Merge remote branch 'origin/topic/robin/cleanup' into devel

This commit is contained in:
Robin Sommer 2010-11-27 17:30:34 -08:00
commit ffdd469e01
293 changed files with 99 additions and 127745 deletions

1
.gitignore vendored Normal file
View file

@ -0,0 +1 @@
build
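Review bot: the unanchored pattern `build` ignores any file or directory called `build` at any depth, not just the out-of-source build directory that `./configure` creates at the top level (see INSTALL in this merge). Anchoring it as `/build/` keeps a future source file or subdirectory of that name from silently disappearing from `git status`.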

View file

30
CHANGES
View file

@ -2,6 +2,36 @@
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1.6-dev.0 Fri Nov 26 13:48:11 PST 2010
- The Bro source code is now developed in the new git repositories.
See the developer pages at http://www.bro-ids.org for more
information on the new development process.
- Bro's build and installation setup has been moved from GNU
autotools to CMake. As a result of that, layout and specifics of
the distribution has changed significantly.
- Lots of pieces have been removed from the distribution that are
either now unnecessary or are no longer maintained.
- As part of the cleanup, a numbef of Bro configure options and
their corresponding functionality have been removed, including:
* --disable-select-loop
* --with-dag
* --disable-nbdns
* --enable-activemapping
* --enable-activemapping
* --enable-shippedpcap
- The previous configure option --enable-int64 is now enabled by default,
and can no longer be disabled.
- ClamAV support has been removed, which has been non-functional for
a while already.
1.5.2.7 Sun Sep 12 19:39:49 PDT 2010
- Addressed a number of lint nits (Vern Paxson).
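Review bot: typo and a duplicated entry in the new 1.6-dev.0 block: "a numbef of Bro configure options" should read "a number of", and `--enable-activemapping` appears twice in the list of removed options. The removed configure.in elsewhere in this merge also defined `--enable-brov6`, `--enable-expire-dfa-states`, `--enable-perftools`, `--with-perl`, `--disable-broccoli`, `--disable-broctl` and `--enable-cluster`; whichever of those did not survive the CMake port should be listed here instead of the duplicate.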

View file

@ -1,4 +1,4 @@
Copyright (c) 1995-2008, The Regents of the University of California,
Copyright (c) 1995-2010, The Regents of the University of California,
through Lawrence Berkeley National Laboratory. All rights reserved.
Redistribution and use in source and binary forms, with or without
@ -31,7 +31,7 @@ POSSIBILITY OF SUCH DAMAGE.
Note that some files in the Bro distribution carry their own copyright
notices. The above applies to the Bro scripts in policy/ (other than as
noted below) and the source files in src/ , other than:
noted below) and the source files in src/, other than:
policy/sigs/p0fsyn.osf
src/H3.h
@ -44,6 +44,5 @@ noted below) and the source files in src/ , other than:
src/patricia.c
src/patricia.h
In addition, the build components such as Makefile.in, acinclude.m4, and
others have separate copyrights, as do a number of the elements in the
aux/ subdirectory and in scripts/s2b/snort_rules2.2/ .
In addition, other components, such as the build system, may have
separate copyrights.
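Review bot: the replacement wording "other components, such as the build system, may have separate copyrights" drops the explicit mention of the aux/ subdirectory that the old text carried. INSTALL in this same merge still says the aux/ tools and libraries are shipped and installed by default, so it is worth keeping the aux/ reference (and the snort_rules2.2/ one if that directory still exists) so the scope of the main notice stays clear.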

View file

View file

@ -1,3 +1,6 @@
TODO: Needs update. -Robin
- Make sure BroV6 works.
- Make sure --enable-int64 builds w/o warnings.
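Review bot: the item "Make sure --enable-int64 builds w/o warnings" is stale as of this merge: CHANGES states that `--enable-int64` is now enabled by default and can no longer be disabled, so the option no longer exists. Either drop the item or reword it to checking that the (now unconditional) int64 build is warning-free.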

View file

@ -1,3 +0,0 @@
README
VERSION
bro

57
INSTALL
View file

@ -1,3 +1,8 @@
==============
Installing Bro
==============
Prerequisites
=============
@ -25,7 +30,7 @@ before you begin:
These are usually already installed as well.
* OpenSSL headers and libraries
For analysis of SSL certificates by the HTTP analyzer, and
For analysis of SSL certificates by the HTTP analyzer, and
for encrypted Bro-to-Bro communication. These are likely installed,
though some platforms may require installation of a 'devel' package
for the headers.
@ -42,65 +47,41 @@ installation time:
* Libmagic
For identifying file types (e.g., in FTP transfers).
* LibGeoIP
For geo-locating IP addresses.
* Libz
For decompressing HTTP bodies by the HTTP analyzer, and for
compressed Bro-to-Bro communication.
Installation
============
To build and install into /usr/local/bro:
> ./configure
> cd build
> make
> make install
This will perform an out-of-source build into the build directory using the
default build options and then install binaries into /usr/local/bro/bin.
This will perform an out-of-source build into a directory called
build/, using default build options. It then installs the Bro binary
into /usr/local/bro/bin. Depending on the Bro package you
downloaded, there may be auxiliary tools and libraries available in
the aux/ directory. If so, they will be installed by default as well
if not explicitly disabled via configure options.
You can specify a different installation directory with
> ./configure --prefix=<dir>
Run "./configure --help" for more options.
Run "./configure --help" for more options.
Running Bro
===========
Bro is a complex program and it takes a bit of time to get familiar
with it. In the following we give a few simple examples. See
http://www.bro-ids.org/wiki for more information.
To run a policy file from /usr/local/share/bro, such as mt.bro, on a
previously captured tcpdump save file named foo:
bro -r foo mt.bro
To run from interface le0:
bro -i le0 mt
You can alternatively specify interface and scripts to load in your own
policy file:
@load mt
redef interfaces = "le0";
and then run
bro ./my-policy.bro
You can see the BPF filter Bro will use (if not overridden) by executing
bro mt print-filter
To run interactively (e.g., for playing with expression evaluation):
bro
"bro -h" lists the various options.
with it. In the following we give a few simple examples. See the
quickstart guide at http://www.bro-ids.org for more information; you
can the source that in doc/quick-start.
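Review bot: the closing sentence of the "Running Bro" section is missing a verb: "you can the source that in doc/quick-start" presumably should be "you can find the source for that in doc/quick-start". Since the hunk removes all of the `bro -r`, `bro -i` and `print-filter` examples, that pointer is now the only guidance the file gives on running Bro, so the sentence should at least parse.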

28
Makefile Normal file
View file

@ -0,0 +1,28 @@
#
# A simple static wrapper for a number of standard Makefile targets,
# mostly just forwarding to build/Makefile. This is provided only for
# convenience and supports only a subset of what CMake's Makefile
# to offer. For more, execute that one directly.
#
BUILD=build
all: configured
( cd $(BUILD) && make )
install: configured
( cd $(BUILD) && make install )
clean: configured
( cd $(BUILD) && make clean )
dist: configured
( cd $(BUILD) && make package_source )
distclean:
rm -rf $(BUILD)
.PHONY : configured
configured:
@test -d $(BUILD) || ( echo "Error: No build/ directory found. Did you run configure?" && exit 1 )
@test -e $(BUILD)/Makefile || ( echo "Error: No build/Makefile found. Did you run configure?" && exit 1 )
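Review bot: the recursive invocations should use `$(MAKE)` rather than a bare `make`, e.g. `( cd $(BUILD) && $(MAKE) )`; with `make`, a `make -j N` at the top level does not pass its jobserver down to build/Makefile (GNU make warns "jobserver unavailable") and a non-default make program is not propagated. `.PHONY` also lists only `configured`; `all`, `install`, `clean`, `dist` and `distclean` are phony too and will be skipped if a file of that name ever appears in the top-level directory. Minor: the header comment reads "a subset of what CMake's Makefile to offer", missing "has". Note also that the Makefile.am removed further down exposed `test` and `docs` targets that this wrapper does not forward; if those still exist in build/Makefile it would be handy to add them here.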

View file

@ -1,64 +0,0 @@
## Process this file with automake to produce Makefile.in
# snag the whole linux-include directory
EXTRA_DIST = CHANGES README VERSION shtool linux-include \
autogen.sh depcomp ylwrap
# When running distcheck, make sure we skip building GtkDoc-based
# documentation. This applies to Broccoli only, and needs to be
# duplicated here because DISTCHECK_CONFIGURE_FLAGS isn't otherwise
# noticed.
#
DISTCHECK_CONFIGURE_FLAGS = --disable-gtk-doc
chown = @CHOWN@
# aux before src so we compile the libpcap
SUBDIRS = aux src scripts policy doc
test:
( cd ../testing && $(MAKE) test )
install-broctl:
$(MAKE) install
( cd aux/broctl && $(MAKE) install-broctl )
# Deprecated. Don't use.
install-brolite:
$(MAKE) install
$(INSTALL) -d $(prefix)/logs
$(INSTALL) -d $(prefix)/archive
$(INSTALL) -d $(prefix)/var
( cd scripts && $(MAKE) install-brolite )
( cd aux && $(MAKE) install-brolite )
- @CHOWN@ -R `cat scripts/bro_user_id` ${prefix}/
@echo "*********************************************************"
@echo "Please run \"${prefix}/etc/bro.rc --start\" to start bro"
@echo "*********************************************************"
docs:
( cd doc && $(MAKE) doc )
doc-install:
( cd doc && $(MAKE) doc-install )
update:
( cd scripts && $(MAKE) update )
( cd policy && $(MAKE) install )
update-sigs:
(cd scripts && $(MAKE) update-sigs )
reports:
( cd scripts && $(MAKE) reports )
# make sure we don't leak CVS/SVN or private policy files
dist-hook:
rm -rf `find $(distdir) -name CVS`
rm -rf `find $(distdir) -name .svn`
rm -rf $(distdir)/policy/local
release:
./autogen.sh
./configure
$(MAKE) distcheck

0
NEWS
View file

29
README
View file

@ -1,29 +1,24 @@
This is release 1.5 of Bro, a system for detecting network intruders in
This is release 1.6 of Bro, a system for detecting network intruders in
real-time using passive network monitoring.
Please see the file INSTALL for installation instructions and some examples
on how to run Bro. For more documentation, see the Bro Wiki:
Please see the file INSTALL for installation instructions and
pointers for getting started. For more documentation, see the
documentation on Bro's home page:
http://www.bro-ids.org/wiki/index.php/User_Manual
http://www.bro-ids.org/docs
Please note that this documentation is preliminary and still missing pieces.
PDF and HTML versions of older versions of the manuals are also available
in the doc/ directory.
There's also in doc/misc/conn-logs/ a brief summary of the connection logs
generated by the sample policy scripts (which are in policy/).
The main parts of Bro's documentation are also available in the doc/
directory of the distribution. (Please note that the documentation
is still a work in progress; there will be more in future releases.)
Numerous other Bro-related publications, including a paper describing the
system, can be found at
http://www.bro-ids.org/publications.html
http://www.bro-ids.org/publications.html
Some auxiliary scripts and utilities are available in the aux/ directory.
Note that these are not installed by default.
Send comments, etc., to the Bro mailing list, bro@bro-ids.org. However,
please note that you must first subscribe to the list in order to be able
to post to it.
Send comments, etc., to the Bro mailing list, bro@bro-ids.org.
However, please note that you must first subscribe to the list in
order to be able to post to it.
- Vern Paxson & Robin Sommer, on behalf of the Bro development team
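Review bot: "This is release 1.6 of Bro" overstates things for the devel branch: the VERSION file in this same merge is set to `1.6-dev.0`, and CHANGES labels the block "1.6-dev.0". Consider "This is the 1.6 development version of Bro" (or similar) until an actual 1.6 release is cut, so the README does not disagree with VERSION.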

View file

@ -1,9 +0,0 @@
Plan for 1.6:
Originally, with 1.5 we were going to start working with --use-binpac
as the default. However, this has been deferred pending development
of BinPAC++. We might however turn on BinPAC for the SSL analyzer,
for which the BinPAC version is more robust. It, though, doesn't
support storing certs to disk, which some folks use operationally.
Given DPD means we might not filter traffic anyway, we no longer
have such a good excuse for not dealing with IPv6 options.

View file

@ -1 +1 @@
1.5.2.7
1.6-dev.0

File diff suppressed because it is too large

View file

@ -1,143 +0,0 @@
#!/bin/sh
# Initialization script to set up the initial configuration files etc.
# shtool usage inspired by the autogen script of the ferite scripting
# language -- cheers Chris :)
#
# This is 'borrowed' from netdude, with minor changes for bro
BLD_ON=`./shtool echo -n -e %B`
BLD_OFF=`./shtool echo -n -e %b`
srcdir=`dirname $0`
NAME=bro
DIE=0
echo
echo " "${BLD_ON}"BRO Build Tools Setup"${BLD_OFF}
echo "===================================================="
echo
echo "Checking whether we have all tools available ..."
(autoconf --version) < /dev/null > /dev/null 2>&1 || {
echo
echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`autoconf' installed to."
echo "Download the appropriate package for your distribution,"
echo "or get the source tarball at ftp://ftp.gnu.org/pub/gnu/"
DIE=1
}
(automake --version) < /dev/null > /dev/null 2>&1 || {
echo
echo ${BLD_ON}"Error"${BLD_OFF}": You must have \`automake' installed."
echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
echo "(or a newer version if it is available)"
DIE=1
NO_AUTOMAKE=yes
}
# if no automake, don't bother testing for aclocal
test -n "$NO_AUTOMAKE" || (aclocal --version) < /dev/null > /dev/null 2>&1 || {
echo
echo ${BLD_ON}"Error"${BLD_OFF}": Missing \`aclocal'. The version of \`automake'"
echo "installed doesn't appear recent enough."
echo "Get ftp://ftp.gnu.org/pub/gnu/automake-1.3.tar.gz"
echo "(or a newer version if it is available)"
DIE=1
}
if test "$DIE" -eq 1; then
exit 1
fi
echo "All necessary tools found."
echo
if [ -d autom4te.cache ] ; then
echo "Removing autom4te.cache ..."
rm -rf autom4te.cache
#echo
#echo ${BLD_ON}"Error"${BLD_OFF}": autom4te.cache directory exists"
#echo "please remove it, and rerun this script"
#echo
#exit 1
fi
echo
echo "running "${BLD_ON}"aclocal"${BLD_OFF}
echo "----------------------------------------------------"
aclocal -I . $ACLOCAL_FLAGS
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo "running "${BLD_ON}"autoheader"${BLD_OFF}
echo "----------------------------------------------------"
autoheader
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo "running "${BLD_ON}"automake"${BLD_OFF}
echo "----------------------------------------------------"
automake -a -c
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo "running "${BLD_ON}"autoconf"${BLD_OFF}
echo "----------------------------------------------------"
autoconf
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo
echo "Running aux/binpac/autogen.sh"
echo "----------------------------------------------------"
(cd aux/binpac/ && BROBUILD=yes ./autogen.sh)
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo
echo "Running aux/broccoli/autogen.sh"
echo "----------------------------------------------------"
(cd aux/broccoli/ && BROBUILD=yes ./autogen.sh)
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo
echo "Running aux/broctl/aux/capstats/autogen.sh"
echo "----------------------------------------------------"
(cd aux/broctl/aux/capstats && ./autogen.sh)
if [ $? -ne 0 ]; then
echo "*** ERROR($NAME), aborting."
exit 1
fi
echo
echo
echo "Setup finished. Now run:"
echo
echo " $ "${BLD_ON}"./configure"${BLD_OFF}" (with options as needed, try --help)"
echo
echo "and then"
echo
echo " $ "${BLD_ON}"make"${BLD_OFF}
echo " # "${BLD_ON}"make install"${BLD_OFF}
echo

View file

@ -10,7 +10,6 @@ elseif (${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
elseif (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
set(HAVE_LINUX true)
include_directories(BEFORE ${CMAKE_SOURCE_DIR}/linux-include)
elseif (${CMAKE_SYSTEM_NAME} MATCHES "Solaris")
set(SOCKET_LIBS nsl socket)
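Review bot: dropping `include_directories(BEFORE ${CMAKE_SOURCE_DIR}/linux-include)` is only safe if the linux-include tree is gone as well. The removed Makefile.am distributed it (`EXTRA_DIST = ... linux-include`) and the removed configure.in added it to `V_INCLS` on Linux, so if the directory is still in the source tree its compatibility headers are no longer found on Linux builds, and if it has been deleted in this merge that is worth a line in CHANGES.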

136
compile
View file

@ -1,136 +0,0 @@
#! /bin/sh
# Wrapper for compilers which do not understand `-c -o'.
scriptversion=2003-11-09.00
# Copyright (C) 1999, 2000, 2003 Free Software Foundation, Inc.
# Written by Tom Tromey <tromey@cygnus.com>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# This file is maintained in Automake, please report
# bugs to <bug-automake@gnu.org> or send patches to
# <automake-patches@gnu.org>.
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: compile [--help] [--version] PROGRAM [ARGS]
Wrapper for compilers which do not understand `-c -o'.
Remove `-o dest.o' from ARGS, run PROGRAM with the remaining
arguments, and rename the output as expected.
If you are trying to build a whole package this is not the
right script to run: please start by reading the file `INSTALL'.
Report bugs to <bug-automake@gnu.org>.
EOF
exit 0
;;
-v | --v*)
echo "compile $scriptversion"
exit 0
;;
esac
prog=$1
shift
ofile=
cfile=
args=
while test $# -gt 0; do
case "$1" in
-o)
# configure might choose to run compile as `compile cc -o foo foo.c'.
# So we do something ugly here.
ofile=$2
shift
case "$ofile" in
*.o | *.obj)
;;
*)
args="$args -o $ofile"
ofile=
;;
esac
;;
*.c)
cfile=$1
args="$args $1"
;;
*)
args="$args $1"
;;
esac
shift
done
if test -z "$ofile" || test -z "$cfile"; then
# If no `-o' option was seen then we might have been invoked from a
# pattern rule where we don't need one. That is ok -- this is a
# normal compilation that the losing compiler can handle. If no
# `.c' file was seen then we are probably linking. That is also
# ok.
exec "$prog" $args
fi
# Name of file we expect compiler to create.
cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
# Create the lock directory.
# Note: use `[/.-]' here to ensure that we don't use the same name
# that we are using for the .o file. Also, base the name on the expected
# object file name, since that is what matters with a parallel build.
lockdir=`echo $cofile | sed -e 's|[/.-]|_|g'`.d
while true; do
if mkdir $lockdir > /dev/null 2>&1; then
break
fi
sleep 1
done
# FIXME: race condition here if user kills between mkdir and trap.
trap "rmdir $lockdir; exit 1" 1 2 15
# Run the compile.
"$prog" $args
status=$?
if test -f "$cofile"; then
mv "$cofile" "$ofile"
fi
rmdir $lockdir
exit $status
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:

1388
config.guess vendored

File diff suppressed because it is too large

1492
config.sub vendored

File diff suppressed because it is too large

View file

@ -1,980 +0,0 @@
dnl @(#) $Id: configure.in 6960 2009-12-19 06:22:16Z vern $ (LBL)
dnl
dnl Copyright (c) 1997, 1998, 2001, 2002
dnl The Regents of the University of California. All rights reserved.
dnl
dnl Process this file with autoconf to produce a configure script.
dnl
## broken versioning stuff
##m4_include([version.m4])
##AC_INIT([bro], VERSION_NUMBER)
## NOTICE: this sets the version at the autoconf time, not
## at configure time, so it may be out of date!
## start of changes for different versions of automake/conf
# this will work with automake 1.8.5
dnl AC_INIT(bro, esyscmd([tr -d '\n' < VERSION]))
dnl AC_CONFIG_SRCDIR(src/Active.cc)
dnl AC_CANONICAL_SYSTEM
dnl AM_INIT_AUTOMAKE
dnl AC_CONFIG_HEADER(config.h)
dnl AC_LBL_C_INIT(V_CCOPT, V_INCLS)
dnl AC_PROG_LEX
## This should work with automake 1.6
AC_INIT(src/Active.cc)
AC_CANONICAL_SYSTEM
#AM_INIT_AUTOMAKE(bro, 0.1.0)
AM_INIT_AUTOMAKE(bro, esyscmd([tr -d '\n' < VERSION]))
AM_CONFIG_HEADER(config.h)
AC_LBL_C_INIT_BEFORE_CC(V_CCOPT, V_INCLS)
AC_PROG_CC
AC_LBL_C_INIT(V_CCOPT, V_INCLS)
AM_PROG_LEX
## end of changes for versions of automake/conf
dnl Commands for funkier shell output:
BLD_ON=`./shtool echo -n -e %B`
BLD_OFF=`./shtool echo -n -e %b`
# We should install everything in /usr/local/bro{bin,lib,policy,etc}
AC_PREFIX_DEFAULT(/usr/local/bro)
dnl ################################################
dnl # Checks for programs
dnl ################################################
AC_PROG_YACC
AC_PROG_CXX
AC_PROG_INSTALL
AC_PROG_MAKE_SET
AC_PROG_RANLIB
AC_CHECK_PROGS(COMPRESS, gzip, compress)
AM_CONDITIONAL(USEV6, false)
AC_ARG_ENABLE(brov6,
[ --enable-brov6 enable IPV6 processing],
AC_DEFINE(BROv6,,[enable IPV6 processing])
AM_CONDITIONAL(USEV6,true))
AC_ARG_ENABLE(int64,
[ --enable-int64 enable use of int64 (long long) for integers],
AC_DEFINE(USE_INT64,1,[enable use of 64-bit integers]))
AC_ARG_ENABLE(activemapping,
[ --enable-activemapping enable active mapping processing],
AC_DEFINE(ACTIVE_MAPPING,,[Enable active mapping processing]))
AC_ARG_ENABLE(expire-dfa-states,
[ --enable-expire-dfa-states enable DFA state expiration],
AC_DEFINE(EXPIRE_DFA_STATES,,[Enable DFA state expiration]))
AC_ARG_ENABLE(debug,
[ --enable-debug no compiler optimizations],
debug="yes"
V_CCOPT="-g -DDEBUG"
CFLAGS="-DDEBUG `echo $CFLAGS | sed -e 's/-O2//'`"
CPPFLAGS="-DDEBUG `echo $CPPFLAGS | sed -e 's/-O2//'`"
CXXFLAGS="-DDEBUG `echo $CXXFLAGS | sed -e 's/-O2//'`",
debug="no")
AC_ARG_ENABLE(select-loop,
[ --disable-select-loop disable select-based main loop],
check_select_loop=no,
check_select_loop=yes)
AC_ARG_ENABLE(perftools,
[ --enable-perftools use Google's perftools],
use_perftools=yes,
use_perftools=no)
AC_ARG_WITH(openssl,
[ --with-openssl=PATH path to OpenSSL (needed for SSL analyzer and secure communication)],
if test "$withval" != "no" -a "$withval" != "NO"; then
use_openssl=yes
OPENSSL="$withval"
LDFLAGS="${LDFLAGS} -L${OPENSSL}/lib "
V_INCLS="${V_INCLS} -I${OPENSSL}/include"
CXXFLAGS="${CXXFLAGS} -I${OPENSSL}/include"
else
use_openssl=no
fi
)
AC_ARG_ENABLE(shippedpcap,
[ --enable-shippedpcap use the shipped version of libpcap ],
[ if test "$enableval" = yes; then
use_shippedpcap=yes
else
use_shippedpcap=no
fi ],
[ use_shippedpcap=no ])
AC_ARG_WITH(perl, [ --with-perl=PATH path/name of the Perl interpreter],
PERL=$withval, PERL=${PERL:-})
AC_ARG_WITH(dag,
[ --with-dag=PATH path to the DAG library (for native support for Endace Tech.'s DAG monitoring cards)],
if test "$withval" != "no" -a "$withval" != "NO"; then
use_dag=yes
DAGPATH="$withval"
LDFLAGS="${LDFLAGS} -L${DAGPATH}/lib "
V_INCLS="${V_INCLS} -I${DAGPATH}/include"
else
use_dag=no
fi
)
AC_ARG_WITH(binpac,
[ --with-binpac=PATH path to a binpac executable for compiling analyzer code],
BINPAC="$withval")
AC_ARG_ENABLE(nbdns,
AC_HELP_STRING([--disable-nbdns], [Disable non-blocking DNS support]),
nbdns="no", nbdns="yes")
AC_LBL_ENABLE_CHECK([activemapping binpac broccoli brov6 debug \
expire-dfa-states gtk-doc int64 openssl perftools perl \
select-loop shippedpcap broctl cluster nbdns])
dnl ################################################
dnl # Writing around broken autoconf
dnl ################################################
dnl It seems that AC_CHECK_HEADER defines a bash function called
dnl ac_fn_c_check_header_compile in the output when it is first
dnl encountered. While in general a neat idea, this fails, if the
dnl first use of AC_CHECK_HEADER is in an if/else clause. In this
dnl case the function's scope is limited to the enclosing if/els
dnl block and later calls to the function fail (more or less silently)
dnl Solution: we just place a phony AC_CHECK_HEADER call here.
AC_CHECK_HEADER([stdio.h])
AC_CHECK_HEADERS([stdio.h stdio.h])
dnl ################################################
dnl # OpenSSL
dnl ################################################
if test "$use_openssl" != "no" -a "$use_openssl" != "NO"; then
saved_libs="${LIBS}"
AC_CHECK_LIB(crypto, OPENSSL_add_all_algorithms_conf,
LIBS="${LDFLAGS} -lcrypto"
AC_CHECK_LIB(ssl, SSL_new,, AC_MSG_ERROR([Can't find SSL library]))
LIBS="${LDFLAGS} -lssl"
use_openssl=yes,
use_openssl=no
)
LIBS="${saved_libs}"
else
use_openssl=no
fi
if test "$use_openssl" != "no"; then
saved_cflags="${CFLAGS}"
CFLAGS="${CFLAGS} -I${OPENSSL}/include"
AC_CHECK_DECL(OPENSSL_add_all_algorithms_conf,,
use_openssl=no,
[#include <openssl/evp.h>])
CFLAGS="${saved_cflags}"
fi
if test "$use_openssl" = "yes"; then
# On Red Hat we may need to include Kerberos header.
# (CHECK_HEADER doesn't work here)
saved_cflags="${CFLAGS}"
CFLAGS="${CFLAGS} -I${OPENSSL}/include"
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[#include <openssl/ssl.h>]])],,
CFLAGS="${CFLAGS} -I/usr/kerberos/include"
AC_CHECK_HEADER([krb5.h],
V_INCLS="${V_INCLS} -I/usr/kerberos/include"
AC_DEFINE(NEED_KRB5_H,,[Include krb5.h]),
use_openssl=no
AC_MSG_WARN([Can't compile OpenSSL test; disabling OpenSSL.]);
,
[#include <krb5.h>
#include <openssl/ssl.h>]
)
CFLAGS="${saved_cflags}"
)
fi
# Check for version >= 0.9.7
if test "$use_openssl" = "yes"; then
saved_libs="${LIBS}"
LIBS="${LIBS} -lssl -lcrypto"
AC_MSG_CHECKING([for OpenSSL >= 0.9.7])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <openssl/evp.h>]], [[OPENSSL_add_all_algorithms_conf();]])],
AC_MSG_RESULT(yes)
use_openssl=yes,
AC_MSG_RESULT(no)
use_openssl=no)
LIBS="${saved_libs}"
fi
AM_CONDITIONAL(USE_OPENSSL, false)
if test "$use_openssl" = "yes"; then
AM_CONDITIONAL(USE_OPENSSL, true)
AC_DEFINE(USE_OPENSSL,,[Use OpenSSL])
LIBS="${LIBS} -lssl -lcrypto"
fi
# A test to see whether d2i_X509() uses const for the u_char**
# argument. Since one cannot just cast a u_char** to a const one
# (http://parashift.com/c++-faq-lite/const-correctness.html#faq-18.17)
# we test and then force a u_char** cast only when needed.
#
if test "$use_openssl" = "yes"; then
AC_MSG_CHECKING([whether d2i_X509() uses a const unsigned char**])
AC_LANG_PUSH([C++])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[#include <openssl/x509.h>]],
[[const unsigned char** cpp = 0;
X509** x = 0; d2i_X509(x, cpp, 0);]])],
AC_DEFINE(OPENSSL_D2I_X509_USES_CONST_CHAR,,[d2i_x509 uses const char**])
AC_MSG_RESULT(yes),
AC_MSG_RESULT(no))
AC_LANG_POP([C++])
fi
# do we use ssl?
AM_CONDITIONAL(USE_SSL, test "$use_openssl" = "yes")
dnl ################################################
dnl # Check for Perl executable
dnl ################################################
if test -n "$PERL"; then
if echo "$PERL" | grep '^/' >/dev/null; then
AC_MSG_CHECKING(for $PERL)
if test -s "$PERL"; then
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
PERL='none'
fi
else
find_perl="$PERL"
PERL=''
fi
fi
dnl if there is no perl, go find one!
if test -z "$PERL"; then
AC_PATH_PROGS(PERL,perl5 perl,,/usr/local/bin:/opt/local/bin:/usr/bin::.)
fi
dnl if we still can't find it, warn them
if test -z "$PERL"; then
AC_MSG_WARN([Cannot find perl; please use --with-perl=/path/to/perl option.])
else
dnl this seems backwards to me .....? but works
if ${PERL} -e 'exit ($] >= 5.006001)' > /dev/null 2>&1; then
AC_MSG_WARN([Bad perl version, need perl 5.6.1 or higher.; please use --with-perl=/path/to/perl option.])
fi
fi
AC_SUBST(PERL)
dnl ################################################
dnl # Check for chown binary
dnl ################################################
AC_PATH_PROG(CHOWN, chown, ,
[/usr/sbin:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin])
AC_SUBST(CHOWN)
dnl ################################################
dnl # OS-specific hacks and tweaks
dnl ################################################
AC_LBL_DEVEL(V_CCOPT)
AM_CONDITIONAL(USE_NMALLOC, false)
dnl Our resolver tests below include an absolute libray location.
dnl This is its default, it may be changed for some OSs.
bro_absolute_libresolv="/usr/lib/libresolv.a"
case "$target_os" in
freebsd*)
# alternate malloc is faster for FreeBSD, but needs more testing
# need to add way to set this from the command line
AM_CONDITIONAL(USE_NMALLOC, true)
;;
darwin*)
AC_MSG_CHECKING([if we need to include arpa/nameser_compat.h])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <arpa/nameser.h>]], [[HEADER *hdr; int d = NS_IN6ADDRSZ;]])], bro_ns_header_defined=yes, bro_ns_header_defined=no)
# if the header is found, we don't need compatibility
if test "x$bro_ns_header_defined" = xyes; then
AC_MSG_RESULT(no)
else
AC_DEFINE(NEED_NAMESER_COMPAT_H,,[Compatibility for Darwin])
AC_MSG_RESULT(yes)
fi
# Support for MacPorts and Fink package-management.
test -d /opt/local/lib && LDFLAGS="${LDFLAGS} -L/opt/local/lib"
test -d /sw/lib && LDFLAGS="${LDFLAGS} -L/sw/lib"
V_INCLS="${V_INCLS} -I/opt/local/include -I/sw/include"
CXXFLAGS="${CXXFLAGS} -I/opt/local/include -I/sw/include"
;;
openbsd*)
AM_CONDITIONAL(USE_NMALLOC, true)
AC_DEFINE(HAVE_OPENBSD,,[We are on a OpenBSD system])
LDFLAGS="${LDFLAGS} -L/usr/local/lib"
V_INCLS="${V_INCLS} -I/usr/local/include"
CXXFLAGS="${CXXFLAGS} -I/usr/local/include"
;;
linux*)
V_INCLS="$V_INCLS -I\${top_srcdir}/linux-include"
AC_DEFINE(HAVE_LINUX,,[We are on a Linux system])
AC_MSG_CHECKING(Linux kernel version)
AC_CACHE_VAL(ac_cv_linux_vers,
ac_cv_linux_vers=`uname -r 2>&1 | \
sed -n -e '$s/.* //' -e '$s/\..*//p'`)
AC_MSG_RESULT($ac_cv_linux_vers)
if test $ac_cv_linux_vers -lt 2 ; then
AC_MSG_ERROR(version 2 or higher required; see the INSTALL doc for more info)
fi
if test "a$build_cpu" = "ax86_64"; then
bro_absolute_libresolv="/usr/lib64/libresolv.a"
fi
;;
solaris*)
LIBS="${LIBS} -lnsl -lsocket"
;;
osf*)
dnl Workaround around ip_hl vs. ip_vhl problem in netinet/ip.h
V_CCOPT="$V_CCOPT -D__STDC__=2"
esac
dnl ################################################
dnl # Enable large file support for all platforms.
dnl # Can be disabled with --disable-largefile
dnl ################################################
AC_SYS_LARGEFILE
dnl ################################################
dnl # Checks for types and header files.
dnl ################################################
AC_HEADER_STDC
AC_LBL_TYPE_SIGNAL
AC_LBL_CHECK_TYPE(int32_t, int)
AC_LBL_CHECK_TYPE(u_int32_t, u_int)
AC_LBL_CHECK_TYPE(u_int16_t, u_short)
AC_LBL_CHECK_TYPE(u_int8_t, u_char)
AC_HEADER_TIME
AC_CHECK_HEADERS([memory.h netinet/in.h socket.h getopt.h])
AC_CHECK_HEADERS([net/ethernet.h netinet/ether.h netinet/if_ether.h sys/ethernet.h],,,
[#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/if.h>])
AC_CHECK_HEADERS([netinet/ip6.h],,,
[#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <net/if.h>])
AC_DEFUN([AC_C_SOCKLEN_T],
[AC_CACHE_CHECK(for socklen_t, ac_cv_c_socklen_t,
[
AC_TRY_COMPILE([
#include <sys/types.h>
#include <sys/socket.h>
],[
socklen_t foo;
],[
ac_cv_c_socklen_t=yes
],[
ac_cv_c_socklen_t=no
])
])
if test $ac_cv_c_socklen_t = no; then
AC_DEFINE(socklen_t, int, [define to int if socklen_t not available])
fi
])
AC_C_SOCKLEN_T
AC_BRO_SYSLOG_INT
AC_BRO_SOCK_DECL
dnl ################################################
dnl # PCAP stuff.
dnl ################################################
# ensure we are either YES or NO
if test "$use_shippedpcap" = "no" ; then
pcap_local="NO"
pcapmsg="system-provided"
AM_CONDITIONAL(USE_LOCALPCAP, false)
else
pcap_local="YES"
pcapmsg="shipped with Bro"
AM_CONDITIONAL(USE_LOCALPCAP, true)
fi
# if not using local version, find one on the system
if test "$pcap_local" = "NO"; then
AC_LBL_LIBPCAP(V_PCAPDEP, V_INCLS)
CPPFLAGS="$CPPFLAGS $V_INCLS"
AC_CHECK_HEADERS(pcap-int.h)
AC_CHECK_FUNCS(bpf_set_bufsize)
dnl ################################################
dnl # Check whether pcap provides pcap_version
dnl ################################################
AC_MSG_CHECKING([for pcap_version in libpcap])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([extern char pcap_version[];], [puts(pcap_version);])],
AC_MSG_RESULT(yes)
AC_DEFINE(PCAP_VERSION_STRING,,[Have a version string in libpcap]),
AC_MSG_RESULT(no))
dnl ################################################
dnl # Check whether linking to pcap works
dnl ################################################
AC_CHECK_LIB(pcap, main, , AC_MSG_ERROR([Bro requires pcap - install from aux/ if necessary.]))
else
# we have to define the abilites of the local pcap
# as it hasn't been unpacked/configured/installed
# yet and we can't query it.
AC_DEFINE(HAVE_PCAP_INT_H, 1, [Define to 1 if you have the <pcap-int.h> header file.])
AC_DEFINE(HAVE_BPF_SET_BUFSIZE, 0, [Define to 1 if you have the bpf_set_bufsize function.])
AC_DEFINE(PCAP_VERSION_STRING, 1, [Have a version string in libpcap])
AC_DEFINE(HAVE_LIBPCAP, 1, [Define to 1 if you have the pcap library (-lpcap).])
fi
dnl AC_CHECK_HEADERS(pcap-int.h)
dnl AC_CHECK_FUNCS(bpf_set_bufsize)
dnl ################################################
dnl # STL compatibility tests.
dnl ################################################
dnl # Whether basic_string<> requires additional
dnl # definitions for char_traits. In that case, we
dnl # fall back to vector.
dnl #
AC_MSG_CHECKING([if char_traits defines all methods])
AC_LANG_PUSH([C++])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <string>
using namespace std;
class Foo { };
]], [[
char_traits<Foo*> foo;
Foo f;
Foo *fp;
foo.assign(&fp, 10, &f);]])],
AC_MSG_RESULT([yes])
basic_string_works=yes,
AC_MSG_RESULT([no])
basic_string_works=no
AC_DEFINE(BASIC_STRING_BROKEN,,[basic_string not usable with non-char template arg]))
AC_LANG_POP([C++])
dnl ################################################
dnl # Include the Broccoli tree in aux/broccoli in
dnl # the setup, unless specifically disabled.
dnl ################################################
AC_ARG_ENABLE(broccoli,
AC_HELP_STRING([--disable-broccoli], [Do not build/package Broccoli]),
broccoli="no", broccoli="yes")
AM_CONDITIONAL(USE_BROCCOLI, test "x$broccoli" = xyes)
if test "x$broccoli" = xyes; then
AC_CONFIG_SUBDIRS(aux/broccoli)
fi
dnl ################################################
dnl # Include the broctl tree in aux/broctl into
dnl # the setup, unless specifically disabled.
dnl # Per default, we configure it in standalone mode;
dnl # if --enable-cluster is given, we switch to
dnl # cluster mode.
dnl ################################################
AC_ARG_ENABLE(broctl,
AC_HELP_STRING([--disable-broctl], [Do not build/package broctl framework]),
broctl=$enableval, broctl="yes")
AC_ARG_ENABLE(cluster,
AC_HELP_STRING([--enable-cluster], [Configure broctl for cluster usage]),
cluster=$enableval, cluster="no")
dnl ################################################
dnl # Include the Binpac tree in aux/binpac in the
dnl # build, unless the user selected another binpac
dnl # via --with-binpac=.
dnl ################################################
if test "$BINPAC" = ""; then
AC_CONFIG_SUBDIRS(aux/binpac)
BINPAC="\${top_builddir}/aux/binpac/src/binpac"
binpacmsg="shipped with Bro"
else # Check (somewhat) whether the binpac given is valid
AC_MSG_CHECKING([whether given binpac is executable])
if test -x "$BINPAC"; then
AC_MSG_RESULT(yes)
else
AC_MSG_RESULT(no)
echo "Please check whether $BINPAC is correct."
exit 1
fi
binpacmsg="$BINPAC"
fi
AC_SUBST(BINPAC)
dnl ################################################
dnl # DNS resolver checks.
dnl ################################################
dnl
dnl Check whether our arpa/nameser.h provides type ns_msg.
dnl If not, we disable nonblocking DNS lookups.
dnl We assume worst case first and improve on it below.
AM_CONDITIONAL(USE_NBDNS, false)
dnl Add potential header locations to path
if test -d /usr/local/include/bind; then
CFLAGS="$CFLAGS -I/usr/local/include/bind"
fi
AC_CHECK_TYPE(ns_msg, bro_check_nb_dns=yes, bro_check_nb_dns=no, [#include <arpa/nameser.h>])
if test $bro_check_nb_dns = no; then
AC_MSG_NOTICE([Nonblocking DNS disabled.])
use_nb_dns=no
else
dnl We will check for ns_initparse and res_mkquery using a number
dnl of resolver library variations, a list of which we build up now.
bro_resolver_options="none -lresolv ${bro_absolute_libresolv} -lbind"
save_cflags="$CFLAGS"
save_ldflags="$LDFLAGS"
save_libs="$LIBS"
dnl Okay now try to link both symbols with each of the resolver
dnl location variants. As soon as one works, we're happy.
for res in $bro_resolver_options; do
AC_MSG_CHECKING([for ns_inittab/res_mkquery with resolver '$res'])
dnl "none" just means "try without any additional flags".
if test "$res" = "none"; then
res=""
fi
CFLAGS="${save_cflags}"
LDFLAGS="${save_ldflags}"
LIBS="${save_libs} $res"
dnl In the generic -lbind case, we check for the existence
dnl of a number of directories and add them to the relevant
dnl paths.
dnl
if test "$res" = "-lbind"; then
if test -d /usr/local/bind/lib; then
LDFLAGS="$LDFLAGS -L/usr/local/bind/lib"
fi
if test -d /usr/local/lib; then
LDFLAGS="$LDFLAGS -L/usr/local/lib"
fi
fi
bro_ns_initparse_works=no
bro_res_mkquery_works=no
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <arpa/nameser.h>]],
[[ns_initparse(0,0,0);]])],
bro_ns_initparse_works=yes)
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>]],
[[int (*p)() = res_mkquery]])], bro_res_mkquery_works=yes)
if test $bro_ns_initparse_works = yes && test $bro_res_mkquery_works = yes && test $nbdns = yes; then
AC_MSG_RESULT(yes)
AC_MSG_NOTICE([Nonblocking DNS enabled.])
dnl Make sure that nb_dns.o is linked in.
NBDNS="nb_dns.o"
AC_SUBST(NBDNS)
AM_CONDITIONAL(USE_NBDNS, true)
AC_DEFINE(HAVE_NB_DNS,,[async dns support])
use_nb_dns=yes
break
else
AC_MSG_RESULT(no)
fi
done
if test "x$NBDNS" != "xnb_dns.o"; then
AC_MSG_NOTICE([Nonblocking DNS disabled.])
use_nb_dns=no
CFLAGS="${save_cflags}"
LDFLAGS="${save_ldflags}"
LIBS="${save_libs}"
fi
fi
dnl ################################################
dnl # Checks for library functions.
dnl ################################################
AC_FUNC_MEMCMP
AC_FUNC_STRFTIME
AC_CHECK_FUNCS(strerror strsep strcasestr mallinfo getopt_long)
AC_SEARCH_LIBS(inet_aton, resolv)
# We use deflatePrime() to make sure that zlib is recent enough.
AC_CHECK_LIB(z, deflatePrime)
# Libmagic
have_libmagic=yes
AC_CHECK_HEADERS([magic.h],,have_libmagic=no)
AC_CHECK_LIB(magic,magic_open,,have_libmagic=no)
# Libclamav
# have_libclamav=yes
# AC_CHECK_HEADERS([clamav.h],,have_libclamav=no)
# AC_CHECK_LIB(clamav,cl_retdbdir,,have_libclamav=no)
# Libclamav is broken because of changed API.
have_libclamav=no
if test "$have_libclamav" = "yes"; then
AC_DEFINE(USE_LIBCLAMAV,,[Use libclamav])
fi
# LibGeoIP
have_libgeoip=yes
AC_CHECK_HEADERS([GeoIPCity.h],,have_libgeoip=no)
if test "$have_libgeoip" = "yes"; then
AC_CHECK_LIB(GeoIP,GeoIP_open_type,,have_libgeoip=no)
fi
if test "$have_libgeoip" = "yes"; then
AC_DEFINE(USE_GEOIP,,[GeoIP geographic lookup functionality])
fi
dnl ################################################
dnl # Terminal library support
dnl ################################################
bro_have_termlibrary=no
dnl 1) Check if termcap is available
AC_CHECK_LIB(termcap, tgetnum,
[AC_CHECK_HEADERS([termcap.h term.h],
LIBS="${LIBS} -ltermcap"
bro_have_termlibrary=yes)])
dnl 2) Check if curses is available instaed
if test "$bro_have_termlibrary" = no; then
AC_CHECK_LIB(curses, tgetnum,
[AC_CHECK_HEADERS([curses.h term.h],
LIBS="${LIBS} -lcurses"
bro_have_termlibrary=yes)])
fi
dnl 3) Check for ncurses as a final resort
if test "$bro_have_termlibrary" = no; then
AC_CHECK_LIB(ncurses, tgetnum,
[AC_CHECK_HEADERS([ncurses.h curses.h term.h],
LIBS="${LIBS} -lncurses"
bro_have_termlibrary=yes)])
fi
if test "$bro_have_termlibrary" != yes; then
AC_MSG_RESULT(no)
AC_MSG_ERROR([No terminal emulation library found! Consider installing termcap, curses, or ncurses.])
else
AC_MSG_RESULT(yes)
fi
dnl Check whether we have readline and history libraries
AC_CHECK_HEADER([readline/readline.h], bro_readline=yes)
AC_CHECK_HEADER([readline/history.h], bro_history=yes)
AC_CHECK_LIB(readline, using_history,, bro_libreadline=no)
if test "$bro_history" = yes; then
AC_CHECK_MEMBER([HISTORY_STATE.entries],
[bro_history_entries=yes], [],
[#include <stdio.h>
#include <readline/history.h>])
fi
if test "$bro_readline" = yes -a \
"$bro_history" = yes -a \
"$bro_libreadline" != no -a \
"$bro_history_entries" = yes; then
AC_DEFINE(HAVE_READLINE,1,[line editing & history powers])
fi
AC_C_BIGENDIAN(
AC_DEFINE(WORDS_BIGENDIAN,1,[whether words are stored with the most significant byte first])
dnl This is intentionally named differently so as to not collide with WORDS_BIGENDIAN
HOST_BIGENDIAN="#define HOST_BIGENDIAN 1"
AC_SUBST(HOST_BIGENDIAN))
AC_CHECK_TYPES([union semun, struct sembuf],[],[],
[#include <sys/types.h>
#include <sys/sem.h>
])
# see if we have sin_len
AC_CHECK_MEMBER(struct sockaddr_in.sin_len,
[AC_DEFINE(SIN_LEN,,[have sin_len field in sockaddr_in])],,
[
#if HAVE_SYS_TYPES_H
# include <sys/types.h>
#endif
#if HAVE_SYS_SOCKET_H
# include <sys/socket.h>
#endif
#if HAVE_NETINET_IN_H
# include <netinet/in.h>
#endif
])
AC_CHECK_SIZEOF(long long)
AC_CHECK_SIZEOF(long int)
AC_CHECK_SIZEOF(void *)
# Per default we do not use the select-based main loop. We activate it only if
# (i) the user requests it
# (ii) we know the OS to support selectable pcap fds
use_select_loop=no
if test $check_select_loop = yes; then
case "$target_os" in
linux*)
# Linux should support selectable at least since 2.2 (not sure
# about earlier versions)
AC_MSG_CHECKING(Linux kernel version support selectable fds)
AC_CACHE_VAL(ac_cv_linux_major_vers,
ac_cv_linux_major_vers=`uname -r 2>&1 | \
sed 's/-.*$//g' | awk -v FS='.' '{print $1}'`)
AC_CACHE_VAL(ac_cv_linux_minor_vers,
ac_cv_linux_minor_vers=`uname -r 2>&1 | \
sed 's/-.*$//g' | awk -v FS='.' '{print $2}'`)
linux_version=`expr $ac_cv_linux_major_vers '*' 10 '+' $ac_cv_linux_minor_vers`
if test $linux_version -gt 21; then
use_select_loop=yes
AC_MSG_RESULT($ac_cv_linux_major_vers.$ac_cv_linux_minor_vers is ok)
else
AC_MSG_RESULT($ac_cv_linux_major_vers.$ac_cv_linux_minor_vers is too old)
fi
;;
freebsd*)
# FreeBSD supports selectable fds correctly since 4.6.
AC_MSG_CHECKING(FreeBSD kernel version support selectable fds)
AC_CACHE_VAL(ac_cv_freebsd_major_vers,
ac_cv_freebsd_major_vers=`uname -r 2>&1 | \
sed 's/-.*$//g' | awk -v FS='.' '{print $1}'`)
AC_CACHE_VAL(ac_cv_freebsd_minor_vers,
ac_cv_freebsd_minor_vers=`uname -r 2>&1 | \
sed 's/-.*$//g' | awk -v FS='.' '{print $2}'`)
freebsd_version=`expr $ac_cv_freebsd_major_vers '*' 10 '+' $ac_cv_freebsd_minor_vers`
if test $freebsd_version -gt 45; then
use_select_loop=yes
AC_MSG_RESULT($ac_cv_freebsd_major_vers.$ac_cv_freebsd_minor_vers is ok)
else
AC_MSG_RESULT($ac_cv_freebsd_major_vers X $ac_cv_freebsd_minor_vers is too old)
fi
;;
esac
fi
if test "$use_select_loop" = "yes"; then
AC_DEFINE(USE_SELECT_LOOP,,[Use select-based main loop])
fi
dnl ################################################
dnl # Endace DAG support
dnl ################################################
if test "$use_dag" != "no" -a "$use_dag" != "NO"; then
AC_CHECK_LIB(dag, dag_open, use_dag=yes, use_dag=no)
AC_CHECK_HEADER(pcap.h,,use_dag=no)
if test "$use_dag" = "yes"; then
AC_DEFINE(USE_DAG,,[Include Endace DAG support])
LIBS="${LIBS} -ldag"
AC_SUBST(WANT_DAG_OBJ, "\$(DAG_OBJ)")
else
AC_SUBST(WANT_DAG_OBJ, "")
fi
else
use_dag=no
fi
dnl ################################################
dnl # If configured with --enable-perftools, look for
dnl # Google's perftools to do heap checking.
dnl ################################################
if test "$use_perftools" != "no" -a "$use_perftools" != "NO"; then
AC_LANG_PUSH(C++)
saved_libs="${LIBS}"
LIBS="${LIBS} -ltcmalloc -lpthread"
AC_TRY_LINK([#include <google/heap-checker.h>],
[HeapLeakChecker heap_checker("test");],
[use_perftools="yes"],[use_perftools="no"])
LIBS="${saved_libs}"
AC_LANG_POP([C++])
if test "$use_perftools" = "yes"; then
AC_DEFINE(USE_PERFTOOLS,,[Use Google's perftools])
LIBS="${LIBS} -ltcmalloc -lpthread"
fi
fi
###############################
# Configure broctl.
###############################
# Need Python >= 2.4.
have_python=no
AC_PATH_TOOL(pybin, python, "")
if test "x$pybin" != x -a "x$broctl" = xyes; then
AC_MSG_CHECKING([for Python >= 2.4])
AC_CACHE_VAL(ac_cv_python_major_vers,
ac_cv_python_major_vers=`python -V 2>&1 | \
sed 's/^Python //g' | awk -v FS='.' '{print $1}'`)
AC_CACHE_VAL(ac_cv_python_minor_vers,
ac_cv_python_minor_vers=`python -V 2>&1 | \
sed 's/^Python //g' | awk -v FS='.' '{print $2}'`)
pyversion=`expr $ac_cv_python_major_vers '*' 10 '+' $ac_cv_python_minor_vers`
if test $pyversion -ge 24; then
AC_MSG_RESULT([yes])
have_python=yes
fi
AC_CHECK_PROG(have_python, python-config, $have_python, no)
if test "x$have_python" != xyes; then
AC_MSG_RESULT([no, disabling broctl])
fi
fi
if test "x$have_python" != xyes; then
broctl=no
fi
AM_CONDITIONAL(USE_BROCTL, test "x$broctl" = xyes)
if test "x$broctl" = xyes; then
if test "x$cluster" = xno; then
standalone="--standalone"
fi
echo "=== configuring in aux/broctl"
test -d aux || mkdir aux
test -d aux/broctl || mkdir aux/broctl
${srcdir}/aux/broctl/configure --prefix=${prefix} --builddir=`pwd`/aux/broctl --brodist=${srcdir} ${standalone}
AC_CONFIG_SUBDIRS([aux/broctl/aux/capstats])
fi
if test "$use_xqilla" = "yes"; then
LIBS="${LIBS} -lxqilla"
fi
# grab the hostname
BROHOST=`hostname 2>/dev/null` || `uname -n 2>/dev/null`
AC_SUBST(BROHOST)
dnl Setup pcap path just before creating files, this way tests won't fail
dnl with 'can't find libpcap' when we use the local pcap which hasn't
dnl been unpacked yet
if test "$pcap_local" = "YES"; then
LIBS="-L\${top_srcdir}/aux/libpcap-0.9.8 -lpcap $LIBS"
V_INCLS="$V_INCLS -I\${top_builddir}/aux/libpcap-0.9.8"
fi
AC_SUBST(V_CCOPT)
AC_SUBST(V_INCLS)
AC_SUBST(LDFLAGS)
dnl AC_SUBST(V_PCAPDEP) dnl (libpcap dependancies -- not used)
AC_OUTPUT([Makefile
src/Makefile
doc/Makefile
doc/ref-manual/Makefile
doc/quick-start/Makefile
doc/user-manual/Makefile
aux/adtrace/Makefile
aux/cf/Makefile
aux/hf/Makefile
aux/nftools/Makefile
aux/scripts/Makefile
aux/bdcat/Makefile
aux/rst/Makefile
aux/Makefile
policy/Makefile
policy/sigs/Makefile
policy/time-machine/Makefile
scripts/Makefile
scripts/bro_config
scripts/bro.rc
scripts/localnetMAC.pl
scripts/s2b/Makefile
scripts/s2b/bro-include/Makefile
scripts/s2b/example_bro_files/Makefile
scripts/s2b/etc/Makefile
scripts/s2b/bin/Makefile
scripts/s2b/pm/Makefile
scripts/s2b/snort_rules2.2/Makefile
],
[chmod +x scripts/bro_config
chmod +x scripts/localnetMAC.pl]
)
if test "$use_openssl" != "yes"; then
OPENSSL=""
#else
# AC_OUTPUT(aux/bdcat/Makefile)
fi
echo
echo " "${BLD_ON}"Bro Configuration Summary"${BLD_OFF}
echo "=========================================================="
echo
echo " - Debugging enabled: "${BLD_ON}$debug${BLD_OFF}
echo " - OpenSSL support: "${BLD_ON}$use_openssl $OPENSSL${BLD_OFF}
echo " - Non-blocking main loop: "${BLD_ON}$use_select_loop${BLD_OFF}
echo " - Non-blocking resolver: "${BLD_ON}$use_nb_dns${BLD_OFF}
echo " - Installation prefix: "${BLD_ON}$prefix${BLD_OFF}
echo " - Perl interpreter: "${BLD_ON}$PERL${BLD_OFF}
echo " - Using basic_string: "${BLD_ON}$basic_string_works${BLD_OFF}
echo " - Using libmagic: "${BLD_ON}$have_libmagic${BLD_OFF}
# echo " - Using libclamav: "${BLD_ON}$have_libclamav${BLD_OFF}
echo " - Using perftools: "${BLD_ON}$use_perftools${BLD_OFF}
echo " - Binpac used: "${BLD_ON}$binpacmsg${BLD_OFF}
echo " - Using libGeoIP: "${BLD_ON}$have_libgeoip${BLD_OFF}
echo " - Enabled broctl: "${BLD_ON}$broctl${BLD_OFF}
echo " - Enabled cluster: "${BLD_ON}$cluster${BLD_OFF}
echo " - Pcap used: "${BLD_ON}$pcapmsg${BLD_OFF}
echo
exit 0
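Review bot: this hunk drops the whole autotools configuration while the diff shows no CMake counterpart, so please confirm the new build re-creates the probes that still matter and not only the options CHANGES lists as removed: the resolver detection (the `ns_msg` type check, the ns_initparse/res_mkquery link tests across `-lresolv`/`-lbind`, and HAVE_NB_DNS), the libmagic, libGeoIP, readline/history and perftools checks, the `union semun`/`sin_len` member probes and sizeof checks, and the `char_traits` STL probe behind BASIC_STRING_BROKEN. Two things in the removed text should not be ported verbatim: `BROHOST=`hostname 2>/dev/null` || `uname -n 2>/dev/null`` executes the output of `uname -n` as a command instead of assigning it when `hostname` fails, and the `pcap_local` branch links a vendored `aux/libpcap-0.9.8` and hard-codes HAVE_BPF_SET_BUFSIZE to 0 (its own comment says 1 means present) and PCAP_VERSION_STRING to 1 instead of probing them; the CMake side should look up a system libpcap and test these properly.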

526
depcomp
View file

@ -1,526 +0,0 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
scriptversion=2004-04-25.13
# Copyright (C) 1999, 2000, 2003, 2004 Free Software Foundation, Inc.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.
# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
# Originally written by Alexandre Oliva <oliva@dcc.unicamp.br>.
case $1 in
'')
echo "$0: No command. Try \`$0 --help' for more information." 1>&2
exit 1;
;;
-h | --h*)
cat <<\EOF
Usage: depcomp [--help] [--version] PROGRAM [ARGS]
Run PROGRAMS ARGS to compile a file, generating dependencies
as side-effects.
Environment variables:
depmode Dependency tracking mode.
source Source file read by `PROGRAMS ARGS'.
object Object file output by `PROGRAMS ARGS'.
depfile Dependency file to output.
tmpdepfile Temporary file to use when outputing dependencies.
libtool Whether libtool is used (yes/no).
Report bugs to <bug-automake@gnu.org>.
EOF
exit 0
;;
-v | --v*)
echo "depcomp $scriptversion"
exit 0
;;
esac
if test -z "$depmode" || test -z "$source" || test -z "$object"; then
echo "depcomp: Variables source, object and depmode must be set" 1>&2
exit 1
fi
# `libtool' can also be set to `yes' or `no'.
if test -z "$depfile"; then
base=`echo "$object" | sed -e 's,^.*/,,' -e 's,\.\([^.]*\)$,.P\1,'`
dir=`echo "$object" | sed 's,/.*$,/,'`
if test "$dir" = "$object"; then
dir=
fi
# FIXME: should be _deps on DOS.
depfile="$dir.deps/$base"
fi
tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
rm -f "$tmpdepfile"
# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
# here, because this file can only contain one case statement.
if test "$depmode" = hp; then
# HP compiler uses -M and no extra arg.
gccflag=-M
depmode=gcc
fi
if test "$depmode" = dashXmstdout; then
# This is just like dashmstdout with a different argument.
dashmflag=-xM
depmode=dashmstdout
fi
case "$depmode" in
gcc3)
## gcc 3 implements dependency tracking that does exactly what
## we want. Yay! Note: for some reason libtool 1.4 doesn't like
## it if -MD -MP comes after the -MF stuff. Hmm.
"$@" -MT "$object" -MD -MP -MF "$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
mv "$tmpdepfile" "$depfile"
;;
gcc)
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
## -MM, not -M (despite what the docs say).
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
gccflag=-MD,
fi
"$@" -Wp,"$gccflag$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
echo "$object : \\" > "$depfile"
alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
## The second -e expression handles DOS-style file names with drive letters.
sed -e 's/^[^:]*: / /' \
-e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile"
## This next piece of magic avoids the `deleted header file' problem.
## The problem is that when a header file which appears in a .P file
## is deleted, the dependency causes make to die (because there is
## typically no way to rebuild the header). We avoid this by adding
## dummy dependencies for each header file. Too bad gcc doesn't do
## this for us directly.
tr ' ' '
' < "$tmpdepfile" |
## Some versions of gcc put a space before the `:'. On the theory
## that the space means something, we add a space to the output as
## well.
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
hp)
# This case exists only to let depend.m4 do its work. It works by
# looking at the text of this script. This case will never be run,
# since it is checked for above.
exit 1
;;
sgi)
if test "$libtool" = yes; then
"$@" "-Wp,-MDupdate,$tmpdepfile"
else
"$@" -MDupdate "$tmpdepfile"
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files
echo "$object : \\" > "$depfile"
# Clip off the initial element (the dependent). Don't try to be
# clever and replace this with sed code, as IRIX sed won't handle
# lines with more than a fixed number of characters (4096 in
# IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines;
# the IRIX cc adds comments like `#:fec' to the end of the
# dependency line.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \
tr '
' ' ' >> $depfile
echo >> $depfile
# The second pass generates a dummy entry for each header file.
tr ' ' '
' < "$tmpdepfile" \
| sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \
>> $depfile
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
aix)
# The C for AIX Compiler uses -M and outputs the dependencies
# in a .u file. In older versions, this file always lives in the
# current directory. Also, the AIX compiler puts `$object:' at the
# start of each line; $object doesn't have directory information.
# Version 6 uses the directory in both cases.
stripped=`echo "$object" | sed 's/\(.*\)\..*$/\1/'`
tmpdepfile="$stripped.u"
if test "$libtool" = yes; then
"$@" -Wc,-M
else
"$@" -M
fi
stat=$?
if test -f "$tmpdepfile"; then :
else
stripped=`echo "$stripped" | sed 's,^.*/,,'`
tmpdepfile="$stripped.u"
fi
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
if test -f "$tmpdepfile"; then
outname="$stripped.o"
# Each line is of the form `foo.o: dependent.h'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed -e "s,^$outname:,$object :," < "$tmpdepfile" > "$depfile"
sed -e "s,^$outname: \(.*\)$,\1:," < "$tmpdepfile" >> "$depfile"
else
# The sourcefile does not contain any dependencies, so just
# store a dummy comment line, to avoid errors with the Makefile
# "include basename.Plo" scheme.
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
icc)
# Intel's C compiler understands `-MD -MF file'. However on
# icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c
# ICC 7.0 will fill foo.d with something like
# foo.o: sub/foo.c
# foo.o: sub/foo.h
# which is wrong. We want:
# sub/foo.o: sub/foo.c
# sub/foo.o: sub/foo.h
# sub/foo.c:
# sub/foo.h:
# ICC 7.1 will output
# foo.o: sub/foo.c sub/foo.h
# and will wrap long lines using \ :
# foo.o: sub/foo.c ... \
# sub/foo.h ... \
# ...
"$@" -MD -MF "$tmpdepfile"
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile"
exit $stat
fi
rm -f "$depfile"
# Each line is of the form `foo.o: dependent.h',
# or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
# Do two passes, one to just change these to
# `$object: dependent.h' and one to simply `dependent.h:'.
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
# Some versions of the HPUX 10.20 sed can't process this invocation
# correctly. Breaking it into two sed invocations is a workaround.
sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
tru64)
# The Tru64 compiler uses -MD to generate dependencies as a side
# effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'.
# At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put
# dependencies in `foo.d' instead, so we check for that too.
# Subdirectories are respected.
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
test "x$dir" = "x$object" && dir=
base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'`
if test "$libtool" = yes; then
# Dependencies are output in .lo.d with libtool 1.4.
# They are output in .o.d with libtool 1.5.
tmpdepfile1="$dir.libs/$base.lo.d"
tmpdepfile2="$dir.libs/$base.o.d"
tmpdepfile3="$dir.libs/$base.d"
"$@" -Wc,-MD
else
tmpdepfile1="$dir$base.o.d"
tmpdepfile2="$dir$base.d"
tmpdepfile3="$dir$base.d"
"$@" -MD
fi
stat=$?
if test $stat -eq 0; then :
else
rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3"
exit $stat
fi
if test -f "$tmpdepfile1"; then
tmpdepfile="$tmpdepfile1"
elif test -f "$tmpdepfile2"; then
tmpdepfile="$tmpdepfile2"
else
tmpdepfile="$tmpdepfile3"
fi
if test -f "$tmpdepfile"; then
sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile"
# That's a tab and a space in the [].
sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile"
else
echo "#dummy" > "$depfile"
fi
rm -f "$tmpdepfile"
;;
#nosideeffect)
# This comment above is used by automake to tell side-effect
# dependency tracking mechanisms from slower ones.
dashmstdout)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
IFS=" "
for arg
do
case $arg in
-o)
shift
;;
$object)
shift
;;
*)
set fnord "$@" "$arg"
shift # fnord
shift # $arg
;;
esac
done
test -z "$dashmflag" && dashmflag=-M
# Require at least two characters before searching for `:'
# in the target name. This is to cope with DOS-style filenames:
# a dependency such as `c:/foo/bar' could be seen as target `c' otherwise.
"$@" $dashmflag |
sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
tr ' ' '
' < "$tmpdepfile" | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
dashXmstdout)
# This case only exists to satisfy depend.m4. It is never actually
# run, as this mode is specially recognized in the preamble.
exit 1
;;
makedepend)
"$@" || exit $?
# Remove any Libtool call
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
shift
done
shift
fi
# X makedepend
shift
cleared=no
for arg in "$@"; do
case $cleared in
no)
set ""; shift
cleared=yes ;;
esac
case "$arg" in
-D*|-I*)
set fnord "$@" "$arg"; shift ;;
# Strip any option that makedepend may not understand. Remove
# the object too, otherwise makedepend will parse it as a source file.
-*|$object)
;;
*)
set fnord "$@" "$arg"; shift ;;
esac
done
obj_suffix="`echo $object | sed 's/^.*\././'`"
touch "$tmpdepfile"
${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@"
rm -f "$depfile"
cat < "$tmpdepfile" > "$depfile"
sed '1,2d' "$tmpdepfile" | tr ' ' '
' | \
## Some versions of the HPUX 10.20 sed can't process this invocation
## correctly. Breaking it into two sed invocations is a workaround.
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile"
rm -f "$tmpdepfile" "$tmpdepfile".bak
;;
cpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout.
"$@" || exit $?
# Remove the call to Libtool.
if test "$libtool" = yes; then
while test $1 != '--mode=compile'; do
shift
done
shift
fi
# Remove `-o $object'.
IFS=" "
for arg
do
case $arg in
-o)
shift
;;
$object)
shift
;;
*)
set fnord "$@" "$arg"
shift # fnord
shift # $arg
;;
esac
done
"$@" -E |
sed -n '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' |
sed '$ s: \\$::' > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
cat < "$tmpdepfile" >> "$depfile"
sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile"
rm -f "$tmpdepfile"
;;
msvisualcpp)
# Important note: in order to support this mode, a compiler *must*
# always write the preprocessed file to stdout, regardless of -o,
# because we must use -o when running libtool.
"$@" || exit $?
IFS=" "
for arg
do
case "$arg" in
"-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI")
set fnord "$@"
shift
shift
;;
*)
set fnord "$@" "$arg"
shift
shift
;;
esac
done
"$@" -E |
sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::echo "`cygpath -u \\"\1\\"`":p' | sort | uniq > "$tmpdepfile"
rm -f "$depfile"
echo "$object : \\" > "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile"
echo " " >> "$depfile"
. "$tmpdepfile" | sed 's% %\\ %g' | sed -n '/^\(.*\)$/ s::\1\::p' >> "$depfile"
rm -f "$tmpdepfile"
;;
none)
exec "$@"
;;
*)
echo "Unknown depmode $depmode" 1>&2
exit 1
;;
esac
exit 0
# Local Variables:
# mode: shell-script
# sh-indentation: 2
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-end: "$"
# End:
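Review bot: nothing project-specific is lost in this hunk; the file is the stock automake `depcomp` helper (scriptversion=2004-04-25.13, FSF copyright header, no local edits visible) that only the autotools build consumed, so removing it together with configure.in is consistent. If autotools helpers are ever regenerated locally again, keep them out of the tree via .gitignore rather than re-committing them.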

View file

@ -1,9 +0,0 @@
EXTRA_DIST = README.txt
SUBDIRS = ref-manual quick-start user-manual
doc:
@echo "Build Bro Documentation (html and pdf)"
for d in $(SUBDIRS); do \
( cd $$d && $(MAKE) $@ ); \
done
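Review bot: the `doc:` target removed here was the only thing that recursed into ref-manual, quick-start and user-manual, and those directories' Makefiles were also generated from the AC_OUTPUT list deleted in the configure.in hunk above, so after this commit the diff shows nothing that builds the texinfo manuals. Either add an equivalent doc target on the CMake side or state in the commit message that the manuals are now built elsewhere.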

1
doc/README Normal file
View file

@ -0,0 +1 @@
TODO.

View file

@ -1,14 +0,0 @@
The current documentation is in the following directories:
quick-start/
user-manual/
ref-manual/
To build html and pdf version of the documents, 'makeinfo' and 'texi2dvi', part
of the GNU texinfo package, version 4.7 or higher is required.
Pre-built (and probably more current) versions of the documentation
are available at:
http://www.bro-ids.org/manuals.html
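Review bot: the replacement doc/README added in this commit reads only `TODO.`, so the two facts this file carried are lost: the texinfo >= 4.7 (makeinfo/texi2dvi) build requirement and the pointer to the pre-built manuals at http://www.bro-ids.org/manuals.html. Carry at least the URL over into the new README until the rewritten documentation lands.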

View file

@ -1,82 +0,0 @@
TCP connection logs are generated by tcp.bro. The summaries are written
to stdout, one line per connection:
start-time duration protocol orig-bytes resp-bytes \
local-addr remote-addr state flags additional
start-time: timestamp of when the connection's first packet was
observed
duration: time until connection finished, in seconds, or '?' if
not determined
protocol: TCP protocol, if well-known port; or portmapper request
orig-bytes: total bytes sent by originator. Computed from difference
between starting and ending sequence numbers, so sometimes
wrong (if wrong, the values tend to be erroneously large)
resp-bytes: same for bytes sent by connection responder
local-addr: IP address of local end of connection
remote-addr: IP address of remote end of connection
Note that these would make more sense as originator/responder,
but for historical reasons they're defined in terms of
"local" and "remote", where "local" is specified by the
"local_nets" set in hot.bro. To pull out the originator
and responder addresses requires looking at the "flags"
field to see whether the connection originated locally.
state: final connection state (see below)
flags: some characteristics of the connection. The most important is
the 'L' flag, which if present indicates that the connection
was initiated by the local address (see above); otherwise
it was initiated by the remote address.
additional: protocol-specific additional information, such as the FTP
session identifier, telnet user name, finger request, or
portmapper results.
The scripts "hot-report" and "mon-report" (in the aux/scripts/ directory)
generate readable versions of these connection summaries. They include
a mnemonic indicating the connection's state. Here is the list of
abbreviations used:
Symbol Name Meaning
------ ------- -------------------
} S0 Initial SYN seen, no reply seen ("unanswered")
> S1 Initial SYN handshake seen ("established")
> SF Established and normal FIN handshake seen
for termination. Note that this is the same
symbol as for state S1. You can tell the two
apart because for S1 there will not be any
byte counts, while for SF there will be.
[ REJ Initial SYN elicited RST in reply ("rejected")
}2 S2 Established and FIN from originator only seen
}3 S3 Established and FIN from responder only seen
>] RSTO Established, originator sent a RST to terminate
>[ RSTR Established, responder sent a RST to terminate
}] RSTOS0 Originator sent a SYN followed by a RST,
we never saw a SYN ack from the responder
<[ RSTRH Responder sent a SYN ack followed by a RST,
we never saw a SYN from the originator
>h SH Originator sent a SYN followed by a FIN,
we never saw a SYN ack from the responder
(so "half" open)
<h SHR Responder sent a SYN ack followed by a FIN,
we never saw a SYN from the originator
?>? OTH No SYN seen, just midstream traffic
The sundry weird states can arise from broken TCPs, but also from split
routing in which Bro just sees one side of a connection.
For UDP, if we see a request but no reply, that's state S0 ("}"); a request
followed by a reply is SF (">"); and a reply but no request is SHR ("<h").
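Review bot: this hunk deletes documentation of analyzer output, not autotools cruft: it is the only description in the tree of the connection-state vocabulary (S0, S1, SF, REJ, S2, S3, RSTO, RSTR, RSTOS0, RSTRH, SH, SHR, OTH), of the `L` flag that marks locally initiated connections, and of the local/remote naming caveat tied to `local_nets` in hot.bro, all of which an analyst still needs to read the logs. Move the state table and the UDP mapping paragraph into the new doc tree instead of dropping them; while doing so, check that the `hot-report`/`mon-report` scripts it cites still ship, since the aux/scripts/Makefile entry disappears with the AC_OUTPUT list removed above.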

View file

@ -1,49 +0,0 @@
How to create certificates to authorize Bro's SSL connections
=============================================================
- Create a global CA key/certificate once:
* Create some directory to store the CA stuff, and create
a few things there:
mkdir <ca-dir>
cd <ca-dir>
mkdir private newcerts cert crl
chmod 700 private
touch index.txt
echo 01 >serial
cp bro/openssl.conf .
* Create a private CA key:
openssl genrsa -des3 -out private/ca_key.pem
* Self-sign it:
openssl req -new -x509 -key private/ca_key.pem -out ca_cert.pem -days 1095
- For each Bro:
* Create a private key (w/o password):
openssl genrsa -out bro_key.pem
* Create a certification request:
openssl req -new -key bro_key.pem -out bro.csr
* Create a certificate using the CA key:
openssl ca -config openssl.cnf -in bro.csr -out bro_cert.pem
* Verify that the certicate is ok:
openssl verify -CAfile ca_cert.pem bro_cert.pem
* Concat Bro key and certificate:
cat bro_key.pem bro_cert.pem >bro.pem
* Copy this and the CA certificate to the IDS machine:
scp bro.pem ca_cert.pem ids:...
* Redef Bro's variables to point to the files:
redef ssl_ca_certificate = "...../ca_cert.pem";
redef ssl_private_key = "...../bro.pem";
* Remove the unnecessary stuff:
rm bro_key.pem bro.csr bro_cert.pem bro.pem
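Review bot: dropping this HOWTO leaves the `redef ssl_ca_certificate` and `redef ssl_private_key` settings near the end of the hunk with no documented way of producing the files they point at; if it is removed as unmaintained, the procedure should be carried into whatever documentation remains. If it is carried over, two defects in the deleted text should not travel with it: the setup copies `bro/openssl.conf` but the signing step reads `-config openssl.cnf`, so one of the two names is wrong; and both `openssl genrsa` invocations omit the key length, whose default differs between OpenSSL versions, so the replacement should state it explicitly (for example `openssl genrsa -out bro_key.pem 2048`). "certicate" in the verify step is a typo.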

Binary file not shown.

Binary file not shown.


@ -1,60 +0,0 @@
The manual.aux file was not found, so sections will not be numbered
and cross-references will be shown as icons.
There is no author for this document.
? brace missing for \emph
? brace missing for \index
couldn't convert character bb into available encodings
...set $ACCENT_IMAGES to get an image
couldn't convert character cring into available encodings
couldn't convert character tt into available encodings
No number for "Differenttypesofdirectionsfor<TT>set_contents_file</TT>"
No number for "<TT>print-filter</TT>printsoutthe<TT>tcpdump</TT>filteryourBroscriptwoulduseandthenexits."
No number for "Definitionofthe<TT>net_stats</TT>record."
No number for "Definitionof<TT>conn_id</TT>and<TT>connection</TT>records."
No number for "TCPandUDPconnectionstates,asstoredinan<TT>endpoint</TT>record."
No number for "Summariesofconnectionstates,asreportedin<TT>red</TT>files."
No number for "Differentconnectionstatestousewhencalling<TT>check_hot</TT>."
No number for "Sampledefinitionof<TT>log_hook</TT>"
No number for "Definitionofthe<TT>dns_mapping</TT>record."
No number for "Definitionofthe<TT>ftp_session_info</TT>record"
No number for "ExampleofFTPlogfileentriesforasingleFTPsession."
No number for "ExampleofHTTPlogfileentriesforasingleHTTPsession."
No number for "Differenttypesofconfusionthat<TT>login</TT>analyzercanreport."
No number for "TypesofcallstotheRPCportmapperservice."
No number for "TypesofRPCstatuscodes."
No number for "<TT>endpoint_stats</TT>fieldsforsummarizingconnectionendpointstatistics,alloftype<TT>count</TT>."
No number for "Possibleactionstotakeforsignaturesmatches.<I>signatures-log</I>defaultsto<TT>open_log_file(;SPMquot;signatures;SPMquot;)</TT>."
No number for "Definitionofthe<TT>x509</TT>record"
No number for "Definitionofthe<TT>ssl_connection_info</TT>record"
No number for "ExampleofSSLlogfilewithasingleSSLsession."
No number for "Differenttypesofpossibleactionstotakefor``weird''events."
No number for "Definitionofthe<TT>signature_state</TT>record."
Failed to convert image /tmp/l2h6233/image052.ps
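Review bot: this is the latex2html warnings file, a build by-product rather than source, so removing it from version control is right; worth recording, though, that it lists `brace missing for \emph`, `brace missing for \index` and `Failed to convert image /tmp/l2h6233/image052.ps`, i.e. the HTML manual that was checked in alongside it was generated from markup with unbalanced braces and a figure that never converted. If the manual is ever rebuilt from the LaTeX sources, those need fixing before the output can be trusted.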


@ -1 +0,0 @@
\relax


@ -1,607 +0,0 @@
This is TeX, Version 3.14159 (Web2C 7.3.1) (format=latex 2001.8.15) 21 MAR 2004 07:20
**./images.tex
(./images.tex
LaTeX2e <1999/12/01> patch level 1
Babel <v3.6Z> and hyphenation patterns for american, french, german, ngerman, n
ohyphenation, loaded.
(/usr/local/share/texmf/tex/latex/base/report.cls
Document Class: report 1999/09/10 v1.4a Standard LaTeX document class
(/usr/local/share/texmf/tex/latex/base/size10.clo
File: size10.clo 1999/09/10 v1.4a Standard LaTeX file (size option)
)
\c@part=\count79
\c@chapter=\count80
\c@section=\count81
\c@subsection=\count82
\c@subsubsection=\count83
\c@paragraph=\count84
\c@subparagraph=\count85
\c@figure=\count86
\c@table=\count87
\abovecaptionskip=\skip41
\belowcaptionskip=\skip42
\bibindent=\dimen102
) (/usr/local/share/texmf/tex/latex/base/ifthen.sty
Package: ifthen 1999/09/10 v1.1b Standard LaTeX ifthen package (DPC)
) (/usr/local/share/texmf/tex/latex/base/makeidx.sty
Package: makeidx 1999/09/17 v1.0l Standard LaTeX package
) (/usr/local/share/texmf/tex/latex/psnfss/times.sty
Package: times 1999/03/29 PSNFSS v.7.2 Times font as default roman : S Rahtz
) (/usr/local/share/texmf/tex/generic/misc/psfig.sty
\@unused=\write3
\ps@stream=\read1
\p@intvaluex=\dimen103
\p@intvaluey=\dimen104
psfig/tex 1.10-dvips
) (/home/jaguar/u0/vern/latex2html/texinputs/html.sty
Package: html 1999/07/19 v1.38 hypertext commands for latex2html (nd, hws, rrm)
\c@lpart=\count88
\c@lchapter=\count89
\c@lsection=\count90
\c@lsubsection=\count91
\c@lsubsubsection=\count92
\c@lparagraph=\count93
\c@lsubparagraph=\count94
\c@lsubsubparagraph=\count95
\ptrfile=\write4
)
\@indexfile=\write5
\openout5 = `images.idx'.
Writing index file images.idx
(/usr/local/share/texmf/tex/latex/graphics/color.sty
Package: color 1999/02/16 v1.0i Standard LaTeX Color (DPC)
(/usr/local/share/texmf/tex/latex/config/color.cfg)
Package color Info: Driver file: dvips.def on input line 125.
(/usr/local/share/texmf/tex/latex/graphics/dvips.def
File: dvips.def 1999/02/16 v3.0i Driver-dependant file (DPC,SPQR)
) (/usr/local/share/texmf/tex/latex/graphics/dvipsnam.def
File: dvipsnam.def 1999/02/16 v3.0i Driver-dependant file (DPC,SPQR)
)) (/usr/local/share/texmf/tex/latex/base/inputenc.sty
Package: inputenc 1999/09/17 v0.992 Input encoding file
(/usr/local/share/texmf/tex/latex/base/latin1.def
File: latin1.def 1999/09/17 v0.992 Input encoding file
))
\sizebox=\box26
\lthtmlwrite=\write6
No file images.aux.
\openout1 = `images.aux'.
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 334.
LaTeX Font Info: ... okay on input line 334.
LaTeX Font Info: Try loading font information for OT1+ptm on input line 334.
(/usr/local/share/texmf/tex/latex/psnfss/ot1ptm.fd
File: ot1ptm.fd 1998/07/06 Fontinst v1.800 font definitions for OT1/ptm.
)
latex2htmlLength hsize=349.0pt
latex2htmlLength vsize=633.0pt
latex2htmlLength hoffset=0.0pt
latex2htmlLength voffset=0.0pt
latex2htmlLength topmargin=0.0pt
latex2htmlLength topskip=0.00003pt
latex2htmlLength headheight=0.0pt
latex2htmlLength headsep=0.0pt
latex2htmlLength parskip=0.0pt plus 1.0pt
latex2htmlLength oddsidemargin=-10.84006pt
latex2htmlLength evensidemargin=-10.84006pt
LaTeX Font Info: External font `cmex10' loaded for size
(Font) <7> on input line 399.
LaTeX Font Info: External font `cmex10' loaded for size
(Font) <5> on input line 399.
l2hSize :tex2html_wrap_inline5436:6.74997pt::0.0pt::13.00003pt.
[1
]
l2hSize :tex2html_wrap_inline5438:6.74997pt::0.0pt::8.00003pt.
[2
]
l2hSize :tex2html_wrap_inline5440:6.83331pt::0.0pt::73.23354pt.
[3
]
l2hSize :tex2html_wrap_inline5442:6.83331pt::0.0pt::15.04518pt.
[4
]
l2hSize :tex2html_wrap_inline5444:8.14003pt::0.0pt::13.9723pt.
[5
]
l2hSize :tex2html_wrap_inline5446:8.14003pt::0.0pt::13.9723pt.
[6
]
l2hSize :tex2html_wrap_inline5448:8.14003pt::0.0pt::9.98618pt.
[7
]
l2hSize :tex2html_wrap_inline5450:6.83331pt::0.0pt::41.50558pt.
[8
]
l2hSize :tex2html_wrap_inline5452:6.83331pt::0.0pt::59.23058pt.
[9
]
l2hSize :tex2html_wrap_inline5454:6.83331pt::0.0pt::16.67014pt.
[10
]
l2hSize :tex2html_wrap_inline5456:7.96227pt::0.0pt::7.13895pt.
[11
]
l2hSize :tex2html_wrap_inline5458:6.88586pt::0.0pt::5.09726pt.
[12
]
l2hSize :tex2html_wrap_inline8536:7.24997pt::7.24997pt::4.98616pt.
[13
]
l2hSize :tex2html_wrap_inline8540:7.24997pt::7.24997pt::4.98616pt.
[14
]
l2hSize :tex2html_wrap_inline8614:7.24997pt::7.24997pt::4.98616pt.
[15
]
l2hSize :tex2html_wrap_inline16373:7.24997pt::7.24997pt::21.05557pt.
[16
]
l2hSize :tex2html_wrap_inline16375:6.74997pt::0.0pt::9.28017pt.
[17
]
l2hSize :tex2html_wrap_inline16379:6.74997pt::0.0pt::6.50238pt.
[18
]
l2hSize :tex2html_wrap_inline16393:6.94444pt::0.0pt::6.26161pt.
[19
]
LaTeX Font Info: Try loading font information for OT1+pcr on input line 614.
(/usr/local/share/texmf/tex/latex/psnfss/ot1pcr.fd
File: ot1pcr.fd 1998/07/06 Fontinst v1.800 font definitions for OT1/pcr.
)
Overfull \hbox (59.0pt too wide) in paragraph at lines 631--631
[] \OT1/pcr/m/n/10 print fmt("(%s) and (%s)", capture_filter, restrict_f
ilter);[]
[]
l2hSize :figure22361:203.09998pt::0.0pt::349.0pt.
[20
]
Overfull \hbox (41.0pt too wide) in paragraph at lines 647--647
[] \OT1/pcr/m/n/10 pkts_recvd: count; # Number of packets received so
far.[]
[]
Overfull \hbox (59.0pt too wide) in paragraph at lines 647--647
[] \OT1/pcr/m/n/10 pkts_dropped: count; # Number of packets *reported* d
ropped.[]
[]
Overfull \hbox (83.0pt too wide) in paragraph at lines 647--647
[] \OT1/pcr/m/n/10 interface_drops: count; # Number of drops reported by in
terface(s).[]
[]
l2hSize :figure22485:83.09998pt::0.0pt::349.0pt.
[21
]
Overfull \hbox (29.0pt too wide) in paragraph at lines 680--680
[] \OT1/pcr/m/n/10 id: conn_id; # Originator/responder addresses/port
s.[]
[]
Overfull \hbox (71.0pt too wide) in paragraph at lines 680--680
[] \OT1/pcr/m/n/10 duration: interval; # How long it was active (or has been
so far).[]
[]
Overfull \hbox (95.0pt too wide) in paragraph at lines 680--680
[] \OT1/pcr/m/n/10 service: string; # The service we associate with it (e
.g., "http").[]
[]
Overfull \hbox (59.0pt too wide) in paragraph at lines 680--680
[] \OT1/pcr/m/n/10 addl: string; # Additional information associated w
ith it.[]
[]
Overfull \hbox (71.0pt too wide) in paragraph at lines 680--680
[] \OT1/pcr/m/n/10 hot: count; # How many times we've marked it as s
ensitive.[]
[]
l2hSize :figure22528:275.09998pt::0.0pt::349.0pt.
[22
]
l2hSize :tex2html_wrap_inline31877:6.83331pt::0.0pt::8.00005pt.
[23
]
l2hSize :tex2html_wrap_inline31879:6.83331pt::0.0pt::8.58684pt.
[24
]
l2hSize :tex2html_wrap_inline31899:7.33331pt::7.33331pt::12.53233pt.
[25
]
l2hSize :tex2html_wrap_inline31901:7.33331pt::7.33331pt::12.51337pt.
[26
]
l2hSize :tex2html_wrap_inline31903:7.33331pt::7.33331pt::11.0695pt.
[27
]
l2hSize :tex2html_wrap_inline31905:7.33331pt::7.33331pt::12.4283pt.
[28
]
l2hSize :tex2html_wrap_inline31927:7.33331pt::7.33331pt::12.44727pt.
[29
]
l2hSize :tex2html_wrap_inline31937:7.33331pt::7.33331pt::11.0792pt.
[30
]
l2hSize :tex2html_wrap_inline31941:7.33331pt::7.33331pt::11.06023pt.
[31
]
l2hSize :tex2html_wrap_inline31943:6.83331pt::0.0pt::9.05698pt.
[32
]
l2hSize :tex2html_wrap_inline31957:7.33331pt::7.33331pt::11.36739pt.
[33
]
l2hSize :tex2html_wrap_inline31961:7.33331pt::7.33331pt::11.34842pt.
[34
]
l2hSize :tex2html_wrap_inline31971:7.24997pt::7.24997pt::5.53128pt.
[35
]
l2hSize :figure23775:263.09998pt::0.0pt::349.0pt.
[36
]
Overfull \hbox (35.0pt too wide) in paragraph at lines 830--830
[] \OT1/pcr/m/n/10 req_host: string; # The hostname in the request, if a
ny.[]
[]
Overfull \hbox (29.0pt too wide) in paragraph at lines 830--830
[] \OT1/pcr/m/n/10 req_addr: addr; # The address in the request, if an
y.[]
[]
Overfull \hbox (59.0pt too wide) in paragraph at lines 830--830
[] \OT1/pcr/m/n/10 hostname: string; # The hostname in the answer, or "<
none>".[]
[]
Overfull \hbox (35.0pt too wide) in paragraph at lines 830--830
[] \OT1/pcr/m/n/10 addrs: set[addr]; # The addresses in the answer, if a
ny.[]
[]
l2hSize :figure23860:131.09998pt::0.0pt::349.0pt.
[37
]
Overfull \hbox (41.0pt too wide) in paragraph at lines 858--858
[] \OT1/pcr/m/n/10 id: count; # unique number associated w/ ses
sion[]
[]
Overfull \hbox (71.0pt too wide) in paragraph at lines 858--858
[] \OT1/pcr/m/n/10 log_if_not_denied: bool; # unless code 530 on repl
y, log it[]
[]
Overfull \hbox (71.0pt too wide) in paragraph at lines 858--858
[] \OT1/pcr/m/n/10 log_if_not_unavail: bool; # unless code 550 on repl
y, log it[]
[]
l2hSize :figure24088:131.09998pt::0.0pt::349.0pt.
[38
]
Overfull \hbox (35.0pt too wide) in paragraph at lines 877--877
[]\OT1/pcr/m/n/10 972499885.784104 #26 131.243.70.68/1899 > 64.55.26.206/ftp st
art[]
[]
Overfull \hbox (5.0pt too wide) in paragraph at lines 877--877
[]\OT1/pcr/m/n/10 972499886.685046 #26 response (220 tuvok.ooc.com FTP server[]
[]
Overfull \hbox (23.0pt too wide) in paragraph at lines 877--877
[] \OT1/pcr/m/n/10 (Version wu-2.6.0(1) Fri Jun 23 09:17:44 EDT 2000) ready.
)[]
[]
Overfull \hbox (41.0pt too wide) in paragraph at lines 877--877
[]\OT1/pcr/m/n/10 972499889.493020 #26 SIZE /pub/OB/4.0/JOB-4.0.3.zip (213 1675
597)[]
[]
Overfull \hbox (65.0pt too wide) in paragraph at lines 877--877
[]\OT1/pcr/m/n/10 972499890.135706 #26 *RETR /pub/OB/4.0/JOB-4.0.3.zip, ABOR (c
omplete)[]
[]
Overfull \hbox (11.0pt too wide) in paragraph at lines 877--877
[]\OT1/pcr/m/n/10 972500055.491045 #26 response (225 ABOR command successful.)[
]
[]
l2hSize :figure24192:119.53992pt::0.0pt::349.0pt.
[39
]
l2hSize :figure24357:83.53992pt::0.0pt::349.0pt.
[40
]
l2hSize :tex2html_wrap_inline31983:7.24997pt::7.24997pt::16.05556pt.
[41
]
l2hSize :tex2html_wrap_inline31987:7.24997pt::7.24997pt::26.05559pt.
[42
]
l2hSize :tex2html_wrap_inline31989:7.24997pt::7.24997pt::31.0556pt.
[43
]
l2hSize :tex2html_wrap_inline31991:7.24997pt::7.24997pt::8.27783pt.
[44
]
l2hSize :figure25695:59.09998pt::0.0pt::349.0pt.
[45
]
Overfull \hbox (29.0pt too wide) in paragraph at lines 970--970
[] \OT1/pcr/m/n/10 id: count; # the log identifier numb
er[]
[]
Overfull \hbox (29.0pt too wide) in paragraph at lines 970--970
[] \OT1/pcr/m/n/10 connection_id: conn_id; # IP connection informati
on[]
[]
Overfull \hbox (83.0pt too wide) in paragraph at lines 970--970
[] \OT1/pcr/m/n/10 version: count; # version associated with
connection[]
[]
Overfull \hbox (59.0pt too wide) in paragraph at lines 970--970
[] \OT1/pcr/m/n/10 id_index: string; # index for associated se
ssionID[]
[]
Overfull \hbox (131.0pt too wide) in paragraph at lines 970--970
[] \OT1/pcr/m/n/10 handshake_cipher: count; # cipher suite client and
server agreed upon[]
[]
l2hSize :figure25707:119.09998pt::0.0pt::349.0pt.
[46
]
Overfull \hbox (59.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.534846 #1 192.168.0.98/32988 > 213.61.126.124/http
s start[]
[]
Overfull \hbox (2135.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.534846 #1 cipher suites: SSLv3x_RSA_WITH_RC4_128_M
D5 (0x4), SSLv3x_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xFEFF), SSLv3x_RSA_WITH_3DES_
EDE_CBC_SHA (0xA), SSLv3x_RSA_FIPS_WITH_DES_CBC_SHA (0xFEFE), SSLv3x_RSA_WITH_D
ES_CBC_SHA(0x9), SSLv3x_RSA_EXPORT1024_WITH_RC4_56_SHA (0x64), SSLv3x_RSA_EXPOR
T1024_WITH_DES_CBC_SHA (0x62), SSLv3x_RSA_EXPORT_WITH_RC4_40_MD5 (0x3), SSLv3x_
RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6),[]
[]
Overfull \hbox (65.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.753356 #1 cipher suite: SSLv3x_RSA_WITH_RC4_128_MD
5 (0x4),[]
[]
Overfull \hbox (749.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.762601 #1 X.509 server issuer: /C=DE/ST=Hamburg/L=
Hamburg/O=TC TrustCenter for Security in Data Networks GmbH/OU=TC TrustCenter C
lass 3 CA/Email=certificate@trustcenter.de,[]
[]
Overfull \hbox (521.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.762601 #1 X.509 server subject: /C=DE/ST=Berlin/O=
Lehmanns Fachbuchhandlung GmbH/OU=Zentrale EDV/CN=www.jfl.de/Email=admin@lehman
ns.de[]
[]
Overfull \hbox (257.0pt too wide) in paragraph at lines 992--992
[]\OT1/pcr/m/n/10 1046778101.894567 #1 handshake finished, version 3.1, cipher
suite: SSLv3x_RSA_WITH_RC4_128_MD5 (0x4)[]
[]
l2hSize :figure25794:155.25494pt::0.0pt::349.0pt.
[47
]
l2hSize :tex2html_wrap_inline31993:7.31989pt::7.31989pt::51.61522pt.
[48
]
Overfull \hbox (41.0pt too wide) in paragraph at lines 1037--1037
[] \OT1/pcr/m/n/10 is_orig: bool; # True if current endpoint is origin
ator[]
[]
Overfull \hbox (95.0pt too wide) in paragraph at lines 1037--1037
[] \OT1/pcr/m/n/10 payload_size: count; # Payload size of the first pkt of c
urr. endpoint[]
[]
l2hSize :figure39539:83.09998pt::0.0pt::349.0pt.
[49
]
l2hSize :tex2html_wrap_inline39988:6.83331pt::0.0pt::9.625pt.
[50
]
l2hSize :tex2html_wrap_inline39992:7.33331pt::7.33331pt::17.4028pt.
[51
] (/home/jaguar/u0/vern/bro/bro-doc/index.tex (/home/jaguar/u0/vern/bro/bro-doc
/doc.ind
LaTeX Font Info: Font shape `OT1/ptm/bx/n' in size <24.88> not available
(Font) Font shape `OT1/ptm/b/n' tried instead on input line 1.
LaTeX Font Info: Font shape `OT1/pcr/m/it' in size <10> not available
(Font) Font shape `OT1/pcr/m/sl' tried instead on input line 1539.
! TeX capacity exceeded, sorry [main memory size=263001].
\par ...@m \@noitemerr {\@@par }\fi \else {\@@par
}\fi
l.2843 \subitem
reading, 17
If you really absolutely need more capacity,
you can ask a wizard to enlarge me.
Here is how much of TeX's memory you used:
1313 strings out of 10901
15527 string characters out of 72380
263001 words of memory out of 263001
4278 multiletter control sequences out of 10000+0
6696 words of font info for 23 fonts, out of 400000 for 1000
14 hyphenation exceptions out of 1000
23i,5n,19p,429b,425s stack positions out of 300i,100n,500p,50000b,4000s
Output written on images.dvi (51 pages, 17976 bytes).
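Review bot: images.log is LaTeX run output captured by latex2html, not source, and should never have been under version control; removing it is correct, and the directory that latex2html writes into ought to be ignored so the file does not come back with the next regeneration. Note also that the run recorded here ended in `! TeX capacity exceeded, sorry [main memory size=263001]` while reading the index (`l.2843 \subitem`), so the 51 image pages it wrote came from a build that did not finish cleanly; any future regeneration of the manual should start from a build that succeeds.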


@ -1,332 +0,0 @@
# LaTeX2HTML 2002-2 (1.70)
# Associate images original text with physical files.
$key = q/B;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="19" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img24.gif"
ALT="$B$">|;
$key = q/A_i;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="29" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img4.gif"
ALT="$A\_i$">|;
$key = q/ge1024;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="55" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img43.gif"
ALT="$\ge 1024$">|;
$key = q/2^{24};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="27" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img5.gif"
ALT="$2^{24}$">|;
$key = q/S_{o};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img30.gif"
ALT="$S_{o}$">|;
$key = q/ge256;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="47" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img42.gif"
ALT="$\ge 256$">|;
$key = q/pmN;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="33" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img51.gif"
ALT="$\pm N$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim312#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="645" HEIGHT="185" BORDER="0"
SRC="|."$dir".q|img37.gif"
ALT="\begin{figure}\begin{verbatim}type dns_mapping: record {
creation_time: time;...
... set[addr]; ...">|;
$key = q/_{2};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img13.gif"
ALT="$_{2}$">|;
$key = q/N_1{{tt{.}N_2{{tt{.};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="71" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img8.gif"
ALT="$N\_1 {\tt .} N\_2 {\tt .}$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim338#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="763" HEIGHT="166" BORDER="0"
SRC="|."$dir".q|img46.gif"
ALT="\begin{figure}\begin{verbatim}type ssl_connection_info: record {
id: count; ...">|;
$key = q/A_{l};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img27.gif"
ALT="$A_{l}$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim345#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="705" HEIGHT="109" BORDER="0"
SRC="|."$dir".q|img49.gif"
ALT="\begin{figure}\begin{verbatim}type signature_state: record {
id: string; ...">|;
$key = q/ge;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="18" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img44.gif"
ALT="$\ge$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim298#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="644" HEIGHT="299" BORDER="0"
SRC="|."$dir".q|img20.gif"
ALT="\begin{figure}\begin{verbatim}event bro_init()
{
if ( restrict_filter == '''...
...%s)'', capture_filter, restrict_filter);exit();
}\end{verbatim}
\end{figure}">|;
$key = q/S_{r};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img31.gif"
ALT="$S_{r}$">|;
$key = q/P_{o};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img33.gif"
ALT="$P_{o}$">|;
$key = q/2^8;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="21" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img7.gif"
ALT="$2^8$">|;
$key = q/A_{o};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img29.gif"
ALT="$A_{o}$">|;
$key = q/p;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="14" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img35.gif"
ALT="$p$">|;
$key = q/D;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="20" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img32.gif"
ALT="$D$">|;
$key = q/_{1};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img14.gif"
ALT="$_{1}$">|;
$key = q/N;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="21" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img50.gif"
ALT="$N$">|;
$key = q/~tilde{~}~~~;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="26" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img1.gif"
ALT="$&nbsp;\tilde{&nbsp;}&nbsp;&nbsp;&nbsp;$">|;
$key = q/P_{r};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="23" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img34.gif"
ALT="$P_{r}$">|;
$key = q/A_{r};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img28.gif"
ALT="$A_{r}$">|;
$key = q/N_i;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="32" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img10.gif"
ALT="$N\_i$">|;
$key = q/B_{o};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img25.gif"
ALT="$B_{o}$">|;
$key = q/2cdotmbox{MSL}=4;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="87" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img48.gif"
ALT="$2 \cdot \mbox{MSL} = 4$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim300#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="703" HEIGHT="414" BORDER="0"
SRC="|."$dir".q|img22.gif"
ALT="\begin{figure}\begin{verbatim}type conn_id: record {
orig_h: addr; ...">|;
$key = q/{figure}preform{<verbatim_mark>verbatim319#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="551" HEIGHT="109" BORDER="0"
SRC="|."$dir".q|img40.gif"
ALT="\begin{figure}\begin{verbatim}972482763.371224 %1596 start 200.241.229.80 &gt; 13...
...g/movies/off.gif
%1596 GET /vfrog/new.frog.small.gif
\end{verbatim}
\end{figure}">|;
$key = q/{figure}preform{<verbatim_mark>verbatim317#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="652" HEIGHT="167" BORDER="0"
SRC="|."$dir".q|img39.gif"
ALT="\begin{figure}\begin{verbatim}972499885.784104 ...">|;
$key = q/{figure}preform{<verbatim_mark>verbatim315#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="667" HEIGHT="185" BORDER="0"
SRC="|."$dir".q|img38.gif"
ALT="\begin{figure}\begin{verbatim}type ftp_session_info: record {
id: count; ...">|;
$key = q/{figure}preform{<verbatim_mark>verbatim311#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="514" HEIGHT="394" BORDER="0"
SRC="|."$dir".q|img36.gif"
ALT="\begin{figure}\begin{verbatim}global msg_count: table[string] of count &amp;defaul...
... schedule +5 min { log_summary(msg) };return F;
}\end{verbatim}
\end{figure}">|;
$key = q/{figure}preform{<verbatim_mark>verbatim339#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="3949" HEIGHT="223" BORDER="0"
SRC="|."$dir".q|img47.gif"
ALT="\begin{figure}\begin{verbatim}1046778101.534846 ...">|;
$key = q/{figure}preform{<verbatim_mark>verbatim337#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="515" HEIGHT="70" BORDER="0"
SRC="|."$dir".q|img45.gif"
ALT="\begin{figure}\begin{verbatim}type x509: record {
issuer: string; ...">|;
$key = q/^*;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="13" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img12.gif"
ALT="$^*$">|;
$key = q/{figure}preform{<verbatim_mark>verbatim299#preform{{{{figure};FSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="684" HEIGHT="109" BORDER="0"
SRC="|."$dir".q|img21.gif"
ALT="\begin{figure}\begin{verbatim}type net_stats: record {
...">|;
$key = q/h;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="15" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img19.gif"
ALT="$h$">|;
$key = q/B_{r};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="25" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img26.gif"
ALT="$B_{r}$">|;
$key = q/m;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="20" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img17.gif"
ALT="$m$">|;
$key = q/le2;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="31" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img41.gif"
ALT="$\le 2$">|;
$key = q/2^{16};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="27" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img6.gif"
ALT="$2^{16}$">|;
$key = q/le26;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="39" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img16.gif"
ALT="$\le 26$">|;
$key = q/A;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="18" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img23.gif"
ALT="$A$">|;
$key = q/A_1{{tt{.}A_2{{tt{.}A_3{{tt{.}A_4;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="122" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img3.gif"
ALT="$A\_1 {\tt .} A\_2 {\tt .} A\_3 {\tt .} A\_4$">|;
$key = q/_{3};MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="13" HEIGHT="32" ALIGN="MIDDLE" BORDER="0"
SRC="|."$dir".q|img15.gif"
ALT="$_{3}$">|;
$key = q/^+;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="17" HEIGHT="20" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img11.gif"
ALT="$^+$">|;
$key = q/N_1{{tt{.}N_2{{tt{.}N_3;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="99" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img9.gif"
ALT="$N\_1 {\tt .} N\_2 {\tt .} N\_3 $">|;
$key = q/tilde{~}~~;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="18" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img2.gif"
ALT="$\tilde{&nbsp;}&nbsp;&nbsp;$">|;
$key = q/n;MSF=1.6;AAT/;
$cached_env_img{$key} = q|<IMG
WIDTH="16" HEIGHT="18" ALIGN="BOTTOM" BORDER="0"
SRC="|."$dir".q|img18.gif"
ALT="$n$">|;
1;

File diff suppressed because it is too large

File diff suppressed because it is too large

File diff suppressed because it is too large


@ -1,30 +0,0 @@
/* Century Schoolbook font is very similar to Computer Modern Math: cmmi */
.MATH { font-family: "Century Schoolbook", serif; }
.MATH I { font-family: "Century Schoolbook", serif; font-style: italic }
.BOLDMATH { font-family: "Century Schoolbook", serif; font-weight: bold }
/* implement both fixed-size and relative sizes */
SMALL.XTINY { font-size : xx-small }
SMALL.TINY { font-size : x-small }
SMALL.SCRIPTSIZE { font-size : smaller }
SMALL.FOOTNOTESIZE { font-size : small }
SMALL.SMALL { }
BIG.LARGE { }
BIG.XLARGE { font-size : large }
BIG.XXLARGE { font-size : x-large }
BIG.HUGE { font-size : larger }
BIG.XHUGE { font-size : xx-large }
/* heading styles */
H1 { }
H2 { }
H3 { }
H4 { }
H5 { }
/* mathematics styles */
DIV.displaymath { } /* math displays */
TD.eqno { } /* equation-number cells */
/* document-specific styles come next */

File diff suppressed because it is too large


@ -1,229 +0,0 @@
@menu
* Download ::
* Install ::
* Configuration ::
* Encrypted Reports ::
@end menu
@node Download
@section Download
@cindex download
Download Bro from: @uref{http://www.bro-ids.org/}
You can unpack the distribution anywhere except into the directory
you plan to install into. To untar the file, type:
@example
tar xvzf bro-0.9a6.6.tar.gz
@end example
@node Install
@section Install
You'll need to collect the following information before beginning the installation.
@itemize
@item localnets: a list of local subnets for your network. Bro needs to know which networks are "internal" and which are "external".
@item interface names: the names of the capture interfaces in your host (e.g. sk0 or en1). Use @code{ifconfig -a} to get the list of all network interfaces on your Bro host.
@end itemize
If you want to use Bro's periodic email report feature, you'll also need:
@itemize
@item email list: a list of email addresses to send the reports to.
@item pgp keys: if you want to encrypt all email reports, the location of the
@uref{http://www.gnupg.org/,GPG keyring} of all recipients.
@end itemize
Bro is very easy to install. Just log in as @code{root}, and type:
@example
./configure
@end example
or to install Bro in a location other than @file{/usr/local/bro}, use:
@example
./configure --prefix=/path/to/bro
@end example
and then type:
@example
make
make install
@end example
To update an existing Bro installation with new binaries and standard policy file, instead
of @code{'make install'} do a @code{'make update'}. This will preserve all your local customizations.
@node Configuration
@section Configuration
@cindex bro_config
@cindex bro.cfg
The @emph{Bro-Lite} configuration script can be used to automatically configure Bro for you. It
checks your system's BPF settings, creates a 'bro' user account, installs
a script to start bro at boot time, and installs a number of @code{cron} jobs
to checkpoint bro every night, run perioidic reports, and manage log files.
To run this configuration script type:
@example
make install-brolite
@end example
This will run the script @code{bro_config}, which creates the file @file{$BROHOME/etc/bro.cfg}.
@code{bro_config} will ask a number of simple questions.
Sample output of @code{bro_config}, along with explanation, is shown below:
@quotation
@verbatim
Running Bro Configuration Utility
Checking interfaces .... Done.
Reading /usr/local/bro/etc/bro.cfg.example for defaults.
@end verbatim
@quotation
@quotation
The @code{bro_config} script looks first at ./bro.cfg, then /usr/local/bro/etc,
for default values to use below.
@end quotation
@end quotation
@verbatim
Bro Log archive location [/usr/local/bro/archive]
@end verbatim
@quotation
@quotation
This is the directory where log file archives are kept.
If you expect the log files to be very large, it is recommended to put these in a separate disk partition.
@end quotation
@end quotation
@verbatim
User id to install and run Bro under [bro]
@end verbatim
@quotation
@quotation
@code{bro_config} will create a new user account with this username if the user does not exist.
@end quotation
@end quotation
@verbatim
Interface names to listen on. [en1,en2]
@end verbatim
@quotation
@quotation
@code{bro_config} looks for all network interfaces and does a short test to determine which interfaces see the most traffic, and selects these interfaces as the default.
@end quotation
@end quotation
@verbatim
Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG) []
Starting Report Time [0600]
Report interval (in hours) [24]
Email addresses for internal reports [bro@localhost]
Do you want to send external reports to a incident
reporting org (e.g.: CERT, CIAC, etc) (Y/N)
Y
Email addresses for external reports []
@end verbatim
@quotation
@quotation
Daily reports will be created.
Enter the site name you want to appear at the top and in the subject of all email reports.
The 'start time' and 'interval' define the window of
network activity that the daily report will cover, starting at 'Starting Report Time' and
lasting through 'Report interval'. The start time should be entered using 24hr clock notation.
For example: 12:30am = 0030, 2pm = 1400
Two types of reports will be generated,
"internal" and "external". Internal reports contain the same basic information as
the external reports, along with traffic statistics and more detailed information on
incidents. Both internal and external reports will be sent to the "internal" email address list.
External reports are only sent if you answer "Y" and enter an external email address.
(Note: currently only internal reports are generated)
@end quotation
@end quotation
@verbatim
Do you want to encrypt the email reports (Y/N) [N]
Y
@end verbatim
@quotation
@quotation
If you want the email reports encrypted, you will need to set up GPG (@uref{http://www.gnupg.org})
and create a GPG keyring containing the public keys of all email recipients. Instructions
for this are in @ref{Encrypted Reports}.
@end quotation
@end quotation
@verbatim
Running script to determine your local subnets ...
Your Local subnets [198.129.224.1/32]
@end verbatim
@quotation
@quotation
Bro needs to know a list of your local subnets. @code{bro_config} runs a tool
that attempts to discover this automatically.
You should always verify the results of this tool. The format is a list of subnet/significant
bits of address.
For example: 131.243.0.0/16, 198.128.0.0/18, 198.129.224.1/32
@end quotation
This information will be stored in the file @code{$BROHOME/site/local.site.bro}
@end quotation
@verbatim
Saving settings to file: /usr/local/bro/etc/bro.cfg
Bro configuration finished.
To change these values, you can rerun bro_config at any time.
@end verbatim
@quotation
@quotation
Indicates that the script finished successfully.
@end quotation
@end quotation
@end quotation
For site monitoring very high traffic rates on Gigabit ethernet, there is some
additional system tuning that should be done. See the @uref{http://www.bro-ids.org/, Bro User Guide} for more details.
To reconfigure Bro, just type:
@example
bro_config
@end example
This will update your @file{/usr/local/bro/etc/bro.cfg} file. You can also edit this file using your favorite editor if you prefer.
For other site customizations, you can edit the file $BROHOME/site/local.site.bro.
For example, to tell bro to not look at traffic for host 198.162.44.66, add:
@verbatim
redef restrict_filters += { ["ignore host 198.162.44.66 "] = "not (host 198.162.44.66)" };
@end verbatim
Or to disable alarms for "WeirdActivity", you can add this:
@verbatim
redef notice_action_filters += { [[WeirdActivity]] = ignore_notice, };
@end verbatim
Any changes you make in $BROHOME/site will not be touched during an upgrade
or reinstall of Bro. You should avoid editing files in $BROHOME/policy,
as these will be overwritten.
More details are available in the Bro user guide.
@node Encrypted Reports
@section Encrypted Reports
@cindex GPG
Bro can use GPG (@uref{http://www.gnupg.org/}) to encrypt
the reports that it sends. To have Bro encrypt your
reports you must have said 'yes' to the bro_config question to
encrypt your reports. For information on configuring
GPG for Bro reports, see the @uref{http://www.bro-ids.org/, Bro User Manual}.
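Review bot: this hunk removes the only written description of the Bro-Lite install flow: make install-brolite, bro_config writing $BROHOME/etc/bro.cfg, creation of the unprivileged 'bro' account, GPG-encrypted e-mail reports, and the restrict_filters / notice_action_filters redefs in $BROHOME/site/local.site.bro. The text is plainly stale (it untars bro-0.9a6.6 and has the reader run ./configure as root), so deleting it is right, but the change should state whether install-brolite and bro_config are themselves being removed or merely left undocumented, and where current install instructions live; the deleted text only points at http://www.bro-ids.org/.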


@ -1,143 +0,0 @@
@menu
* What is Bro? ::
* Bro features and benefits ::
* Getting more Information ::
@end menu
@node What is Bro?
@section What is Bro?
@cindex Network Intrusion Detection System
Bro is a Unix-based Network Intrusion Detection System (IDS). Bro monitors network traffic and detects intrusion attempts based on the traffic
characteristics and content. Bro detects intrusions by comparing network traffic against rules describing events that are deemed troublesome. These rules
might describe activities (e.g., certain hosts connecting to certain services), what activities are worth alerting (e.g., attempts to a given number of different hosts constitutes
a "scan"), or signatures describing known attacks or access to known vulnerabilities. If Bro detects something of interest, it can be instructed to either issue a log entry or initiate the execution of an operating system command.
Bro targets high-speed (Gbit/second), high-volume intrusion detection. By judiciously leveraging packet filtering techniques,
Bro is able to achieve the performance necessary to do so while running on commercially
available PC hardware, and thus can serve as a cost effective means of monitoring a site's Internet connection.
@node Bro features and benefits
@section Bro features and benefits
@itemize
@item @strong{Network Based}
@quotation
Bro is a network-based IDS. It collects, filters, and analyzes traffic that passes through a specific
network location. A single Bro monitor, strategically placed at a key network junction, can be
used to monitor all incoming and outgoing traffic for the entire site. Bro does not use or
require installation of client software on each individual, networked computer.
@end quotation
@item @strong{Custom Scripting Language}
@quotation
Bro policy scripts are programs written in the Bro language. They contain the "rules" that
describe what sorts of activities are deemed troublesome. They analyze the network activity and
initiate actions based on the analysis. Although the Bro language takes some time and effort to
learn, once mastered, the Bro user can write or modify Bro policies to detect and alert on virtually
any type of network activity.
@end quotation
@item @strong{Pre-written Policy Scripts}
@quotation
Bro comes with a rich set of policy scripts designed to detect the most common Internet attacks
while limiting the number of false positives, i.e., alerts that confuse uninteresting activity with the
important attack activity. These supplied policy scripts will run "out of the box" and do not
require knowledge of the Bro language or policy script mechanics.
@end quotation
@item @strong{Powerful Signature Matching Facility}
@quotation
Bro policies incorporate a signature matching facility that looks for specific traffic content. For
Bro, these signatures are expressed as regular expressions, rather than fixed strings. Bro adds a
great deal of power to its signature-matching capability because of its rich language. This allows
Bro to not only examine the network content, but to understand the context of the signature,
greatly reducing the number of false positives. Bro comes with a set of high value signatures
policies, selected for their high detection and low false positive characteristics.
@end quotation
@item @strong{Network Traffic Analysis}
@quotation
Bro not only looks for signatures, but can also analyze network protocols, connections,
transactions, data amounts, and many other network characteristics. It has powerful facilities for
storing information about past activity and incorporating it into analyses of new activity.
@end quotation
@item @strong{Detection Followed by Action}
@quotation
Bro policy scripts can generate output files recording the activity seen on the network (including
normal, non-attack activity). They can also send alarms to event logs, including the
operating system syslog facility. In addition, scripts can execute programs, which can, in turn,
send e-mail messages, page the on-call staff, automatically terminate existing connections, or, with
appropriate additional software, insert access control blocks into a router's access control list.
With Bro's ability to execute programs at the operating system level, the actions that Bro can
initiate are only limited by the computer and network capabilities that support Bro.
@end quotation
@item @strong{@uref{http://www.snort.org/,Snort} Compatibility Support}
@cindex Snort
@quotation
The Bro distribution includes a tool, snort2bro, which converts Snort signatures into Bro
signatures. Along with translating the format of the signatures, snort2bro also incorporates a large
number of enhancements to the standard set of Snort signatures to take advantage of Bro's
additional contextual power and reduce false positives.
@end quotation
@end itemize
@node Getting more Information
@section Getting more Information
@itemize
@item @strong{Reference manual}
@quotation
An extensive @uref{http://www.bro-ids.org/manuals.html,reference manual} is provided detailing the Bro Policy Language
@end quotation
@item @strong{FAQ}
@cindex FAQ
@quotation
Several Frequently Asked Questions are outlined in the @uref{http://www.bro-ids.org/FAQ.html,Bro FAQ}.
Do you have a question that's not
in the FAQ, send it to us and we'll add it.
@end quotation
@item @strong{E-mail list}
@cindex Email list
@quotation
Send questions on any Bro subject to Bro@@bro-ids.org
The list is frequented by all of the Bro developers, including the primary author of Bro, Dr. Vern
Paxson.
You can subscribe by going to the website:
@* @uref{http://mailman.icsi.berkeley.edu/mailman/listinfo/bro},
@*
or by placing the following command in either the subject or the body of a message addressed to
Bro-request@@ICSI.Berkeley.EDU.
@example
subscribe [password] [digest-option] [address=<address>]
@end example
A password must be given to
unsubscribe or change your options. Once subscribed to the
list, you'll be reminded of your password periodically.
The 'digest-option' may be either: 'nodigest' or 'digest' (no
quotes!) If you wish to subscribe an address other than the
address you use to send this request from, you may specify
"address=<email address>" (no brackets around the email
address, no quotes!)
@end quotation
@item @strong{Website}
@quotation
The official Bro website is located at:
@uref{http://www.bro-ids.org}.
It contains all of the above documentation and more.
@end quotation
@end itemize
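Review bot: most of this file is descriptive text that can go, but two items are operational: the snort2bro paragraph (the only place the Snort-signature conversion and its added contextual enhancements are described) and the mailing-list subscription instructions with the Bro-request@@ICSI.Berkeley.EDU command syntax. If snort2bro still ships, its notes need a new home; the subscription mechanics belong on the website rather than in a versioned guide, so no action is needed for them beyond confirming the website copy exists.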


@ -1,99 +0,0 @@
\input texinfo @c -*-texinfo-*-
@comment $Id: Bro-quick-start.texi 958 2004-12-21 16:51:44Z tierney $
@comment %**start of header
@setfilename Bro-quick-start.info
@settitle Bro Quick Start Guide
@setcontentsaftertitlepage
@comment %**end of header
@set VERSION 0.9
@set UPDATED 11-15-2004
@copying
This the Quick Start Guide for Bro
version @value{VERSION}.
This software is copyright @copyright{}
1995-2004, The Regents of the University of California
and the International Computer Science Institute. All rights reserved.
For further information about this notice, contact:
Vern Paxson
email: @email{vern@@icir.org}
@end copying
@dircategory Bro
@direntry
* Bro: Network Intrusion Detection System
@end direntry
@ifnottex
@node Top
@top Bro Quick Start Guide
@copyright{} Lawrence Berkeley National Laboratory
@end ifnottex
@titlepage
@title Bro Quick Start Guide
@subtitle version @value{VERSION}, @value{UPDATED}, @strong{DRAFT}
@author Vern Paxson, Jim Rothfuss, Brian Tierney
@author Contact: @email{vern@@icir.org}
@author @uref{http://www.bro-ids.org/}
@page
@insertcopying
@vskip 0pt plus 1filll
@end titlepage
@contents
@ifnottex
@strong{Bro Quick Start Guide}:
This manual contains info on installing, configuring, and running
Bro. For more details, see the @uref{http://www.bro-ids.org/Bro-user-manual/,
Bro User Manual}
@end ifnottex
@menu
* Overview of Bro::
* Requirements ::
* Installation and Configuration::
* Running Bro ::
* Index::
@end menu
@comment ********************************************
@node Overview of Bro
@chapter Overview of Bro
@include Bro-overview.texi
@comment ********************************************
@node Requirements
@chapter Requirements
@cindex Software requirements
@cindex Hardware requirements
@include Bro-requirements.texi
@comment ********************************************
@node Installation and Configuration
@chapter Installation and Configuration
@cindex Installation instructions
@include Bro-installation.texi
@cindex Configuration instructions
@comment ********************************************
@node Running Bro
@chapter Running Bro
@include Bro-running.texi
@comment ********************************************
@node Index
@unnumbered Index
@printindex cp
@bye
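Review bot: no dangling @include is left behind: this driver pulls in Bro-overview.texi, Bro-requirements.texi, Bro-installation.texi and Bro-running.texi and references bro-deployment via @image, and every one of those is deleted in the same diff. The @set VERSION 0.9 / @set UPDATED 11-15-2004 header, the 1995-2004 copyright line and the Subversion $Id$ keyword all confirm the guide had stopped tracking the source, which is the justification for removal that the change description should cite.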


@ -1,79 +0,0 @@
@menu
* Network Tap ::
* Hardware and Software Requirements ::
@end menu
@node Network Tap
@section Network Tap
@cindex network tap
A network tap must be installed to provide Bro with access to live network traffic.
For Bro to be most effective, access to the network must be full-bandwidth (no bandwidth limitations) and full-duplex. A passive tap is recommended to ensure minimal impact on network operations.
Normally the network tap for Bro should be placed behind an external firewall and on the DMZ
(the portion of the network under the control of the organization but outside of the internal firewall),
as shown in the figure below. Some organizations might prefer to install the network tap before
the firewall in order to detect all scans or attacks. Placing Bro before the firewall will allow
the organization to better understand attacks, but will produce a much high number of alarms and alerts. Another option is to place Bro inside the internal firewall, allowing it to detect internal hosts with viruses or worms.
In addition to the connection to the network tap, a separate network connection is required
for management of Bro and access to log files.
For more information on taps and tap placement see the Netoptics White paper titled @emph{Deploying Network Taps with Intrusion Detection Systems} (@uref{http://www.netoptics.com/products/pdf/Taps-and-IDSs.pdf}).
@float Figure, tap location
@image{bro-deployment,6.3in}
@caption{Typical location for network tap and Bro system}
@end float
@node Hardware and Software Requirements
@section Hardware and Software Requirements
Bro requires no custom hardware, and runs on low-cost commodity PC-style system.
However, the Bro monitoring host must examine every packet into and out of
your site, so depending on your sites network traffic, you may need a fairly high-end machine.
If you are trying to monitor a link with a large number of connections, we recommend using
a second system for report generation, and run only Bro on the capture host.
@quotation
@multitable @columnfractions .25 .75
@comment only work with texiinfo 4.7 or higher: @headitem Item @tab Requirements
@item @strong{Item} @tab @strong{Requirements}
@item @strong{Processor}
@tab 1 GHz CPU (for 100 BT Ethernet with average packet rate <= 5,000 packets/second)
@* 2 GHz CPU (for 1000 BT Ethernet with average packet rate <= 10,000 packets/second)
@* 3 GHz CPU (for 1000 BT Ethernet with average packet rate <= 20,000 packets/second)
@* 4 GHz CPU (for 1000 BT Ethernet with average packet rate <= 50,000 packets/second)
@* (Note: these are @strong{very} rough estimates, and much depends on the types of
traffic on your network (e.g.: http, ftp, mail, etc.). See the Performance chapter of the Bro User Guide for more information)
@item @strong{Operating System}
@tab FreeBSD 4.10 (@uref{http://www.freebsd.org/}) Bro works with Linux
and Solaris as well,
but the performance is best under FreeBSD. In particular there are some performance issues with
packet capture under Linux. See the User Guide chapter on Bro and Linux for more information. FreeBSD 5.x should work, but may have performance issues. For sites with very high traffic loads, contact us for information on a FreeBSD 4.x patch to do @emph{bpf bonding}
@item @strong{Memory}
@tab 1 GB RAM is the minimum needed, but 2-3 GB is recommended
@item @strong{Hard disk}
@tab 10 GByte minimum, 50 GByte or more for log files recommended
@item @strong{User privileges}
@tab @emph{superuser} to install Bro, then Bro runs as user @emph{bro}
@item @strong{Network Interfaces}
@tab 3 interfaces are required: 2 for packet capture (1 for each direction), and 1 for host management. Capture interfaces should be identical.
@item @strong{Other Software}
@* - Perl version 5.6 or higher (@uref{http://www.perl.org})
@* - libpcap version 0.8 or higher (@uref{http://www.tcpdump.org})
@* - tcpdump version 3.8 or higher (@uref{http://www.tcpdump.org})
@* Note: FreeBSD 4.x comes with older versions perl, libpcap, and tcpdump. Bro
requires newer versions of these tools.
@end multitable
@end quotation
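Review bot: the sensor-placement guidance in the Network Tap section is not version-specific and deserves a home in whatever replaces this guide: a passive tap so monitoring cannot affect production traffic, a separate management connection apart from the capture interfaces, and the trade-off between tapping outside the firewall (every scan and attack visible, far more alarms) versus in the DMZ or inside the internal firewall (detecting internal hosts with viruses or worms). The hardware table, by contrast, is obsolete (FreeBSD 4.10, 1 GHz CPU for 100 BT Ethernet, Perl 5.6, libpcap 0.8) and should not be resurrected.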


@ -1,316 +0,0 @@
@menu
* Starting Bro ::
* Bro Scripts ::
* Sending (E-mail) Bro Reports ::
* Reading a Bro Report ::
@end menu
@node Starting Bro
@section Starting Bro
@cindex starting Bro
@cindex bro.rc
Bro is automatically started at boot time via the @command{bro.rc}
script,
( located in /usr/local/bro/etc and /usr/local/etc/rc.d on FreeBSD or
/usr/init.d on Linux )
To run this script by hand, type:
@example
bro.rc start
@end example
or
@example
bro.rc checkpoint
@end example
or
@example
bro.rc stop
@end example
Use @code{checkpoint} to restart Bro, loading a new policy file.
To get feel for what Bro logs will look like on your traffic, do the following:
Generate some "offline" data to play with:
@example
# tcpdump -s 0 -w trace.out
@end example
Kill off the tcpdump after capturing traffic for a few minutes (use ctrl-C),
then to run Bro against this captured trace file:
@example
# setenv BROHOME /usr/local/bro
# setenv BROPATH $BROHOME/site:$BROHOME/policy
# bro -r trace.out hostname.bro
@end example
@node Bro Scripts
@section Bro Scripts
@cindex bro_generate_report
@cindex bro_log_compress
@cindex check_disk
@cindex managing disk space
Installing Bro automatically creates the following @command{cron} jobs,
which are
automatically run on a specified interval.
@itemize
@item @command{site-report.pl}: generates an email report of all alarms
and alerts
@item @command{mail_reports.sh}: send email reports
@end itemize
These scripts can also all be run by hand at any time.
Bro log files can get quick large, and it is important to make sure that
the Bro disk
does not fill up. Bro includes some simple scripts to help manage disk
space. Most
sites will want to customize these for their own requirements, and
integrate them into their
backup system to make sure files are not removed before they are
archived.
@itemize
@item @command{check_disk.sh}: check for low disk space, and send email
@item @command{bro_log_compress.sh}: removes/compresses old log files
@end itemize
These scripts can be customized by editing their settings in
@code{$BROHOME/etc/bro.cfg}.
The settings are as follows:
@itemize
@item @command{check_disk.sh}:
@itemize
@item @command{diskspace_pct}: when disk is >= this percent full, send
email
@item @command{diskspace_watcher}: list of email addresses to send mail
to
@end itemize
@end itemize
@itemize
@item @command{bro_log_compress.sh}:
@itemize
@item @command{Days2deletion}: remove files more than this many days old
(default = 60)
@item @command{Days2compression}: compress files more than this many days
old (default = 30)
@end itemize
@end itemize
@node Sending (E-mail) Bro Reports
@section Sending (E-mail) Bro Reports
@cindex e-mail reports
@cindex internal report
@cindex external report
A daily 'internal' report is created that covers three sets of
information:
@itemize
@item Incident information
@item Operational status of Bro
@item General network traffic information
@end itemize
If the local organization is asked to report incidents to another
incident analysis organization (i.e. CERT, CIAC, FedCIRC, etc.) an
auxiliary 'external' report can be created that only contains the
incident information. These reports are stored in $BRODIR/reports.
The two reports will be mailed to the e-mail addresses specified during
Bro installation. These e-mail addresses can be changed by re-running
the bro_config script or by editing $BROHOME/etc/bro.cfg directly. Each
report has it's own set of e-mail addresses. If it is desired to send
the auxiliary report directly to the external incident analysis
organization without inspection, enter their e-mail address directly.
Otherwise, have the external e-mail sent to someone who can inspect and
forward it appropriately.
@node Reading a Bro Report
@section Reading a Bro Report
@cindex incident
@cindex incident type
@cindex report period
@cindex alarm
@cindex connection, successful
@cindex connection, unsuccessful
@cindex connection, history
@cindex scans
@cindex system statistics
@cindex traffic statistics
The report is divided into three parts, the summary, incidents, and
scans. The summary includes a rollup of incident information, Bro
operational statistics, and network information. The incidents section
has details for each Bro alarm. The scans section gives details about
scans that Bro detected.
@subsection Parts of a Report
@subsubheading Summary
@quotation
@strong{Report Period:} The beginning and ending date/times that define
the window of network data used to produce the report.
@*@*
@strong{Incident Count:} The number of each type of incident that are
detailed in the report period
@*@*
@strong{System Statistics:} Operating system statistics that give some
idea of the 'health' of Bro's operation.
@*@*
@strong{Traffic Statistics:} Statistics gathered by Bro that may or may
not have significant value in evaluating intrusions, but are useful in
understanding the network environment.
@end quotation
@subsubheading Incidents
@quotation
@strong{Incident:} Each incident generated by the Bro installation is
assigned a unique identification number. This number is unique for all
incidents, not just to the daily report.
@*@*
@strong{Incident Type:} Bro can detect attacks, but cannot make a
definitive judgment if an attack is successful without further
investigation and/or knowledge of the unique network environment. Bro
uses an expert knowledge algorithm to make a determination if an incident
is 'Likely Successful', 'Unknown' (not enough information to make a
guess), or 'Likely Unsuccessful'.
@*@*
@strong{Local Host:} The local computer involved in the incident; usually
the victim.
@*@*
@strong{Remote Host:} The remote computer involved in the incident;
usually the attacker.
@*@*
@strong{Alarm(s}:) The network event(s) that Bro detected and identified
as probable attacks.
@*@*
@strong{Successful Connections:} Connections where one host initiates a
network request and the other host participates in the subsequent
requested transactions.
@*@*
@strong{Unsuccessful Connections:} Connections where one host initiates a
network request and the other host refuses the request.
@*@*
@strong{Unknown Connections:} Connections where one host initiated a
network request, but it is unclear if the other host participated in a
successful transaction.
@*@*
@strong{Connections History:} A summary tabulation of successful and
unsuccessful connections made in specific time periods. The tabulations
are accumulative. That is, the connections counted under 3 days will
also be counted in each subsequent column.
@end quotation
@subsubheading Scans
Scans are repetitive (similar) probes, searching several victim hosts for
vulnerabilities. The scan section gives the attack host instigating the
scan, the date/time of the scan, and the ports that were probed.
@subsection Example Report:
@example
@verbatim
Bro Report Organization Name
=========================================================================
Summary July 28, 2004 17:01 to July 29, 2004 17:00
=========================================================================
Incident Likely Successful 1
Summary Unknown 0
Likely Unsuccessful 0
Scans 10
System Bro disk space: <% at time of report generation>
Statistics Bro Process cpu: <time>
Bro restarts: <date/time>
System reboots: <date/time>
Traffic Number of packets: <count>
Statistics Number of valid packets: <count> <% of total>
Protocol summary
Http: <count> <% of total>
SSH : <count> <% of total>
SMTP: <count> <% of total>
Etc.
Average bandwidth:
Peak bandwidth:
=========================================================================
Incident Details
legend for connection type
> connection initiated by remote host
< connection initiated by local host
# number corresponds to alarm triggered by the connection
* successful connection, otherwise unsuccessful
=========================================================================
Incident ORGCODE-000002 LIKELY SUCCESSFUL
---------------------
Remote Host: 84.136.138.21 p54877614.dip.hacker.net
Local Host: 124.333.183.162 pooroljoe.dhcp.org.com
Alarm(s) 1 MS-SQL xp_cmdshell - program execution
Jul 29 12:43 84.135.118.20 -> 128.3.183.62
2 TFTP Get Runtime.exe
Jul 29 12:43 128.3.183.62 -> 84.135.118.20
Connections (only first 25 after alarm are listed)
-----------
time byte remote local byte
date time duration transfer port type port transfer protocol
----- -------- -------- --------- ----- ---- ------ --------- ----------
07/29 12:43:31 ? 566 b 4634 1 > 1433 467 b tcp/MSSQL
07/29 12:43:31 0 ? 2318 2 < 69 20 b udp/tftp
07/29 12:43:32 265.7 4 b 4638 * < 2318 3.0kb udp
07/29 12:48:56 ? ? 4640 > 2362 ? tcp
07/29 12:50:05 ? 11.4kb 4639 * < 3333 8.6kb tcp
07/29 12:53:00 0 ? 4684 * > 2362 ? tcp
07/29 12:53:07 ? ? 4685 * > 2362 ? tcp
07/29 12:53:59 ? ? 4689 * > 2362 ? tcp
07/29 12:54:14 6.1 0 4693 * < 2380 94.2kb tcp
07/29 12:54:21 .5 50 b 4694 > 2381 0 tcp
07/29 12:54:23 .7 ? 4695 < 2382 0 tcp
07/29 12:54:25 .5 51 b 4696 * > 2383 0 tcp
07/29 12:54:27 .5 61 b 4697 * > 2384 0 tcp
07/29 12:54:28 .7 39 b 4698 > 2385 0 tcp
07/29 12:54:31 .5 41 b 4699 * > 2386 0 tcp
07/29 12:54:33 1.2 4.9 kb 4700 > 2387 0 tcp
07/29 12:54:35 12.8 195.0 kb 4701 * < 2388 0 tcp
07/29 12:54:53 .2 ? 4703 < 2390 0 tcp
07/29 12:54:54 .5 37 b 4704 > 2391 0 tcp
07/29 12:54:56 3.4 23 b 4705 * > 2392 0 tcp
07/29 12:55:04 21.4 308.7 kb 4706 > 2393 0 tcp
07/29 12:55:27 50.7 ? 4707 > 2394 ? tcp
07/29 12:59:23 ? ? 4775 > 1433 ? tcp
07/29 12:59:25 ? ? 4774 * > 3333 ? tcp
Remote Host Connection History (all successful/unsuccessful to site)
24 hrs | 3 days | 7 days | 30 days
-------------------------------------------------------------------------
14/10 | 0/0 | 0/0 | 0/0
-------------------------------------------------------------------------
Total since remote host first seen on 07/29/04: 14/10
=========================================================================
Scans
=======================================================================
==
Date Dropped Host Port Scanned
-------------------------------------------------------------------------
Jul 29 13:14 n219077002119.netvigator.com (3128/tcp)
Jul 29 13:23 node1.lbnl.nodes.planet-lab.org (49702/tcp)
Jul 29 13:30 213-145-189-50.dd.nextgentel.com (4899/tcp)
Jul 29 13:32 211.55.52.67 (1034/tcp)
Jul 29 13:52 user-69-1-11-116.knology.net (3128/tcp)
*************************************************************************
@end verbatim
@end example
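Review bot: if the 'Reading a Bro Report' material is rewritten elsewhere, the example report must not be copied as-is. The Local Host line uses 124.333.183.162, which is not a valid IPv4 address (octet 333); the addresses in the Alarm lines (84.135.118.20 and 128.3.183.62) do not match the Remote Host / Local Host header (84.136.138.21 and 124.333.183.162); and the Scans table carries what look like real third-party hostnames. Sample output in documentation should use documentation address ranges and clearly fictitious names. Separately, the 'Starting Bro' section uses csh setenv syntax for BROHOME and BROPATH and points at /usr/init.d on Linux rather than the conventional /etc/init.d, both of which are stale.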


@ -1,29 +0,0 @@
prefix = @prefix@
bro_dir = ${prefix}/bro
EXTRA_DIST = README.txt bro.css bro-deployment.pdf \
bro-deployment.png Bro-installation.texi \
Bro-overview.texi Bro-quick-start.pdf \
Bro-quick-start.texi Bro-requirements.texi \
Bro-running.texi Bro-quick-start
clean-local: doc-clean
doc: html pdf
pdf:
texi2dvi -s --clean --pdf Bro-quick-start.texi
html:
@rm -rf Bro-quick-start
makeinfo --css-include=bro.css --html Bro-quick-start.texi
@cp *.png Bro-quick-start
doc-clean:
@echo "cleaning Quick Start Guide"
@rm -f *.log Bro-quick-start/*
doc-distclean: clean
@rm Makefile
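Review bot: moot once the file is gone, but for the record: doc-distclean runs `@rm Makefile` without -f, so invoking it twice fails, and it depends on `clean`, which is not defined here (only clean-local and doc-clean are), so its behaviour relied on automake's generated rules. The file is an autoconf template (@prefix@ substitution, EXTRA_DIST) and has nothing to offer a build that no longer generates Makefiles from it.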


@ -1,8 +0,0 @@
to generate html:
makeinfo --css-include=bro.css --html Bro-quick-start.texi
to generate PDF:
texi2dvi --clean --pdf Bro-quick-start.texi
