrowheadpath {
-newpath
-arrowHeight neg arrowWidth 2 div moveto
-0 0 lineto
-arrowHeight neg arrowWidth 2 div neg lineto
-} def
-
-/leftarrow {
-0 begin
-y exch get /taily exch def
-x exch get /tailx exch def
-y exch get /tipy exch def
-x exch get /tipx exch def
-brushLeftArrow { tipx tipy tailx taily arrowhead } if
-end
-} dup 0 4 dict put def
-
-/rightarrow {
-0 begin
-y exch get /tipy exch def
-x exch get /tipx exch def
-y exch get /taily exch def
-x exch get /tailx exch def
-brushRightArrow { tipx tipy tailx taily arrowhead } if
-end
-} dup 0 4 dict put def
-
-
-/arrowHeight 8 def
-/arrowWidth 4 def
-
-/IdrawDict 54 dict def
-IdrawDict begin
-
-/reencodeISO {
-dup dup findfont dup length dict begin
-{ 1 index /FID ne { def }{ pop pop } ifelse } forall
-/Encoding ISOLatin1Encoding def
-currentdict end definefont
-} def
-
-/ISOLatin1Encoding [
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright
-/parenleft/parenright/asterisk/plus/comma/minus/period/slash
-/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon
-/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N
-/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright
-/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m
-/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
-/.notdef/dotlessi/grave/acute/circumflex/tilde/macron/breve
-/dotaccent/dieresis/.notdef/ring/cedilla/.notdef/hungarumlaut
-/ogonek/caron/space/exclamdown/cent/sterling/currency/yen/brokenbar
-/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot
-/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior
-/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine
-/guillemotright/onequarter/onehalf/threequarters/questiondown
-/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
-/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
-/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
-/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute
-/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis
-/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave
-/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex
-/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis
-/yacute/thorn/ydieresis
-] def
-/Helvetica-Bold reencodeISO def
-/Times-Roman reencodeISO def
-/Courier-Bold reencodeISO def
-/Helvetica-Oblique reencodeISO def
-
-/none null def
-/numGraphicParameters 17 def
-/stringLimit 65535 def
-
-/Begin {
-save
-numGraphicParameters dict begin
-} def
-
-/End {
-end
-restore
-} def
-
-/SetB {
-dup type /nulltype eq {
-pop
-false /brushRightArrow idef
-false /brushLeftArrow idef
-true /brushNone idef
-} {
-/brushDashOffset idef
-/brushDashArray idef
-0 ne /brushRightArrow idef
-0 ne /brushLeftArrow idef
-/brushWidth idef
-false /brushNone idef
-} ifelse
-} def
-
-/SetCFg {
-/fgblue idef
-/fggreen idef
-/fgred idef
-} def
-
-/SetCBg {
-/bgblue idef
-/bggreen idef
-/bgred idef
-} def
-
-/SetF {
-/printSize idef
-/printFont idef
-} def
-
-/SetP {
-dup type /nulltype eq {
-pop true /patternNone idef
-} {
-dup -1 eq {
-/patternGrayLevel idef
-/patternString idef
-} {
-/patternGrayLevel idef
-} ifelse
-false /patternNone idef
-} ifelse
-} def
-
-/BSpl {
-0 begin
-storexyn
-newpath
-n 1 gt {
-0 0 0 0 0 0 1 1 true subspline
-n 2 gt {
-0 0 0 0 1 1 2 2 false subspline
-1 1 n 3 sub {
-/i exch def
-i 1 sub dup i dup i 1 add dup i 2 add dup false subspline
-} for
-n 3 sub dup n 2 sub dup n 1 sub dup 2 copy false subspline
-} if
-n 2 sub dup n 1 sub dup 2 copy 2 copy false subspline
-patternNone not brushLeftArrow not brushRightArrow not and and { ifill } if
-brushNone not { istroke } if
-0 0 1 1 leftarrow
-n 2 sub dup n 1 sub dup rightarrow
-} if
-end
-} dup 0 4 dict put def
-
-/Circ {
-newpath
-0 360 arc
-patternNone not { ifill } if
-brushNone not { istroke } if
-} def
-
-/CBSpl {
-0 begin
-dup 2 gt {
-storexyn
-newpath
-n 1 sub dup 0 0 1 1 2 2 true subspline
-1 1 n 3 sub {
-/i exch def
-i 1 sub dup i dup i 1 add dup i 2 add dup false subspline
-} for
-n 3 sub dup n 2 sub dup n 1 sub dup 0 0 false subspline
-n 2 sub dup n 1 sub dup 0 0 1 1 false subspline
-patternNone not { ifill } if
-brushNone not { istroke } if
-} {
-Poly
-} ifelse
-end
-} dup 0 4 dict put def
-
-/Elli {
-0 begin
-newpath
-4 2 roll
-translate
-scale
-0 0 1 0 360 arc
-patternNone not { ifill } if
-brushNone not { istroke } if
-end
-} dup 0 1 dict put def
-
-/Line {
-0 begin
-2 storexyn
-newpath
-x 0 get y 0 get moveto
-x 1 get y 1 get lineto
-brushNone not { istroke } if
-0 0 1 1 leftarrow
-0 0 1 1 rightarrow
-end
-} dup 0 4 dict put def
-
-/MLine {
-0 begin
-storexyn
-newpath
-n 1 gt {
-x 0 get y 0 get moveto
-1 1 n 1 sub {
-/i exch def
-x i get y i get lineto
-} for
-patternNone not brushLeftArrow not brushRightArrow not and and { ifill } if
-brushNone not { istroke } if
-0 0 1 1 leftarrow
-n 2 sub dup n 1 sub dup rightarrow
-} if
-end
-} dup 0 4 dict put def
-
-/Poly {
-3 1 roll
-newpath
-moveto
--1 add
-{ lineto } repeat
-closepath
-patternNone not { ifill } if
-brushNone not { istroke } if
-} def
-
-/Rect {
-0 begin
-/t exch def
-/r exch def
-/b exch def
-/l exch def
-newpath
-l b moveto
-l t lineto
-r t lineto
-r b lineto
-closepath
-patternNone not { ifill } if
-brushNone not { istroke } if
-end
-} dup 0 4 dict put def
-
-/Text {
-ishow
-} def
-
-/idef {
-dup where { pop pop pop } { exch def } ifelse
-} def
-
-/ifill {
-0 begin
-gsave
-patternGrayLevel -1 ne {
-fgred bgred fgred sub patternGrayLevel mul add
-fggreen bggreen fggreen sub patternGrayLevel mul add
-fgblue bgblue fgblue sub patternGrayLevel mul add setrgbcolor
-eofill
-} {
-eoclip
-originalCTM setmatrix
-pathbbox /t exch def /r exch def /b exch def /l exch def
-/w r l sub ceiling cvi def
-/h t b sub ceiling cvi def
-/imageByteWidth w 8 div ceiling cvi def
-/imageHeight h def
-bgred bggreen bgblue setrgbcolor
-eofill
-fgred fggreen fgblue setrgbcolor
-w 0 gt h 0 gt and {
-l w add b translate w neg h scale
-w h true [w 0 0 h neg 0 h] { patternproc } imagemask
-} if
-} ifelse
-grestore
-end
-} dup 0 8 dict put def
-
-/istroke {
-gsave
-brushDashOffset -1 eq {
-[] 0 setdash
-1 setgray
-} {
-brushDashArray brushDashOffset setdash
-fgred fggreen fgblue setrgbcolor
-} ifelse
-brushWidth setlinewidth
-originalCTM setmatrix
-stroke
-grestore
-} def
-
-/ishow {
-0 begin
-gsave
-fgred fggreen fgblue setrgbcolor
-/fontDict printFont printSize scalefont dup setfont def
-/descender fontDict begin 0 [FontBBox] 1 get FontMatrix end
-transform exch pop def
-/vertoffset 1 printSize sub descender sub def {
-0 vertoffset moveto show
-/vertoffset vertoffset printSize sub def
-} forall
-grestore
-end
-} dup 0 3 dict put def
-/patternproc {
-0 begin
-/patternByteLength patternString length def
-/patternHeight patternByteLength 8 mul sqrt cvi def
-/patternWidth patternHeight def
-/patternByteWidth patternWidth 8 idiv def
-/imageByteMaxLength imageByteWidth imageHeight mul
-stringLimit patternByteWidth sub min def
-/imageMaxHeight imageByteMaxLength imageByteWidth idiv patternHeight idiv
-patternHeight mul patternHeight max def
-/imageHeight imageHeight imageMaxHeight sub store
-/imageString imageByteWidth imageMaxHeight mul patternByteWidth add string def
-0 1 imageMaxHeight 1 sub {
-/y exch def
-/patternRow y patternByteWidth mul patternByteLength mod def
-/patternRowString patternString patternRow patternByteWidth getinterval def
-/imageRow y imageByteWidth mul def
-0 patternByteWidth imageByteWidth 1 sub {
-/x exch def
-imageString imageRow x add patternRowString putinterval
-} for
-} for
-imageString
-end
-} dup 0 12 dict put def
-
-/min {
-dup 3 2 roll dup 4 3 roll lt { exch } if pop
-} def
-
-/max {
-dup 3 2 roll dup 4 3 roll gt { exch } if pop
-} def
-
-/midpoint {
-0 begin
-/y1 exch def
-/x1 exch def
-/y0 exch def
-/x0 exch def
-x0 x1 add 2 div
-y0 y1 add 2 div
-end
-} dup 0 4 dict put def
-
-/thirdpoint {
-0 begin
-/y1 exch def
-/x1 exch def
-/y0 exch def
-/x0 exch def
-x0 2 mul x1 add 3 div
-y0 2 mul y1 add 3 div
-end
-} dup 0 4 dict put def
-
-/subspline {
-0 begin
-/movetoNeeded exch def
-y exch get /y3 exch def
-x exch get /x3 exch def
-y exch get /y2 exch def
-x exch get /x2 exch def
-y exch get /y1 exch def
-x exch get /x1 exch def
-y exch get /y0 exch def
-x exch get /x0 exch def
-x1 y1 x2 y2 thirdpoint
-/p1y exch def
-/p1x exch def
-x2 y2 x1 y1 thirdpoint
-/p2y exch def
-/p2x exch def
-x1 y1 x0 y0 thirdpoint
-p1x p1y midpoint
-/p0y exch def
-/p0x exch def
-x2 y2 x3 y3 thirdpoint
-p2x p2y midpoint
-/p3y exch def
-/p3x exch def
-movetoNeeded { p0x p0y moveto } if
-p1x p1y p2x p2y p3x p3y curveto
-end
-} dup 0 17 dict put def
-
-/storexyn {
-/n exch def
-/y n array def
-/x n array def
-n 1 sub -1 0 {
-/i exch def
-y i 3 2 roll put
-x i 3 2 roll put
-} for
-} def
-
-/SSten {
-fgred fggreen fgblue setrgbcolor
-dup true exch 1 0 0 -1 0 6 -1 roll matrix astore
-} def
-
-/FSten {
-dup 3 -1 roll dup 4 1 roll exch
-newpath
-0 0 moveto
-dup 0 exch lineto
-exch dup 3 1 roll exch lineto
-0 lineto
-closepath
-bgred bggreen bgblue setrgbcolor
-eofill
-SSten
-} def
-
-/Rast {
-exch dup 3 1 roll 1 0 0 -1 0 6 -1 roll matrix astore
-} def
-
-
-%I Idraw 10 Grid 3 3
-
-
-Begin
-%I b u
-%I cfg u
-%I cbg u
-%I f u
-%I p u
-%I t
-[ 0.955325 0 0 0.955325 0 0 ] concat
-/originalCTM matrix currentmatrix def
-
-Begin %I Line
-%I b 65520
-0 0 0 [12 4] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 -0 -0 1 117 149 ] concat
-%I
-228 226 228 451 Line
-%I 1
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 -0 -0 1 117 149 ] concat
-%I
-213 211 228 181 Line
-%I 1
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-%I p
-0 SetP
-%I t
-[ 1 -0 -0 1 117 149 ] concat
-%I
-228 181 243 211 Line
-%I 1
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-helvetica-bold-r-normal-*-14-*-*-*-*-*-*-*
-Helvetica-Bold 14 SetF
-%I t
-[ 1 0 0 1 322 317 ] concat
-%I
-[
-(Monitor)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 0.92 0 0 0.92 355.92 609.68 ] concat
-%I
-[
-(\(10 hops\))
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 473 580 ] concat
-%I
-[
-(\(18 hops\))
-] Text
-End
-
-Begin %I Rect
-%I b 65535
-1 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 0 0 1 58.25 112.5 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 170.25 566.5 ] concat
-%I
-[
-(USER)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 145 590 ] concat
-%I
-[
-(seq= 6 ... 9)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 129.25 566.5 ] concat
-%I
-[
-(ttl=20)
-] Text
-End
-
-Begin %I Rect
-%I b 65535
-1 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 0 0 1 103.25 67.5 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 173.25 522 ] concat
-%I
-[
-(ttl=12)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 211 545 ] concat
-%I
-[
-(10 .. 13)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 215.25 521.5 ] concat
-%I
-[
-(nice)
-] Text
-End
-
-Begin %I Rect
-%I b 65535
-1 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 0 0 1 103.25 8.50003 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 211 486 ] concat
-%I
-[
-(10 .. 13)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 173.25 463 ] concat
-%I
-[
-(ttl=20)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 215.25 463 ] concat
-%I
-[
-(root)
-] Text
-End
-
-Begin %I Line
-%I b 65535
-2 0 1 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 -0 -0 1 172.25 248.5 ] concat
-%I
-88 211 308 212 Line
-%I 1
-End
-
-Begin %I Line
-%I b 65535
-2 0 1 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 -0 -0 1 169.25 246.5 ] concat
-%I
-93 271 206 272 Line
-%I 1
-End
-
-Begin %I Pict
-%I b u
-%I cfg u
-%I cbg u
-%I f u
-%I p u
-%I t
-[ 1 0 0 1 5 0.5 ] concat
-
-Begin %I Pict
-%I b u
-%I cfg u
-%I cbg u
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I p u
-%I t
-[ 0.214567 0 0 0.214567 300.249 408.973 ] concat
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 0.125 -0 -0 0.125 346 477.5 ] concat
-%I
-329 115 40 403 Line
-%I 8
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 0.125 -0 -0 0.125 346 477.5 ] concat
-%I
-41 115 329 403 Line
-%I 8
-End
-
-End %I eop
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-times-medium-r-normal-*-12-*-*-*-*-*-*-*
-Times-Roman 12 SetF
-%I t
-[ 1 0 0 1 374.75 510.25 ] concat
-%I
-[
-(ttl expires)
-] Text
-End
-
-End %I eop
-
-Begin %I Rect
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1.7938 0 0 0.865636 184.784 -12.9233 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 378.906 380.68 ] concat
-%I
-[
-(USER nice)
-] Text
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 -0 -0 1 118.906 247.18 ] concat
-%I
-291 118 291 140 Line
-%I 1
-End
-
-Begin %I Rect
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1.7938 0 0 0.865636 184.784 -38.4233 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 0 0 1 118.906 221.68 ] concat
-%I
-291 118 291 140 Line
-%I 1
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 378.906 355.18 ] concat
-%I
-[
-(USER root)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-helvetica-medium-o-normal-*-14-*-*-*-*-*-*-*
-Helvetica-Oblique 14 SetF
-%I t
-[ 1 0 0 1 453 382 ] concat
-%I
-[
-(?)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-helvetica-medium-o-normal-*-14-*-*-*-*-*-*-*
-Helvetica-Oblique 14 SetF
-%I t
-[ 1 0 0 1 453 357 ] concat
-%I
-[
-(?)
-] Text
-End
-
-Begin %I Rect
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1.7938 0 0 0.865636 292.284 104.577 ] concat
-%I
-105 437 146 462 Rect
-End
-
-Begin %I Line
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 1 0 0 1 226.406 364.68 ] concat
-%I
-291 118 291 140 Line
-%I 1
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-courier-bold-r-normal-*-12-*-*-*-*-*-*-*
-Courier-Bold 12 SetF
-%I t
-[ 1 0 0 1 486.406 498.18 ] concat
-%I
-[
-(USER root)
-] Text
-End
-
-Begin %I Line
-%I b 65535
-2 0 1 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 0.5 -0 -0 0.5 338.25 314.5 ] concat
-%I
--246 496 287 494 Line
-%I 2
-End
-
-Begin %I Pict
-%I b u
-%I cfg u
-%I cbg u
-%I f u
-%I p u
-%I t
-[ 1 0 0 1 6 32 ] concat
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-helvetica-bold-r-normal-*-14-*-*-*-*-*-*-*
-Helvetica-Bold 14 SetF
-%I t
-[ 1 0 0 1 477 493 ] concat
-%I
-[
-(Victim)
-] Text
-End
-
-Begin %I Text
-%I cfg Black
-0 0 0 SetCFg
-%I f -*-helvetica-bold-r-normal-*-14-*-*-*-*-*-*-*
-Helvetica-Bold 14 SetF
-%I t
-[ 1 0 0 1 89 494 ] concat
-%I
-[
-(Attacker)
-] Text
-End
-
-End %I eop
-
-Begin %I BSpl
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-none SetP %I p n
-%I t
-[ 0.25 -0 -0 0.25 313.75 281.5 ] concat
-%I 3
-89 266
-126 302
-160 267
-3 BSpl
-%I 4
-End
-
-Begin %I BSpl
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-%I p
-0 SetP
-%I t
-[ 0.25 -0 -0 0.25 313.75 281.5 ] concat
-%I 3
-106 279
-125 269
-145 282
-3 BSpl
-%I 4
-End
-
-Begin %I BSpl
-%I b 65535
-0 0 0 [] 0 SetB
-%I cfg Black
-0 0 0 SetCFg
-%I cbg White
-1 1 1 SetCBg
-%I p
-0 SetP
-%I t
-[ 0.25 -0 -0 0.25 313.75 281.5 ] concat
-%I 3
-145 281
-125 291
-106 281
-3 BSpl
-%I 4
-End
-
-End %I eop
-
-showpage
-
-
-end
-%%EndDocument
-
- endTexFig
- -150 1302 a Fs(Figure)19 b(2:)24 b(A)c(TTL-based)e(e)n(v)n(asion)g
-(attack)h(on)g(an)g(intrusion)f(detec-)-150 1401 y(tion)i(system)-150
-1691 y(quence)27 b(numbers)f(6)i(through)e(9)i(in)g(the)g(TCP)h(data)e
-(stream.)48 b(It)29 b(is)-150 1791 y(18)f(hops)h(to)g(the)g(victim)f
-(and)h(10)f(hops)g(to)h(the)g(monitor)m(,)g(so)g(both)-150
-1890 y(see)g(this)g(te)o(xt)g(and)f(accept)g(it.)51 b(The)29
-b(attack)o(er)f(ne)o(xt)g(transmits)h(the)-150 1990 y(te)o(xt)g(\223)p
-Fm(nice)p Fs(\224)f(co)o(v)o(ering)f(the)i(ne)o(xt)f(consecuti)n(v)o(e)
-f(span)i(of)f(the)h(se-)-150 2090 y(quence)34 b(space,)40
-b(10)35 b(through)e(13,)39 b(b)n(ut)d(with)g(an)f(initial)h(TTL)g(of)
--150 2189 y(only)19 b(12,)f(which)h(suf)n(\002ces)h(for)f(the)g(pack)o
-(et)g(to)g(tra)n(v)o(el)h(past)f(the)h(mon-)-150 2289
-y(itor)m(,)35 b(b)n(ut)e(not)g(all)g(the)g(w)o(ay)g(to)g(the)g(victim.)
-62 b(Hence,)36 b(the)d(moni-)-150 2388 y(tor)28 b(sees)h(this)g(te)o
-(xt)f(b)n(ut)g(the)g(victim)g(does)g(not.)49 b(The)28
-b(attack)o(er)g(the)-150 2488 y(sends)e(the)g(te)o(xt)g(\223)p
-Fm(root)p Fs(\224)g(with)g(the)g(same)g(sequence)f(numbers)g(as)-150
-2588 y(\223)p Fm(nice)p Fs(\224,)20 b(b)n(ut)h(this)g(time)g(with)g
-(enough)d(TTL)j(to)f(reach)g(the)h(victim.)-150 2687
-y(The)26 b(victim)f(will)i(thus)f(only)f(see)h(the)g(te)o(xt)g(\223)p
-Fm(USER)p Fs(\224)f(follo)n(wed)g(by)-150 2787 y(\223)p
-Fm(root)p Fs(\224,)d(while)h(the)f(monitor)f(will)i(see)g(tw)o(o)g(v)o
-(ersions)e(of)h(the)h(te)o(xt)-150 2887 y(for)17 b(sequence)g(numbers)f
-(10)i(through)d(13,)j(and)f(will)i(ha)n(v)o(e)e(to)h(decide)-150
-2986 y(which)i(to)h(assume)f(w)o(as)i(also)f(recei)n(v)o(ed)e(by)h(the)
-g(victim)h(\(if,)f(indeed,)-150 3086 y(it)e(e)n(v)o(en)f(detects)h
-(that)g(the)f(data)h(stream)f(includes)g(an)h(inconsistenc)o(y)-5
-b(,)-150 3185 y(which)25 b(requires)f(e)o(xtra)h(w)o(ork)f(on)h(the)h
-(monitor')-5 b(s)24 b(part\).)40 b(While)25 b(in)-150
-3285 y(this)c(case)g(by)f(inspecting)f(the)h(TTLs)h(it)g
-Fr(may)f Fs(be)g(able)g(to)h(determine)-150 3385 y(which)c(of)g(the)g
-(tw)o(o)g(v)o(ersions)g(the)g(victim)g(will)h(ha)n(v)o(e)e(seen,)i
-(there)f(are)-150 3484 y(man)o(y)28 b(other)g(w)o(ays)h(\(windo)n(w)e
-(checks,)j(the)f(MTU)g(attack)f(abo)o(v)o(e,)-150 3584
-y(checksums,)e(ackno)n(wledgement)c(sequence)j(number)f(checks\))h(of)
--150 3684 y(subtly)31 b(af)n(fecting)g(header)g(\002elds)h(such)g(that)
-g(the)g(victim)f(will)i(re-)-150 3783 y(ject)21 b(one)f(or)g(the)g
-(other)g(of)g(the)g(tw)o(o)h(v)o(ersions.)j(Fundamentally)-5
-b(,)18 b(the)-150 3883 y(monitor)j(cannot)h(con\002dently)f(kno)n(w)h
-(which)h(of)f(the)h(tw)o(o)h(v)o(ersions)-150 3982 y(to)c(accept.)-67
-4093 y(A)27 b(partial)g(defense)e(against)h(this)h(attack)g(is)h(that)e
-(when)g(we)h(ob-)-150 4193 y(serv)o(e)j(a)h(retransmitted)e(pack)o(et)h
-(\(one)f(with)i(data)f(that)g(wholly)g(or)-150 4293 y(partially)21
-b(o)o(v)o(erlaps)g(pre)n(viously-seen)e(data\),)j(we)g(compare)f(it)h
-(with)-150 4392 y(an)o(y)f(data)g(it)i(o)o(v)o(erlaps,)d(and)h(sound)g
-(an)g(alarm)h(\(or)m(,)f(for)g(Bro,)h(gener)n(-)-150
-4492 y(ate)k(an)g(e)n(v)o(ent\))f(if)h(the)o(y)f(disagree.)41
-b(A)27 b(properly-functioning)20 b(TCP)-150 4592 y(will)31
-b(al)o(w)o(ays)f(retransmit)f(the)h(same)g(data)f(as)i(originally)d
-(sent,)k(so)-150 4691 y(an)o(y)23 b(disagreement)f(is)j(either)f(due)f
-(to)h(a)h(brok)o(en)d(TCP)-9 b(,)24 b(undetected)-150
-4791 y(data)19 b(corruption)d(\(i.e.,)j(corruption)e(the)i(checksum)e
-(f)o(ails)j(to)f(catch\),)-150 4890 y(or)h(an)g(attack.)-67
-5001 y(W)-7 b(e)28 b(ha)n(v)o(e)e(ar)o(gued)f(that)i(the)g(monitor)e
-(must)i(retain)f(a)h(record)f(of)-150 5101 y(pre)n(viously)34
-b(transmitted)i(data,)k(both)35 b(in-sequence)g(and)g(out-of-)-150
-5201 y(sequence.)30 b(The)22 b(question)f(no)n(w)g(arises)i(as)g(to)f
-(ho)n(w)g(long)g(the)g(mon-)-150 5300 y(itor)f(must)g(k)o(eep)g(this)g
-(data)g(around.)26 b(If)21 b(it)h(k)o(eeps)e(it)i(for)f(the)g(lifetime)
--150 5400 y(of)d(the)h(connection,)d(then)i(it)i(may)e(require)f
-(prodigious)f(amounts)i(of)2049 -104 y(memory)25 b(an)o(y)g(time)i(it)g
-(happens)e(upon)g(a)h(particularly)f(lar)o(ge)g(con-)2049
--5 y(nection;)i(these)e(are)g(not)g(infrequent)e([P)o(a94)n(].)40
-b(W)-7 b(e)26 b(instead)f(w)o(ould)2049 95 y(lik)o(e)31
-b(to)g(discard)f(data)h(blocks)f(as)h(soon)g(as)g(possible,)i(to)e
-(reclaim)2049 194 y(the)g(associated)g(memory)-5 b(.)55
-b(Clearly)-5 b(,)33 b(we)f(cannot)d(safely)i(discard)2049
-294 y(blocks)17 b(abo)o(v)o(e)f(a)j(sequencing)c(hole,)j(as)h(we)f
-(then)f(lose)h(the)g(opportu-)2049 394 y(nity)i(to)h(scan)f(the)h(te)o
-(xt)f(that)h(crosses)g(from)e(the)i(sequence)e(hole)h(into)2049
-493 y(the)h(block.)28 b(But)22 b(we)g(w)o(ould)e(lik)o(e)i(to)g
-(determine)e(when)g(it)i(is)h(safe)e(to)2049 593 y(discard)f
-(in-sequence)e(data.)2132 698 y(Here)i(we)h(can)f(mak)o(e)g(use)h(of)f
-(our)f(assumption)g(that)i(the)f(attack)o(er)2049 798
-y(controls)j(only)f(one)h(of)h(the)f(connection)f(endpoints.)33
-b(Suppose)23 b(the)2049 897 y(stream)30 b(of)g(interest)g(\003o)n(ws)g
-(from)f(host)h Fj(A)h Fs(to)f(host)g Fj(B)t Fs(.)55 b(If)29
-b(the)h(at-)2049 997 y(tack)o(er)i(controls)g Fj(B)t
-Fs(,)k(then)c(the)o(y)g(are)g(unable)g(to)g(manipulate)g(the)2049
-1097 y(data)21 b(pack)o(ets)g(in)h(a)g(subterfuge)d(attack,)i(so)h(we)g
-(can)f(safely)g(discard)2049 1196 y(the)h(data)h(once)e(it)i(is)g
-(in-sequence)e(and)h(we)g(ha)n(v)o(e)g(had)g(an)g(opportu-)2049
-1296 y(nity)e(to)h(analyze)e(it.)26 b(On)21 b(the)f(other)g(hand,)f(if)
-h(the)o(y)g(control)f Fj(A)p Fs(,)i(then,)2049 1395 y(from)i(our)f
-(assumption,)h(an)o(y)g(traf)n(\002c)h(we)g(see)g(from)e
-Fj(B)29 b Fs(re\003ects)24 b(the)2049 1495 y(correct)16
-b(functioning)f(of)i(its)i(TCP)f(\(this)f(assumes)h(that)f(we)h(use)g
-(anti-)2049 1595 y(spoo\002ng)f(\002lters)j(so)f(that)g(the)g(attack)o
-(er)f(cannot)g(for)o(ge)f(bogus)h(traf)n(\002c)2049 1694
-y(purportedly)g(coming)h(from)h Fj(B)t Fs(\).)27 b(In)21
-b(particular)m(,)e(we)i(can)f(trust)h(that)2049 1794
-y(if)f(we)g(see)h(an)f(ackno)n(wledgement)c(from)j Fj(B)24
-b Fs(for)c(sequence)e(number)2049 1894 y Fj(n)p Fs(,)26
-b(then)e(indeed)f Fj(B)29 b Fs(has)c(recei)n(v)o(ed)e(all)i(data)g(in)f
-(sequence)g(up)g(to)g Fj(n)p Fs(.)2049 1993 y(At)d(this)f(point,)g
-Fj(B)t Fs(')-5 b(s)21 b(TCP)g(will)g(deli)n(v)o(er)m(,)d(or)i(has)h
-(already)e(deli)n(v)o(ered,)2049 2093 y(this)24 b(data)f(to)h(the)f
-(application)f(running)f(on)i Fj(B)t Fs(.)35 b(In)23
-b(particular)m(,)f Fj(B)t Fs(')-5 b(s)2049 2192 y(TCP)31
-b(cannot)e(accept)h(an)o(y)f(retransmitted)g(data)h(belo)n(w)g
-(sequence)2049 2292 y Fj(n)p Fs(,)24 b(as)g(it)f(has)h(already)e
-(indicated)g(it)h(has)h(no)e(more)h(interest)g(in)g(such)2049
-2392 y(data.)h(Therefore,)15 b(when)h(the)i(monitor)d(sees)j(an)f
-(ackno)n(wledgement)2049 2491 y(for)k Fj(n)p Fs(,)h(it)g(can)f(safely)h
-(release)f(an)o(y)g(memory)f(associated)h(with)h(data)2049
-2591 y(up)e(to)g(sequence)f Fj(n)p Fs(.)2132 2696 y(While)d(this)g
-(defense)e(w)o(orks)h(for)g(detecting)f(this)i(general)f(class)h(of)
-2049 2796 y(insertion)k(attacks,)h(it)h(suf)n(fers)e(from)g(f)o(alse)h
-(positi)n(v)o(es,)f(as)i(discussed)2049 2895 y(in)e Fi(x)h
-Fs(7.3)f(belo)n(w)-5 b(.)2132 3000 y(Finally)g(,)33 b(we)f(note)e(a)i
-(general)e(defense)h(against)f(certain)h(types)2049 3100
-y(of)22 b(subterfuge)e(attacks,)i(which)f(we)h(term)g(\223bifurcating)e
-(analysis.)-6 b(\224)2049 3200 y(The)23 b(idea)g(is)h(that)f(when)g
-(the)g(monitor)e(cannot)h(determine)g(ho)n(w)h(an)2049
-3299 y(endpoint)15 b(will)j(interpret)e(some)h(netw)o(ork)f(traf)n
-(\002c)g(\(such)h(as)h(whether)2049 3399 y(it)25 b(will)h(accept)e
-Fm(USER)49 b(nice)25 b Fs(or)f Fm(USER)49 b(root)p Fs(\),)25
-b(it)g(forms)f(mul-)2049 3499 y(tiple)c(threads)g(of)g(analysis,)g(e)o
-(xamining)e(each)i(of)g(the)g(possibilities.)2049 3598
-y(W)-7 b(e)25 b(note)d(one)h(e)o(xample)f(of)h(doing)g(so)g(in)h
-Fi(x)g Fs(6.5)e(belo)n(w)h(in)h(our)e(dis-)2049 3698
-y(cussion)e(of)g(analyzing)e(T)-6 b(elnet)20 b(and)g(Rlogin)g(traf)n
-(\002c.)2049 4008 y Ft(6)119 b(A)m(pplication-speci\002c)33
-b(pr)n(ocessing)2049 4204 y Fs(W)-7 b(e)21 b(\002nish)g(our)e(o)o(v)o
-(ervie)n(w)f(of)i(Bro)g(with)g(a)h(discussion)e(of)h(the)g(addi-)2049
-4304 y(tional)j(processing)f(it)i(does)g(for)e(the)i(six)g
-(applications)e(it)i(currently)2049 4404 y(kno)n(ws)33
-b(about:)51 b(Finger)m(,)36 b(FTP)-9 b(,)33 b(Portmapper)m(,)i(Ident,)h
-(T)-6 b(elnet)33 b(and)2049 4503 y(Rlogin.)e(Admittedly)21
-b(these)h(are)g(just)h(a)g(small)f(portion)f(of)h(the)g(dif-)2049
-4603 y(ferent)g(Internet)g(applications)g(used)g(in)h(attacks,)h(and)e
-(Bro')-5 b(s)24 b(ef)n(fec-)2049 4703 y(ti)n(v)o(eness)e(will)h
-(bene\002t)g(greatly)e(as)i(more)f(are)g(added.)31 b(F)o(ortunately)-5
-b(,)2049 4802 y(we)34 b(ha)n(v)o(e)f(in)h(general)f(found)f(that)i(the)
-g(system)g(meets)g(our)f(goal)2049 4902 y(of)f(e)o(xtensibility)e(\()p
-Fi(x)j Fs(1\),)h(and)d(adding)g(ne)n(w)h(applications)e(to)i(Bro)2049
-5001 y(is\227other)j(than)f(the)i(sometimes)f(major)f(headache)g(of)h
-(rob)n(ustly)2049 5101 y(interpreting)d(the)j(application)e(protocol)f
-(itself\227quite)i(straight-)2049 5201 y(forw)o(ard,)d(a)f(matter)g(of)
-g(deri)n(ving)e(a)i(C++)h(class)g(to)f(analyze)f(each)2049
-5300 y(connection')-5 b(s)18 b(traf)n(\002c,)h(and)g(de)n(vising)g(a)h
-(set)g(of)f(e)n(v)o(ents)g(correspond-)2049 5400 y(ing)h(to)g
-(signi\002cant)g(elements)g(of)g(the)g(application.)1908
-5649 y(13)p eop
-%%Page: 14 14
-14 13 bop -150 -104 a Fh(6.1)99 b(Finger)-150 51 y Fs(The)33
-b(\002rst)i(of)e(the)h(applications)f(is)h(the)g(Finger)f(\223User)h
-(Informa-)-150 151 y(tion\224)22 b(service)f([Zi91)o(].)30
-b(Structurally)-5 b(,)20 b(Finger)h(is)i(v)o(ery)e(simple:)29
-b(the)-150 250 y(connection)i(originator)f(sends)j(a)g(single)g(line,)i
-(terminated)d(by)g(a)-150 350 y(carriage-return)20 b(line-feed,)i
-(specifying)f(the)i(user)g(for)f(which)g(the)o(y)-150
-450 y(request)28 b(information.)50 b(An)29 b(optional)f(\003ag)h
-(requests)g(\223full\224)g(\(v)o(er)n(-)-150 549 y(bose\))g(output.)54
-b(The)29 b(responder)f(returns)h(whate)n(v)o(er)g(information)-150
-649 y(it)c(deems)f(appropriate)f(in)h(multiple)g(lines)h(of)f(te)o(xt,)
-i(after)e(which)g(it)-150 749 y(closes)d(the)f(connection.)-67
-848 y(Bro)37 b(generates)f(a)h Fm(finger)p 825 848 25
-4 v 28 w(request)f Fs(e)n(v)o(ent)g(whene)n(v)o(er)f(it)-150
-948 y(monitors)18 b(a)i(complete)e(Finger)h(request.)24
-b(A)c(handler)e(for)h(this)g(e)n(v)o(ent)-150 1047 y(looks)h(lik)o(e:)
--150 1191 y Ff(event)39 b(finger_request\(c:)e(connection,)687
-1270 y(user:)i(string,)g(full:)g(bool\))-150 1435 y Fs(Our)18
-b(site')-5 b(s)20 b(polic)o(y)d(for)h(Finger)g(requests)g(includes)g
-(testing)g(for)g(pos-)-150 1534 y(sible)j(b)n(uf)n(fer)n(-o)o(v)o
-(er\003o)n(w)16 b(attacks)21 b(and)e(checking)g(the)h(user)g(against)g
-(a)-150 1634 y(list)27 b(of)e(sensiti)n(v)o(e)h(user)g(ID')-5
-b(s,)27 b(such)f(as)g(pri)n(vile)o(ged)e(accounts.)41
-b(See)-150 1734 y(Appendix)26 b(A)i(for)f(a)h(discussion)f(of)h(ho)n(w)
-f(the)h(Finger)f(analysis)h(is)-150 1833 y(inte)o(grated)19
-b(into)g(Bro.)-67 1933 y(Bro)h(generates)g(an)g(analogous)e
-Fm(finger)p 1174 1933 V 29 w(reply)i Fs(e)n(v)o(ent:)-150
-2077 y Ff(event)39 b(finger_reply\(c:)f(connection,)607
-2155 y(reply_line:)g(string\))-150 2320 y Fs(for)20 b(each)f(line)i(of)
-f(the)g(reply)f(from)g(the)i(Finger)e(serv)o(er)-5 b(.)-67
-2420 y(A)19 b(\002nal)g(note:)24 b(if)19 b(the)f(e)n(v)o(ent)g(engine)f
-(\002nds)i(that)g(the)f(polic)o(y)g(script)-150 2519
-y(does)29 b(not)g(de\002ne)f(a)i Fm(finger)p 772 2519
-V 29 w(request)e Fs(or)h Fm(finger)p 1578 2519 V 29 w(reply)-150
-2619 y Fs(handler)m(,)19 b(then)h(it)h(does)f(not)g(bother)f(creating)h
-(Finger)n(-speci\002c)f(ana-)-150 2719 y(lyzers)j(for)g(ne)n(w)g
-(Finger)g(connections.)30 b(In)22 b(general,)g(the)g(e)n(v)o(ent)g(en-)
--150 2818 y(gine)g(tries)i(to)f(determine)e(as)j(early)f(as)g(possible)
-g(whether)f(the)h(user)-150 2918 y(has)c(de\002ned)f(a)h(particular)e
-(handler)m(,)g(and,)i(if)g(not,)f(a)n(v)n(oids)h(undertak-)-150
-3017 y(ing)29 b(the)g(w)o(ork)f(associated)h(with)h(generating)d(the)i
-(corresponding)-150 3117 y(e)n(v)o(ent.)-150 3351 y Fh(6.2)99
-b(FTP)-150 3507 y Fs(The)30 b(File)h(T)m(ransfer)f(Protocol)f([PR85)o
-(])i(is)g(much)f(more)f(comple)o(x)-150 3607 y(than)h(the)g(Finger)f
-(protocol;)k(it)e(also,)h(ho)n(we)n(v)o(er)m(,)e(is)h(highly)e(struc-)
--150 3706 y(tured)34 b(and)g(easy)h(to)g(parse,)j(so)d(interpreting)e
-(an)h(FTP)i(dialog)e(is)-150 3806 y(straight-forw)o(ard.)-67
-3906 y(F)o(or)28 b(FTP)h(requests,)i(Bro)d(parses)h(each)f(line)h(sent)
-g(by)f(the)g(con-)-150 4005 y(nection)22 b(originator)e(into)j(a)g
-(command)e(\(\002rst)i(w)o(ord\))f(and)g(an)g(ar)o(gu-)-150
-4105 y(ment)28 b(\(the)g(remainder\),)f(splitting)h(the)h(tw)o(o)f(at)h
-(the)f(\002rst)h(instance)-150 4204 y(of)f(whitespace)f(it)i(\002nds,)h
-(and)e(con)m(v)o(erting)d(the)j(command)e(to)i(up-)-150
-4304 y(percase)20 b(\(to)g(circumv)o(ent)e(problems)g(such)i(as)h(a)g
-(polic)o(y)e(script)h(test-)-150 4404 y(ing)i(for)g(\223store)g
-(\002le\224)h(commands)e(as)i Fm(STOR)f Fs(or)h Fm(stor)p
-Fs(,)f(and)g(an)g(at-)-150 4503 y(tack)o(er)j(instead)g(sending)f
-Fm(stOR)p Fs(,)g(which)h(the)g(remote)g(FTP)g(serv)o(er)-150
-4603 y(will)32 b(happily)e(accept\).)57 b(It)31 b(then)g(generates)f
-(an)h Fm(ftp)p 1478 4603 V 29 w(request)-150 4703 y Fs(e)n(v)o(ent)24
-b(with)h(these)g(and)f(the)h(corresponding)c(connection)i(as)i(ar)o
-(gu-)-150 4802 y(ments.)-67 4902 y(FTP)20 b(replies)f(be)o(gin)g(with)g
-(a)h(status)g(code)f(\(a)h(number\),)d(follo)n(wed)-150
-5001 y(by)f(an)o(y)g(accompan)o(ying)d(te)o(xt.)23 b(Replies)18
-b(also)e(can)h(indicate)f(whether)-150 5101 y(the)o(y)24
-b(continue)f(to)i(another)e(line.)38 b(Accordingly)-5
-b(,)23 b(for)h(each)g(line)h(of)-150 5201 y(reply)31
-b(the)i(e)n(v)o(ent)e(engine)g(generates)g(an)h Fm(ftp)p
-1263 5201 V 29 w(reply)g Fs(with)h(the)-150 5300 y(code,)25
-b(the)f(te)o(xt,)h(a)g(\003ag)g(indicating)e(continuation,)g(and)h(the)
-h(corre-)-150 5400 y(sponding)18 b(connection)g(as)j(ar)o(guments.)2132
--104 y(As)35 b(f)o(ar)f(as)h(the)f(e)n(v)o(ent)f(engine)g(is)i
-(concerned,)g(that')-5 b(s)34 b(it\227100)2049 -5 y(lines)18
-b(of)g(straight-forw)o(ard)d(C++.)24 b(What)19 b(is)f(interesting)f
-(about)g(FTP)2049 95 y(is)32 b(that)f(all)h(the)f(remaining)f(w)o(ork)g
-(can)h(be)g(done)f(in)i Fm(Bro)f Fs(\(about)2049 194
-y(400)d(lines)g(for)g(our)g(site\).)50 b(The)29 b Fm(ftp)p
-3182 194 V 29 w(request)f Fs(handler)f(k)o(eeps)2049
-294 y(track)k(of)f(distinct)i(FTP)f(sessions,)k(pulls)c(out)f
-(usernames)g(to)i(test)2049 394 y(against)26 b(a)h(list)g(of)g(sensiti)
-n(v)o(e)f(ID')-5 b(s)27 b(\(and)f(to)g(annotate)g(the)g(connec-)2049
-493 y(tion')-5 b(s)24 b(general)f(summary\),)g(and,)h(for)f(an)o(y)g
-(FTP)i(request)e(that)h(ma-)2049 593 y(nipulates)29 b(a)i(\002le,)i
-(checks)c(for)h(access)g(to)h(sensiti)n(v)o(e)e(\002les.)56
-b(Some)2049 693 y(of)23 b(these)g(checks)g(depend)e(on)i(conte)o(xt;)h
-(for)e(e)o(xample,)h(a)g(guest)g(\(or)2049 792 y(\223anon)o
-(ymous\224\))i(user)k(should)f(not)g(attempt)g(to)h(manipulate)f(user)n
-(-)2049 892 y(con\002guration)18 b(\002les,)i(while)h(for)e(other)h
-(users)g(doing)f(so)h(is)h(\002ne.)2132 998 y(One)f(subtlety)h(in)f
-(the)h(FTP)g(analysis)g(is)g(being)f(careful)g(to)g(main-)2049
-1097 y(tain)32 b(a)h(notion)d(of)i(\223current)f(requests)g(a)o(w)o
-(aiting)h(replies,)-6 b(\224)34 b(rather)2049 1197 y(than)f(just)h
-(\223the)f(most)g(recently)g(seen)g(request.)-6 b(\224)64
-b(Doing)33 b(so)g(cir)n(-)2049 1297 y(cumv)o(ents)23
-b(an)h(attack)h(in)f(which)g(the)h(attack)o(er)e(pipelines)h(multiple)
-2049 1396 y(requests\227rather)g(than)h(issuing)g(a)h(single)g(request)
-e(at)i(a)g(time)g(and)2049 1496 y(a)o(w)o(aiting)18 b(its)i
-(response\227and)c(confuses)i(the)h(monitor)e(as)i(to)g(which)2049
-1595 y(replies)h(go)g(with)g(which)g(requests.)2132 1701
-y(A)g(\002nal)g(analysis)f(step)h(for)f Fm(ftp)p 3093
-1701 V 29 w(request)g Fs(e)n(v)o(ents)g(is)h(to)g(parse)2049
-1801 y(an)o(y)i Fm(PORT)g Fs(request)g(to)h(e)o(xtract)f(the)g
-(hostname)g(and)g(TCP)h(port)f(as-)2049 1901 y(sociated)f(with)g(an)h
-(upcoming)c(transfer)-5 b(.)28 b(\(The)21 b(FTP)h(protocol)d(uses)2049
-2000 y(multiple)28 b(TCP)i(connections,)f(one)g(for)f(the)h(control)f
-(information)2049 2100 y(such)g(as)h(user)f(requests,)i(and)e(others,)h
-(dynamically)e(created,)i(for)2049 2199 y(each)34 b(data)f(transfer)-5
-b(.\))65 b(This)34 b(is)h(an)f(important)e(step,)38 b(because)33
-b(it)2049 2299 y(enables)27 b(the)g(script)g(to)g(tell)h(which)e
-(subsequent)g(connections)f(be-)2049 2399 y(long)h(to)g(this)i(FTP)f
-(session)g(and)f(which)g(do)g(not.)44 b(A)27 b(site')-5
-b(s)28 b(polic)o(y)2049 2498 y(might)d(allo)n(w)h(FTP)g(access)h(to)f
-(particular)e(serv)o(ers,)j(b)n(ut)e(an)o(y)g(other)2049
-2598 y(access)f(to)f(those)g(serv)o(ers)f(merits)i(an)f(alarm;)h(b)n
-(ut)f(without)g(parsing)2049 2698 y(the)c Fm(PORT)h Fs(request,)e(it)j
-(can)e(be)g(impossible)g(to)h(distinguish)e(a)i(le)o(git-)2049
-2797 y(imate)j(FTP)g(data)f(transfer)g(connection)f(from)g(an)i
-(illicit,)h(non-FTP)2049 2897 y(connection.)54 b(Consequently)-5
-b(,)30 b(the)h(script)f(k)o(eeps)h(track)f(of)g(pend-)2049
-2996 y(ing)23 b(data)h(transfer)e(connections,)g(and)h(when)g(it)h
-(encounters)e(them,)2049 3096 y(marks)g(them)g(as)h Fm(ftp-data)f
-Fs(applications,)f(e)n(v)o(en)g(if)i(the)o(y)f(do)g(not)2049
-3196 y(use)j(the)g(well-kno)n(wn)e(port)i(associated)g(with)g(such)f
-(transfers)h(\(the)2049 3295 y(standard)19 b(does)h(not)g(require)f
-(them)g(to)i(do)f(so\).)2132 3401 y(W)-7 b(e)18 b(also)f(note)f(that,)h
-(in)g(addition)f(to)g(correctly)g(identifying)e(FTP-)2049
-3501 y(related)30 b(traf)n(\002c,)i(parsing)d Fm(PORT)h
-Fs(requests)g(mak)o(es)g(it)h(possible)e(to)2049 3600
-y(detect)e(\223FTP)h(bounce\224)d(attacks.)47 b(In)27
-b(these)g(attacks,)i(a)f(malicious)2049 3700 y(FTP)j(client)g
-(instructs)g(an)g(FTP)g(serv)o(er)g(to)g(open)e(a)j(data)e(transfer)
-2049 3800 y(connection)f(not)i(back)f(to)i(it,)i(b)n(ut)d(to)h(a)f
-(third,)i(victim)e(site.)59 b(The)2049 3899 y(client)25
-b(can)f(thus)h(manipulate)e(the)h(serv)o(er)g(into)h(uploading)d(data)i
-(to)2049 3999 y(an)e(arbitrary)e(service)h(on)h(the)g(victim)f(site,)i
-(or)f(to)g(ef)n(fecti)n(v)o(ely)e(port-)2049 4099 y(scan)h(the)g
-(victim)g(site)h(\(which)e(the)h(client)g(does)g(by)g(using)f(multiple)
-2049 4198 y(bogus)30 b Fm(PORT)g Fs(requests)h(and)f(observing)f(the)i
-(completion)e(status)2049 4298 y(of)20 b(subsequent)f(data-transfer)g
-(requests\).)25 b(Our)20 b(script)h(\003ags)g Fm(PORT)2049
-4397 y Fs(requests)d(that)g(attempt)f(an)o(y)h(redirection)e(of)h(the)h
-(data)g(transfer)f(con-)2049 4497 y(nection.)23 b(Interestingly)-5
-b(,)16 b(we)j(added)e(this)i(check)e(mostly)h(because)g(it)2049
-4597 y(w)o(as)e(easy)g(to)g(do)f(so;)j(months)d(later)m(,)h(we)g
-(monitored)d(the)j(\002rst)g(of)g(se)n(v-)2049 4696 y(eral)22
-b(subsequent)e(FTP)i(bounce)e(attacks.)30 b(This)22 b(form)f(of)g
-(serendip-)2049 4796 y(itous)h(disco)o(v)o(ery)e(of)h(an)h
-(unanticipated)e(type)h(of)h(attack)g(ar)o(gues)e(for)2049
-4896 y(emplo)o(ying)c(a)j(general)f(principle)f(of)h(\223sanity)h
-(checking\224)d(the)j(mon-)2049 4995 y(itored)25 b(traf)n(\002c)g(as)h
-(much)e(as)i(possible.)40 b(F)o(or)25 b(a)h(dif)n(\002culty)e(with)i
-(this)2049 5095 y(principle,)19 b(ho)n(we)n(v)o(er)m(,)e(see)k
-Fi(x)g Fs(7.3.)2132 5201 y(F)o(or)26 b Fm(ftp)p 2428
-5201 V 29 w(reply)f Fs(e)n(v)o(ents,)i(most)f(of)g(the)g(w)o(ork)f(is)i
-(simply)e(for)n(-)2049 5300 y(matting)h(a)i(succinct)e(one-line)g
-(summary)g(of)h(the)g(request)f(and)h(its)2049 5400 y(result)f(for)f
-(recording)e(in)i(the)h(FTP)g(acti)n(vity)f(log.)41 b(In)25
-b(addition,)h(an)1908 5649 y(14)p eop
-%%Page: 15 15
-15 14 bop -150 -104 a Fs(FTP)19 b Fm(PASV)f Fs(request)g(has)g(a)h
-(structure)f(similar)g(to)h(a)f Fm(PORT)g Fs(request,)-150
--5 y(e)o(xcept)c(that)i(the)f(FTP)h(serv)o(er)f(instead)g(of)g(the)g
-(client)g(determines)g(the)-150 95 y(speci\002cs)22 b(of)g(the)f
-(subsequent)f(data)i(transfer)f(connection.)27 b(Conse-)-150
-194 y(quently)h(our)g(script)h(subjects)g Fm(PASV)g Fs(replies)g(to)g
-(the)g(same)g(anal-)-150 294 y(ysis)f(as)h Fm(PORT)e
-Fs(requests.)47 b(Finally)-5 b(,)28 b(there)f(is)i(nothing)d(to)h(pre)n
-(v)o(ent)-150 394 y(a)f Fr(dif)o(fer)m(ent)g Fs(remote)e(host)i(from)e
-(connecting)f(to)j(the)f(data)g(transfer)-150 493 y(port)c(of)n(fered)f
-(by)i(a)g(serv)o(er)f(via)h(a)g Fm(PASV)g Fs(reply)-5
-b(.)29 b(It)22 b(may)g(be)f(hard)g(to)-150 593 y(see)i(why)e(this)i
-(might)f(actually)f(occur)m(,)h(b)n(ut)g(putting)f(in)h(a)h(test)g(for)
-f(it)-150 693 y(is)k(simple)f(\(unfortunately)-5 b(,)21
-b(there)k(are)g(some)f(f)o(alse)h(alarms)g(due)f(to)-150
-792 y(multi-homed)17 b(clients;)j(we)f(use)h(heuristics)f(to)g(reduce)f
-(these\);)h(and,)-150 892 y(indeed,)32 b(se)n(v)o(eral)d(months)h
-(after)g(adding)f(it,)k(it)f(triggered,)f(due)e(to)-150
-991 y(an)18 b(attack)o(er)g(using)g(3-w)o(ay)f(FTP)i(as)g(\(e)n
-(vidently\))d(a)j(w)o(ay)f(to)h(disguise)-150 1091 y(their)d(trail,)i
-(another)d(serendipitous)g(result)i(of)g(the)f(sanity-checking)-150
-1191 y(principle.)-150 1587 y Fh(6.3)99 b(P)n(ortmapper)-150
-1798 y Fs(Man)o(y)26 b(services)h(based)g(on)g(Remote)g(Procedure)e
-(Call)k(\(RPC;)f(de-)-150 1897 y(\002ned)16 b(in)g([Sr95a)o(]\))g(do)f
-(not)h(listen)h(for)e(requests)h(on)g(a)h(\223well-kno)n(wn\224)-150
-1997 y(port,)k(b)n(ut)g(rather)g(pick)g(an)g(arbitrary)f(port)h(when)f
-(initialized.)29 b(The)o(y)-150 2096 y(then)22 b(re)o(gister)g(this)h
-(port)f(with)h(a)g(Portmapper)d(service)j(running)d(on)-150
-2196 y(the)32 b(same)h(machine.)60 b(Only)32 b(the)g(Portmapper)e
-(needs)i(to)g(run)g(on)-150 2296 y(a)24 b(well-kno)n(wn)e(port;)j(when)
-f(clients)g(w)o(ant)g(access)g(to)g(the)g(service,)-150
-2395 y(the)o(y)16 b(\002rst)i(contact)f(the)g(Portmapper)m(,)e(and)h
-(it)i(tells)g(them)f(which)f(port)-150 2495 y(the)o(y)24
-b(should)g(then)g(contact)g(in)h(order)e(to)i(reach)f(the)g(service.)38
-b(This)-150 2595 y(second)25 b(port)g(may)g(be)h(for)f(TCP)h(or)g(UDP)g
-(access)g(\(depending)d(on)-150 2694 y(which)d(of)g(these)g(the)g
-(client)g(requests)g(from)f(the)i(Portmapper\).)-67 2823
-y(Thus,)c(by)h(monitoring)d(Portmapper)g(traf)n(\002c,)j(we)g(can)f
-(detect)g(an)o(y)-150 2922 y(attempted)e(access)i(to)g(a)f(number)f(of)
-h(sensiti)n(v)o(e)g(RPC)i(services,)f(such)-150 3022
-y(as)j(NFS)h(and)e(YP)-9 b(,)19 b(e)o(xcept)g(in)g(cases)i(where)e(the)
-g(attack)o(er)g(learns)h(the)-150 3122 y(port)g(for)f(those)h(services)
-g(some)g(other)g(w)o(ay)g(\(e.g.,)f(port-scanning\).)-67
-3250 y(The)39 b(Portmapper)e(service)i(is)h(itself)g(b)n(uilt)g(on)e
-(top)h(of)g(RPC,)-150 3350 y(which)29 b(in)i(turn)e(uses)h(the)g(XDR)h
-(External)e(Data)h(Representation)-150 3449 y(Standard)23
-b([Sr95b)n(].)36 b(Furthermore,)23 b(one)g(can)h(use)g(RPC)i(on)d(top)h
-(of)-150 3549 y(either)f(TCP)i(or)e(UDP)-9 b(,)24 b(and)f(typically)g
-(the)h(Portmapper)e(listens)i(on)-150 3649 y(both)30
-b(a)i(well-kno)n(wn)d(TCP)j(port)e(and)h(a)g(well-kno)n(wn)f(UDP)h
-(port)-150 3748 y(\(both)21 b(are)h(port)f(111\).)29
-b(Consequently)-5 b(,)20 b(adding)g(Portmapper)g(anal-)-150
-3848 y(ysis)29 b(to)g(Bro)f(required)f(adding)g(a)i(generic)e(RPC)j
-(analyzer)m(,)f(TCP-)-150 3947 y(and)22 b(UDP-speci\002c)h(analyzers)f
-(to)h(unwrap)e(the)i(dif)n(ferent)e(w)o(ays)i(in)-150
-4047 y(which)34 b(RPCs)i(are)e(embedded)e(in)i(TCP)h(and)f(UDP)g(pack)o
-(ets,)k(an)-150 4147 y(XDR)21 b(analyzer)m(,)d(and)i(a)h(Portmapper)n
-(-speci\002c)c(analyzer)-5 b(.)-67 4275 y(This)32 b(last)g(generates)f
-(six)h(pairs)f(of)g(e)n(v)o(ents,)j(one)d(for)g(each)g(re-)-150
-4375 y(quest)23 b(and)f(reply)g(for)h(the)g(six)g(actions)g(the)g
-(Portmapper)e(supports:)-150 4474 y(a)27 b(null)f(call;)j(add)d(a)h
-(binding)d(between)h(a)i(service)f(and)g(a)g(port;)j(re-)-150
-4574 y(mo)o(v)o(e)21 b(a)h(binding;)f(look)h(up)f(a)i(binding;)e(dump)g
-(the)h(entire)g(table)g(of)-150 4674 y(bindings;)c(and)f(both)h(look)f
-(up)h(a)g(service)g(and)g(call)g(it)h(directly)f(with-)-150
-4773 y(out)h(requiring)f(a)i(second)e(connection.)23
-b(\(This)c(last)i(is)f(a)g(monitoring)-150 4873 y(headache)i(because)g
-(it)i(means)f(an)o(y)f(RPC)j(service)e(can)g(potentially)-150
-4973 y(be)d(accessed)g(directly)g(through)e(a)i(Portmapper)e
-(connection.\))-67 5101 y(Our)37 b(polic)o(y)f(script)i(for)f
-(Portmapper)e(traf)n(\002c)i(again)g(is)h(f)o(airly)-150
-5201 y(lar)o(ge,)i(more)d(than)g(300)f(lines.)76 b(Most)38
-b(of)f(this)h(concerns)e(what)-150 5300 y(Portmapper)17
-b(requests)j(we)g(allo)n(w)f(between)g(which)g(pairs)g(of)h(hosts,)-150
-5400 y(particularly)e(for)i(NFS)h(access.)2049 -104 y
-Fh(6.4)99 b(Ident)2049 63 y Fs(The)27 b(Identi\002cation)e(Protocol)h
-(\(\223ident\224\))g(is)i(used)e(to)i(query)d(hosts)2049
-162 y(for)34 b(the)h(user)g(identity)f(associated)h(with)g(an)g(acti)n
-(v)o(e)g(connection)2049 262 y([S-J93)o(].)52 b(The)29
-b(request)f(is)i(of)f(the)g(form)f(\223)p Fr(r)m(emote-port)i
-Fm(:)43 b Fr(local-)2049 361 y(port)q Fs(\224.)c(If)24
-b(host)h Fj(A)h Fs(sends)e(such)h(a)g(request)f(to)h(the)g(ident)f
-(serv)o(er)g(on)2049 461 y(host)19 b Fj(B)t Fs(,)g(then)f(the)h
-(request)f(is)h(asking)f(for)g(the)h(identi\002cation)e(of)i(the)2049
-561 y(user)i(on)g(host)h Fj(B)k Fs(who)21 b(has)g(a)h(connection)e
-(from)g(host)h Fj(B)t Fs(')-5 b(s)23 b Fr(r)m(emote-)2049
-660 y(port)c Fs(to)e(host)h Fj(A)p Fs(')-5 b(s)18 b Fr(local-port)p
-Fs(.)23 b(The)17 b(reply)g(identi\002es)g(the)g(operating)2049
-760 y(system,)25 b(perhaps)d(a)i(language)f(encoding,)f(and)h(a)h
-(username)f(\(or)g(a)2049 860 y(\223cookie\224)h(that)h(does)g(not)f
-(directly)h(re)n(v)o(eal)f(the)h(username)f(b)n(ut)h(can)2049
-959 y(be)d(used)f(subsequently)f(by)h(an)h(administrator)e(of)h(host)h
-Fj(B)27 b Fs(to)21 b(iden-)2049 1059 y(tify)f(the)g(user\).)2132
-1164 y(Bro)44 b(generates)f(three)g(e)n(v)o(ents,)49
-b Fm(ident)p 3404 1164 25 4 v 28 w(request)p Fs(,)g(which)2049
-1264 y(identi\002es)54 b(the)h Fr(r)m(emote-port)g Fs(and)f
-Fr(local-port)g Fs(in)h(a)f(request,)2049 1364 y Fm(ident)p
-2304 1364 V 29 w(reply)p Fs(,)33 b(which)d(includes)g(the)g(username)g
-(and)g(the)g(op-)2049 1463 y(erating)i(system,)k(and)d
-Fm(ident)p 3010 1463 V 29 w(error)p Fs(,)j(for)c(when)g(the)h(remote)
-2049 1563 y(serv)o(er)22 b(declares)g(that)h(the)g(ident)g(request)f(w)
-o(as)i(in)m(v)n(alid.)32 b(Our)22 b(site')-5 b(s)2049
-1663 y(polic)o(y)24 b(scripts)i(check)f(the)h(username)e(against)h(a)h
-(list)g(of)g(sensiti)n(v)o(e)2049 1762 y(user)16 b(ID')-5
-b(s)17 b(\(such)f(as)i(\223)p Fm(rewt)p Fs(\224,)e(a)h(name)f(commonly)
-e(used)j(for)f(back-)2049 1862 y(door)j(\223root\224)g(accounts\),)g
-(and)g(annotates)h(the)g(corresponding)c(con-)2049 1961
-y(nection)j(record)g(with)h(the)h(username.)2049 2232
-y Fh(6.5)99 b(T)-9 b(elnet)26 b(and)g(Rlogin)2049 2399
-y Fs(The)38 b(\002nal)h(applications)e(currently)f(b)n(uilt)j(into)f
-(Bro)g(are)h(T)-6 b(elnet)2049 2499 y(and)29 b(Rlogin,)h(services)g
-(for)e(remote)h(interacti)n(v)o(e)e(access)j([PR83a)o(,)2049
-2598 y(Ka91)o(].)42 b(There)25 b(are)h(se)n(v)o(eral)f(signi\002cant)g
-(dif)n(\002culties)h(with)g(moni-)2049 2698 y(toring)21
-b(interacti)n(v)o(e)g(traf)n(\002c.)30 b(The)21 b(\002rst)i(is)g(that,)
-f(unlik)o(e)g(FTP)-9 b(,)22 b(T)-6 b(elnet)2049 2798
-y(and)17 b(Rlogin)g(traf)n(\002c)h(is)g(virtually)f(unstructured.)k
-(There)c(are)h(no)f(nice)2049 2897 y(\223)p Fm(USER)49
-b(xyz)p Fs(\224)29 b(directi)n(v)o(es)f(that)i(mak)o(e)f(it)h(tri)n
-(vial)f(to)g(identify)g(the)2049 2997 y(account)c(associated)g(with)h
-(the)g(acti)n(vity;)j(instead,)e(one)e(must)h(em-)2049
-3097 y(plo)o(y)f(a)g(series)h(of)f(heuristics.)40 b(\(The)24
-b(Rlogin)h(protocol)f(includes)g(a)2049 3196 y(mechanism)g(for)g
-(specifying)g(an)h(initial)g(username,)g(b)n(ut)g(does)g(not)2049
-3296 y(include)15 b(a)h(mechanism)f(for)g(indicating)g(that)h(the)g
-(username)e(w)o(as)j(re-)2049 3395 y(jected,)j(so)g(the)g(situation)g
-(is)h(virtually)e(identical)g(to)h(that)g(for)g(T)-6
-b(elnet)2049 3495 y(in)17 b(which)g(the)g(initial)g(name)g(is)h
-(presumably)d(the)i(\002rst)h(te)o(xt)f(typed)f(by)2049
-3595 y(the)21 b(user)-5 b(.\))27 b(This)21 b(problem)e(mak)o(es)h
-(interacti)n(v)o(e)g(traf)n(\002c)g(particularly)2049
-3694 y(susceptible)g(to)h(subterfuge)e(attacks,)i(since)g(if)g(the)g
-(heuristics)f(ha)n(v)o(e)2049 3794 y(holes,)g(an)g(attack)o(er)g(can)g
-(slip)g(through)e(them)i(undetected.)2132 3900 y(There)35
-b(are)i(tw)o(o)f(parts)g(to)h(the)f(analysis:)58 b(determining)34
-b(user)n(-)2049 3999 y(names)22 b(in)g(a)h(rob)n(ust)f(f)o(ashion,)f
-(and)h(scanning)f(interacti)n(v)o(e)g(sessions)2049 4099
-y(for)j(strings)g(re\003ecting)f(questionable)g(acti)n(vity)-5
-b(.)36 b(W)-7 b(e)25 b(discuss)g(each)2049 4198 y(in)31
-b(turn.)55 b(Because)30 b(of)h(the)f(close)h(similarities)g(between)f
-(analyz-)2049 4298 y(ing)f(T)-6 b(elnet)30 b(and)f(Rlogin)g(sessions,)k
-(Bro)d(combines)e(them)i(into)f(a)2049 4398 y(generic)21
-b(\223Login\224)f(analyzer)m(,)g(which)h(is)i(the)e(term)h(we)g(use)f
-(for)g(both)2049 4497 y(in)f(the)h(remainder)d(of)i(the)g(section.)2132
-4603 y Fl(Recognizing)29 b(the)h(authentication)e(dialog)o(.)53
-b Fs(The)30 b(\002rst)h(f)o(acet)2049 4703 y(of)26 b(analyzing)f(Login)
-g(acti)n(vity)h(is)h(to)f(accurately)f(track)h(the)g(initial)2049
-4802 y(authentication)f(dialog)i(and)f(e)o(xtract)h(from)f(it)i(the)f
-(usernames)f(as-)2049 4902 y(sociated)c(with)h(both)f(login)g(f)o
-(ailures)h(and)f(successes.)33 b(Initially)22 b(we)2049
-5001 y(attempted)e(to)h(b)n(uild)g(a)g(state)h(machine)e(that)h(w)o
-(ould)g(track)f(the)h(v)n(ari-)2049 5101 y(ous)e(authentication)f
-(steps:)25 b(w)o(aiting)20 b(for)e(the)i(username,)e(scanning)2049
-5201 y(the)29 b(login)f(prompt)f(\(this)h(comes)h(after)f(the)h
-(username,)g(since)g(the)2049 5300 y(processing)22 b(is)i
-(line-oriented,)e(and)h(the)g(full,)h(ne)n(wline-terminated)2049
-5400 y(prompt)34 b(line)h(does)g(not)g(appear)f(until)h(after)g(the)g
-(username)f(has)1908 5649 y(15)p eop
-%%Page: 16 16
-16 15 bop -150 -104 a Fs(been)24 b(entered\),)g(w)o(aiting)h(for)f(the)
-g(passw)o(ord,)h(scanning)f(the)g(pass-)-150 -5 y(w)o(ord)34
-b(prompt,)i(and)f(then)f(looking)f(for)h(an)g(indication)g(that)h(the)
--150 95 y(passw)o(ord)29 b(w)o(as)j(rejected)d(\(in)h(which)g(case)g
-(the)h(process)e(repeats\))-150 194 y(or)f(accepted.)48
-b(This)29 b(approach,)e(though,)i(founders)d(on)i(the)g(great)-150
-294 y(v)n(ariety)21 b(of)i(authentication)d(dialogs)i(used)g(by)g(dif)n
-(ferent)e(operating)-150 394 y(systems,)25 b(some)e(of)g(which)h
-(sometimes)f(do)g(not)g(prompt)f(for)h(pass-)-150 493
-y(w)o(ords,)k(or)f(re-prompt)e(for)h(passw)o(ords)h(rather)g(than)f
-(login)h(names)-150 593 y(after)34 b(a)g(passw)o(ord)f(f)o(ailure,)k
-(or)d(utilize)g(tw)o(o)g(steps)h(of)e(passw)o(ord)-150
-693 y(authentication,)20 b(or)h(e)o(xtract)g(usernames)f(from)h(en)m
-(vironment)d(v)n(ari-)-150 792 y(ables,)25 b(and)e(so)h(on.)35
-b(W)-7 b(e)25 b(instead)f(use)g(a)g(simpler)g(approach,)e(based)-150
-892 y(on)h(associating)f(particular)g(strings)h(\(such)f(as)i(\223P)o
-(assw)o(ord:\224\))29 b(with)-150 991 y(particular)g(information,)i
-(and)f(not)g(attempting)f(to)h(track)g(the)h(au-)-150
-1091 y(thentication)16 b(states)j(e)o(xplicitly)-5 b(.)22
-b(It)c(w)o(orks)f(well,)h(although)e(not)h(per)n(-)-150
-1191 y(fectly)-5 b(,)19 b(and)h(its)h(w)o(orkings)e(are)h(certainly)f
-(easier)i(to)f(follo)n(w)-5 b(.)-67 1297 y(The)40 b(Login)e(analyzer)h
-(generates)g Fm(login)p 1272 1297 25 4 v 29 w(success)g
-Fs(upon)-150 1396 y(determining)51 b(that)h(a)i(user)e(has)h
-(successfully)g(authenticated,)-150 1496 y Fm(login)p
-105 1496 V 29 w(failure)40 b Fs(when)g(a)h(user')-5 b(s)41
-b(attempt)g(to)g(authenticate)-150 1595 y(f)o(ails,)18
-b Fm(authentication)p 736 1595 V 27 w(skipped)e Fs(if)g(it)i
-(recognizes)d(the)h(au-)-150 1695 y(thentication)28 b(dialog)h(as)i
-(one)e(speci\002ed)g(by)h(the)f(polic)o(y)g(script)h(as)-150
-1795 y(not)17 b(requiring)f(further)g(analysis,)h(and)g
-Fm(login)p 1240 1795 V 29 w(confused)g Fs(if)h(the)-150
-1894 y(analyzer)f(becomes)g(confused)f(re)o(garding)g(the)i
-(authentication)e(dia-)-150 1994 y(log.)24 b(\(This)19
-b(last)g(could,)f(for)g(e)o(xample,)g(trigger)f(full-pack)o(et)g
-(record-)-150 2094 y(ing)j(of)g(the)g(subsequent)f(session,)h(for)g
-(later)g(manual)f(analysis.\))-67 2199 y Fl(T)-6 b(ype-ahead.)28
-b Fs(A)22 b(basic)g(dif)n(\002culty)e(that)i(complicates)f(the)g(anal-)
--150 2299 y(ysis)j(is)g(type-ahead.)32 b(W)-7 b(e)24
-b(cannot)f(rely)g(on)f(the)i(most-recently)d(en-)-150
-2399 y(tered)h(string)g(as)i(corresponding)19 b(to)k(the)f(current)g
-(prompt)f(line.)32 b(In-)-150 2498 y(stead,)24 b(we)f(k)o(eep)f(track)h
-(of)g(user)f(input)h(lines)g(separately)-5 b(,)22 b(and)g(con-)-150
-2598 y(sume)27 b(them)h(as)g(we)g(observ)o(e)e(dif)n(ferent)g(prompts.)
-46 b(F)o(or)27 b(e)o(xample,)-150 2698 y(if)20 b(the)g(analyzer)f
-(scans)h(\223P)o(assw)o(ord:\224,)f(then)g(it)i(associates)g(with)f
-(the)-150 2797 y(prompt)15 b(the)i(\002rst)h(unread)d(line)i(in)g(the)g
-(user)g(type-ahead)d(b)n(uf)n(fer)m(,)i(and)-150 2897
-y(consumes)21 b(that)i(line.)31 b(The)22 b(hazard)f(of)h(this)h
-(approach)d(is)j(if)f(the)h(lo-)-150 2996 y(gin)h(serv)o(er)f(e)n(v)o
-(er)h(\003ushes)g(the)g(type-ahead)e(b)n(uf)n(fer)h(\(due)h(to)g(part)g
-(of)-150 3096 y(its)f(authentication)c(dialog,)j(or)f(upon)f(an)i(e)o
-(xplicit)f(signal)h(from)f(the)-150 3196 y(user\),)h(then)g(if)g(the)h
-(monitor)d(misses)k(this)e(f)o(act)h(it)g(will)g(become)e(out)-150
-3295 y(of)29 b(sync.)50 b(This)29 b(opens)f(the)h(monitor)e(to)i(a)g
-(subterfuge)e(attack,)j(in)-150 3395 y(which)c(an)h(attack)o(er)f
-(passes)h(of)n(f)f(an)h(innocuous)d(string)i(as)i(a)f(user)n(-)-150
-3495 y(name,)20 b(and)g(the)h(polic)o(y)f(script)g(in)h(turn)f(f)o
-(ails)i(to)f(recognize)e(that)i(the)-150 3594 y(attack)o(er)16
-b(in)h(f)o(act)f(has)h(authenticated)e(as)i(a)g(pri)n(vile)o(ged)d
-(user)-5 b(.)24 b(One)16 b(\002x)-150 3694 y(to)21 b(this)h
-(problem\227re\003ecting)c(a)j(strate)o(gy)f(we)i(adopt)e(for)g(the)h
-(more)-150 3793 y(general)g(\223k)o(e)o(ystrok)o(e)f(editing\224)g
-(problem)g(discussed)i(belo)n(w\227is)f(to)-150 3893
-y(test)29 b Fr(both)f Fs(usernames)f(and)h(passw)o(ords)g(against)g(an)
-o(y)f(list)j(of)e(sen-)-150 3993 y(siti)n(v)o(e)d(usernames,)h(an)f(e)o
-(xample)f(of)h(the)g(\223bifurcation\224)e(approach)-150
-4092 y(discussed)d(in)g Fi(x)h Fs(5.3)f(abo)o(v)o(e.)-67
-4198 y(Unless)37 b(we)f(are)g(careful,)j(type-ahead)34
-b(also)i(opens)g(the)g(door)-150 4298 y(to)28 b(another)e(subterfuge)g
-(attack.)47 b(F)o(or)27 b(e)o(xample,)h(an)g(attack)o(er)f(can)-150
-4397 y(type-ahead)41 b(the)i(string)g(\223P)o(assw)o(ord:\224,)48
-b(which,)g(when)43 b(echoed)-150 4497 y(by)49 b(the)g(login)f(serv)o
-(er)m(,)55 b(w)o(ould)49 b(be)g(interpreted)e(by)i(the)g(ana-)-150
-4597 y(lyzer)26 b(as)i(corresponding)23 b(to)k(a)g(passw)o(ord)g
-(prompt,)f(when)g(in)h(f)o(act)-150 4696 y(the)40 b(dialog)f(is)i(in)f
-(a)h(dif)n(ferent)d(state.)85 b(The)40 b(analyzer)f(defends)-150
-4796 y(against)32 b(these)i(attacks)f(by)f(checking)g(each)h
-(typed-ahead)d(string)-150 4896 y(against)16 b(the)g(dif)n(ferent)f
-(dialog)g(strings)h(it)h(kno)n(ws)f(about,)g(generating)-150
-4995 y Fm(possible)p 255 4995 V 28 w(login)p 533 4995
-V 29 w(ploy)k Fs(upon)f(a)i(match.)-67 5101 y Fl(K)n(eystr)o(ok)o(e)14
-b(editing)o(.)23 b Fs(Usernames)15 b(can)g(also)h(become)e(disguised)
--150 5201 y(due)21 b(to)g(use)g(of)g(k)o(e)o(ystrok)o(e)e(editing.)27
-b(F)o(or)21 b(e)o(xample,)e(we)j(w)o(ould)e(lik)o(e)-150
-5300 y(to)29 b(recognize)d(that)j(\223)p Fm(rb<)p Fb(DEL)q
-Fm(>oot)p Fs(\224)e(does)h(indeed)f(correspond)-150 5400
-y(to)22 b(a)g(username)e(of)h Fm(root)p Fs(,)h(assuming)f(that)g
-Fm(<)p Fb(DEL)q Fm(>)g Fs(is)h(the)g(single-)2049 -104
-y(character)k(deletion)f(operator)-5 b(.)44 b(W)-7 b(e)28
-b(\002nd)e(this)h(assumption,)g(ho)n(w-)2049 -5 y(e)n(v)o(er)m(,)d
-(problematic,)g(since)h(some)f(systems)h(use)g Fm(<)p
-Fb(DEL)q Fm(>)f Fs(and)g(oth-)2049 95 y(ers)30 b(use)g
-Fm(<)p Fb(BS)t Fm(>)p Fs(.)52 b(W)-7 b(e)31 b(address)e(this)h(problem)
-e(by)h(applying)e(both)2049 194 y(forms)h(of)h(editing)f(to)g
-(usernames,)i(yielding)e(possibly)g(three)g(dif-)2049
-294 y(ferent)21 b(strings,)g(each)g(of)h(which)f(the)g(script)h(then)f
-(assesses)i(in)e(turn.)2049 394 y(So,)29 b(for)d(e)o(xample,)i(the)f
-(string)g(\223)p Fm(rob<)p Fb(DEL)q Fm(><)p Fb(BS)t Fm(><)p
-Fb(BS)t Fm(>ot)p Fs(\224)d(is)2049 493 y(tested)19 b(both)g(directly)-5
-b(,)18 b(as)h(\223)p Fm(ro<)p Fb(BS)t Fm(><)p Fb(BS)t
-Fm(>ot)p Fs(\224,)f(and)g(as)i(\223)p Fm(root)p Fs(\224.)2049
-593 y(This)f(is)h(another)e(e)o(xample)f(of)i(using)f(bifurcation)f(to)
-i(address)g(anal-)2049 693 y(ysis)i(ambiguities.)2132
-898 y(Editing)35 b(is)h(not)f(limited)h(to)f(deleting)g(indi)n(vidual)f
-(characters,)2049 998 y(ho)n(we)n(v)o(er)-5 b(.)65 b(Some)34
-b(systems)g(support)f(deleting)g(entire)h(w)o(ords)g(or)2049
-1097 y(lines;)24 b(others)d(allo)n(w)i(access)g(to)f(pre)n
-(viously-typed)c(lines)23 b(using)f(an)2049 1197 y(escape)f(sequence.)
-26 b(W)-7 b(ord)21 b(and)g(line)g(deletion)f(do)h(not)f(allo)n(w)h(an)g
-(at-)2049 1297 y(tack)o(er)d(to)g(hide)f(their)h(username,)f(if)h
-(tests)h(for)f(sensiti)n(v)o(e)g(usernames)2049 1396
-y(check)k(for)g(an)o(y)g(embedded)e(occurrence)g(of)j(the)f(username)g
-(within)2049 1496 y(the)35 b(input)f(te)o(xt.)68 b(\223History\224)35
-b(access)g(to)g(pre)n(vious)e(te)o(xt)i(is)g(more)2049
-1595 y(problematic;)28 b(presently)-5 b(,)27 b(the)g(analyzer)e
-(recognizes)h(one)g(operat-)2049 1695 y(ing)18 b(system)g(that)g
-(supports)f(this)h(\(VMS\))g(and,)f(for)h(it)g(only)-5
-b(,)17 b(e)o(xpands)2049 1795 y(the)j(escape)g(sequence)f(into)h(the)g
-(te)o(xt)g(of)g(the)h(pre)n(vious)d(line.)2132 2000 y
-Fl(T)-8 b(elnet)42 b(options.)88 b Fs(The)41 b(T)-6 b(elnet)42
-b(protocol)d(supports)h(a)i(rich,)2049 2100 y(comple)o(x)37
-b(mechanism)h(for)g(e)o(xchanging)e(options)i(between)h(the)2049
-2199 y(client)d(and)g(serv)o(er)g([PR83b)o(])g(\(there)g(are)g(more)g
-(than)g(50)g(RFCs)2049 2299 y(discussing)27 b(dif)n(ferent)e(T)-6
-b(elnet)28 b(options\).)45 b(Unhappily)-5 b(,)26 b(we)i(cannot)2049
-2399 y(ignore)j(the)i(possible)g(presence)e(of)i(these)f(options)g(in)h
-(our)f(anal-)2049 2498 y(ysis,)j(because)c(an)h(attack)o(er)f(can)h
-(embed)e(one)h(in)h(the)g(middle)f(of)2049 2598 y(te)o(xt)d(the)o(y)g
-(transmit)g(in)h(order)e(to)i(disguise)f(their)g(intent\227for)f(e)o
-(x-)2049 2698 y(ample,)33 b(\223)p Fm(ro<)p Fr(option)p
-Fm(>ot)p Fs(\224.)55 b(The)31 b(T)-6 b(elnet)31 b(serv)o(er)f(will)i
-(dutifully)2049 2797 y(strip)25 b(out)f(the)h(option)e(before)g
-(passing)i(along)e(the)i(remaining)e(te)o(xt)2049 2897
-y(to)h(the)f(authentication)f(system.)35 b(W)-7 b(e)25
-b(must)e(do)g(the)h(same.)35 b(On)24 b(the)2049 2996
-y(other)30 b(hand,)j(parsing)e(options)f(also)i(yields)f(some)g
-(bene\002ts:)47 b(we)2049 3096 y(can)20 b(detect)g(connections)e(that)i
-(successfully)f(ne)o(gotiate)g(to)h(encrypt)2049 3196
-y(the)29 b(data)h(session,)h(and)e(skip)h(subsequent)d(analysis)j
-(\(rather)e(than)2049 3295 y(generating)16 b Fm(login)p
-2673 3295 V 29 w(confused)h Fs(e)n(v)o(ents\),)g(as)i(well)f(as)h
-(analyzing)2049 3395 y(options)j(used)g(for)g(authentication)e(\(for)i
-(e)o(xample,)f(K)n(erberos\))g(and)2049 3495 y(to)27
-b(transmit)f(the)g(user')-5 b(s)27 b(en)m(vironment)c(v)n(ariables)j
-(\(some)g(systems)2049 3594 y(use)j Fm($USER)e Fs(as)j(the)e(def)o
-(ault)f(username)g(during)g(subsequent)g(au-)2049 3694
-y(thentication\).)2132 3899 y Fl(Scanning)h(the)g(session)h(contents.)
-47 b Fs(The)27 b(last)i(form)d(of)i(Login)2049 3999 y(analysis,)c(and)g
-(in)f(our)g(e)o(xperience)f(f)o(ar)h(and)h(a)o(w)o(ay)f(the)h(most)f
-(po)n(w-)2049 4099 y(erful)18 b(for)h(detecting)f(break-ins,)f(is)j
-(looking)d(at)j(the)f(contents)f(of)h(the)2049 4198 y(lines)h(sent)g
-(by)g(the)g(user)g(\()p Fm(login)p 3048 4198 V 28 w(input)p
-3326 4198 V 29 w(line)g Fs(e)n(v)o(ents\))f(and)g(by)2049
-4298 y(the)h(remote)g(serv)o(er)f(\()p Fm(login)p 2928
-4298 V 28 w(output)p 3256 4298 V 29 w(line)p Fs(\).)2132
-4503 y(F)o(or)33 b(input)f(lines,)37 b(some)c(of)f(the)h(patterns)g(we)
-g(search)g(for)g(are)2049 4603 y(the)39 b(string)g(\223)p
-Fm(eggdrop)p Fs(\224)g(\(an)g(Internet)f(Relay)i(Chat)f(tool)g(that)
-2049 4703 y(man)o(y)34 b(attack)o(ers)i(install)g(upon)e(a)i
-(break-in\),)h(\223)p Fm(loadmodule)p Fs(\224)2049 4802
-y(and)24 b(\223)p Fm(/bin/eject)p Fs(\224)f(\(used)h(in)g(b)n(uf)n(fer)
-f(o)o(v)o(er\003o)n(w)g(attacks\),)i(and)2049 4902 y(access)34
-b(to)g(hidden)f(directories)f(with)i(names)g(lik)o(e)g(\223)p
-Fm(...)p Fs(\224.)65 b(F)o(or)2049 5001 y(output)29 b(lines,)j(we)e
-(look)f(for)g(\223)p Fm(ls)p Fs(\224)h(output)f(sho)n(wing)f
-(setuid-root)2049 5101 y(v)o(ersions)f(of)h(command-line)d
-(interpreters)i(lik)o(e)h Fr(csh)p Fs(,)i(and)e(strings)2049
-5201 y(lik)o(e)67 b(\223)p Fm(Jumping)48 b(to)i(address)p
-Fs(\224)66 b(and)g(\223)p Fm(Log)49 b(started)2049 5300
-y(at)p Fs(\224)24 b(which)f(correspond)d(to)k(popular)e(b)n(uf)n(fer)n
-(-o)o(v)o(er\003o)n(w)d(and)k(pass-)2049 5400 y(w)o(ord)d(snif)n(fer)f
-(tools,)h(respecti)n(v)o(ely)-5 b(.)1908 5649 y(16)p
-eop
-%%Page: 17 17
-17 16 bop -150 -104 a Fh(6.6)124 b(Scan)26 b(detection)-150
-70 y Fs(W)-7 b(e)34 b(\002nish)f(with)g(a)h(discussion)e(of)h
-(detecting)e(port)i(and)f(address)-150 170 y(scanning.)22
-b(While)17 b(not,)g(strictly)f(speaking,)g(a)h(form)e(of)h
-(application-)-150 269 y(speci\002c)29 b(processing,)g(we)f(ha)n(v)o(e)
-g(deferred)f(discussion)h(until)g(no)n(w)-150 369 y(so)21
-b(we)h(can)f(refer)f(to)h(the)g(pre)n(viously-de)n(v)o(eloped)16
-b(concepts)k(of)g(Bro)-150 469 y(language)e(mechanisms)i(and)f(attacks)
-i(on)e(the)i(monitor)-5 b(.)-67 578 y(Scan)18 b(detection)e(is)j(all)f
-(done)e(at)i(the)g(polic)o(y)e(script)i(le)n(v)o(el,)f(so)h(sites)-150
-678 y(may)j(of)g(course)g(tailor)g(the)g(detection)f(ho)n(we)n(v)o(er)g
-(the)o(y)g(wish.)29 b(Ho)n(w-)-150 777 y(e)n(v)o(er)m(,)h(the)g(basic)f
-(approach)e(we)j(use)g(is)g(to)f(maintain)g(pairs)g(of)g(ta-)-150
-877 y(bles.)38 b(F)o(or)24 b(detecting)f(address)h(scanning,)g(the)g
-(\002rst)h(of)f(the)h(pair)f(of)-150 977 y(tables,)39
-b Fm(distinct)p 509 977 25 4 v 28 w(peers)p Fs(,)f(is)e(a)f
-Fm(table[addr,)48 b(addr])-150 1076 y(of)h(bool)p Fs(.)67
-b(W)-7 b(e)36 b(inde)o(x)d(it)i(using)e(the)h(source)g(and)g
-(destination)-150 1176 y(address)26 b(of)g(each)h(ne)n(wly-attempted)d
-(connection.)42 b(If)26 b(the)h(pair)f(of)-150 1276 y(addresses)32
-b(is)h(not)e(in)i(the)f(table,)i(then)e(we)g(add)g(them)f(to)h(the)g
-(ta-)-150 1375 y(ble,)23 b(and)f(increment)f Fm(num)p
-649 1375 V 29 w(distinct)p 1078 1375 V 28 w(peers)p Fs(,)i(a)f
-(correspond-)-150 1475 y(ing)k Fm(table[addr])48 b(of)h(count)p
-Fs(.)42 b(This)27 b(second)e(table)h(k)o(eeps)-150 1574
-y(track)j(for)f(each)h(source)f(address)h(the)g(number)e(of)i(distinct)
-h(desti-)-150 1674 y(nation)e(addresses)h(to)g(which)f(it)i(has)f
-(attempted)f(to)h(connect.)50 b(As)-150 1774 y(that)19
-b(number)e(crosses)j(dif)n(ferent)d(thresholds,)h(the)h(script)h
-(generates)-150 1873 y(a)26 b(series)h(of)e(real-time)h
-(noti\002cations)f(indicating)f(that)i(an)g(address)-150
-1973 y(scan)31 b(is)h(underw)o(ay)-5 b(.)55 b(It)32 b(can)e(of)h
-(course)g(tak)o(e)g(additional)e(action,)-150 2073 y(too,)e(such)e(as)h
-(in)m(v)n(oking)e(via)i Fm(system\(\))e Fs(a)j(script)e(that)h(remo)o
-(v)o(es)-150 2172 y(the)20 b(attacking)f(site')-5 b(s)22
-b(connecti)n(vity)c(to)i(the)g(local)h(site)g(\()p Fi(x)f
-Fs(8\).)-67 2282 y(W)-7 b(e)60 b(detect)f(port)f(scanning)f(in)i(a)g
-(similar)g(f)o(ashion,)68 b(us-)-150 2381 y(ing)51 b
-Fm(distinct)p 413 2381 V 28 w(ports)p Fs(,)59 b(a)52
-b Fm(table[addr,)47 b(port])i(of)-150 2481 y(bool)24
-b Fs(inde)o(x)o(ed)e(by)i(source)g(address)g(and)g(destination)f(port)h
-(num-)-150 2581 y(ber)m(,)32 b(and)f(a)g(companion)d(table)j
-Fm(num)p 975 2581 V 29 w(distinct)p 1404 2581 V 28 w(ports)p
-Fs(,)i(and)-150 2680 y(again)28 b(generate)f(noti\002cations)h(as)h
-(the)g(distinct)f(port)g(count)g(for)g(a)-150 2780 y(gi)n(v)o(en)19
-b(address)h(crosses)g(dif)n(ferent)f(thresholds.)-67
-2889 y(Note)24 b(that)h(this)g(approach)d(does)i(not)h(ha)n(v)o(e)e(an)
-o(y)h(restrictions)g(on)-150 2989 y(the)j Fr(or)m(der)i
-Fs(in)e(which)f(addresses)h(or)f(ports)h(are)g(scanned,)g(nor)f(an)o(y)
--150 3089 y(particular)14 b(requirements)f(for)i(ho)n(w)f(quickly)g
-(the)o(y)h(are)g(scanned.)22 b(By)-150 3188 y(remo)o(ving)h(these)i
-(sorts)h(of)f(restrictions,)h(we)f(can)g(detect)g(not)g(only)-150
-3288 y(simple)30 b(brute-force)c(scans,)33 b(b)n(ut)c(also)h(some)f
-(forms)g(of)h(\223stealth\224)-150 3388 y(scanning,)19
-b(in)h(which)f(the)i(scan)f(is)h(done)e(slo)n(wly)h(across)g(a)h
-(random-)-150 3487 y(ized)f(list)h(of)f(addresses.)-67
-3597 y(There)c(are)h(tw)o(o)g(problems)e(with)i(the)g(approach,)e(ho)n
-(we)n(v)o(er)-5 b(.)22 b(First,)-150 3696 y(while)29
-b(the)g(abo)o(v)o(e)f(steps)h(do)g(indeed)f(detect)h(scanning)f(acti)n
-(vities,)-150 3796 y(the)o(y)17 b(also)h(generate)f(f)o(alse)h(hits,)g
-(because)g(some)f(services)h(naturally)-150 3896 y(result)25
-b(in)h(a)g(single)f(source)f(contacting)g(multiple)h(destination)f(ad-)
--150 3995 y(dresses)32 b(\(for)e(e)o(xample,)j(a)f(single)f(client)g
-(sur\002ng)g(multiple)g(W)-7 b(eb)-150 4095 y(serv)o(ers\),)36
-b(or)d(contacting)f(multiple)g(ports)h(on)g(the)h(same)f(remote)-150
-4195 y(host)24 b(\(an)g(FTP)g(serv)o(er)g(running)e(on)h(a)i
-(non-standard)c(port,)j(so)g(Bro)-150 4294 y(does)k(not)f(kno)n(w)g(to)
-i(track)e(its)i(POR)-5 b(T/P)d(ASV)30 b(directi)n(v)o(es)d(in)h(order)
--150 4394 y(to)j(associate)h(connections)d(on)h(ephemeral)g(ports)h
-(with)g(the)g(FTP)-150 4493 y(session\).)c(W)-7 b(e)22
-b(can)f(generally)f(deal)g(with)h(this)h(problem,)d(ho)n(we)n(v)o(er)m
-(,)-150 4593 y(by)e(introducing)e(some)j(additional)e(polic)o(y)h
-(elements)g(in)h(our)f(script,)-150 4693 y(such)25 b(as)g(a)h(list)g
-(of)f(services)g(which)f(we)h(should)f(ignore)g(when)g(up-)-150
-4792 y(dating)19 b(the)i(tables)f(to)g(re\003ect)h(ne)n(wly)e
-(attempted)g(connections.)-67 4902 y(The)28 b(second)f(dif)n(\002culty)
-f(concerns)h(consumption)e(of)j(memory)-5 b(.)-150 5001
-y(Depending)37 b(on)i(a)h(site')-5 b(s)41 b(traf)n(\002c)e(patterns,)44
-b(the)39 b(scan-detection)-150 5101 y(tables)j(can)g(gro)n(w)f(quite)g
-(lar)o(ge.)89 b(The)o(y)40 b(can)i(especially)f(gro)n(w)-150
-5201 y(lar)o(ge)34 b(if)i(an)f(attack)o(er)g(deliberately)f(tar)o(gets)
-h(them)g(as)h(a)g(w)o(ay)f(to)-150 5300 y(attempt)44
-b(to)g(compromise)e(the)i(monitor)f(via)h(an)g(o)o(v)o(erload)d(at-)
--150 5400 y(tack.)64 b(One)33 b(solution)g(for)g(addressing)f(this)h
-(problem)f(w)o(ould)h(be)2049 -104 y(to)c(introduce)e(the)j(notion)d
-(of)i(associating)g(timers)g(with)g(table)g(el-)2049
--5 y(ements.)60 b(W)m(ith)32 b(such)g(a)g(mechanism,)i(we)e(could,)i
-(for)d(e)o(xample,)2049 95 y(o)o(v)o(er)i(time)h(remo)o(v)o(e)e
-(elements)i(from)f Fm(distinct)p 3623 95 V 28 w(peers)h
-Fs(and)2049 194 y Fm(num)p 2204 194 V 29 w(distinct)p
-2633 194 V 29 w(peers)p Fs(.)73 b(Doing)36 b(so,)k(ho)n(we)n(v)o(er)m
-(,)e(trades)e(of)n(f)2049 294 y(reco)o(v)o(ering)22 b(resources)i
-(\(and)g(thus)h(impairing)e(an)i(attack)o(er')-5 b(s)25
-b(abil-)2049 394 y(ity)g(to)g(launch)f(an)h(o)o(v)o(erload)d(attack\))i
-(with)h(f)o(ailing)g(to)g(detect)f(slo)n(w)2049 493 y(stealth)d(scans.)
-2132 595 y(See)k Fi(x)g Fs(7.1)f(belo)n(w)f(for)h(a)h(brief)f
-(discussion)g(of)g(our)f(e)o(xperiences)2049 695 y(with)d
-(scan-detection.)2049 990 y Ft(7)119 b(Status)30 b(and)h(Experiences)
-2049 1180 y Fs(Bro)26 b(has)g(operated)f(continuously)e(since)k(April)e
-(1996)g(as)i(an)f(inte-)2049 1280 y(gral)i(part)g(of)h(our)e(site')-5
-b(s)30 b(security)e(system.)50 b(It)29 b(initially)f(included)2049
-1379 y(only)d(general)g(TCP/IP)i(analysis;)j(as)d(time)f(permitted,)g
-(we)h(added)2049 1479 y(the)c(additional)f(modules)g(discussed)g(in)i
-Fi(x)f Fs(6,)h(and)e(we)h(plan)g(to)g(add)2049 1579 y(man)o(y)h(more.)
-39 b(In)25 b(this)g(section)g(we)g(sk)o(etch)g(its)i(current)c(status)j
-(and)2049 1678 y(our)19 b(e)o(xperiences)g(with)h(operating)e(it.)2049
-1930 y Fh(7.1)99 b(Implementation)26 b(status)2049 2091
-y Fs(Presently)-5 b(,)26 b(the)g(implementation)d(is)j(about)f(27,000)f
-(lines)i(of)f(C++)2049 2190 y(and)e(another)f(3,200)g(lines)i(of)g
-Fm(Bro)f Fs(\(about)g(2,700)f(lines)i(of)f(which)2049
-2290 y(are)38 b(\223boilerplate\224)f(not)g(speci\002c)i(to)f(our)f
-(site\).)80 b(It)38 b(runs)g(under)2049 2389 y(Digital)33
-b(Unix,)h(FreeBSD,)f(Linux,)h(and)e(Solaris)h(operating)d(sys-)2049
-2489 y(tems.)57 b(W)-7 b(e)32 b(use)f(the)g Fr(autoconf)41
-b Fs(auto-con\002guration)27 b(tool)k(as)g(our)2049 2589
-y(main)20 b(mechanism)f(for)g(abetting)h(portability)-5
-b(.)2132 2691 y(Bro)58 b(is)h(publicly)d(a)n(v)n(ailable)i(in)g
-(source-code)d(form)i(\(see)2049 2791 y Fr(http://www-nr)m(g)o(.ee)o
-(.lbl.go)o(v/br)l(o-info.html)19 b Fs(for)k(release)i(informa-)2049
-2890 y(tion\),)34 b(though)d(the)h(current)f(release)h(is)h(of)f
-(\223alpha\224)f(quality)g(and)2049 2990 y(includes)19
-b(only)h(v)o(ery)f(limited)h(documentation.)2132 3092
-y(W)-7 b(e)32 b(hope)d(that)i(it)g(will)g(both)f(bene\002t)g(the)g
-(community)e(and)i(in)2049 3192 y(turn)22 b(bene\002t)h(from)e
-(community)g(ef)n(forts)h(to)h(enhance)e(it.)34 b(W)-7
-b(e)24 b(ha)n(v)o(e)2049 3291 y(set)c(up)f(a)g(mailing)g(list)h(for)f
-(discussion\227see)g(the)g(abo)o(v)o(e)e(W)-7 b(eb)20
-b(page)2049 3391 y(for)g(subscription)e(information.)2132
-3493 y(In)29 b(our)f(on-going)e(operations,)j(Bro)g(generates)f(about)f
-(85)i(MB)2049 3593 y(of)22 b(connection)f(summaries)h(each)h(day)-5
-b(,)22 b(and)g(around)f(40)h(real-time)2049 3692 y(noti\002cations,)28
-b(though)e(this)i(\002gure)f(v)n(aries)h(greatly)-5 b(.)45
-b(While)29 b(most)2049 3792 y(of)e(the)h(noti\002cations)e(are)i
-(innocuous)d(\(and)i(if)h(we)g(were)f(not)g(also)2049
-3892 y(de)n(v)o(elopers)21 b(of)h(the)h(system,)g(we)g(w)o(ould)g
-(suppress)f(these\),)h(we)g(not)2049 3991 y(infrequently)k(also)j
-(detect)f(break-in)f(attempts,)j(and)e(we)h(a)n(v)o(erage)2049
-4091 y(4\2265)15 b(address)h(and)f(port)g(scans)i(each)e(day)-5
-b(.)23 b(Operation)15 b(of)g(the)h(system)2049 4191 y(has)33
-b(resulted)f(so)g(f)o(ar)h(in)f(4,000)f(email)i(messages,)i(150)d
-(incident)2049 4290 y(reports)f(\002led)g(with)h(CIA)m(C)g(and)f(CER)-5
-b(T)f(,)32 b(a)g(number)d(of)j(accounts)2049 4390 y(deacti)n(v)n(ated)
-24 b(by)i(other)f(sites,)k(and)c(a)h(couple)f(incidents)h(in)m(v)n
-(olving)2049 4489 y(la)o(w)20 b(enforcement.)2049 4741
-y Fh(7.2)124 b(P)n(erf)n(ormance)2049 4902 y Fs(The)22
-b(system)h(generally)f(operates)g(without)g(incurring)e(an)o(y)i(pack)o
-(et)2049 5001 y(drops.)50 b(The)29 b(FDDI)g(ring)f(it)i(runs)f(on)f(is)
-i(f)o(airly)f(hea)n(vily)f(utilized:)2049 5101 y(a)e(January)-5
-b(,)26 b(1999)f(trace)h(of)f(a)i(14:30-15:30)22 b(b)n(usy)k(hour)f
-(re\003ects)h(a)2049 5201 y(traf)n(\002c)j(le)n(v)o(el)g(of)g(11,900)e
-(pack)o(ets/sec)i(\(34)g(Mbps\))f(sustained)h(for)2049
-5300 y(the)17 b(full)f(hour)m(,)g(with)h(peaks)f(of)h(18,000)e(pack)o
-(ets/sec.)23 b(Ho)n(we)n(v)o(er)m(,)16 b(the)2049 5400
-y(pack)o(et)i(\002lter)h(discards)f(a)h(great)f(deal)g(of)h(this,)g
-(both)e(due)h(to)h(\002ltering)1908 5649 y(17)p eop
-%%Page: 18 18
-18 17 bop -150 -104 a Fs(primarily)30 b(on)g(SYN,)i(FIN,)f(or)g(RST)h
-(control)e(bits,)k(and)c(because)-150 -5 y(only)f(about)g(20\045)g(of)g
-(the)h(traf)n(\002c)f(belongs)g(to)h(netw)o(orks)e(that)i(we)-150
-95 y(routinely)d(monitor)g(\(the)i(link)f(is)i(shared)e(with)h(a)g(lar)
-o(ge)f(neighbor)-150 194 y(institution\).)-67 296 y(T)-7
-b(o)24 b(test)h(the)f(system)g(under)e(stress,)k(we)e(ran)g(it)g(for)g
-(a)g(40)f(minute)-150 396 y(period)g(without)h(the)g(\223interesting)g
-(netw)o(orks\224)f(\002lter)m(,)j(resulting)d(in)-150
-495 y(a)j(much)e(higher)f(fraction)h(of)h(traf)n(\002c)g(accepted)f(by)
-h(the)g(pack)o(et)f(\002l-)-150 595 y(ter)-5 b(.)31 b(During)20
-b(this)j(period,)d(the)i(\002lter)h(accepted)d(an)i(a)n(v)o(erage)f(of)
-g(730)-150 694 y(pack)o(ets/sec,)36 b(with)d(peaks)g(o)o(v)o(er)e
-(1,200)h(pack)o(ets/sec,)j(and)e(with-)-150 794 y(out)20
-b(dropping)e(an)o(y)i(pack)o(ets.)25 b(The)c(monitor)e(system)h(uses)i
-(stripped)-150 894 y(disks)d(and)f(lar)o(ge)f(BPF)j(pack)o(et)e(b)n(uf)
-n(fers)f([RLSSL)-6 b(W97)o(])19 b(to)g(impro)o(v)o(e)-150
-993 y(performance.)-150 1242 y Fh(7.3)124 b(Crud)26 b(seen)f(on)h(a)e
-(DMZ)-150 1401 y Fs(An)k(important)e(and)h(sobering)g(aspect)g(of)h
-(our)f(operational)f(e)o(xpe-)-150 1501 y(rience)21 b(with)h(Bro)f(w)o
-(as)i(the)e(realization)g(of)g(ho)n(w)g(frequently)-5
-b(,)19 b(when)-150 1600 y(monitoring)c(a)j(lar)o(ge)f(v)n(olume)f(of)h
-(netw)o(ork)g(traf)n(\002c,)g(le)o(gitimate)g(\(i.e.,)-150
-1700 y(non-attacking\))23 b(traf)n(\002c)j(e)o(xhibits)f(abnormal)g
-(beha)n(vior)-5 b(.)42 b(W)-7 b(e)27 b(ha)n(v)o(e)-150
-1800 y(observ)o(ed)18 b(all)j(of)f(the)g(follo)n(wing:)-67
-1972 y Fi(\017)41 b Fs(\223Storms\224)23 b(of)g(10,000)f(FIN)h(or)h
-(RST)g(pack)o(ets,)g(in)f(which)g(due)16 2071 y(to)h(a)f(protocol)f
-(implementation)f(error)h(tw)o(o)i(hosts)g(e)o(xchange)16
-2171 y(FIN)d(or)e(RST)i(pack)o(ets)f(e)o(xtremely)f(rapidly)-5
-b(.)-67 2345 y Fi(\017)41 b Fs(Storms)20 b(due)g(to)g(foggy)f(days.)887
-2315 y Fn(4)-67 2519 y Fi(\017)41 b Fs(\223Pri)n(v)n(ate\224)19
-b(Internet)g(addresses)g([Re96)o(])h(leaking)f(out)g(into)h(the)16
-2618 y(public)39 b(Internet.)81 b(These)39 b(addresses)g(are)h
-(inherently)d(un-)16 2718 y(routable,)21 b(and)g(should)g(ne)n(v)o(er)g
-(be)h(used)g(by)f(a)i(public)e(Internet)16 2817 y(connection.)-67
-2991 y Fi(\017)41 b Fs(SYN)22 b(pack)o(ets)f(with)g(the)h(\223Ur)o
-(gent\224)d(bit)j(set.)29 b(F)o(or)21 b(SYN)h(pack-)16
-3091 y(ets,)f(setting)f(\223ur)o(gent\224)e(does)i(not)g(mak)o(e)g(an)o
-(y)g(sense,)g(since)h(the)16 3191 y(connection)c(is)k(not)e(yet)h
-(established)f(and)g(hence)g(cannot)f(pos-)16 3290 y(sibly)24
-b(ha)n(v)o(e)g(ur)o(gent)f(data)h(to)h(send.)37 b(Such)24
-b(pack)o(ets)g(are)g(prob-)16 3390 y(lematic,)e(ho)n(we)n(v)o(er)m(,)e
-(because)h(some)h(\002re)n(w)o(alls)g(and)g(monitors)16
-3489 y(that)29 b(are)g(not)f(carefully)f(coded)h(look)g(for)g(the)h(be)
-o(ginning)d(of)16 3589 y(connections)17 b(to)h(be)g(indicated)g(by)f
-(the)i(TCP)g(\223\003ags\224)f(\002eld)h(be-)16 3689
-y(ing)e(equal)h(to)f(the)h(SYN)g(\003ag,)g(rather)f(than)h(simply)f(ha)
-n(ving)g(the)16 3788 y(SYN)k(\003ag)g(set.)27 b(When)20
-b(the)h(Ur)o(gent)e(bit)i(is)g(set,)g(the)g(\002eld)f(is)i(no)16
-3888 y(longer)d Fr(equal)g Fs(to)i(the)f(SYN)h(\003ag.)-67
-4062 y Fi(\017)41 b Fs(TCPs)28 b(that)f(when)f(retransmitting)f(data)h
-(can)h(send)f(dif)n(ferent)16 4161 y(data)32 b(for)f(the)h(same)g
-(sequence)e(numbers)h(as)h(the)o(y)f(sent)i(the)16 4261
-y(\002rst)21 b(time.)-67 4435 y Fi(\017)41 b Fs(TCPs)18
-b(that)f(sometimes)f(ackno)n(wledge)e(receipt)i(of)g(data)h(ne)n(v)o
-(er)16 4535 y(sent.)-67 4708 y Fi(\017)41 b Fs(IP)20
-b(fragments)f(in)h(which)g(the)g(initial)g(fragment)e(is)j(v)o(ery)e
-(small)16 4808 y(and)24 b(the)g(\002nal)g(fragment)e(is)j(lar)o(ge.)36
-b(Such)23 b(fragments)g(can)h(be)16 4908 y(used)33 b(to)g(attempt)f(to)
-h(circumv)o(ent)e(\002re)n(w)o(alls)i(and)g(monitors)16
-5007 y(that)20 b(do)g(not)g(do)g(fragment)e(reassembly)-5
-b(.)p -150 5086 801 4 v -65 5140 a Fk(4)-30 5163 y Fp(One)20
-b(of)g(the)g(routers)h(on)f(our)g(DMZ)f(has)h(a)g(micro)n(w)o(a)o(v)o
-(e)i(link)f(to)f(a)g(peer)h(on)f(the)-150 5242 y(other)15
-b(side)g(of)f(San)g(Francisco)i(Bay)l(.)k(On)14 b(foggy)g(days,)h(this)
-g(link)g(sometimes)g(\223\003aps,)-5 b(\224)-150 5321
-y(leading)20 b(to)f(routing)g(loops)g(on)f(the)h(DMZ)e(in)i(which)g
-(sets)f(of)g(pack)o(ets)j(enter)e(routing)-150 5400 y(loops)f(and)f
-(cross)g(the)h(DMZ)e(10')l(s)h(or)g(100')l(s)h(of)f(times,)g(until)h
-(their)h(TTLs)c(e)o(xpire.)2132 -104 y Fi(\017)41 b Fs(Fragments)30
-b(with)h(the)g(\223Don')o(t)f(Fragment\224)g(bit)h(set.)58
-b(While)2215 -5 y(allo)n(wed)26 b(by)g(the)g(IP)h(standard,)g(it)g(is)h
-(dif)n(\002cult)d(to)i(en)m(vision)e(a)2215 95 y(situation)k(in)g
-(which)g(such)g(fragments)e(can)i(be)h(le)o(gitimately)2215
-194 y(constructed,)e(yet)f(we)h(do)f(indeed)g(see)h(them)f(on)h
-(clearly)f(in-)2215 294 y(nocuous)19 b(traf)n(\002c.)2132
-467 y Fi(\017)41 b Fs(Ov)o(erlapping)31 b(fragments,)36
-b(in)e(which)g(the)g(end)f(of)h(the)g(\002rst)2215 567
-y(fragment)21 b(is)j(common)d(with)i(the)g(be)o(ginning)d(of)j(the)g
-(second.)2215 666 y(Such)h(fragments)f(are)i(also)f(used)g(for)g
-(\223teardrop\224)f(denial-of-)2215 766 y(service)d(attacks.)2132
-939 y Fi(\017)41 b Fs(Ov)o(erlapping)36 b(fragments)g(for)i(which)f
-(the)i(tw)o(o)f(fragments)2215 1039 y(disagree)19 b(on)h(the)g
-(contents)g(of)g(the)g(o)o(v)o(erlapped)d(re)o(gion.)2049
-1210 y(W)-7 b(e)22 b(recount)d(these)i(pathologies)e(not)h(simply)g
-(because)g(it)i(is)f(some-)2049 1310 y(what)27 b(f)o(ascinating)g(to)g
-(see)h(what)f(a)h(broad)e(range)g(of)h(beha)n(vior)f(we)2049
-1410 y(can)i(observ)o(e)e(in)i(real)g(netw)o(ork)f(traf)n(\002c;)k(b)n
-(ut)d(also)g(for)g(the)g(impor)n(-)2049 1509 y(tant)33
-b(reason)g(that)g Fr(many)g(of)g(these)h(patholo)o(gies)d(look)i(very)h
-(sim-)2049 1609 y(ilar)i(to)f(g)o(enuine)f(attac)n(ks)p
-Fs(.)70 b(Thus,)38 b(the)d(di)n(v)o(ersity)f(of)h(le)o(gitimate)2049
-1708 y(netw)o(ork)28 b(traf)n(\002c,)j(including)c(the)i
-(implementation)e(errors)h(some-)2049 1808 y(times)22
-b(re\003ected)g(within)f(it,)i(leads)f(to)g(a)h(v)o(ery)d(real)i
-(problem)e(for)i(in-)2049 1908 y(trusion)h(detection,)g(namely)f
-(discerning)g(in)h(some)h(circumstances)2049 2007 y(between)k(a)i(true)
-f(attack)g(v)o(ersus)g(an)g(innocuous)e(implementation)2049
-2107 y(error)-5 b(.)46 b(F)o(or)27 b(e)o(xample,)g(it)i(can)e(be)g(e)o
-(xtremely)f(dif)n(\002cult)h(to)g(discern)2049 2207 y(between)18
-b(the)h(\223)p Fm(USER)49 b(nice)p Fs(\224)19 b(/)h(\223)p
-Fm(USER)49 b(root)p Fs(\224)18 b(subterfuge)f(at-)2049
-2306 y(tack)28 b(discussed)g(in)g Fi(x)g Fs(5.3,)h(and)e(a)i(brok)o(en)
-d(TCP)j(implementation)2049 2406 y(that)k(sometimes)f(retransmits)h
-(dif)n(ferent)e(te)o(xt)h(than)h(it)g(originally)2049
-2505 y(sent.)58 b(More)30 b(generally)-5 b(,)32 b(we)g(cannot)e(rely)g
-(on)h(\223clearly\224)f(brok)o(en)2049 2605 y(protocol)22
-b(beha)n(vior)g(as)i(de\002nitely)f(indicating)f(an)h(attack\227it)h(v)
-o(ery)2049 2705 y(well)f(may)f(simply)g(re\003ect)h(the)f(operation)f
-(of)h(an)g(incorrect)f(imple-)2049 2804 y(mentation)e(of)h(that)g
-(protocol.)2132 2906 y(W)-7 b(e)17 b(\002nish)g(our)e(discussion)h(by)f
-(noting)g(a)i(situation)f(that)g(does)g(not)2049 3005
-y(re\003ect)j(a)g(protocol)e(implementation)f(error)m(,)i(b)n(ut)g
-(rather)g(a)h(common)2049 3105 y(real-w)o(orld)14 b(problem,)g(one)h
-(that)h(greatly)f(complicates)f(monitoring.)2132 3206
-y(If)27 b(e)n(v)o(er)f(a)h(site')-5 b(s)29 b(netw)o(ork)c(topology)g
-(includes)h(multiple)h(paths)2049 3306 y(from)19 b(the)h(site)h(to)g
-(the)f(remainder)e(of)i(the)g(Internet,)f(then)g(the)i(moni-)2049
-3406 y(tor)g(may)f(observ)o(e)f(only)h(one)g(direction)g(of)g(a)i
-(connection,)c(because)2049 3505 y(the)27 b(traf)n(\002c)f(for)g(the)g
-(other)g(direction)f(transits)i(an)g(alternate)f(route.)2049
-3605 y(W)-7 b(e)35 b(term)f(this)h(situation)f(\223split)h(routing.)-6
-b(\224)65 b(\(In)34 b(the)g(Internet)f(at)2049 3705 y(lar)o(ge,)20
-b(asymmetric)g(routing)f(is)j(quite)f(common,)e(and)i(so)g(there)g(are)
-2049 3804 y(numerous)32 b(monitoring)f(points)j(that)g(suf)n(fer)f
-(from)g(split)h(routing)2049 3904 y([P)o(a97b)n(].)53
-b(Indi)n(vidual)27 b(sites,)33 b(ho)n(we)n(v)o(er)m(,)c(often)g(ha)n(v)
-o(e)f(full)i(control)2049 4003 y(o)o(v)o(er)19 b(whether)g(the)o(y)h
-(ha)n(v)o(e)g(multiple)f(Internet)g(connections.)24 b(Some)2049
-4103 y(pursue)e(multiple)g(connections)f(in)i(order)e(to)i(pro)o(vide)e
-(redundanc)o(y)2049 4203 y(in)f(their)g(connecti)n(vity)e(to)j(protect)
-e(against)h(occasional)f(outages.\))2132 4304 y(Split)28
-b(routing)d(can,)k(of)e(course,)g(lead)h(to)f(the)g(monitor)f(missing)
-2049 4404 y(attacks)e(entirely)f(because)g(it)h(ne)n(v)o(er)f(sees)h
-(the)g(traf)n(\002c)f(correspond-)2049 4503 y(ing)h(to)g(the)f(attack.)
-36 b(Ev)o(en)23 b(if)h(a)g(site)h(runs)f(multiple)f(monitors,)g(one)
-2049 4603 y(per)e(Internet)f(link,)i(a)f(subtle)h(problem)d(remains:)28
-b(the)21 b(split)h(routing)2049 4703 y(can)16 b(defeat)f(precautions)g
-(tak)o(en)g(by)h(the)g(monitor)f(because)g(it)i(can)f(no)2049
-4802 y(longer)f(assume)g(that)h(it)h(sees)g(traf)n(\002c)e(from)g(at)i
-(least)f(one)f(trustw)o(orthy)2049 4902 y(endpoint)22
-b(for)h(each)g(connection.)33 b(So,)24 b(for)f(e)o(xample,)g(the)g
-(monitor)2049 5001 y(loses)i(the)g(ability)g(to)g(determine)e(when)h
-(it)i(can)e(safely)h(discard)f(in-)2049 5101 y(sequence)i(data.)45
-b(Consequently)-5 b(,)26 b(unless)h(the)g(multiple)f(monitors)2049
-5201 y(communicate)19 b(with)j(one)e(another)g(concerning)f(connection)
-g(state,)2049 5300 y(an)g(attack)o(er)f(who)g(disco)o(v)o(ers)g(a)h
-(split-route)e(can)i(e)o(xploit)f(it)h(to)g(elude)2049
-5400 y(the)h(monitor)-5 b(.)1908 5649 y(18)p eop
-%%Page: 19 19
-19 18 bop -67 -104 a Fs(F)o(ortunately)-5 b(,)37 b(split)f(routing)e
-(is)j(at)f(least)g(easy)g(to)g(detect,)j(be-)-150 -5
-y(cause)32 b(the)g(monitor)e(observ)o(es)h(a)h(connection)e
-(transmitting)g(uni-)-150 95 y(directional)d(traf)n(\002c)h(without)f
-(ha)n(ving)g(\002rst)i(completed)e(the)h(initial)-150
-194 y(three-w)o(ay)17 b(SYN)h(handshak)o(e.)23 b(Whene)n(v)o(er)16
-b(Bro)i(detects)g(split)h(rout-)-150 294 y(ing,)h(it)h(generates)e(an)h
-(e)n(v)o(ent)f(announcing)e(the)j(problem.)-150 569 y
-Ft(8)119 b(Futur)n(e)31 b(dir)n(ections)-150 755 y Fs(In)16
-b(addition)g(to)g(de)n(v)o(eloping)e(more)i(application)f(analysis)i
-(modules,)-150 854 y(we)42 b(see)h(a)f(number)e(of)h(a)n(v)o(enues)g
-(for)g(future)g(w)o(ork.)89 b(As)42 b(dis-)-150 954 y(cussed)36
-b(abo)o(v)o(e,)h(compiling)e Fm(Bro)g Fs(scripts)h(and,)j(especially)-5
-b(,)39 b(de-)-150 1054 y(vising)f(mechanisms)f(to)h(distrib)n(ute)f
-(monitoring)f(across)i(multi-)-150 1153 y(ple)e(hosts)f(of)n(fer)g(the)
-g(promise)g(of)g(increasing)g(monitoring)e(per)n(-)-150
-1253 y(formance.)39 b(W)-7 b(e)27 b(are)e(also)h(v)o(ery)f(interested)g
-(in)g(e)o(xtending)f(BPF)i(to)-150 1353 y(better)c(support)e
-(monitoring,)g(such)i(as)h(adding)e(lookup)f(tables)i(and)-150
-1452 y(v)n(ariable-length)17 b(snapshots.)-67 1552 y(Another)f
-(interesting)g(direction)g(is)i(adding)e(\223teeth\224)h(to)g(the)h
-(mon-)-150 1651 y(itoring)i(in)h(the)f(form)g(of)h(acti)n(v)o(ely)e
-(terminating)h(misbeha)n(ving)e(con-)-150 1751 y(nections)h(by)g
-(sending)g(RST)h(pack)o(ets)g(to)g(their)f(endpoints,)f(or)h(com-)-150
-1851 y(municating)c(with)h(intermediary)f(routers,)h(as)h(some)f
-(commercially)-150 1950 y(a)n(v)n(ailable)27 b(monitors)g(already)f
-(do.)48 b(W)-7 b(e)28 b(ha)n(v)o(e)g(implemented)d(both)-150
-2050 y(of)20 b(these)g(for)g(Bro)g(and)g(are)g(no)n(w)g(e)o
-(xperimenting)d(with)k(their)f(ef)n(fec-)-150 2150 y(ti)n(v)o(eness.)31
-b(The)22 b(ability)g(to)h(ask)f(a)h(router)e(to)i(drop)e(traf)n(\002c)h
-(in)m(v)n(olving)-150 2249 y(a)i(particular)d(address)i(has)g(already)g
-(pro)o(v)o(en)d(e)o(xtremely)i(useful,)h(as)-150 2349
-y(it)h(greatly)f(limits)h(the)g(information)d(that)j(attack)o(ers)f
-(can)h(gather)e(by)-150 2449 y(scanning)29 b(our)h(site;)37
-b(once)30 b(Bro)g(recognizes)f(a)i(scan,)i(it)f(instructs)-150
-2548 y(the)i(border)f(router)g(to)h(drop)f(an)o(y)g(further)g(traf)n
-(\002c)h(in)m(v)n(olving)e(the)-150 2648 y(gi)n(v)o(en)24
-b(site.)39 b(Some)25 b(open)e(issues)j(with)f(this)h(form)d(of)i
-(reaction)f(are)-150 2747 y(the)e(impact)g(on)h(router)e(performance)e
-(as)24 b(the)e(number)f(of)h(such)g(\002l-)-150 2847
-y(ters)e(increases,)g(and)f(attack)o(ers)h(for)o(ging)d(traf)n(\002c)j
-(from)e(remote)h(sites)-150 2947 y(to)27 b(mislead)f(Bro)h(into)f
-(dropping)f(them,)i(as)h(a)f(form)e(of)i(denial-of-)-150
-3046 y(service)20 b(attack.)-67 3146 y(More)34 b(generally)-5
-b(,)36 b(ho)n(we)n(v)o(er)m(,)g(we)f(ha)n(v)o(e)f(found)f(our)h(f)o
-(airly)h(in-)-150 3246 y(depth)29 b(consideration)f(of)h(the)h(problem)
-f(of)g(attacks)h(on)g(monitors)-150 3345 y(\()p Fi(x)i
-Fs(5\))g(sobering.)59 b(Some)31 b(forms)h(of)f(subterfuge)f(attacks)i
-(are)g(e)o(x-)-150 3445 y(tremely)41 b(dif)n(\002cult)g(to)h(defend)e
-(against,)46 b(and)41 b(we)h(belie)n(v)o(e)f(it)i(is)-150
-3544 y(ine)n(vitable)33 b(that)h(attack)o(ers)g(will)h(de)n(vise)e(and)
-h(share)f(toolkits)h(for)-150 3644 y(launching)16 b(such)h(attacks.)25
-b(This)18 b(in)g(turn)f(suggests)h(three)f(important)-150
-3744 y(areas)i(for)g(research)f(into)h(intrusion)f(detection:)24
-b Fr(\(i\))19 b Fs(further)f(e)o(xplor)n(-)-150 3843
-y(ing)28 b(the)g(notion)f(of)h(\223bifurcating)f(analysis\224)h
-(discussed)g(in)g Fi(x)h Fs(5.3;)-150 3943 y Fr(\(ii\))24
-b Fs(studying)f(the)h(notion)f(of)h(traf)n(\002c)g(\223normalizers\224)
-e(that)j(remo)o(v)o(e)-150 4043 y(ambiguities)g(from)f(traf)n(\002c)h
-(streams)h(\(one)f(such)g(normalizer)f(is)j(an)-150 4142
-y(\223in-the-loop\224)16 b(monitor)m(,)i(one)g(that)h(must)g(appro)o(v)
-o(e)e(the)i(forw)o(arding)-150 4242 y(of)d(an)o(y)f(pack)o(et)h(it)g
-(recei)n(v)o(es\);)h(and)e Fr(\(iii\))h Fs(inte)o(grating)e(into)i(the)
-g(system)-150 4341 y(monitor)27 b(\223sensors\224)g(that)i(run)e(on)g
-(the)i(end)e(hosts.)49 b(Such)28 b(sensors)-150 4441
-y(can)16 b(analyze)f(netw)o(ork)g(traf)n(\002c)h(at)g(a)h(suf)n
-(\002ciently)e(high)g(layer)h(in)g(their)-150 4541 y(host')-5
-b(s)19 b(netw)o(ork)e(stack)i(where)e(ambiguities)h(about)f(ho)n(w)h
-(the)h(traf)n(\002c)-150 4640 y(will)32 b(be)f(interpreted)e(ha)n(v)o
-(e)i(already)f(been)g(resolv)o(ed.)56 b(Our)31 b(near)n(-)-150
-4740 y(term)22 b(research)f(is)j(focussing)d(on)h(the)g(second)f(of)h
-(these,)h(e)o(xploring)-150 4840 y(the)d(issues)h(associated)f(with)h
-(b)n(uilding)e(traf)n(\002c)g(normalizers.)-150 5115
-y Ft(9)119 b(Ackno)o(wledgements)-150 5300 y Fs(W)-7
-b(e)17 b(gratefully)d(ackno)n(wledge)g(Digital)i(Equipment)d
-(Corporation')-5 b(s)-150 5400 y(W)e(estern)17 b(Research)f(Laboratory)
-e(for)i(contrib)n(uting)e(the)i(Alpha)g(sys-)2049 -104
-y(tem)24 b(that)g(made)f(de)n(v)o(eloping)e(and)i(operating)f(Bro)i(at)
-h(high)e(speeds)2049 -5 y(possible.)30 b(I)22 b(w)o(ould)f
-(particularly)f(lik)o(e)i(to)g(thank)f(Jef)n(f)h(Mogul,)f(who)2049
-95 y(w)o(as)26 b(instrumental)f(in)g(arranging)f(this)i(through)d(WRL)
--8 b(')j(s)28 b(External)2049 194 y(Research)20 b(Program.)2132
-294 y(Man)o(y)49 b(thanks,)57 b(too,)h(to)50 b(Craig)g(Leres.)116
-b(Bro)50 b(has)h(bene-)2049 394 y(\002ted)32 b(greatly)e(from)h(man)o
-(y)f(discussions)h(with)h(him.)59 b(Craig)31 b(also)2049
-493 y(wrote)i(the)g(calendar)e(queue)h(and)h(non-blocking)c(DNS)34
-b(routines)2049 593 y(discussed)e(in)g Fi(x)h Fs(4.)61
-b(Along)31 b(with)h(Craig)h(Leres,)i(I')l(d)c(lik)o(e)h(to)h(ac-)2049
-693 y(kno)n(wledge)19 b(the)j(on-going)c(feedback)i(I)i(recei)n(v)o(e)e
-(from)g(Craig)i(Lant)2049 792 y(and)f(P)o(artha)h(Banerjee)f(on)h(the)f
-(daily)h(operation)e(of)h(Bro,)i(and)e(their)2049 892
-y(ef)n(forts)e(at)i(analyzing)e(security)g(incidents)h(detected)f(by)h
-(Bro.)2132 991 y(My)29 b(appreciation)e(to)i(Scott)g(Denton,)h(John)f
-(Antonishek,)g(and)2049 1091 y(man)o(y)20 b(others)h(for)g
-(alpha-testing)f(Bro)i(and)f(contrib)n(uting)e(portabil-)2049
-1191 y(ity)h(\002x)o(es)h(and)e(other)h(enhancements.)2132
-1290 y(Finally)-5 b(,)41 b(this)d(w)o(ork)e(w)o(ould)h(not)g(ha)n(v)o
-(e)f(been)h(possible)g(with-)2049 1390 y(out)f(the)g(support)f(and)h
-(enthusiasm)f(of)h(Mark)g(Rosenber)o(g,)i(V)-9 b(an)2049
-1490 y(Jacobson,)39 b(Jim)h(Rothfuss,)k(Stu)c(Lok)o(en)f(and)g(Da)n(v)o
-(e)h(Ste)n(v)o(ens\227)2049 1589 y(much)19 b(appreciated!)2049
-1869 y Ft(A)120 b(Example:)36 b(tracking)31 b(Finger)g(traf\002c)2049
-2055 y Fs(In)d(this)i(appendix)c(we)k(gi)n(v)o(e)d(an)i(o)o(v)o(ervie)n
-(w)e(of)h(ho)n(w)g(the)h(dif)n(ferent)2049 2155 y(elements)19
-b(of)g(Bro)h(come)f(together)f(for)h(monitoring)e(Finger)i(traf)n
-(\002c.)2049 2254 y(F)o(or)27 b(the)g(e)n(v)o(ent)f(engine,)h(we)h(ha)n
-(v)o(e)e(a)i(C++)f(class)h Fm(FingerConn)p Fs(,)2049
-2354 y(deri)n(v)o(ed)17 b(from)h(the)h(general-purpose)d
-Fm(TCP)p 3326 2354 25 4 v 29 w(Connection)i Fs(class.)2049
-2453 y(When)f(Bro)h(encounters)d(a)j(ne)n(w)f(connection)e(with)j
-(service)f(port)f(79,)2049 2553 y(it)j(instantiates)f(a)h
-(corresponding)14 b Fm(FingerConn)j Fs(object,)h(instead)2049
-2653 y(of)24 b(a)g Fm(TCP)p 2359 2653 V 30 w(Connection)f
-Fs(object)g(as)i(it)g(w)o(ould)e(for)h(an)g(unrecog-)2049
-2752 y(nized)c(port.)2132 2852 y Fm(FingerConn)129 b
-Fs(rede\002nes)h(the)h(virtual)f(function)2049 2952 y
-Fm(BuildEndpoints)p Fs(,)29 b(which)g(is)i(in)m(v)n(ok)o(ed)c(when)i(a)
-h(connection)2049 3051 y(object)20 b(is)h(\002rst)g(created:)2049
-3213 y Ff(void)39 b(FingerConn::BuildEndpoints\(\))2169
-3292 y({)2169 3371 y(resp)g(=)h(new)f(TCP_EndpointLine\(this,)d(1,)k
-(0,)g(1\);)2169 3449 y(orig)f(=)h(new)f(TCP_EndpointLine\(this,)d(0,)k
-(0,)g(1\);)2169 3528 y(})2049 3711 y Fs(Here,)70 b Fm(resp)p
-Fs(,)g(corresponding)57 b(to)k(the)f(responder)f(\(Finger)2049
-3810 y(serv)o(er\))28 b(side)i(of)f(the)g(connection,)g(is)h
-(initialized)f(to)h(an)f(ordinary)2049 3910 y Fm(TCP)p
-2204 3910 V 29 w(Endpoint)i Fs(object,)i(because)e(Bro)g(does)g(not)g
-(\(presently\))2049 4010 y(look)20 b(inside)h(Finger)f(replies.)27
-b(But)21 b Fm(orig)p Fs(,)g(the)f(Finger)h(client)f(side,)2049
-4109 y(and)g Fm(resp)p Fs(,)h(the)f(responder)f(\(Finger)h(serv)o(er\))
-f(side)i(of)g(the)f(connec-)2049 4209 y(tion)31 b(are)h(both)f
-(initialized)g(to)h Fm(TCP)p 3140 4209 V 29 w(EndpointLine)e
-Fs(objects,)2049 4308 y(which)23 b(means)g(Bro)g(will)h(track)f(the)g
-(contents)g(of)g(each)g(side)h(of)f(the)2049 4408 y(connection,)g(and,)
-h(furthermore,)d(deli)n(v)o(er)i(the)h(contents)f(in)h(a)h(line-)2049
-4508 y(oriented)19 b(f)o(ashion)h(to)h Fm(FingerConn)p
-Fs(')-5 b(s)19 b(virtual)h Fm(NewLine)g Fs(func-)2049
-4607 y(tion:)2049 4769 y Ff(int)39 b
-(FingerConn::NewLine\(TCP_Endpoint*)c(/*)40 b(s)g(*/,)2806
-4848 y(double)f(/*)h(t)f(*/,)h(char*)f(line\))2169 4927
-y({)2169 5006 y(line)g(=)h(skip_whitespace\(line\);)2169
-5163 y(//)f(Check)g(for)h(/W.)2169 5242 y(int)f(is_long)g(=)g
-(\(line[0])g(==)h('/')f(&&)2766 5321 y(toupper\(line[1]\))f(==)h
-('W'\);)2169 5400 y(if)g(\()h(is_long)f(\))1908 5649
-y Fs(19)p eop
-%%Page: 20 20
-20 19 bop 89 -104 a Ff(line)39 b(=)h(skip_whitespace\(line+2\);)-30
-53 y(val_list*)e(vl)i(=)f(new)h(val_list;)-30 132 y
-(vl->append\(BuildConnVal\(\)\);)-30 211 y(vl->append\(new)d
-(StringVal\(line\)\);)-30 290 y(vl->append\(new)g(Val\(is_long,)h
-(TYPE_BOOL\)\);)-30 448 y(mgr.QueueEvent\(finger_request,)d(vl\);)-30
-526 y(return)k(0;)-30 605 y(})-150 773 y Fs(\(F)o(or)89
-b(bre)n(vity)-5 b(,)104 b(we)90 b(sho)n(w)f Fm(NewLine)f
-Fs(only)h(for)g(the)-150 872 y Fm(finger)p 155 872 25
-4 v 29 w(request)66 b Fs(case.\))165 b Fm(NewLine)66
-b Fs(skips)i(whites-)-150 972 y(pace)29 b(in)g(the)g(request,)i(scans)e
-(it)h(for)e(the)i(\223)p Fm(/W)p Fs(\224)f(indicator)e(\(which)-150
-1072 y(requests)18 b(v)o(erbose)f(Finger)g(output\),)g(and)h(mo)o(v)o
-(es)f(past)h(it)h(if)f(present.)-150 1171 y(It)34 b(then)f(creates)h(a)
-h Fm(val)p 604 1171 V 29 w(list)f Fs(object,)i(which)d(holds)h(a)g
-(list)h(of)-150 1271 y(generic)i(Bro)h Fm(Val)g Fs(objects.)78
-b(The)38 b(\002rst)g(of)g(these)g(is)h(assigned)-150
-1371 y(to)i(a)g(generic)f(connection-identi\002er)d(v)n(alue)j(\(see)g
-(belo)n(w\);)51 b(the)-150 1470 y(second,)39 b(to)d(a)g(Bro)g
-Fm(string)f Fs(containing)f(the)i(Finger)f(request,)-150
-1570 y(and)41 b(the)h(third)f(to)h(a)h Fm(bool)e Fs(indicating)g
-(whether)f(the)i(request)-150 1669 y(w)o(as)37 b(v)o(erbose)e(or)h
-(not.)74 b(The)36 b(penultimate)f(line)h(queues)g(a)h(ne)n(w)-150
-1769 y Fm(finger)p 155 1769 V 29 w(request)k Fs(e)n(v)o(ent)f(with)i
-(the)f(corresponding)d(list)43 b(of)-150 1869 y(v)n(alues)28
-b(as)h(ar)o(guments;)h(\002nally)-5 b(,)29 b Fm(return)49
-b(0)28 b Fs(indicates)g(that)h(the)-150 1968 y Fm(FingerConn)22
-b Fs(is)i(all)f(done)f(with)h(the)g(memory)f(associated)g(with)-150
-2068 y Fm(line)34 b Fs(\(since)h Fm(new)49 b(StringVal\(line\))32
-b Fs(made)i(a)h(cop)o(y)f(of)-150 2168 y(it\),)20 b(so)h(that)f(memory)
-f(can)h(be)g(reclaimed)f(by)h(the)g(caller)-5 b(.)-67
-2267 y(The)34 b(connection)f(identi\002er)h(discussed)g(abo)o(v)o(e)f
-(is)j(de\002ned)d(in)-150 2367 y(Bro)20 b(as)h(a)g(\223)p
-Fm(connection)p Fs(\224)d(record:)-150 2514 y Ff(type)39
-b(endpoint:)g(record)g({)-30 2592 y(size:)g(count;)g(state:)g(count;)
--150 2671 y(};)-150 2750 y(type)g(connection:)f(record)h({)-30
-2829 y(id:)g(conn_id;)-30 2908 y(orig:)g(endpoint;)f(resp:)h(endpoint;)
--30 2987 y(start_time:)f(time;)-30 3066 y(duration:)g(interval;)-30
-3145 y(service:)g(string;)89 3223 y(#)i(if)f(empty,)g(service)g(not)h
-(yet)f(determined)-30 3302 y(addl:)g(string;)-30 3381
-y(hot:)g(count;)89 3460 y(#)h(how)f(hot;)g(0)h(=)g(don't)f(know)g(or)h
-(not)f(hot)-150 3539 y(};)-150 3706 y Fs(The)19 b Fm(id)h
-Fs(\002eld)g(is)g(a)g Fm(conn)p 624 3706 V 30 w(id)f
-Fs(record,)f(discussed)i(in)g Fi(x)g Fs(3.1.)k Fm(orig)-150
-3806 y Fs(and)29 b Fm(resp)h Fs(correspond)d(to)j(the)g(connection)e
-(originator)g(and)h(re-)-150 3906 y(sponder)m(,)22 b(each)h(a)h(Bro)f
-Fm(endpoint)f Fs(record)g(consisting)h(of)g Fm(size)-150
-4005 y Fs(\(the)c(number)f(of)i(bytes)g(transferred)d(by)j(that)g
-(endpoint)e(so)i(f)o(ar\))f(and)-150 4105 y Fm(state)p
-Fs(,)38 b(the)c(endpoint')-5 b(s)33 b(TCP)j(state)f(\(e.g.,)i(SYN)e
-(sent,)k(estab-)-150 4204 y(lished,)26 b(closed\).)40
-b(This)25 b(latter)h(w)o(ould)e(be)h(better)g(e)o(xpressed)f(using)-150
-4304 y(an)j(enumerated)e(type)i(\(rather)f(than)g(a)i
-Fm(count)p Fs(\),)g(which)f(we)g(may)-150 4404 y(add)20
-b(to)g(Bro)g(in)h(the)f(future.)-67 4503 y(The)36 b Fm(start)p
-354 4503 V 29 w(time)g Fs(\002eld)h(re\003ects)g(when)f(the)g
-(connection')-5 b(s)-150 4603 y(\002rst)21 b(pack)o(et)f(w)o(as)h
-(seen,)f(and)g Fm(duration)g Fs(ho)n(w)f(long)h(the)g(connec-)-150
-4703 y(tion)k(has)h(e)o(xisted.)38 b Fm(service)24 b
-Fs(corresponds)e(to)j(the)f(name)g(of)h(the)-150 4802
-y(service,)h(or)f(an)g(empty)f(string)h(if)g(it)h(has)g(not)f(been)f
-(identi\002ed.)39 b(By)-150 4902 y(con)m(v)o(ention,)33
-b Fm(addl)g Fs(holds)f(additional)g(information)f(associated)-150
-5001 y(with)e(the)g(connection;)i(better)d(than)h(a)g
-Fm(string)f Fs(here)h(w)o(ould)f(be)-150 5101 y(some)16
-b(sort)g(of)g(union)f(or)h(generic)f(type,)i(if)f(Bro)h(supported)d
-(such.)23 b(Fi-)-150 5201 y(nally)-5 b(,)18 b(by)h(con)m(v)o(ention)d
-(the)k(polic)o(y)e(script)h(increments)f Fm(hot)i Fs(when-)-150
-5300 y(e)n(v)o(er)g(it)i(\002nds)f(something)f(potentially)g
-(suspicious)g(about)g(the)h(con-)-150 5400 y(nection.)2132
--104 y(Here)f(is)h(the)f(corresponding)d(polic)o(y)i(script:)2049
-33 y Ff(global)39 b(hot_names)f(=)i({)g("root",)f("lp",)g("uucp")g(};)
-2049 111 y(global)g(finger_log)f(=)2169 190 y(open\(getenv\("BRO_ID"\))
-e(==)k("")f(?)2368 269 y("finger.log")f(:)2368 348 y
-(fmt\("finger.\045s",)f(getenv\("BRO_ID"\)\)\);)2049
-506 y(event)i(finger_request\(c:connection,)2886 585
-y(request:)g(string,)2886 664 y(full:)g(bool\))2169 742
-y({)2169 821 y(if)g(\()h(byte_len\(request\))d(>)j(80)f(\))h({)2288
-900 y(request)f(=)h(fmt\("\045s...",)2846 979 y(sub_bytes\(request,)d
-(1,)j(80\)\);)2288 1058 y(++c$hot;)2169 1137 y(})2169
-1216 y(if)f(\()h(request)f(in)g(hot_names)g(\))2288 1295
-y(++c$hot;)2169 1452 y(local)g(req)g(=)h(request)f(==)g("")h(?)2288
-1531 y("ANY")f(:)h(fmt\("\\"\045s\\"",)e(request\);)2169
-1610 y(if)h(\()h(c$addl)f(!=)g("")h(\))2288 1689 y(#)g(This)f(is)h(an)f
-(additional)g(request.)2288 1768 y(req)h(=)f(fmt\("\(\045s\)",)f
-(req\);)2169 1847 y(if)h(\()h(full)f(\))2288 1925 y(req)h(=)f
-(fmt\("\045s)g(\(/W\)",)g(req\);)2169 2083 y(local)g(msg)g(=)h
-(fmt\("\045s)f(>)g(\045s)h(\045s",)2806 2162 y(c$id$orig_h,)2806
-2241 y(c$id$resp_h,)2806 2320 y(req\);)2169 2399 y(if)f(\()h(c$hot)f(>)
-h(0)f(\))2288 2478 y(log)h(fmt\("finger:)e(\045s",)h(msg\);)2169
-2556 y(print)g(finger_log,)2408 2635 y(fmt\("\045.6f)f(\045s",)h
-(c$start_time,)f(msg\);)2169 2793 y(c$addl)h(=)g(c$addl)g(==)h("")f(?)
-2527 2872 y(req)h(:)f(fmt\("*\045s,)g(\045s",)g(c$addl,)g(req\);)2169
-2951 y(})2049 3109 y Fs(The)28 b(global)f Fm(hot)p 2598
-3109 V 30 w(names)h Fs(is)h(a)g(Bro)f Fm(set)h Fs(of)f
-Fm(string)p Fs(.)48 b(In)29 b(the)2049 3208 y(ne)o(xt)22
-b(line,)i Fm(finger)p 2689 3208 V 29 w(log)f Fs(is)g(initialized)g(to)g
-(a)h(Bro)f Fm(file)p Fs(,)g(either)2049 3308 y(named)f(\223\002nger)-5
-b(.log\224,)23 b(or)m(,)g(if)h(the)f Fm(BRO)p 3196 3308
-V 30 w(ID)g Fs(en)m(vironment)e(v)n(ariable)2049 3407
-y(is)g(set,)g(to)f(a)h(name)f(deri)n(v)o(ed)e(from)h(it)i(using)f(the)g
-(b)n(uilt-in)g Fm(fmt)g Fs(func-)2049 3507 y(tion.)2132
-3607 y(The)28 b Fm(finger)p 2595 3607 V 29 w(request)g
-Fs(e)n(v)o(ent)g(handler)f(follo)n(ws.)50 b(It)29 b(tak)o(es)2049
-3706 y(three)h(ar)o(guments,)i(corresponding)27 b(to)k(the)g(v)n(alues)
-g(added)e(to)j(the)2049 3806 y Fm(val)p 2204 3806 V 29
-w(list)24 b Fs(abo)o(v)o(e.)34 b(It)24 b(\002rst)h(checks)e(whether)g
-(the)g(request)h(is)g(e)o(x-)2049 3906 y(cessi)n(v)o(ely)15
-b(long,)h(and,)f(if)h(so,)h(truncates)e(it)h(and)f(increments)g(the)h
-Fm(hot)2049 4005 y Fs(\002eld)21 b(of)g(the)g(connection')-5
-b(s)19 b(information)g(record.)25 b(\(The)c(Bro)g(b)n(uilt-)2049
-4105 y(in)j(functions)f(used)h(here)g(are)g(named)g(in)g(terms)g(of)h
-(\223bytes\224)e(rather)2049 4204 y(than)16 b(\223string\224)g(because)
-f(the)o(y)h(mak)o(e)g(no)g(assumptions)f(about)h(NUL-)2049
-4304 y(termination)k(of)i(their)g(ar)o(guments;)e(in)i(particular)m(,)f
-Fm(byte)p 3762 4304 V 29 w(len)h Fs(re-)2049 4404 y(turns)g(the)h
-(length)f(of)h(its)h(ar)o(gument)c(including)h(a)i(\002nal)g(NUL)g
-(byte,)2049 4503 y(if)d(present.\))2132 4603 y(Ne)o(xt,)32
-b(the)e(script)g(checks)f(whether)g(the)h(request)f(corresponds)2049
-4703 y(to)e(an)o(y)e(of)h(the)h(entries)f(in)h(the)f
-Fm(hot)p 3134 4703 V 30 w(names)g Fs(set.)44 b(If)26
-b(so,)i(it)g(again)2049 4802 y(marks)20 b(the)g(connection)e(as)j
-(\223hot.)-6 b(\224)2132 4902 y(W)f(e)25 b(then)e(initialize)g(the)h
-(local)f(v)n(ariable)f Fm(req)i Fs(to)f(a)h(quoted)e(v)o(er)n(-)2049
-5001 y(sion)17 b(of)h(the)f(request;)h(or)m(,)f(if)h(the)g(request)e(w)
-o(as)j(empty)d(\(which)h(in)h(the)2049 5101 y(Finger)25
-b(protocol)g(indicates)g(a)i(request)e(type)h(of)f(\223)-7
-b(ANY\224\),)26 b(then)g(it)2049 5201 y(is)21 b(changed)e(to)h(\223)-7
-b(ANY\224.)2132 5300 y(The)19 b(e)n(v)o(ent)g(handler)g(stores)h(the)f
-(Finger)g(request)h(in)f(the)h(connec-)2049 5400 y(tion)g(record')-5
-b(s)19 b Fm(addl)h Fs(\002eld)g(\(see)h(belo)n(w\),)e(so)h(the)g(ne)o
-(xt)g(line)g(checks)1908 5649 y(20)p eop
-%%Page: 21 21
-21 20 bop -150 -104 a Fs(to)30 b(see)g(whether)f(this)h(\002eld)g
-(already)f(contains)g(a)h(request.)53 b(If)29 b(so,)-150
--5 y(then)19 b(we)h(are)g(seeing)f(multiple)g(requests)h(for)f(a)h
-(single)f(Finger)g(con-)-150 95 y(nection.)30 b(This)23
-b(is)g(not)f(allo)n(wed)g(by)f(the)i(Finger)e(protocol,)g(b)n(ut)h
-(that)-150 194 y(doesn')o(t)28 b(mean)h(we)g(w)o(on')o(t)g(see)h(them!)
-52 b(In)29 b(particular)m(,)g(we)h(might)-150 294 y(imagine)23
-b(a)i(subterfuge)d(attack)i(in)g(which)g(an)g(attack)o(er)f(queries)h
-(an)-150 394 y(innocuous)h(name)h(in)h(their)g(\002rst)h(request,)g
-(and)e(a)h(sensiti)n(v)o(e)g(name)-150 493 y(in)i(their)f(second,)h
-(and)f(depending)d(on)j(ho)n(w)g(the)h(\002nger)e(serv)o(er)h(is)-150
-593 y(written,)g(it)g(may)e(well)h(respond)f(to)h(both.)1102
-563 y Fn(5)1183 593 y Fs(This)g(script)g(will)g(still)-150
-693 y(catch)g(such)g(use,)i(since)f(it)g(fully)f(processes)g(each)g
-(request;)j(b)n(ut)e(it)-150 792 y(needs)21 b(to)g(be)g(careful)f(to)i
-(k)o(eep)e(the)i(global)e(state)i(corresponding)17 b(to)-150
-892 y(the)30 b(connection)e(\(in)i(the)g Fm(addl)f Fs(\002eld\))h
-(complete.)54 b(T)-7 b(o)30 b(do)f(so,)k(it)-150 991
-y(marks)21 b(additional)f(requests)h(by)g(enclosing)f(them)h(in)h
-(parentheses,)-150 1091 y(and)31 b(also)g(prepends)e(an)i(asterisk)h
-(to)f(the)g(entire)g Fm(addl)g Fs(\002eld)g(for)-150
-1191 y(each)25 b(additional)g(request,)h(so)g(that)f(in)h(later)g
-(visual)f(inspection)g(of)-150 1290 y(the)20 b(Finger)g(logs)g(these)g
-(requests)g(immediately)f(stand)h(out.)-67 1390 y(The)k
-Fm(msg)g Fs(local)g(v)n(ariable)f(holds)g(the)h(basic)g(description)f
-(of)h(the)-150 1490 y(Finger)29 b(request.)51 b(The)29
-b Fm(fmt)h Fs(function)d(kno)n(ws)i(to)h(format)e(the)h(IP)-150
-1589 y(addresses)38 b Fm(c$id$orig)p 662 1589 25 4 v
-28 w(h)h Fs(and)e Fm(c$id$resp)p 1387 1589 V 28 w(h)i
-Fs(as)g(\223dotted)-150 1689 y(quads.)-6 b(\224)-67 1788
-y(Ne)o(xt,)27 b(if)f(the)g(connection)e(has)i(been)f(mark)o(ed)f(as)j
-(\223hot\224)e(\(either)-150 1888 y(just)30 b(pre)n(viously)-5
-b(,)29 b(or)g(perhaps)f(by)g(a)i(completely)e(dif)n(ferent)f(e)n(v)o
-(ent)-150 1988 y(handler\),)17 b(then)g(the)h(script)h(generates)e(a)h
-(real-time)g(noti\002cation.)23 b(In)-150 2087 y(an)o(y)17
-b(case,)h(it)g(also)g(records)f(the)g(request)g(to)h(the)g
-Fm(finger)p 1533 2087 V 29 w(log)f Fs(\002le.)-150 2187
-y(Finally)-5 b(,)24 b(it)g(updates)e(the)i Fm(addl)f
-Fs(\002eld)h(to)g(re\003ect)f(the)h(request)e(\(and)-150
-2287 y(to)e(\003ag)h(multiple)e(requests,)h(as)h(discussed)f(abo)o(v)o
-(e\).)-67 2386 y(Entries)g(in)g(the)h(log)e(\002le)i(look)f(lik)o(e:)
--150 2530 y Ff(880988813.752829)37 b(171.64.15.68)i(>)527
-2609 y(128.3.253.104)f("feng")-150 2688 y(880991121.364126)f
-(131.243.168.28)h(>)527 2766 y(130.132.143.23)g("anlin")-150
-2845 y(880997120.932007)f(192.84.144.6)i(>)527 2924 y(128.3.32.16)g
-(ALL)-150 3003 y(881000846.603872)e(128.3.9.45)i(>)527
-3082 y(146.165.7.14)g(ALL)g(\(/W\))-150 3161 y(881001601.958411)e
-(152.66.83.11)i(>)527 3240 y(128.3.13.76)g("davfor")-150
-3404 y Fs(\(though)18 b(without)i(the)g(lines)g(split)h(after)f(the)g
-(\223)p Fm(>)p Fs(\224\).)-67 3504 y(The)37 b(real-time)f
-(noti\002cations)g(look)h(quite)f(similar)m(,)41 b(with)d(the)-150
-3603 y(k)o(e)o(yw)o(ord)24 b(\223)p Fm(finger:)p Fs(\224)34
-b(added)24 b(to)i(a)n(v)n(oid)f(ambiguity)f(with)h(other)-150
-3703 y(types)20 b(of)g(real-time)f(noti\002cation.)-150
-3980 y Ft(Refer)n(ences)-150 4165 y Fs([Ax99])95 b(AXENT)141
-b(T)-6 b(echnologies,)170 b Fr(Intruder)141 b(Alert)p
-Fs(,)187 4265 y(http://www)-5 b(.ax)o(ent.com/produ)o(ct/smsb)n(u/IT)c
-(A/,)187 4365 y(1999.)-150 4523 y([Br88])114 b(R.)32
-b(Bro)n(wn,)h(\223Calendar)d(Queues:)47 b(A)32 b(F)o(ast)g
-Fj(O)r Fc(\(1\))g Fs(Pri-)187 4623 y(ority)39 b(Queue)g(Implementation)
-e(for)j(the)g(Simulation)187 4723 y(Ev)o(ent)16 b(Set)j(Problem,)-6
-b(\224)17 b Fr(Communications)f(of)i(the)f(A)n(CM)p Fs(,)187
-4822 y(31\(10\),)g(pp.)j(1220-1227,)c(Oct.)21 b(1988.)-150
-4981 y([Ci99])119 b(Cisco)357 b(Systems,)440 b Fr(NetRang)o(er)p
-Fs(,)187 5081 y(http://www)-5 b(.cisco.com/w)o(arp/public/cc/cisco/m)o
-(kt/)187 5180 y(security/nranger/inde)o(x.htm)o(l,)15
-b(1999.)p -150 5244 801 4 v -65 5298 a Fk(5)-30 5321
-y Fp(W)-5 b(e)22 b(do)i(indeed)h(see)e(occasional)k(multiple)e
-(requests.)41 b(So)23 b(f)o(ar)m(,)i(the)o(y)g(ha)o(v)o(e)f(all)-150
-5400 y(appeared)19 b(fully)f(innocuous.)2049 -104 y Fs([CT94])91
-b(C.)44 b(Compton)f(and)h(D.)g(T)-6 b(ennenhouse,)47
-b(\223Collabora-)2386 -5 y(ti)n(v)o(e)e(Load)f(Shedding)f(for)i
-(Media-Based)g(Applica-)2386 95 y(tions,)-6 b(\224)45
-b Fr(Pr)l(oc.)c(International)d(Confer)m(ence)i(on)g(Mul-)2386
-194 y(timedia)i(Computing)f(and)h(Systems)p Fs(,)49 b(Boston,)e(MA,)
-2386 294 y(May)-5 b(.)19 b(1994.)2049 459 y([In99])127
-b(Internet)44 b(Security)h(Systems,)52 b(Inc.,)f Fr(RealSecur)m(e)3940
-429 y Fa(TM)4029 459 y Fs(,)2386 559 y(http://www)-5
-b(.iss.net/prod/rs.php3,)15 b(1999.)2049 725 y([JLM89])40
-b(V)-11 b(.)72 b(Jacobson,)83 b(C.)72 b(Leres,)84 b(and)71
-b(S.)g(McCanne,)2386 824 y Fm(tcpdump)p Fs(,)80 b(a)n(v)n(ailable)68
-b(via)h(anon)o(ymous)d(ftp)i(to)2386 924 y(ftp.ee.lbl.go)o(v)-5
-b(,)16 b(Jun.)k(1989.)2049 1089 y([Ka91])100 b(B.)36
-b(Kantor)m(,)j(\223BSD)d(Rlogin,)-6 b(\224)40 b(RFC)d(1282,)h(Netw)o
-(ork)2386 1189 y(Information)51 b(Center)m(,)63 b(SRI)55
-b(International,)61 b(Menlo)2386 1289 y(P)o(ark,)19 b(CA,)i(Dec.)f
-(1991.)2049 1454 y([MJ93])91 b(S.)30 b(McCanne)e(and)h(V)-11
-b(.)31 b(Jacobson,)f(\223The)f(BSD)i(P)o(ack)o(et)2386
-1554 y(Filter:)38 b(A)27 b(Ne)n(w)g(Architecture)f(for)g(User)n(-le)n
-(v)o(el)g(P)o(ack)o(et)2386 1653 y(Capture,)-6 b(\224)18
-b Fr(Pr)l(oc.)h(1993)e(W)-5 b(inter)20 b(USENIX)f(Confer)m(ence)p
-Fs(,)2386 1753 y(San)h(Die)o(go,)f(CA.)2049 1918 y([MLJ94])40
-b(S.)77 b(McCanne,)90 b(C.)78 b(Leres)e(and)h(V)-11 b(.)77
-b(Jacobson,)2386 2018 y Fm(libpcap)p Fs(,)j(a)n(v)n(ailable)68
-b(via)h(anon)o(ymous)d(ftp)i(to)2386 2118 y(ftp.ee.lbl.go)o(v)-5
-b(,)16 b(1994.)2049 2283 y([MHL94])39 b(B.)23 b(Mukherjee,)d(L.)i
-(Heberlein,)f(and)h(K.)g(Le)n(vitt,)g(\223Net-)2386 2383
-y(w)o(ork)33 b(Intrusion)f(Detection,)-6 b(\224)37 b
-Fr(IEEE)c(Network)p Fs(,)38 b(8\(3\),)2386 2482 y(pp.)19
-b(26-41,)f(May/Jun.)h(1994.)2049 2648 y([Ne99])100 b(Netw)o(ork)41
-b(Flight)g(Recorder)m(,)46 b(Inc.,)g Fr(Network)d(Flight)2386
-2747 y(Recor)m(der)p Fs(,)19 b(http://www)-5 b(.nfr)g(.com,)17
-b(1999.)2049 2913 y([PS93])105 b(V)-11 b(.)18 b(P)o(axson)g(and)g(C.)h
-(Saltmarsh,)f(\223Glish:)25 b(A)19 b(User)n(-Le)n(v)o(el)2386
-3012 y(Softw)o(are)46 b(Bus)i(for)f(Loosely-Coupled)d(Distrib)n(uted)
-2386 3112 y(Systems,)-6 b(\224)17 b Fr(Pr)l(oc.)f(1993)e(W)-5
-b(inter)17 b(USENIX)f(Confer)m(ence)p Fs(,)2386 3212
-y(San)k(Die)o(go,)f(CA.)2049 3377 y([P)o(a94])115 b(V)-11
-b(.)35 b(P)o(axson,)i(\223Empirically-Deri)n(v)o(ed)30
-b(Analytic)35 b(Mod-)2386 3477 y(els)28 b(of)f(W)m(ide-Area)g(TCP)h
-(Connections,)-6 b(\224)28 b Fr(IEEE/A)n(CM)2386 3576
-y(T)-5 b(r)o(ansactions)34 b(on)g(Networking)p Fs(,)39
-b(2\(4\),)e(pp.)e(316-336,)2386 3676 y(Aug.)19 b(1994.)2049
-3842 y([P)o(a96])115 b(V)-11 b(.)25 b(P)o(axson,)g Fm(flex)p
-Fs(,)g(a)n(v)n(ailable)f(via)h(anon)o(ymous)d(ftp)i(to)2386
-3941 y(ftp.ee.lbl.go)o(v)-5 b(,)16 b(Sep.)k(1996.)2049
-4107 y([P)o(a97a])78 b(V)-11 b(.)31 b(P)o(axson,)i(\223End-to-End)28
-b(Internet)i(P)o(ack)o(et)h(Dynam-)2386 4206 y(ics,)-6
-b(\224)67 b Fr(Pr)l(oc.)57 b(SIGCOMM)g('97)p Fs(,)65
-b(Cannes,)h(France,)2386 4306 y(Sep.)20 b(1997.)2049
-4471 y([P)o(a97b])73 b(V)-11 b(.)28 b(P)o(axson,)h(\223End-to-End)c
-(Routing)j(Beha)n(vior)f(in)i(the)2386 4571 y(Internet,)-6
-b(\224)41 b Fr(IEEE/A)n(CM)c(T)-5 b(r)o(ansactions)37
-b(on)h(Network-)2386 4671 y(ing)p Fs(,)19 b(5\(5\),)g(pp.)h(601-615,)d
-(Oct.)j(1997.)2049 4836 y([P)o(a98])115 b(V)-11 b(.)18
-b(P)o(axson,)g(\223Bro:)24 b(A)18 b(System)g(for)g(Detecting)f(Netw)o
-(ork)2386 4936 y(Intruders)h(in)i(Real-T)m(ime,)-6 b(\224)20
-b(Proc.)f(7th)h(USENIX)g(Secu-)2386 5035 y(rity)g(Symposium,)e(Jan.)i
-(1998.)2049 5201 y([PR83a])59 b(J.)26 b(Postel)h(and)f(J.)h(Re)o
-(ynolds,)f(\223T)-6 b(elnet)26 b(Protocol)f(Spec-)2386
-5300 y(i\002cation,)-6 b(\224)21 b(RFC)j(854,)d(Netw)o(ork)g
-(Information)e(Center)m(,)2386 5400 y(SRI)i(International,)c(Menlo)j(P)
-o(ark,)f(CA,)i(May)f(1983.)1908 5649 y(21)p eop
-%%Page: 22 22
-22 21 bop -150 -104 a Fs([PR83b])54 b(J.)24 b(Postel)g(and)f(J.)h(Re)o
-(ynolds,)g(\223T)-6 b(elnet)23 b(Option)g(Speci\002-)187
--5 y(cations,)-6 b(\224)30 b(RFC)g(855,)g(Netw)o(ork)d(Information)f
-(Center)m(,)187 95 y(SRI)21 b(International,)c(Menlo)j(P)o(ark,)f(CA,)i
-(May)f(1983.)-150 261 y([PR85])96 b(J.)25 b(Postel)g(and)f(J.)h(Re)o
-(ynolds,)f(\223File)h(T)m(ransfer)f(Protocol)187 360
-y(\(FTP\),)-6 b(\224)35 b(RFC)j(959,)h(Netw)o(ork)c(Information)e
-(Center)m(,)187 460 y(SRI)21 b(International,)c(Menlo)j(P)o(ark,)f(CA,)
-i(Oct.)f(1985.)-150 626 y([PN98])91 b(T)-6 b(.)52 b(Ptacek)g(and)g(T)-6
-b(.)53 b(Ne)n(wsham,)59 b(\223Insertion,)g(Ev)n(a-)187
-726 y(sion,)68 b(and)59 b(Denial)g(of)g(Service:)103
-b(Eluding)57 b(Net-)187 825 y(w)o(ork)i(Intrusion)f(Detection,)-6
-b(\224)69 b(Secure)59 b(Netw)o(orks,)187 925 y(Inc.,)45
-b(http://www)-5 b(.aciri.or)o(g/v)o(ern/Ptacek-)o(Ne)n(wsham)o(-)187
-1025 y(Ev)n(asion-98.ps,)17 b(Jan.)j(1998.)-150 1191
-y([PZCMO96])40 b(N.)22 b(Puk)o(etza,)f(K.)h(Zhang,)e(M.)i(Chung,)f(B.)h
-(Mukher)n(-)187 1290 y(jee)34 b(and)f(R.)h(Olsson,)j(\223)-7
-b(A)34 b(Methodology)d(for)i(T)-6 b(esting)187 1390 y(Intrusion)23
-b(Detection)i(Systems,)-6 b(\224)27 b Fr(IEEE)e(T)-5
-b(r)o(ansactions)187 1490 y(on)40 b(Softwar)m(e)g(Engineering)p
-Fs(,)j(22\(10\),)g(pp.)d(719-729,)187 1589 y(Oct.)20
-b(1996.)-150 1755 y([RLSSL)-6 b(W97])40 b(M.)25 b(Ranum,)g(K.)g
-(Land\002eld,)g(M.)f(Stolarchuk,)g(M.)187 1855 y(Sienkie)n(wicz,)41
-b(A.)d(Lambeth)e(and)i(E.)g(W)-7 b(all,)43 b(\223Imple-)187
-1954 y(menting)29 b(a)i(generalized)e(tool)h(for)g(netw)o(ork)f
-(monitor)n(-)187 2054 y(ing,)-6 b(\224)24 b Fr(Pr)l(oc.)g(LISA)f('97)p
-Fs(,)h(USENIX)g(11th)f(Systems)h(Ad-)187 2154 y(ministration)19
-b(Conference,)f(San)i(Die)o(go,)f(Oct.)i(1997.)-150 2320
-y([Re96])105 b(Y)-11 b(.)19 b(Rekhter)m(,)f(B.)i(Mosk)o(o)n(witz,)e(D.)
-h(Karrenber)o(g,)d(G.)j(J.)h(de)187 2419 y(Groot,)30
-b(and)f(E.)h(Lear)m(,)h(\223)-7 b(Address)29 b(Allocation)g(for)f(Pri-)
-187 2519 y(v)n(ate)20 b(Internets,)-6 b(\224)19 b(RFC)i(1918,)e(Feb)m
-(.)h(1996.)-150 2685 y([Sr95a])86 b(R.)21 b(Srini)n(v)n(asan,)f
-(\223RPC:)i(Remote)e(Procedure)f(Call)j(Pro-)187 2785
-y(tocol)30 b(Speci\002cation)g(V)-9 b(ersion)30 b(2,)-6
-b(\224)34 b(RFC)e(1831,)g(DDN)187 2884 y(Netw)o(ork)19
-b(Information)e(Center)m(,)j(Aug.)f(1995.)-150 3050 y([Sr95b])81
-b(R.)30 b(Srini)n(v)n(asan,)g(\223XDR:)g(External)e(Data)h(Representa-)
-187 3150 y(tion)g(Standard,)-6 b(\224)30 b(RFC)g(1832,)g(DDN)g(Netw)o
-(ork)e(Infor)n(-)187 3250 y(mation)19 b(Center)m(,)g(Aug.)h(1995.)-150
-3416 y([S-J93])91 b(M.)18 b(St.)h(Johns,)f(\223Identi\002cation)e
-(Protocol,)-6 b(\224)18 b(RFC)h(1413,)187 3515 y(Netw)o(ork)38
-b(Information)f(Center)m(,)44 b(SRI)c(International,)187
-3615 y(Menlo)19 b(P)o(ark,)h(CA,)g(Feb)m(.)g(1993.)-150
-3781 y([T)-7 b(o99])111 b(T)-7 b(ouch)65 b(T)-6 b(echnologies,)75
-b(Inc.,)i Fr(INT)o(OUCH)67 b(INSA)p Fs(,)187 3881 y(http://www)-5
-b(.ttisms.com/tti/nsa)p 1176 3881 25 4 v 27 w(www)g(.html,)19
-b(1999.)-150 4047 y([WFP96])41 b(G.)30 b(White,)i(E.)e(Fisch)h(and)e
-(U.)h(Pooch,)i(\223Cooperating)187 4146 y(Security)e(Managers:)47
-b(A)32 b(Peer)n(-Based)g(Intrusion)e(De-)187 4246 y(tection)22
-b(System,)-6 b(\224)23 b Fr(IEEE)f(Network)p Fs(,)i(10\(1\),)e(pp.)g
-(20-23,)187 4346 y(Jan./Feb)m(.)d(1994.)-150 4512 y([Zi91])123
-b(D.)41 b(Zimmerman,)k(\223The)c(Finger)g(User)h(Information)187
-4611 y(Protocol,)-6 b(\224)27 b(RFC)h(1288,)f(Netw)o(ork)f(Information)
-e(Cen-)187 4711 y(ter)m(,)16 b(SRI)g(International,)e(Menlo)h(P)o(ark,)
-g(CA,)h(Dec.)k(1991.)1908 5649 y(22)p eop
-%%Trailer
-end
-userdict /end-hook known{end-hook}if
-%%EOF
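Review bot: deleting this generated PostScript also removes the prose walkthrough of the `finger_request` event handler near the end of the file, which is the only explanation in this part of the patch of why a second request on one Finger connection is flagged in the `addl` field and why that matters for detection. Removing a rendered paper from the tree is reasonable, but the commit should say where the paper can still be found (it is the [Pa98] entry in its own reference list) so that the rationale behind the finger policy is not lost along with the file.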
diff --git a/doc/quick-start/Bro-installation.texi b/doc/quick-start/Bro-installation.texi
deleted file mode 100644
index fcaddfe0f0..0000000000
--- a/doc/quick-start/Bro-installation.texi
+++ /dev/null
@@ -1,229 +0,0 @@
-
-@menu
-* Download ::
-* Install ::
-* Configuration ::
-* Encrypted Reports ::
-@end menu
-
-@node Download
-@section Download
-@cindex download
-
-Download Bro from: @uref{http://www.bro-ids.org/}
-
-You can unpack the distribution anywhere except into the directory
-you plan to install into. To untar the file, type:
-
-@example
-tar xvzf bro-0.9a6.6.tar.gz
-@end example
-
-@node Install
-@section Install
-
-You'll need to collect the following information before beginning the installation.
-
-@itemize
-@item localnets: a list of local subnets for your network. Bro needs to know which networks are "internal" and which are "external".
-
-@item interface names: the names of the capture interfaces in your host (e.g. sk0 or en1). Use @code{ifconfig -a} to get the list of all network interfaces on your Bro host.
-@end itemize
-
-If you want to use Bro's periodic email report feature, you'll also need:
-@itemize
-@item email list: a list of email addresses to send the reports to.
-
-@item pgp keys: if you want to encrypt all email reports, the location of the
-@uref{http://www.gnupg.org/,GPG keyring} of all recipients.
-@end itemize
-
-Bro is very easy to install. Just log in as @code{root}, and type:
-@example
-./configure
-@end example
-or to install Bro in a location other than @file{/usr/local/bro}, use:
-@example
-./configure --prefix=/path/to/bro
-@end example
-and then type:
-@example
-make
-make install
-@end example
-
-To update an existing Bro installation with new binaries and standard policy file, instead
-of @code{'make install'} do a @code{'make update'}. This will preserve all your local customizations.
-
-@node Configuration
-@section Configuration
-@cindex bro_config
-@cindex bro.cfg
-
-The @emph{Bro-Lite} configuration script can be used to automatically configure Bro for you. It
-checks your system's BPF settings, creates a 'bro' user account, installs
-a script to start bro at boot time, and installs a number of @code{cron} jobs
-to checkpoint bro every night, run perioidic reports, and manage log files.
-
-To run this configuration script type:
-@example
-make install-brolite
-@end example
-
-
-This will run the script @code{bro_config}, which creates the file @file{$BROHOME/etc/bro.cfg}.
-@code{bro_config} will ask a number of simple questions.
-
-Sample output of @code{bro_config}, along with explanation, is shown below:
-
-@quotation
-
-@verbatim
-Running Bro Configuration Utility
-Checking interfaces .... Done.
-Reading /usr/local/bro/etc/bro.cfg.example for defaults.
-@end verbatim
-@quotation
-@quotation
-The @code{bro_config} script looks first at ./bro.cfg, then /usr/local/bro/etc,
-for default values to use below.
-@end quotation
-@end quotation
-
-@verbatim
-Bro Log archive location [/usr/local/bro/archive]
-@end verbatim
-@quotation
-@quotation
-This is the directory where log file archives are kept.
-If you expect the log files to be very large, it is recommended to put these in a separate disk partition.
-@end quotation
-@end quotation
-
-@verbatim
-User id to install and run Bro under [bro]
-@end verbatim
-@quotation
-@quotation
-@code{bro_config} will create a new user account with this username if the user does not exist.
-@end quotation
-@end quotation
-
-@verbatim
-Interface names to listen on. [en1,en2]
-@end verbatim
-@quotation
-@quotation
-@code{bro_config} looks for all network interfaces and does a short test to determine which interfaces see the most traffic, and selects these interfaces as the default.
-@end quotation
-@end quotation
-
-@verbatim
-Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) []
-Starting Report Time [0600]
-Report interval (in hours) [24]
-Email addresses for internal reports [bro@localhost]
-Do you want to send external reports to a incident
- reporting org (e.g.: CERT, CIAC, etc) (Y/N)
-Y
-Email addresses for external reports []
-@end verbatim
-
-@quotation
-@quotation
-Daily reports will be created.
-Enter the site name you want to appear at the top and in the subject of all email reports.
-The 'start time' and 'interval' define the window of
-network activity that the daily report will cover, starting at 'Starting Report Time' and
-lasting through 'Report interval'. The start time should be entered using 24hr clock notation.
-For example: 12:30am = 0030, 2pm = 1400
-
-Two types of reports will be generated,
-"internal" and "external". Internal reports contain the same basic information as
-the external reports, along with traffic statistics and more detailed information on
-incidents. Both internal and external reports will be sent to the "internal" email address list.
-External reports are only sent if you answer "Y" and enter an external email address.
-(Note: currently only internal reports are generated)
-@end quotation
-@end quotation
-
-
-@verbatim
-Do you want to encrypt the email reports (Y/N) [N]
-Y
-@end verbatim
-@quotation
-@quotation
-If you want the email reports encrypted, you will need to set up GPG (@uref{http://www.gnupg.org})
-and create a GPG keyring containing the public keys of all email recipients. Instructions
-for this are in @ref{Encrypted Reports}.
-
-@end quotation
-@end quotation
-
-@verbatim
-Running script to determine your local subnets ...
-Your Local subnets [198.129.224.1/32]
-@end verbatim
-@quotation
-@quotation
-Bro needs to know a list of your local subnets. @code{bro_config} runs a tool
-that attempts to discover this automatically.
-You should always verify the results of this tool. The format is a list of subnet/significant
-bits of address.
-For example: 131.243.0.0/16, 198.128.0.0/18, 198.129.224.1/32
-@end quotation
-This information will be stored in the file @code{$BROHOME/site/local.site.bro}
-@end quotation
-
-@verbatim
-Saving settings to file: /usr/local/bro/etc/bro.cfg
-Bro configuration finished.
-To change these values, you can rerun bro_config at any time.
-@end verbatim
-@quotation
-@quotation
-Indicates that the script finished successfully.
-@end quotation
-@end quotation
-
-@end quotation
-
-For site monitoring very high traffic rates on Gigabit ethernet, there is some
-additional system tuning that should be done. See the @uref{http://www.bro-ids.org/, Bro User Guide} for more details.
-
-
-To reconfigure Bro, just type:
-@example
-bro_config
-@end example
-
-This will update your @file{/usr/local/bro/etc/bro.cfg} file. You can also edit this file using your favorite editor if you prefer.
-
-For other site customizations, you can edit the file $BROHOME/site/local.site.bro.
-For example, to tell bro to not look at traffic for host 198.162.44.66, add:
-@verbatim
- redef restrict_filters += { ["ignore host 198.162.44.66 "] = "not (host 198.162.44.66)" };
-@end verbatim
-
-Or to disable alarms for "WeirdActivity", you can add this:
-@verbatim
- redef notice_action_filters += { [[WeirdActivity]] = ignore_notice, };
-@end verbatim
-
-Any changes you make in $BROHOME/site will not be touched during an upgrade
-or reinstall of Bro. You should avoid editing files in $BROHOME/policy,
-as these will be overwritten.
-
-More details are available in the Bro user guide.
-
-@node Encrypted Reports
-@section Encrypted Reports
-@cindex GPG
-
-Bro can use GPG (@uref{http://www.gnupg.org/}) to encrypt
-the reports that it sends. To have Bro encrypt your
-reports you must have said 'yes' to the bro_config question to
-encrypt your reports. For information on configuring
-GPG for Bro reports, see the @uref{http://www.bro-ids.org/, Bro User Manual}.
-
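Review bot: the Configuration section removed here is where the upgrade rule is stated: changes under `$BROHOME/site` survive `make update` and reinstall, while files under `$BROHOME/policy` are overwritten. It also holds the `restrict_filters` and `notice_action_filters` examples for `local.site.bro`, and the advice to always verify the auto-detected local subnets. Please confirm that whatever replaces this guide still documents those points, since an operator who edits `policy/` by mistake silently loses local detection changes on upgrade. Separately, the Install section tells the reader to log in as `root` before `./configure` and `make`. If any of this text is carried over, limit root to the `make install` step.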
diff --git a/doc/quick-start/Bro-overview.texi b/doc/quick-start/Bro-overview.texi
deleted file mode 100644
index de02ec482c..0000000000
--- a/doc/quick-start/Bro-overview.texi
+++ /dev/null
@@ -1,143 +0,0 @@
-
-@menu
-* What is Bro? ::
-* Bro features and benefits ::
-* Getting more Information ::
-@end menu
-
-@node What is Bro?
-@section What is Bro?
-@cindex Network Intrusion Detection System
-
-Bro is a Unix-based Network Intrusion Detection System (IDS). Bro monitors network traffic and detects intrusion attempts based on the traffic
-characteristics and content. Bro detects intrusions by comparing network traffic against rules describing events that are deemed troublesome. These rules
-might describe activities (e.g., certain hosts connecting to certain services), what activities are worth alerting (e.g., attempts to a given number of different hosts constitutes
-a "scan"), or signatures describing known attacks or access to known vulnerabilities. If Bro detects something of interest, it can be instructed to either issue a log entry or initiate the execution of an operating system command.
-
-Bro targets high-speed (Gbit/second), high-volume intrusion detection. By judiciously leveraging packet filtering techniques,
-Bro is able to achieve the performance necessary to do so while running on commercially
-available PC hardware, and thus can serve as a cost effective means of monitoring a site's Internet connection.
-
-
-@node Bro features and benefits
-@section Bro features and benefits
-
-@itemize
-@item @strong{Network Based}
-@quotation
-Bro is a network-based IDS. It collects, filters, and analyzes traffic that passes through a specific
-network location. A single Bro monitor, strategically placed at a key network junction, can be
-used to monitor all incoming and outgoing traffic for the entire site. Bro does not use or
-require installation of client software on each individual, networked computer.
-@end quotation
-
-@item @strong{Custom Scripting Language}
-@quotation
-Bro policy scripts are programs written in the Bro language. They contain the "rules" that
-describe what sorts of activities are deemed troublesome. They analyze the network activity and
-initiate actions based on the analysis. Although the Bro language takes some time and effort to
-learn, once mastered, the Bro user can write or modify Bro policies to detect and alert on virtually
-any type of network activity.
-@end quotation
-
-@item @strong{Pre-written Policy Scripts}
-@quotation
-Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks
-while limiting the number of false positives, i.e., alerts that confuse uninteresting activity with the
-important attack activity. These supplied policy scripts will run "out of the box" and do not
-require knowledge of the Bro language or policy script mechanics.
-@end quotation
-
-@item @strong{Powerful Signature Matching Facility}
-@quotation
-Bro policies incorporate a signature matching facility that looks for specific traffic content. For
-Bro, these signatures are expressed as regular expressions, rather than fixed strings. Bro adds a
-great deal of power to its signature-matching capability because of its rich language. This allows
-Bro to not only examine the network content, but to understand the context of the signature,
-greatly reducing the number of false positives. Bro comes with a set of high value signatures
-policies, selected for their high detection and low false positive characteristics.
-@end quotation
-
-@item @strong{Network Traffic Analysis}
-@quotation
-Bro not only looks for signatures, but can also analyze network protocols, connections,
-transactions, data amounts, and many other network characteristics. It has powerful facilities for
-storing information about past activity and incorporating it into analyses of new activity.
-@end quotation
-
-@item @strong{Detection Followed by Action}
-@quotation
-Bro policy scripts can generate output files recording the activity seen on the network (including
-normal, non-attack activity). They can also send alarms to event logs, including the
-operating system syslog facility. In addition, scripts can execute programs, which can, in turn,
-send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with
-appropriate additional software, insert access control blocks into a router's access control list.
-With Bro's ability to execute programs at the operating system level, the actions that Bro can
-initiate are only limited by the computer and network capabilities that support Bro.
-@end quotation
-
-@item @strong{@uref{http://www.snort.org/,Snort} Compatibility Support}
-@cindex Snort
-@quotation
-The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro
-signatures. Along with translating the format of the signatures, snort2bro also incorporates a large
-number of enhancements to the standard set of Snort signatures to take advantage of Bro's
-additional contextual power and reduce false positives.
-@end quotation
-
-
-@end itemize
-
-@node Getting more Information
-@section Getting more Information
-
-@itemize
-@item @strong{Reference manual}
-@quotation
-An extensive @uref{http://www.bro-ids.org/manuals.html,reference manual} is provided detailing the Bro Policy Language
-@end quotation
-
-@item @strong{FAQ}
-@cindex FAQ
-@quotation
-Several Frequently Asked Questions are outlined in the @uref{http://www.bro-ids.org/FAQ.html,Bro FAQ}.
-Do you have a question that's not
-in the FAQ, send it to us and we'll add it.
-@end quotation
-
-@item @strong{E-mail list}
-@cindex Email list
-@quotation
-Send questions on any Bro subject to Bro@@bro-ids.org
-The list is frequented by all of the Bro developers, including the primary author of Bro, Dr. Vern
-Paxson.
-
-You can subscribe by going to the website:
-@* @uref{http://mailman.icsi.berkeley.edu/mailman/listinfo/bro},
-@*
-or by placing the following command in either the subject or the body of a message addressed to
-Bro-request@@ICSI.Berkeley.EDU.
-
-@example
-subscribe [password] [digest-option] [address=]
-@end example
-
-A password must be given to
-unsubscribe or change your options. Once subscribed to the
-list, you'll be reminded of your password periodically.
-The 'digest-option' may be either: 'nodigest' or 'digest' (no
-quotes!) If you wish to subscribe an address other than the
-address you use to send this request from, you may specify
-"address=" (no brackets around the email
-address, no quotes!)
-
-@end quotation
-
-@item @strong{Website}
-@quotation
-The official Bro website is located at:
-@uref{http://www.bro-ids.org}.
-It contains all of the above documentation and more.
-@end quotation
-
-@end itemize
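Review bot: in the E-mail list item, the subscribe instructions are damaged and should not be copied forward as they stand. `subscribe [password] [digest-option] [address=]` and the later `"address="` have lost the placeholder that followed the equals sign, so the sentence about "no brackets around the email address" no longer makes sense. The text also asks the reader to put a password in the subject or body of a plain e-mail. If the mailing-list pointer is kept anywhere, link only to the mailman listinfo URL and drop the mail-command form.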
diff --git a/doc/quick-start/Bro-quick-start.pdf b/doc/quick-start/Bro-quick-start.pdf
deleted file mode 100644
index 75f0a484c5..0000000000
Binary files a/doc/quick-start/Bro-quick-start.pdf and /dev/null differ
diff --git a/doc/quick-start/Bro-quick-start.texi b/doc/quick-start/Bro-quick-start.texi
deleted file mode 100644
index 166d1293f3..0000000000
--- a/doc/quick-start/Bro-quick-start.texi
+++ /dev/null
@@ -1,99 +0,0 @@
-\input texinfo @c -*-texinfo-*-
-@comment $Id: Bro-quick-start.texi 958 2004-12-21 16:51:44Z tierney $
-@comment %**start of header
-@setfilename Bro-quick-start.info
-@settitle Bro Quick Start Guide
-@setcontentsaftertitlepage
-@comment %**end of header
-
-
-@set VERSION 0.9
-@set UPDATED 11-15-2004
-
-@copying
-This the Quick Start Guide for Bro
-version @value{VERSION}.
-
-This software is copyright @copyright{}
-1995-2004, The Regents of the University of California
-and the International Computer Science Institute. All rights reserved.
-
-For further information about this notice, contact:
-
-Vern Paxson
-email: @email{vern@@icir.org}
-
-@end copying
-
-@dircategory Bro
-@direntry
-* Bro: Network Intrusion Detection System
-@end direntry
-
-@ifnottex
-@node Top
-@top Bro Quick Start Guide
-@copyright{} Lawrence Berkeley National Laboratory
-@end ifnottex
-
-@titlepage
-@title Bro Quick Start Guide
-@subtitle version @value{VERSION}, @value{UPDATED}, @strong{DRAFT}
-@author Vern Paxson, Jim Rothfuss, Brian Tierney
-@author Contact: @email{vern@@icir.org}
-@author @uref{http://www.bro-ids.org/}
-@page
-@insertcopying
-@vskip 0pt plus 1filll
-@end titlepage
-
-@contents
-
-@ifnottex
-@strong{Bro Quick Start Guide}:
-This manual contains info on installing, configuring, and running
-Bro. For more details, see the @uref{http://www.bro-ids.org/Bro-user-manual/,
-Bro User Manual}
-@end ifnottex
-
-@menu
-* Overview of Bro::
-* Requirements ::
-* Installation and Configuration::
-* Running Bro ::
-* Index::
-@end menu
-
-@comment ********************************************
-
-@node Overview of Bro
-@chapter Overview of Bro
-@include Bro-overview.texi
-
-@comment ********************************************
-@node Requirements
-@chapter Requirements
-@cindex Software requirements
-@cindex Hardware requirements
-
-@include Bro-requirements.texi
-
-@comment ********************************************
-@node Installation and Configuration
-@chapter Installation and Configuration
-@cindex Installation instructions
-@include Bro-installation.texi
-@cindex Configuration instructions
-
-@comment ********************************************
-@node Running Bro
-@chapter Running Bro
-@include Bro-running.texi
-
-@comment ********************************************
-@node Index
-@unnumbered Index
-
-@printindex cp
-
-@bye
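Review bot: this top-level file pulls in four others through `@include` (`Bro-overview.texi`, `Bro-requirements.texi`, `Bro-installation.texi` and `Bro-running.texi`), so the removal is only clean if all four go in the same commit. Three of them are deleted alongside it in this part of the patch. Please check that `Bro-running.texi` is removed as well, and that no remaining build rule or document still refers to `Bro-quick-start.texi` or to the deleted `Bro-quick-start.pdf`.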
diff --git a/doc/quick-start/Bro-requirements.texi b/doc/quick-start/Bro-requirements.texi
deleted file mode 100644
index d3fa73b48e..0000000000
--- a/doc/quick-start/Bro-requirements.texi
+++ /dev/null
@@ -1,79 +0,0 @@
-
-
-@menu
-* Network Tap ::
-* Hardware and Software Requirements ::
-@end menu
-
-
-@node Network Tap
-@section Network Tap
-@cindex network tap
-
-A network tap must be installed to provide Bro with access to live network traffic.
-For Bro to be most effective, access to the network must be full-bandwidth (no bandwidth limitations) and full-duplex. A passive tap is recommended to ensure minimal impact on network operations.
-
-Normally the network tap for Bro should be placed behind an external firewall and on the DMZ
-(the portion of the network under the control of the organization but outside of the internal firewall),
-as shown in the figure below. Some organizations might prefer to install the network tap before
-the firewall in order to detect all scans or attacks. Placing Bro before the firewall will allow
-the organization to better understand attacks, but will produce a much high number of alarms and alerts. Another option is to place Bro inside the internal firewall, allowing it to detect internal hosts with viruses or worms.
-In addition to the connection to the network tap, a separate network connection is required
-for management of Bro and access to log files.
-
-For more information on taps and tap placement see the Netoptics White paper titled @emph{Deploying Network Taps with Intrusion Detection Systems} (@uref{http://www.netoptics.com/products/pdf/Taps-and-IDSs.pdf}).
-
-@float Figure, tap location
-@image{bro-deployment,6.3in}
-@caption{Typical location for network tap and Bro system}
-@end float
-
-@node Hardware and Software Requirements
-@section Hardware and Software Requirements
-
-Bro requires no custom hardware, and runs on low-cost commodity PC-style system.
-However, the Bro monitoring host must examine every packet into and out of
-your site, so depending on your sites network traffic, you may need a fairly high-end machine.
-If you are trying to monitor a link with a large number of connections, we recommend using
-a second system for report generation, and run only Bro on the capture host.
-
-@quotation
-@multitable @columnfractions .25 .75
-@comment only work with texiinfo 4.7 or higher: @headitem Item @tab Requirements
-@item @strong{Item} @tab @strong{Requirements}
-
-@item @strong{Processor}
-@tab 1 GHz CPU (for 100 BT Ethernet with average packet rate <= 5,000 packets/second)
-@* 2 GHz CPU (for 1000 BT Ethernet with average packet rate <= 10,000 packets/second)
-@* 3 GHz CPU (for 1000 BT Ethernet with average packet rate <= 20,000 packets/second)
-@* 4 GHz CPU (for 1000 BT Ethernet with average packet rate <= 50,000 packets/second)
-@* (Note: these are @strong{very} rough estimates, and much depends on the types of
-traffic on your network (e.g.: http, ftp, mail, etc.). See the Performance chapter of the Bro User Guide for more information)
-
-@item @strong{Operating System}
-@tab FreeBSD 4.10 (@uref{http://www.freebsd.org/}) Bro works with Linux
-and Solaris as well,
-but the performance is best under FreeBSD. In particular there are some performance issues with
-packet capture under Linux. See the User Guide chapter on Bro and Linux for more information. FreeBSD 5.x should work, but may have performance issues. For sites with very high traffic loads, contact us for information on a FreeBSD 4.x patch to do @emph{bpf bonding}
-
-@item @strong{Memory}
-@tab 1 GB RAM is the minimum needed, but 2-3 GB is recommended
-
-@item @strong{Hard disk}
-@tab 10 GByte minimum, 50 GByte or more for log files recommended
-
-@item @strong{User privileges}
-@tab @emph{superuser} to install Bro, then Bro runs as user @emph{bro}
-
-@item @strong{Network Interfaces}
-@tab 3 interfaces are required: 2 for packet capture (1 for each direction), and 1 for host management. Capture interfaces should be identical.
-
-@item @strong{Other Software}
-@* - Perl version 5.6 or higher (@uref{http://www.perl.org})
-@* - libpcap version 0.8 or higher (@uref{http://www.tcpdump.org})
-@* - tcpdump version 3.8 or higher (@uref{http://www.tcpdump.org})
-@* Note: FreeBSD 4.x comes with older versions perl, libpcap, and tcpdump. Bro
-requires newer versions of these tools.
-
-@end multitable
-@end quotation
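Review bot: the rows of this deleted table are not all sizing figures, and the "User privileges" row (`superuser` to install Bro, then Bro runs as user `bro`) is the statement that the sensor should not keep running as root. The Network Tap section above it also requires a separate network connection for management and log access, and recommends a passive tap. Please confirm that the replacement documentation carries the unprivileged runtime account and the separate management interface, or say in the commit message where that text moved. The rows pinned to specific releases (FreeBSD 4.10, libpcap 0.8, tcpdump 3.8, the GHz estimates) can go without a replacement.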
diff --git a/doc/quick-start/Bro-running.texi b/doc/quick-start/Bro-running.texi
deleted file mode 100644
index 6fd2d95d0a..0000000000
--- a/doc/quick-start/Bro-running.texi
+++ /dev/null
@@ -1,316 +0,0 @@
-
-@menu
-* Starting Bro ::
-* Bro Scripts ::
-* Sending (E-mail) Bro Reports ::
-* Reading a Bro Report ::
-@end menu
-
-@node Starting Bro
-@section Starting Bro
-@cindex starting Bro
-@cindex bro.rc
-
-Bro is automatically started at boot time via the @command{bro.rc}
-script,
-( located in /usr/local/bro/etc and /usr/local/etc/rc.d on FreeBSD or
-/usr/init.d on Linux )
-
-To run this script by hand, type:
-@example
-bro.rc start
-@end example
-or
-@example
-bro.rc checkpoint
-@end example
-or
-@example
-bro.rc stop
-@end example
-
-Use @code{checkpoint} to restart Bro, loading a new policy file.
-
-To get feel for what Bro logs will look like on your traffic, do the following:
-
-Generate some "offline" data to play with:
-
-@example
- # tcpdump -s 0 -w trace.out
-@end example
-
-Kill off the tcpdump after capturing traffic for a few minutes (use ctrl-C),
-then to run Bro against this captured trace file:
-
-@example
- # setenv BROHOME /usr/local/bro
- # setenv BROPATH $BROHOME/site:$BROHOME/policy
- # bro -r trace.out hostname.bro
-@end example
-
-
-@node Bro Scripts
-@section Bro Scripts
-@cindex bro_generate_report
-@cindex bro_log_compress
-@cindex check_disk
-@cindex managing disk space
-
-Installing Bro automatically creates the following @command{cron} jobs,
-which are
-automatically run on a specified interval.
-
-@itemize
-@item @command{site-report.pl}: generates an email report of all alarms
-and alerts
-@item @command{mail_reports.sh}: send email reports
-@end itemize
-
-These scripts can also all be run by hand at any time.
-
-Bro log files can get quick large, and it is important to make sure that
-the Bro disk
-does not fill up. Bro includes some simple scripts to help manage disk
-space. Most
-sites will want to customize these for their own requirements, and
-integrate them into their
-backup system to make sure files are not removed before they are
-archived.
-
-@itemize
-@item @command{check_disk.sh}: check for low disk space, and send email
-@item @command{bro_log_compress.sh}: removes/compresses old log files
-@end itemize
-
-These scripts can be customized by editing their settings in
-@code{$BROHOME/etc/bro.cfg}.
-The settings are as follows:
-@itemize
-@item @command{check_disk.sh}:
-@itemize
-@item @command{diskspace_pct}: when disk is >= this percent full, send
-email
-@item @command{diskspace_watcher}: list of email addresses to send mail
-to
-@end itemize
-@end itemize
-
-@itemize
-@item @command{bro_log_compress.sh}:
-@itemize
-@item @command{Days2deletion}: remove files more than this many days old
-(default = 60)
-@item @command{Days2compression}: compress files more than this many days
-old (default = 30)
-@end itemize
-@end itemize
-
-
-
-@node Sending (E-mail) Bro Reports
-@section Sending (E-mail) Bro Reports
-@cindex e-mail reports
-@cindex internal report
-@cindex external report
-
-A daily 'internal' report is created that covers three sets of
-information:
-
-@itemize
-@item Incident information
-@item Operational status of Bro
-@item General network traffic information
-@end itemize
-
-If the local organization is asked to report incidents to another
-incident analysis organization (i.e. CERT, CIAC, FedCIRC, etc.) an
-auxiliary 'external' report can be created that only contains the
-incident information. These reports are stored in $BRODIR/reports.
-
-The two reports will be mailed to the e-mail addresses specified during
-Bro installation. These e-mail addresses can be changed by re-running
-the bro_config script or by editing $BROHOME/etc/bro.cfg directly. Each
-report has it's own set of e-mail addresses. If it is desired to send
-the auxiliary report directly to the external incident analysis
-organization without inspection, enter their e-mail address directly.
-Otherwise, have the external e-mail sent to someone who can inspect and
-forward it appropriately.
-
-@node Reading a Bro Report
-@section Reading a Bro Report
-@cindex incident
-@cindex incident type
-@cindex report period
-@cindex alarm
-@cindex connection, successful
-@cindex connection, unsuccessful
-@cindex connection, history
-@cindex scans
-@cindex system statistics
-@cindex traffic statistics
-
-The report is divided into three parts, the summary, incidents, and
-scans. The summary includes a rollup of incident information, Bro
-operational statistics, and network information. The incidents section
-has details for each Bro alarm. The scans section gives details about
-scans that Bro detected.
-
-@subsection Parts of a Report
-
-@subsubheading Summary
-@quotation
-@strong{Report Period:} The beginning and ending date/times that define
-the window of network data used to produce the report.
-@*@*
-@strong{Incident Count:} The number of each type of incident that are
-detailed in the report period
-@*@*
-@strong{System Statistics:} Operating system statistics that give some
-idea of the 'health' of Bro's operation.
-@*@*
-@strong{Traffic Statistics:} Statistics gathered by Bro that may or may
-not have significant value in evaluating intrusions, but are useful in
-understanding the network environment.
-@end quotation
-
-@subsubheading Incidents
-@quotation
-@strong{Incident:} Each incident generated by the Bro installation is
-assigned a unique identification number. This number is unique for all
-incidents, not just to the daily report.
-@*@*
-@strong{Incident Type:} Bro can detect attacks, but cannot make a
-definitive judgment if an attack is successful without further
-investigation and/or knowledge of the unique network environment. Bro
-uses an expert knowledge algorithm to make a determination if an incident
-is 'Likely Successful', 'Unknown' (not enough information to make a
-guess), or 'Likely Unsuccessful'.
-@*@*
-@strong{Local Host:} The local computer involved in the incident; usually
-the victim.
-@*@*
-@strong{Remote Host:} The remote computer involved in the incident;
-usually the attacker.
-@*@*
-@strong{Alarm(s}:) The network event(s) that Bro detected and identified
-as probable attacks.
-@*@*
-@strong{Successful Connections:} Connections where one host initiates a
-network request and the other host participates in the subsequent
-requested transactions.
-@*@*
-@strong{Unsuccessful Connections:} Connections where one host initiates a
-network request and the other host refuses the request.
-@*@*
-@strong{Unknown Connections:} Connections where one host initiated a
-network request, but it is unclear if the other host participated in a
-successful transaction.
-@*@*
-@strong{Connections History:} A summary tabulation of successful and
-unsuccessful connections made in specific time periods. The tabulations
-are accumulative. That is, the connections counted under 3 days will
-also be counted in each subsequent column.
-@end quotation
-
-@subsubheading Scans
-Scans are repetitive (similar) probes, searching several victim hosts for
-vulnerabilities. The scan section gives the attack host instigating the
-scan, the date/time of the scan, and the ports that were probed.
-
-@subsection Example Report:
-
-@example
-@verbatim
-Bro Report Organization Name
-=========================================================================
-Summary July 28, 2004 17:01 to July 29, 2004 17:00
-=========================================================================
- Incident Likely Successful 1
- Summary Unknown 0
- Likely Unsuccessful 0
- Scans 10
-
- System Bro disk space: <% at time of report generation>
- Statistics Bro Process cpu: