(no subject)

Hi

I am trying to start up Bro on Ubuntu, but when I execute /usr/local/bro/etc/bro.rc --start, I receive the following output with a lot of errors. I don't know where and how I can resolve them. Can anybody help me, please?

Thanks

root@client-honeypot:/usr/local/src/Bro-ids/bro-1.2.1# /usr/local/bro/etc/bro.rc --start
bro.rc: Running as non-root user ddjimenez
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com
/usr/local/bro/policy/http-request.bro, line 34: run-time error: error compiling pattern /((((((((((((((((((((^?.*(etc\/(passwd|shadow|netconfig)))|(^?.*(IFS[ \t]*=)))|(^?.*(nph-test-cgi\?)))|(^?.*((%0a|\.\.)\/(bin|etc|usr|tmp))))|(^?.*(\/Admin_files\/order\.log)))|(^?.*(\/carbo\.dll)))|(^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))))|(^?.*(\/cgi-dos\/args\.bat)))|(^?.*(\/cgi-win\/uploader\.exe)))|(^?.*(\/search97\.vts)))|(^?.*(tk\.tgz)))|(^?.*(ownz)))|(^?.*(viewtopic\.php.*%.*\(.*\()))|(^?.*(sshd\.(tar|tgz).*)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(shv4\.(tar|tgz).*)))|(^?.*(lrk\.(tar|tgz).*)))|(^?.*(lyceum\.(tar|tgz).*)))|(^?.*(maxty\.(tar|tgz).*)))|(^?.*(rootII\.(tar|tgz).*)))|(^?.*(invader\.(tar|tgz).*))/
/usr/local/bro/policy/http-request.bro, line 42: run-time error: error compiling pattern /((^?.*(.*\/c\+dir))|(^?.*(.*cool.dll.*)))|(^?.*(.*Admin.dll.*Admin.dll.*))/
/usr/local/bro/policy/http-request.bro, line 48: run-time error: error compiling pattern /^?.*(\/cgi-bin\/(phf|php\.cgi|test-cgi))/
/usr/local/bro/policy/http-request.bro, line 50: run-time error: error compiling pattern /^?.*(wwwroot|WWWROOT)/
/usr/local/bro/policy/http-reply.bro, line 111: run-time error: error compiling pattern /^?.*(^ )/
/usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
/usr/local/bro/policy/ftp.bro, line 43: run-time error: error compiling pattern /((((((((((((((((((((((^?.*(.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)))|(^?.*(.*snoop\.(tar|tgz).*)))|(^?.*(.*bnc\.(tar|tgz).*)))|(^?.*(.*datapipe.*)))|(^?.*(.*ADMw0rm.*)))|(^?.*(.*newnick.*)))|(^?.*(.*sniffit.*)))|(^?.*(.*neet\.(tar|tgz).*)))|(^?.*(.*\.\.\..*)))|(^?.*(.*ftpscan.txt.*)))|(^?.*(.*jcc.pdf.*)))|(^?.*(.*\.[Ff]rom.*)))|(^?.*(.*sshd\.(tar|tgz).*)))|(^?.*(.*\/rk7.*)))|(^?.*(.*rk7\..*)))|(^?.*(.*[aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(.*[tT][aA][gG][gG][eE][dD].*)))|(^?.*(.*shv4\.(tar|tgz).*)))|(^?.*(.*lrk\.(tar|tgz).*)))|(^?.*(.*lyceum\.(tar|tgz).*)))|(^?.*(.*maxty\.(tar|tgz).*)))|(^?.*(.*rootII\.(tar|tgz).*)))|(^?.*(.*invader\.(tar|tgz).*))/
/usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/
/usr/local/bro/policy/ftp.bro, line 51: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc].*)/
/usr/local/bro/policy/ftp.bro, line 63: run-time error: error compiling pattern /^?.*(,0,0)/
/usr/local/bro/policy/ftp.bro, line 154: run-time error: error compiling pattern /^?.*((\/|[A-Za-z]:[\\\/]).*)/
/usr/local/bro/policy/ftp.bro, line 349: run-time error: error compiling pattern /^?.*([\x00-\x7f])/
/usr/local/bro/policy/ftp.bro, line 462: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc])/
/usr/local/bro/policy/ftp.bro, line 527: run-time error: error compiling pattern /^?.*(\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\")/
/usr/local/bro/policy/ftp.bro, line 545: run-time error: error compiling pattern /^?.*(((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+))/
/usr/local/bro/policy/ftp.bro, line 555: run-time error: error compiling pattern /^?.*((\/){2,})/
/usr/local/bro/policy/ftp.bro, line 700: run-time error: error compiling pattern /^?.*([\x80-\xff]{3})/
/usr/local/bro/policy/ftp.bro, line 735: run-time error: error compiling pattern /^?.*(USER|PASS|ACCT)/
/usr/local/bro/policy/portmapper.bro, line 310: run-time error: error compiling pattern /^?.*(^\[)/
/usr/local/bro/policy/portmapper.bro, line 311: run-time error: error compiling pattern /^?.*(\]$)/
/usr/local/bro/policy/login.bro, line 66: run-time error: error compiling pattern /((((((((((((((((((((((((((((((((^?.*(rewt))|(^?.*(eggdrop)))|(^?.*(\/bin\/eject)))|(^?.*(oir##t)))|(^?.*(ereeto)))|(^?.*((shell|xploit)_?code)))|(^?.*(execshell)))|(^?.*(ff\.core)))|(^?.*(unset[ \t]+(histfile|history|HISTFILE|HISTORY))))|(^?.*(neet\.tar)))|(^?.*(r0kk0)))|(^?.*(su[ \t]+(daemon|news|adm))))|(^?.*(\.\/clean)))|(^?.*(rm[ \t]+-rf[ \t]+secure)))|(^?.*(cd[ \t]+\/dev\/[a-zA-Z]{3})))|(^?.*(solsparc_lpset)))|(^?.*(\.\/[a-z]+[ \t]+passwd)))|(^?.*(\.\/bnc)))|(^?.*(bnc\.conf)))|(^?.*(\"\/bin\/ksh\")))|(^?.*(LAST STAGE OF DELIRIUM)))|(^?.*(SNMPXDMID_PROG)))|(^?.*(snmpXdmid for solaris)))|(^?.*(\"\/bin\/uname)))|(^?.*(gcc[ \t]+1\.c)))|(^?.*(>\/etc\/passwd)))|(^?.*(lynx[ \t]+-source[ \t]+.*(packetstorm|shellcode|linux|sparc))))|(^?.*(gcc.*\/bin\/login)))|(^?.*(#define NOP.*0x)))|(^?.*(printf\(\"overflowing)))|(^?.*(exec[a-z]*\(\"\/usr\/openwin)))|(^?.*(perl[ \t]+.*x.*[0-9][0-9][0-9][0-9])))|(^?.*(ping.*-s.*%d))/
/usr/local/bro/policy/login.bro, line 72: run-time error: error compiling pattern /^?.*([ \t]*(cd|pushd|more|less|cat|vi|emacs|pine)[ \t]+((['"]?\.\.\.)|(["'](\.*)[ \t])))/
/usr/local/bro/policy/login.bro, line 75: run-time error: error compiling pattern /^?.*(No such file or directory)/
/usr/local/bro/policy/login.bro, line 84: run-time error: error compiling pattern /^?.*(.*loadmodule.*)/
/usr/local/bro/policy/login.bro, line 138: run-time error: error compiling pattern /(((((((((((((((((((((((((((((((((((((((((((((((((^?.*(^-r.s.*root.*\/bin\/(sh|csh|tcsh)))|(^?.*(Jumping to address)))|(^?.*(Jumping Address)))|(^?.*(smashdu\.c)))|(^?.*(PATH_UTMP)))|(^?.*(Log started at =)))|(^?.*(www\.anticode\.com)))|(^?.*(www\.uberhax0r\.net)))|(^?.*(smurf\.c by TFreak)))|(^?.*(Super Linux Xploit)))|(^?.*(^# \[root@)))|(^?.*(^-r.s.*root.*\/bin\/(time|sh|csh|tcsh|bash|ksh))))|(^?.*(invisibleX)))|(^?.*(PATH_(UTMP|WTMP|LASTLOG))))|(^?.*([0-9]{5,} bytes from)))|(^?.*((PATH|STAT):\ .*=>)))|(^?.*(----- \[(FIN|RST|DATA LIMIT|Timed Out)\])))|(^?.*(IDLE TIMEOUT)))|(^?.*(DATA LIMIT)))|(^?.*(-- TCP\/IP LOG --)))|(^?.*(STAT: (FIN|TIMED_OUT) )))|(^?.*((shell|xploit)_code)))|(^?.*(execshell)))|(^?.*(x86_bsd_compaexec)))|(^?.*(\\xbf\\xee\\xee\\xee\\x08\\xb8)))|(^?.*(Coded by James Seter)))|(^?.*(Irc Proxy v)))|(^?.*(Daemon port\.\.\.\.)))|(^?.*(BOT_VERSION)))|(^?.*(NICKCRYPT)))|(^?.*(\/etc\/\.core)))|(^?.*(exec.*\/bin\/newgrp)))|(^?.*(deadcafe)))|(^?.*([ \/]snap\.sh)))|(^?.*(Secure atime,ctime,mtime)))|(^?.*(Can\'t fix checksum)))|(^?.*(Promisc Dectection)))|(^?.*(ADMsn0ofID)))|(^?.*((cd \/; uname -a; pwd; id))))|(^?.*(drw0rm)))|(^?.*([Rr][Ee3][Ww][Tt][Ee3][Dd])))|(^?.*(rpc\.sadmin)))|(^?.*(AbraxaS)))|(^?.*(\[target\])))|(^?.*(ID_SENDSYN)))|(^?.*(ID_DISTROIT)))|(^?.*(by Mixter)))|(^?.*(rap(e?)ing.*using weapons)))|(^?.*(spsiod)))|(^?.*([aA][dD][oO][rR][eE][bB][sS][dD]))/
/usr/local/bro/policy/login.bro, line 141: run-time error: error compiling pattern /^?.*(.*Trojaning in progress.*)/
/usr/local/bro/policy/login.bro, line 147: run-time error: error compiling pattern /((^?.*(^[!-~]*( ?)[#%$] ))|(^?.*(.*no job control)))|(^?.*(WinGate>))/
/usr/local/bro/policy/login.bro, line 149: run-time error: error compiling pattern /^?.*(^ *#.*#)/
/usr/local/bro/policy/login.bro, line 151: run-time error: error compiling pattern /^?.*(VT666|007)/
/usr/local/bro/policy/irc.bro, line 60: run-time error: error compiling pattern /(((^?.*(.*etc\/shadow.*))|(^?.*(.*etc\/ldap.secret.*)))|(^?.*(.*phatbot.*)))|(^?.*(.*botnet.*))/
/usr/local/bro/policy/irc.bro, line 171: run-time error: error compiling pattern /^?.*(.*:$)/
/usr/local/bro/policy/stepping.bro, line 75: run-time error: error compiling pattern /(^?.*(^([Ll]ast +(successful)? *login)))|(^?.*(^Last interactive login))/
/usr/local/bro/policy/stepping.bro, line 78: run-time error: error compiling pattern /^?.*(\001)/
/usr/local/bro/policy/smtp.bro, line 19: run-time error: error compiling pattern /^?.*(.*@.*lbl.gov)/
/usr/local/bro/policy/smtp.bro, line 22: run-time error: error compiling pattern /^?.*(@)/
/usr/local/bro/policy/smtp.bro, line 84: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/
/usr/local/bro/policy/smtp.bro, line 85: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/
/usr/local/bro/policy/smtp.bro, line 86: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 87: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 88: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 267: run-time error: error compiling pattern /^?.*((<|:|>)*)/
/usr/local/bro/policy/smtp.bro, line 281: run-time error: error compiling pattern /^?.*(<( |\t)*)/
/usr/local/bro/policy/smtp.bro, line 292: run-time error: error compiling pattern /^?.*(( |\t)*>)/
/usr/local/bro/policy/smtp.bro, line 303: run-time error: error compiling pattern /^?.*(:)/
/usr/local/bro/policy/notice-policy.bro, line 58: run-time error: error compiling pattern /^?.*(Solaris listen service)/
/usr/local/bro/policy/notice-policy.bro, line 67: run-time error: error compiling pattern /^?.*(.*\.(gif|GIF|png|PNG|jpg|JPG))/
/usr/local/bro/policy/brolite.bro, line 138: run-time error: error compiling pattern /^?.*(.*exe)/
/usr/local/bro/policy/brolite.bro, line 138: run-time error: error compiling pattern /(^?.*(^?(.*exe)$?))|(^?.*((((^?(.*etc\/shadow.*)$?)|(^?(.*etc\/ldap.secret.*)$?))|(^?(.*phatbot.*)$?))|(^?(.*botnet.*)$?)))/
/usr/local/bro/bin/bro: problem with interface eth0 - pcap_open_live: socket: Operation not permitted
... FAILED

Please see if this helps:

       http://www.bro-ids.org/wiki/index.php/"Error_compiling_pattern"

Robin

Thanks for replying to my email.

Well, I did the things from the web page: http://www.bro-ids.org/wiki/index.php/"Error_compiling_pattern"

but I still have problems with Bro. After running these three lines:

  $ cd src/
  $ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}
  $ make

I get the following output:

root@lobito:~/Desktop# bro -r seg190-5-21-19febrero08.tcpdump tcp alarm weird ftp smtp
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com
/usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
/usr/local/bro/policy/ftp.bro, line 43: run-time error: error compiling pattern /((((((((((((((((((((((^?.*(.*(etc\/|master\.)?(passwd|shadow|s?pwd\.db)))|(^?.*(.*snoop\.(tar|tgz).*)))|(^?.*(.*bnc\.(tar|tgz).*)))|(^?.*(.*datapipe.*)))|(^?.*(.*ADMw0rm.*)))|(^?.*(.*newnick.*)))|(^?.*(.*sniffit.*)))|(^?.*(.*neet\.(tar|tgz).*)))|(^?.*(.*\.\.\..*)))|(^?.*(.*ftpscan.txt.*)))|(^?.*(.*jcc.pdf.*)))|(^?.*(.*\.[Ff]rom.*)))|(^?.*(.*sshd\.(tar|tgz).*)))|(^?.*(.*\/rk7.*)))|(^?.*(.*rk7\..*)))|(^?.*(.*[aA][dD][oO][rR][eE][bB][sS][dD].*)))|(^?.*(.*[tT][aA][gG][gG][eE][dD].*)))|(^?.*(.*shv4\.(tar|tgz).*)))|(^?.*(.*lrk\.(tar|tgz).*)))|(^?.*(.*lyceum\.(tar|tgz).*)))|(^?.*(.*maxty\.(tar|tgz).*)))|(^?.*(.*rootII\.(tar|tgz).*)))|(^?.*(.*invader\.(tar|tgz).*))/
/usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/
/usr/local/bro/policy/ftp.bro, line 51: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc].*)/
/usr/local/bro/policy/ftp.bro, line 63: run-time error: error compiling pattern /^?.*(,0,0)/
/usr/local/bro/policy/ftp.bro, line 154: run-time error: error compiling pattern /^?.*((\/|[A-Za-z]:[\\\/]).*)/
/usr/local/bro/policy/ftp.bro, line 349: run-time error: error compiling pattern /^?.*([\x00-\x7f])/
/usr/local/bro/policy/ftp.bro, line 462: run-time error: error compiling pattern /^?.*([Ee][Xx][Ee][Cc])/
/usr/local/bro/policy/ftp.bro, line 527: run-time error: error compiling pattern /^?.*(\"([^\"]|\"\")*(\/|\\)([^\"]|\"\")*\")/
/usr/local/bro/policy/ftp.bro, line 545: run-time error: error compiling pattern /^?.*(((\/)+([^\/]|\\\/)+)?((\/)+\.\.(\/)+))/
/usr/local/bro/policy/ftp.bro, line 555: run-time error: error compiling pattern /^?.*((\/){2,})/
/usr/local/bro/policy/ftp.bro, line 700: run-time error: error compiling pattern /^?.*([\x80-\xff]{3})/
/usr/local/bro/policy/ftp.bro, line 735: run-time error: error compiling pattern /^?.*(USER|PASS|ACCT)/
/usr/local/bro/policy/smtp.bro, line 19: run-time error: error compiling pattern /^?.*(.*@.*lbl.gov)/
/usr/local/bro/policy/smtp.bro, line 22: run-time error: error compiling pattern /^?.*(@)/
/usr/local/bro/policy/smtp.bro, line 84: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/
/usr/local/bro/policy/smtp.bro, line 85: run-time error: error compiling pattern /^?.*(.*<.*@.*:.*>.*)/
/usr/local/bro/policy/smtp.bro, line 86: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 87: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 88: run-time error: error compiling pattern /^?.*(.*)/
/usr/local/bro/policy/smtp.bro, line 267: run-time error: error compiling pattern /^?.*((<|:|>)*)/
/usr/local/bro/policy/smtp.bro, line 281: run-time error: error compiling pattern /^?.*(<( |\t)*)/
/usr/local/bro/policy/smtp.bro, line 292: run-time error: error compiling pattern /^?.*(( |\t)*>)/
/usr/local/bro/policy/smtp.bro, line 303: run-time error: error compiling pattern /^?.*(:)/

Does this error alter the final traffic analysis?
Does this problem create a lot of false positives?
How can I resolve this problem?

Thanks for everything
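
An added example, not part of the thread and not Bro's own code: a small Python script that sorts start-up output in the format quoted above into unresolved-host warnings, pattern-compile errors per policy script, and capture errors, so it is easy to see which scripts report patterns that did not compile. The sample log is constructed (shortened from lines in this thread) and the function name `triage` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the Bro output quoted in this thread
# (a shortened selection, not the poster's full log).
SAMPLE = r"""bro.rc: Running as non-root user ddjimenez
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy/hot-ids.bro, line 15: run-time error: error compiling pattern /^?.*((y[o0]u)(r|ar[e3])([o0]wn.*))/
/usr/local/bro/policy/ftp.bro, line 48: run-time error: error compiling pattern /(^?.*(.*\.rhosts))|(^?.*(.*\.forward))/
/usr/local/bro/policy/ftp.bro, line 735: run-time error: error compiling pattern /^?.*(USER|PASS|ACCT)/
/usr/local/bro/policy/smtp.bro, line 22: run-time error: error compiling pattern /^?.*(@)/
/usr/local/bro/bin/bro: problem with interface eth0 - pcap_open_live: socket: Operation not permitted
"""

# Message layout: "<policy file>, line <n>: <severity>: <message>"
LINE_RE = re.compile(r"^(?P<path>/\S+\.bro), line (?P<line>\d+): "
                     r"(?P<sev>warning|run-time error): (?P<msg>.*)$")

def triage(output):
    """Group Bro start-up messages by kind and by policy script."""
    report = {"dns_warnings": [], "pattern_errors": Counter(),
              "capture_errors": [], "other": []}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m and m["msg"].startswith("error compiling pattern"):
            # Count failed patterns per policy script (file name only).
            script = m["path"].rsplit("/", 1)[-1]
            report["pattern_errors"][script] += 1
        elif m and m["msg"].startswith("no such host:"):
            report["dns_warnings"].append(m["msg"].split(": ", 1)[1])
        elif "pcap_open_live" in line:
            # Packet-capture failure, reported by the bro binary itself.
            report["capture_errors"].append(line)
        else:
            report["other"].append(line)
    return report

if __name__ == "__main__":
    r = triage(SAMPLE)
    for script, n in sorted(r["pattern_errors"].items()):
        print(f"{script}: {n} pattern(s) failed to compile")
    print(f"{len(r['dns_warnings'])} unresolved host name(s)")
    for e in r["capture_errors"]:
        print("capture:", e)
```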

Robin Sommer <robin@icir.org> wrote: