Some results from basic testing of bro-1.4prerelease.

Some facts derived from the testing of bro-1.4prerelease:

First, I run bro on a Debian Linux PPC workstation, which I use for
web browsing (ADSL connection) and offline use (for several purposes).
I capture the traffic with tcpdump and bro does the analysis of the
captured traffic. As only the related HTTP traffic services/ports
are enabled it's not a specially rich test. Anyway, I get a much
smaller number of weird events (I have never had more troublesome notices)
than when I do the analysis of the same files with bro-1.2.1.
As weird events are generally considered traffic that "should never
happen", shouldn't both versions signal approximately the same number
of weird events?

The compiling of bro-1.4prerelease on the above system (Debian testing)
went normally; I got some compiler warnings, but at first sight
the usual harmless ones.

As I run both bro versions on the same files I got warnings like these:
line 1: run-time error: wrong data format, expected version 13 but got
version 18
(running bro-1.2.1)
line 1: run-time error: wrong data format, expected version 18 but got
version 13
(running bro-1.4prerelease)
It seems related to the use of both versions of bro in the same
computer session.

When I do bro -r tcpdumpcapturefile backdoor.bro I get:
(using 1.4release)
line 1: warning: event handlers never invoked:
line 1: warning: Drop::restore_dropped_address
When I do bro -r tcpdumpcapturefile I don’t get the 2 above lines.
(using 1.4release).

> Some facts derived from the testing of bro-1.4prerelease:

Thanks for testing 1.4.

> As weird events are generally considered traffic that "should never
> happen", shouldn't both versions signal approximately the same number
> of weird events?

Generally, yes, though there might be changes which change how
things are interpreted (in some cases there's no crisp definition
of whether something's weird or not). I don't remember anything
specific for HTTP in this context though. It would be very helpful
if you could single out a connection or two which show the
difference between 1.2 and 1.4 and sent us the trace file as well as
the command-line you're using.

> line 1: run-time error: wrong data format, expected version 13 but got
> version 18
>
> [...]
>
> It seems related to the use of both versions of bro in the same
> computer session.

Right, each run creates a .state directory where any persistent
state is stored. The format of the state file is not compatible
between 1.2 and 1.4, i.e., one Bro version cannot read the files
generated by the other.

> line 1: warning: event handlers never invoked:
> line 1: warning: Drop::restore_dropped_address
> When I do bro -r tcpdumpcapturefile I don't get the 2 above lines.
> (using 1.4release).

That's an intentional change as these warnings are often not very
helpful and are therefore now suppressed by default. You can turn
them back on by setting check_for_unused_event_handlers=T.

Robin

> As weird events are generally considered traffic that "should never
> happen", shouldn't both versions signal approximately the same number
> of weird events?

Generally, yes, though there might be changes which change how
things are interpreted

Also, there have been some bug fixes that previously led to inappropriate
Weirds.

    Vern