enabling dpd results in run-time error

Hi All,

running bro-1.2.1 under CentOS 5.0.

I'm attempting to enable dpd via brolite.bro. When I change the:
const use_dpd = F;
to
const use_dpd = T;

bro fails to start with the following errors:

/usr/local/bro/policy/http-request.bro, line 34: run-time error: error
compiling pattern
/((((((((((((((((((((^?.*(etc\/(passwd|shadow|netconfig)))|(^?.*(IFS[
\t]*=)))|(^?.*(nph-test-cgi\?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order\.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader\.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk\.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd\.(tar|tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyceum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))|(^?.*(invader\.(tar|tgz).*))/
/usr/local/bro/policy/http-request.bro, line 42: run-time error: error
compiling pattern
/((^?.*(.*\/c\+dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/
/usr/local/bro/policy/http-request.bro, line 48: run-time error: error
compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))/
/usr/local/bro/policy/http-request.bro, line 50: run-time error: error
compiling pattern /^?.*(wwwroot|WWWROOT)/
/usr/local/bro/policy/http-reply.bro, line 111: run-time error: error
compiling pattern /^?.*(^ )/
/usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error
compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
/usr/local/bro/policy/ftp.bro, line 43: run-time error: error compiling
pattern
/((((((((((((((((((((((^?.*(.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)))|(^?.*(.*snoop\.(tar|tgz).*)))|(^?.*(.*bnc\.(tar|tgz).*)))|(^?.*(.*datapipe.*)))|(^?.*(.*ADMw0rm.*)))|(^?.*(.*newnick.*)))|(^?.*(.*sniffit.*)))|(^?.*(.*neet\.(tar|tgz).*)))|(^?.*(.*\.\.\..*)))|(^?.*(.*ftpscan.txt.*)))|(^?.*(.*jcc.pdf.*)))|(^?.*(.*\.[Ff]rom.*)))|(^?.*(.*sshd\.(tar|tgz).*)))|(^?.*(.*\/rk7.*)))|(^?.*(.*rk7\..*)))|(^?.*(.*[aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(.*[tT][aA][gG][gG][eE][dD].*)))|(^?.*(.*shv4\.(tar|tgz).*)))|(^?.*(.*lrk\.(tar|tgz).*)))|(^?.*(.*lyceum\.(tar|tgz).*)))|(^?.*(.*maxty\.(tar|tgz).*)))|(^?.*(.*rootII\.(tar|tgz).*)))|(^?.*(.*invader\.(tar|tgz).*))/
/usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling
pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/
/usr/local/bro/policy/ftp.bro, line 51: run-time error: error compiling
pattern /^?.*([Ee][Xx][Ee][Cc].*)/
/usr/local/bro/policy/ftp.bro, line 63: run-time error: error compiling
pattern /^?.*(,0,0)/
/usr/local/bro/policy/ftp.bro, line 154: run-time error: error compiling
pattern /^?.*((\/|[A-Za-z]:[\\\/]).*)/
/usr/local/bro/policy/ftp.bro, line 349: run-time error: error compiling
pattern /^?.*([\x00-\x7f])/
/usr/local/bro/policy/ftp.bro, line 462: run-time error: error compiling
pattern /^?.*([Ee][Xx][Ee][Cc])/
/usr/local/bro/policy/ftp.bro, line 527: run-time error: error compiling
pattern /^?.*(\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\")/
/usr/local/bro/policy/ftp.bro, line 545: run-time error: error compiling
pattern /^?.*(((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+))/
/usr/local/bro/policy/ftp.bro, line 555: run-time error: error compiling
pattern /^?.*((\/){2,})/
/usr/local/bro/policy/ftp.bro, line 700: run-time error: error compiling
pattern /^?.*([\x80-\xff]{3})/
/usr/local/bro/policy/ftp.bro, line 735: run-time error: error compiling
pattern /^?.*(USER|PASS|ACCT)/
/usr/local/bro/policy/portmapper.bro, line 310: run-time error: error
compiling pattern /^?.*(^\[)/
/usr/local/bro/policy/portmapper.bro, line 311: run-time error: error
compiling pattern /^?.*(\]$)/
/usr/local/bro/policy/login.bro, line 66: run-time error: error compiling
pattern
/((((((((((((((((((((((((((((((((^?.*(rewt))|(^?.*(eggdrop)))|(^?.*(\/bin\/eject)))|(^?.*(oir##t)))|(^?.*(ereeto)))|(^?.*((shell|xploit)_?code)))|(^?.*(execshell)))|(^?.*(ff\.core)))|(^?.*(unset[
\t]+(histfile|history|HISTFILE|HISTORY))))|(^?.*(neet\.tar)))|(^?.*(r0kk0)))|(^?.*(su[
\t]+(daemon|news|adm))))|(^?.*(\.\/clean)))|(^?.*(rm[ \t]+-rf[
\t]+secure)))|(^?.*(cd[
\t]+\/dev\/[a-zA-Z]{3})))|(^?.*(solsparc_lpset)))|(^?.*(\.\/[a-z]+[
\t]+passwd)))|(^?.*(\.\/bnc)))|(^?.*(bnc\.conf)))|(^?.*(\"\/bin\/ksh\")))|(^?.*(LAST
STAGE OF DELIRIUM)))|(^?.*(SNMPXDMID_PROG)))|(^?.*(snmpXdmid for
solaris)))|(^?.*(\"\/bin\/uname)))|(^?.*(gcc[
\t]+1\.c)))|(^?.*(>\/etc\/passwd)))|(^?.*(lynx[ \t]+-source[
\t]+.*(packetstorm|shellcode|linux|sparc))))|(^?.*(gcc.*\/bin\/login)))|(^?.*(#define
NOP.*0x)))|(^?.*(printf\(\"overflowing)))|(^?.*(exec[a-z]*\(\"\/usr\/openwin)))|(^?.*(perl[
\t]+.*x.*[0-9][0-9][0-9][0-9])))|(^?.*(ping.*-s.*%d))/
/usr/local/bro/policy/login.bro, line 72: run-time error: error compiling
pattern /^?.*([ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[
\t]+((['"]?\.\.\.)|(["'](\.*)[ \t])))/
/usr/local/bro/policy/login.bro, line 75: run-time error: error compiling
pattern /^?.*(No such file or directory)/

Any ideas why? I've searched the lists and Google but nothing is coming up.
Also, checked the configure.log to see if perhaps I missed something
there.

Cheers,
Harry
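
A triage aid for output like the above, as an added example that is not part of the original thread or of Bro itself: it rejoins the mail-wrapped error lines, counts failures per policy script, and checks whether every rejected pattern starts with the same `^?.*(` wrapper, which would suggest a global pattern-compilation problem rather than one bad regex. The sample is constructed from four of the errors in the post; the function names are hypothetical.

```python
import os
import re
from collections import Counter

# Constructed sample: four errors in the shape shown in the post, with the
# mail client's hard line wraps left in place.
SAMPLE = r"""
/usr/local/bro/policy/http-request.bro, line 50: run-time error: error
compiling pattern /^?.*(wwwroot|WWWROOT)/
/usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling
pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/
/usr/local/bro/policy/ftp.bro, line 63: run-time error: error compiling
pattern /^?.*(,0,0)/
/usr/local/bro/policy/login.bro, line 72: run-time error: error compiling
pattern /^?.*([ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[
\t]+((['"]?\.\.\.)|(["'](\.*)[ \t])))/
"""

RECORD_START = re.compile(r"^/\S+\.bro, line \d+:")
RECORD = re.compile(
    r"^(?P<script>/\S+\.bro), line (?P<line>\d+): run-time error: "
    r"error compiling pattern (?P<pattern>/.*/)$"
)

def parse_errors(text):
    """Rejoin wrapped lines and return (script, line, pattern) tuples."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if RECORD_START.match(raw):
            records.append(raw.strip())
        elif records:
            # The wraps in the post fall where a space was, so rejoin with one.
            records[-1] += " " + raw.strip()
    matches = (RECORD.match(rec) for rec in records)
    return [(m["script"], int(m["line"]), m["pattern"]) for m in matches if m]

def per_script(errors):
    """Count failing patterns per policy script (by file name)."""
    return Counter(os.path.basename(script) for script, _, _ in errors)

def all_share_wrapper(errors, wrapper="^?.*("):
    """True if every pattern, minus leading '/' and '(', starts with wrapper."""
    return all(p.lstrip("/(").startswith(wrapper) for _, _, p in errors)

if __name__ == "__main__":
    errs = parse_errors(SAMPLE)
    for script, count in per_script(errs).most_common():
        print(f"{script}: {count}")
    print("same wrapper on every pattern:", all_share_wrapper(errs))
```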

Try the following:

cd /usr/local/bro
cp policy/sigs/dpd.sig site/dpd.sig

Bill Jones

From: bro-bounces@ICSI.Berkeley.EDU [mailto:bro-bounces@ICSI.Berkeley.EDU] On Behalf Of Harry Hoffman
Sent: Wednesday, May 09, 2007 3:20 PM
To: bro@ICSI.Berkeley.EDU
Subject: [Bro] enabling dpd results in run-time error
