Bro signatures parse error?

Hi all,

I compiled Bro 0.8a34 & 0.8a20 on a FreeBSD 4.5 box. When I launch Bro with the shipped signatures, I get a parse error. Has anyone else encountered the same problem?

for the 0.8a34 package:
[root@ /root/source/bro-pub-0.8a34]> uname -a
FreeBSD FreeBSD_4_5 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002 murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC i386
[root@ /root/source/bro-pub-0.8a34]> ls *.bro
sig.ex.ssl-worm.bro sig.ex.web-rules.bro
[root@ /root/source/bro-pub-0.8a34]> ./bro -F -i lnc0 -s sig.ex.web-rules.bro -S mt
Error in signature (sig.ex.web-rules.bro:8): parse error
[root@ /root/source/bro-pub-0.8a34]> ./bro -F -i lnc0 -s sig.ex.ssl-worm.bro -S mt
Error in signature (sig.ex.ssl-worm.bro:10): parse error

for the 0.8a20 package, sig.ex.web-rules.bro can be correctly handled, but sig.ex.ssl-worm.bro also has a parse error:
[root@ /root/source/bro-pub-0.8a34]> cd ../bro-pub-0.8a20
[root@ /root/source/bro-pub-0.8a20]> ./bro -F -i lnc0 -s sig.ex.web-rules.bro mt
listening on lnc0
^C1063411972.838423 received termination signal
14 packets received on interface lnc0, 0 dropped
1063411972.663260 ? telnet ? 19 192.168.7.133 192.168.7.10 OTH X
[root@ /root/source/bro-pub-0.8a20]> ./bro -F -i lnc0 -s sig.ex.ssl-worm.bro -S mt
Error in rule (line 11): unknown identifier
Error in rule (line 19): unknown identifier
Error in rule (line 27): unknown identifier

I also compiled Bro on a RedHat 7.1 box and got the same error. Any hints or suggestions are welcome!

best regards
Wang

Some of the keywords have been renamed in newer versions, and I
forgot to adapt the examples. The attached patch should fix
the problems (note that for sig.ex.ssl-worm.bro you need to load
policy/ssl-worm.bro, too).

Robin

example.diff (165 KB)

Thanks for your great help! The patched signatures can now be handled
correctly. There is still a minor problem: when I launch Bro with the -S
option, Bro core dumps; it seems to be a problem in the code that prints debug
information.

[root@ /usr/local/sbin]> ./bro -s sig.ex.web-rules.bro -S -i lnc0 mt
    .
    .
    .
   snip
    .
    .
    .
Rule sid-1665 (638)
        HTTP |.*[\/\\][mM][kK][iI][lL][oO][gG]\.[eE][xX][eE]| (719)
        RuleHdrTest ip[9:1] == 0x00000006/0xffffffff
        RuleHdrTest ip[12:4] != 0x80030000/0xffff0000 0x83f30000/0xffff0000
        RuleHdrTest ip[16:4] == 0x80030000/0xffff0000 0x83f30000/0xffff0000
        RuleHdrTest tcp[2:2] == 0x00000050/0xffffffff
        RuleConditionTCPState: 0x3
        RuleActionEvent: |WEB-MISC mkilog.exe access|

ssl-worm.bro.diff (737 Bytes)
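To make the RuleHdrTest lines in the debug dump above concrete, here is an added Python example (not Bro's own code) that evaluates the four header tests of rule sid-1665 against a constructed IPv4/TCP header. It assumes that ip[off:len] and tcp[off:len] index bytes into the respective header, that each value/mask pair is checked as (field & mask) == value with several pairs OR-ed together, and that the source/destination test values decode to 128.3.0.0/16 and 131.243.0.0/16; the payload regex and the TCP-state condition of the rule are not covered.

```python
import re
import struct

# The four RuleHdrTest lines printed for sid-1665 in the dump above.
SID_1665_HDR_TESTS = [
    "RuleHdrTest ip[9:1] == 0x00000006/0xffffffff",
    "RuleHdrTest ip[12:4] != 0x80030000/0xffff0000 0x83f30000/0xffff0000",
    "RuleHdrTest ip[16:4] == 0x80030000/0xffff0000 0x83f30000/0xffff0000",
    "RuleHdrTest tcp[2:2] == 0x00000050/0xffffffff",
]

HDR_RE = re.compile(r"RuleHdrTest\s+(ip|tcp)\[(\d+):(\d+)\]\s+(==|!=)\s+(.*)")


def build_packet(src, dst, dport, proto=6):
    """Constructed test input: a minimal 20-byte IPv4 header plus a
    20-byte TCP header (no options, no payload)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", 12345, dport, 0, 0, 0x50, 0x02,
                          8192, 0, 0)
    return ip_hdr, tcp_hdr


def hdr_test_matches(line, ip_hdr, tcp_hdr):
    """Evaluate one 'RuleHdrTest proto[off:len] op value/mask ...' line.
    Assumption: '==' succeeds if any value/mask pair matches the masked
    field, '!=' succeeds if none does."""
    m = HDR_RE.match(line.strip())
    if not m:
        raise ValueError("not a RuleHdrTest line: %r" % line)
    proto, off, length, op, rest = m.groups()
    off, length = int(off), int(length)
    hdr = ip_hdr if proto == "ip" else tcp_hdr
    field = int.from_bytes(hdr[off:off + length], "big")
    pairs = [tuple(int(x, 16) for x in tok.split("/")) for tok in rest.split()]
    any_match = any((field & mask) == val for val, mask in pairs)
    return any_match if op == "==" else not any_match


def rule_matches(hdr_tests, ip_hdr, tcp_hdr):
    """All header tests of a rule must hold for the packet to be a candidate."""
    return all(hdr_test_matches(t, ip_hdr, tcp_hdr) for t in hdr_tests)


if __name__ == "__main__":
    ip, tcp = build_packet("192.168.7.133", "128.3.1.2", 80)
    print("external -> local:80 matches:", rule_matches(SID_1665_HDR_TESTS, ip, tcp))
```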

> option, Bro core dumps, it seems a problem in the code of printing debug
> information.

I cannot reproduce this here. Could you send me a stack backtrace
generated from the core dump?

> ssl-worm.bro also needs a little modification to work; attached is the
> patch for the 0.8a34 package

Thanks!

Robin

[root@ /usr/local/sbin]> gdb -c bro.core -s bro
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `bro'.
Program terminated with signal 11, Segmentation fault.
#0 0x282aa022 in ?? ()
(gdb) bt
#0 0x282aa022 in ?? ()
#1 0x282a8e1d in ?? ()
#2 0x282a915a in ?? ()
#3 0x282a8d59 in ?? ()
#4 0x80e6999 in RuleMatcher::PrintTreeDebug ()
#5 0x80e693e in RuleMatcher::PrintDebug ()
#6 0x804c6df in main ()
#7 0x804b211 in _start ()
(gdb) i f 4
Stack frame at 0xbfbff8c0:
eip = 0x80e6999 in RuleMatcher::PrintTreeDebug(RuleHdrTest *); saved eip 0x80e693e
Cannot access memory at address 0x80e6948.
(gdb) i f 3
Stack frame at 0xbfbff880:
eip = 0x282a8d59; saved eip 0x80e6999
called by frame at 0xbfbff8c0, caller of frame at 0xbfbff850
Arglist at 0xbfbff880, args:
Locals at 0xbfbff880, Previous frame's sp is 0x0
Saved registers:
  ebp at 0xbfbff880, eip at 0xbfbff884
(gdb) i f 2
Stack frame at 0xbfbff850:
eip = 0x282a915a; saved eip 0x282a8d59
called by frame at 0xbfbff880, caller of frame at 0xbfbff5e0
Arglist at 0xbfbff850, args:
Locals at 0xbfbff850, Previous frame's sp is 0x0
Saved registers:
  ebp at 0xbfbff850, eip at 0xbfbff854
(gdb) i r
eax 0x0 0
ecx 0xffffffff -1
edx 0x282a9f74 673881972
ebx 0x282bc664 673957476
esp 0xbfbfeef8 0xbfbfeef8
ebp 0xbfbff150 0xbfbff150
esi 0x1 1
edi 0x9fd 2557
eip 0x282aa022 0x282aa022
eflags 0x286 646
cs 0x1f 31
ss 0x2f 47
ds 0x2f 47
es 0x2f 47
fs 0x2f 47
gs 0x2f 47

It seems the stack has been corrupted.

I tried the latest 0.8a37 package; it does not have this problem.

This is interesting as there isn't any change in the signature code.
So, it may be worth a look nevertheless.

Robin