three things

I'm back and I'm stirring up trouble. I've come across three different issues in the last couple days that the list might like to know about. None of this is a show stopper for me, just curiosities.

1)
I've spent quite a bit of time trying to get a regular expression to match packet contents returned by udp_contents(). An example snippet of the contents would be:

dopheide\xa2^J\x1b^HNCSA.EDU

I'd like to match against /.*NCSA.*/, but the match fails. This morning I finally found clean() which makes the pattern work, but then my bytes count gets shifted all around.

(Maybe I should be using signatures...)

2)
While looking at (1) I found that all patterns fail with bro-1.2.1 on Fedora Core 5:

line 54: run-time error: error compiling pattern /^?.*(.*NCSA.*)/

It happens with patterns I write or any patterns in the provided .bro files. bro-1.1d works just fine on FC5 and bro-1.2.1 works fine on RHEL4

3)
bro-1.2.1 won't compile on RHEL3 u8, but will on RHEL4. On RHEL3, make fails with this error:

g++ -DHAVE_CONFIG_H -I. -I. -I.. -I. -I../src/binpac/lib -I../src -I.
-I.. -Ilibedit -I/usr/kerberos/include -I../linux-include -O -W -Wall
-Wno-unused -I/usr/kerberos/include -I../linux-include -g -O2 -c -o
bif_parse.o bif_parse.cc
In file included from
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/iostream.h:31,
                 from
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/stl_algobase.h:53,
                 from
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/vector:30,
                 from ../src/builtin-func.y:2:
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:
In method `struct streampos streambuf::pubseekoff(long long int,
ios::seek_dir, int = 3)':
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:362:
conversion from `__off64_t' to non-scalar type `streampos' requested
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:
In method `struct streampos streambuf::pubseekpos(_G_fpos64_t, int =
3)':
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:364:
`struct streampos' used where a `long long int' was expected
/afs/.ncsa.uiuc.edu/packages/GNU/gcc-2.95.2/Linux/lib/gcc-lib/i686-pc-linux-gnu/2.95.2/../../../../include/g++-3/streambuf.h:364:
warning: control reaches end of non-void function
`streambuf::pubseekpos(_G_fpos64_t, int)'
make[2]: *** [bif_parse.o] Error 1
make[2]: Leaving directory `/tmp/dopheide/bro-1.2.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/dopheide/bro-1.2.1'
make: *** [all] Error 2

Hi Mike,

I'm back and I'm stirring up trouble.

uh-oh. I'll just comment on issues #2 and #3:

2)
While looking at (1) I found that all patterns fail with bro-1.2.1 on
Fedora Core 5:

line 54: run-time error: error compiling pattern /^?.*(.*NCSA.*)/

It happens with patterns I write or any patterns in the provided .bro
files. bro-1.1d works just fine on FC5 and bro-1.2.1 works fine on RHEL4

Thanks for this. We've received another report of this problem, but it
had us scratching our heads. It's great to know more precisely now where
it occurs. We'll look into it.

3)
bro-1.2.1 won't compile on RHEL3 u8, but will on RHEL4. On RHEL3, make
fails with this error:

Ouch. I'm afraid those errors are the installation's fault, since
they're all rooted in streambuf code.

Cheers,
Christian.

Just tried it with a DNS packet and this script works for me:

     redef udp_content_deliver_all_orig = T;

     event udp_contents(u: connection, is_orig: bool, contents: string)
     {
        print contents;
        print /.*bro-ids./ in contents;
     }

Output:
     
     /\xb8^A\0\0^A\0\0\0\0\0\0^Cwww^Gbro-ids^Corg\0\0^A\0^A
     T

Can you send me a trace and your script?

Robin

Trace attached. You'll need to run bro with -C to ignore checksum errors.

-Mike

Robin Sommer wrote:

trace2.out (13.7 KB)

Works for me:

      \xab\xf2^A\0\0^A\0\0\0\0\0\0^P_kerberos-master^D_udp^DNCSA^CEDU\0\0!\0^A
      T

With this script again:

      redef udp_content_deliver_all_orig = T;

      event udp_contents(u: connection, is_orig: bool, contents: string)
      {
         print contents;
         print /NCSA/ in contents;
      }

So, how does your script look like?

Robin

The packet you have printed is part of a DNS request (I think). I've been having problems specifically with the kerberos AS_REQ packets also included in the trace file that apparently have different special characters. (I apologize if that wasn't clear.)

Instead of:
udp_content_deliver_all_orig = T;

Try:
redef udp_content_delivery_ports_orig = { [88/udp] = T };
redef udp_content_delivery_ports_resp = { [88/udp] = T };

event udp_contents(u: connection, is_orig: bool, contents: string)
{
        local mystring: string = sub_bytes(contents,47,(number+8-47));
        print dop, fmt("%s",mystring);
        if(mystring == /.*NCSA.*/ ){
                print dop, fmt("YAY");
        }
}

I'm expecting your output to be:
dopheide\xa2^J\x1b^HNCSA.EDU
afsman\xa2^J\x1b^HNCSA.EDU

Rather than:
dopheide\xa2^J\x1b^HNCSA.EDU
YAY
afsman\xa2^J\x1b^HNCSA.EDU
YAY

-Mike

Robin Sommer wrote:

My previous code sample was incomplete, here's an accurate bro script to go along with my trace if anyone wants to try it out.

redef udp_content_delivery_ports_orig = { [88/udp] = T };
redef udp_content_delivery_ports_resp = { [88/udp] = T };

global dop = open_log_file("dop") &redef;
global realm = "NCSA.EDU";

event udp_contents(u: connection, is_orig: bool, contents: string)
{

        local number = strstr(contents,realm);
        local mystring: string = sub_bytes(contents,47,(number+8-47));
        print dop, fmt("%s",mystring);
        if(mystring == /.*NCSA.*/ ){
                print dop, fmt("YAY");
        }
}

Mike Dopheide wrote:

A quick update on this: we can confirm the issue. It seems that for some
reason the generated parser code shipped with 1.2.1 breaks on at least
FC5. We're unsure as to why this is, but it is likely related to the
fact that the bison that was used to create the parser is quite old. For
the time being, the fix is to remove the generated parser files and use
a local bison installation to regenerate them.

To do so, remove the following files in src/ before doing a make (this
removes all generated parser files, not just the regex-related ones):

  $ cd src/
  $ rm bif_parse.{cc,h} parse.cc re-parse.{cc,h} rule-parse.{cc,h}

Cheers,
Christian.

Thanks! I'm now able to confirm it, and I will look into it. I'm
pretty sure that it's because ".*" does not match across new-lines.
However, I need to check whether we can change that or whether that
would break something else.

Robin

Is the bro policy language pattern matching code separate from the signature pattern matching code? ".*" matches across newlines for me in signatures.

   .Seth

The code is the same but internally there is actually a flag
toggling multiline matching; it's enabled for signatures but not for
script-level regexps.

Robin

Seems that it would actually change semantics in an unexptected way.
But as a work-around you can use "(.|\n)", e.g.,

        if( mystring == /(.|\n)*NCSA(.|\n)*/ )

(This tip is from Vern.)

Robin