From mthompson at hexwave.com Tue Apr 3 12:55:26 2012
From: mthompson at hexwave.com (Matt Thompson)
Date: Tue, 03 Apr 2012 14:55:26 -0500
Subject: [Bro-Dev] BinPAC &restofflow
Message-ID: <4F7B55AE.6060305@hexwave.com>

Hi,

I've been trying to get &restofflow to work in BinPAC. Here is a simple .pac file:

http://pastebin.com/tmYgnXkd

And the code to call it:

http://pastebin.com/2rA3KuU1

With the input file

    HEADER
    body

I would expect that body_done() and message_done() would be called (but they aren't).

TEST_Flow::FlowEOF() is calling set_eof() in the upstream FlowBuffer which sets frame_length_ = 5 (correct for 'body' + '\n'). It then calls NewData(0,0) (NULL start/end pointers). The orig_data_begin_ and orig_data_end_ pointers get squashed and no data is passed back to TEST_Body::ParseBuffer().

In FlowBuffer::NewData(), if I add

    if(begin != NULL) { }

around everything before MarkOrCopy(), things work as expected. I'm not sure if this is the place to fix this bug or if I'm just doing something wrong, so would like to get some feedback on this.
Regards,
Matt Thompson

From noreply at bro-ids.org Wed Apr 4 00:00:07 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 4 Apr 2012 00:00:07 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201204040700.q34707vZ003512@bro-ids.icir.org>

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
----------+----------+---------------+------------+----------------------------------------------
broctl    | 9695948  | Daniel Thayer | 2012-04-03 | Update to work with conn.log in bro 2.0 [1]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/96959487663864fe6cdb8dc13cdb84785adc7aeb/broctl

From bro at tracker.bro-ids.org Wed Apr 4 09:12:34 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 04 Apr 2012 16:12:34 -0000
Subject: [Bro-Dev] #806: trace-summary does not support IPv6
Message-ID: <050.651771234781627891ff4ad44160e0e1@tracker.bro-ids.org>

#806: trace-summary does not support IPv6
-----------------------------+------------------------
 Reporter:  dnthayer         |      Owner:  dnthayer
     Type:  Feature Request  |     Status:  new
 Priority:  Normal           |  Milestone:  Bro2.1
Component:  trace-summary    |    Version:  git/master
 Keywords:  ipv6             |
-----------------------------+------------------------

 This ticket depends on ticket #750 (Patch adding IPv6 support for pysubnettree).

--
Ticket URL: Bro Tracker Bro Issue Tracker

From robin at icir.org Wed Apr 4 12:59:44 2012
From: robin at icir.org (Robin Sommer)
Date: Wed, 4 Apr 2012 12:59:44 -0700
Subject: [Bro-Dev] Threaded logging about to be merged
In-Reply-To: <201204040519.q345JinL015256@bro-ids.icir.org>
References: <201204040519.q345JinL015256@bro-ids.icir.org>
Message-ID: <20120404195943.GJ90910@icir.org>

On Tue, Apr 03, 2012 at 22:19 -0700, I wrote:

> This could be fixing the memory problems finally.

A heads-up: It looks good on my cluster, so I'll be merging the threaded logging into master soon now.
It took a while to find the real problem but on the upside, I'm now pretty sure that there aren't further leaks. :)

Also, the code now automatically links to tcmalloc when it finds it. At least on FreeBSD that not only helps with memory usage but also significantly reduces CPU (and that even if no threads are used at all).

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From noreply at bro-ids.org Thu Apr 5 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 5 Apr 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201204050700.q35702mA016598@bro-ids.icir.org>

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
----------+----------+---------------+------------+----------------------------------------------
bro       | d8d83f5  | Jon Siwek     | 2012-04-04 | Fix handling of IPv6 atomic fragments. [1]
broctl    | 9695948  | Daniel Thayer | 2012-04-03 | Update to work with conn.log in bro 2.0 [2]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/d8d83f590bb9836205f71a596b2868ffb6d486f4/bro
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/96959487663864fe6cdb8dc13cdb84785adc7aeb/broctl

From bro at tracker.bro-ids.org Thu Apr 5 14:34:07 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 05 Apr 2012 21:34:07 -0000
Subject: [Bro-Dev] #806: trace-summary does not support IPv6
In-Reply-To: <050.651771234781627891ff4ad44160e0e1@tracker.bro-ids.org>
References: <050.651771234781627891ff4ad44160e0e1@tracker.bro-ids.org>
Message-ID: <065.8333dbbcab99f9802ba710d30f3b513e@tracker.bro-ids.org>

#806: trace-summary does not support IPv6
------------------------------+------------------------
  Reporter:  dnthayer         |      Owner:  dnthayer
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.1
 Component:  trace-summary    |    Version:  git/master
Resolution:                   |   Keywords:  ipv6
------------------------------+------------------------

Comment (by dnthayer):

 In [9d8520500a6ceecc5e0365b1b94ebb0c12fea596/trace-summary]:
 {{{
 #!CommitTicketReference repository="trace-summary" revision="9d8520500a6ceecc5e0365b1b94ebb0c12fea596"
 Add support for IPv6 Addresses #806.
 }}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From robin at icir.org Thu Apr 5 17:03:19 2012
From: robin at icir.org (Robin Sommer)
Date: Thu, 5 Apr 2012 17:03:19 -0700
Subject: [Bro-Dev] Proxy problems
In-Reply-To: <20120306014507.GC30213@icir.org>
References: <20120306014507.GC30213@icir.org>
Message-ID: <20120406000319.GB85909@icir.org>

On Mon, Mar 05, 2012 at 17:45 -0800, I wrote:

> On a cluster running current git, I'm seeing reproducible proxy
> crashes: CPU goes up to 100% within seconds after the workers connect,

So this seems to have gone away with the new logging code, but now I'm seeing memory problems with the proxy: a few GBs after a few hours. I don't think it's the new code because there aren't any threads spawned (with the latest master commit), but hard to say. Anybody else seeing this?
Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From noreply at bro-ids.org Fri Apr 6 00:00:03 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Fri, 6 Apr 2012 00:00:03 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204060700.q36703vI003382@bro-ids.icir.org> > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ broctl | 9695948 | Daniel Thayer | 2012-04-03 | Update to work with conn.log in bro 2.0 [1] [1] fastpath: http://tracker.bro-ids.org/bro/changeset/96959487663864fe6cdb8dc13cdb84785adc7aeb/broctl From bro at tracker.bro-ids.org Fri Apr 6 09:03:58 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 06 Apr 2012 16:03:58 -0000 Subject: [Bro-Dev] #750: Patch adding IPv6 support for pysubnettree In-Reply-To: <047.e6d50f498ca5a5aca3d4d44bb09a0d18@tracker.bro-ids.org> References: <047.e6d50f498ca5a5aca3d4d44bb09a0d18@tracker.bro-ids.org> Message-ID: <062.5e782a9f648ef5965aed17225a7a6dc0@tracker.bro-ids.org> #750: Patch adding IPv6 support for pysubnettree ----------------------------+---------------------- Reporter: robin | Owner: dnthayer Type: Merge Request | Status: accepted Priority: Normal | Milestone: Bro2.1 Component: pysubnettree | Version: Resolution: | Keywords: ipv6 ----------------------------+---------------------- Changes (by dnthayer): * type: Patch => Merge Request Comment: On branch topic/dnthayer/bug750, the following commits add IPv6 support to pysubnettree: b7abab4b21c2cbfde1db652b81ddd13d1d4447c5 bdee238dcff7e5b7292dff6698b350cf6f6757e7 39860870ce009c0174f8f97290efaad7e3f23977 -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Fri Apr 6 09:09:56 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 06 Apr 2012 16:09:56 -0000 Subject: [Bro-Dev] 
#806: trace-summary does not support IPv6 In-Reply-To: <050.651771234781627891ff4ad44160e0e1@tracker.bro-ids.org> References: <050.651771234781627891ff4ad44160e0e1@tracker.bro-ids.org> Message-ID: <065.e0a0b9329093752aaf32c244ed671ee0@tracker.bro-ids.org> #806: trace-summary does not support IPv6 ----------------------------+------------------------ Reporter: dnthayer | Owner: dnthayer Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.1 Component: trace-summary | Version: git/master Resolution: | Keywords: ipv6 ----------------------------+------------------------ Changes (by dnthayer): * type: Feature Request => Merge Request -- Ticket URL: Bro Tracker Bro Issue Tracker From christian at icir.org Fri Apr 6 19:10:10 2012 From: christian at icir.org (Christian Kreibich) Date: Fri, 06 Apr 2012 19:10:10 -0700 Subject: [Bro-Dev] Spot the real brogrammer Message-ID: <4F7FA202.50108@icir.org> http://lmbgp.tumblr.com/post/20624908427/via-the-amazing-jon-kuroda -C. From seth at icir.org Fri Apr 6 20:09:04 2012 From: seth at icir.org (Seth Hall) Date: Fri, 6 Apr 2012 23:09:04 -0400 Subject: [Bro-Dev] Spot the real brogrammer In-Reply-To: <4F7FA202.50108@icir.org> References: <4F7FA202.50108@icir.org> Message-ID: <6FC4CAB2-7655-41D4-9C17-DA65C0157204@icir.org> On Apr 6, 2012, at 10:10 PM, Christian Kreibich wrote: > http://lmbgp.tumblr.com/post/20624908427/via-the-amazing-jon-kuroda Wow. This is awesome. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From vern at icir.org Fri Apr 6 21:05:39 2012 From: vern at icir.org (Vern Paxson) Date: Fri, 06 Apr 2012 21:05:39 -0700 Subject: [Bro-Dev] Spot the real brogrammer In-Reply-To: <6FC4CAB2-7655-41D4-9C17-DA65C0157204@icir.org> (Fri, 06 Apr 2012 23:09:04 EDT). Message-ID: <20120407040539.473992C4008@rock.ICSI.Berkeley.EDU> > > http://lmbgp.tumblr.com/post/20624908427/via-the-amazing-jon-kuroda > > Wow. This is awesome. 
I don't know how; I don't know when. But I *will* get back at Justine for this ;-). Vern From noreply at bro-ids.org Sat Apr 7 00:00:06 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Sat, 7 Apr 2012 00:00:06 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204070700.q37706Ir005059@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ pysubnettree | 750 [1] | robin | dnthayer | Normal | Patch adding IPv6 support for pysubnettree trace-summary | 806 [2] | dnthayer | dnthayer | Normal | trace-summary does not support IPv6 > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | fcd8f9b | Jon Siwek | 2012-04-06 | Fix table expiry for values assigned in bro_init() when reading live. 
[3] broctl | 9695948 | Daniel Thayer | 2012-04-03 | Update to work with conn.log in bro 2.0 [4] [1] #750: http://tracker.bro-ids.org/bro/ticket/750 [2] #806: http://tracker.bro-ids.org/bro/ticket/806 [3] fastpath: http://tracker.bro-ids.org/bro/changeset/fcd8f9b77e6117d6d540e9543921682a2596e563/bro [4] fastpath: http://tracker.bro-ids.org/bro/changeset/96959487663864fe6cdb8dc13cdb84785adc7aeb/broctl From noreply at bro-ids.org Sun Apr 8 00:00:04 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Sun, 8 Apr 2012 00:00:04 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204080700.q38704iA018103@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ pysubnettree | 750 [1] | robin | dnthayer | Normal | Patch adding IPv6 support for pysubnettree trace-summary | 806 [2] | dnthayer | dnthayer | Normal | trace-summary does not support IPv6 > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | fcd8f9b | Jon Siwek | 2012-04-06 | Fix table expiry for values assigned in bro_init() when reading live. 
[3] broctl | 9695948 | Daniel Thayer | 2012-04-03 | Update to work with conn.log in bro 2.0 [4] [1] #750: http://tracker.bro-ids.org/bro/ticket/750 [2] #806: http://tracker.bro-ids.org/bro/ticket/806 [3] fastpath: http://tracker.bro-ids.org/bro/changeset/fcd8f9b77e6117d6d540e9543921682a2596e563/bro [4] fastpath: http://tracker.bro-ids.org/bro/changeset/96959487663864fe6cdb8dc13cdb84785adc7aeb/broctl From noreply at bro-ids.org Mon Apr 9 00:00:03 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Mon, 9 Apr 2012 00:00:03 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204090700.q39703RI002643@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ pysubnettree | 750 [1] | robin | dnthayer | Normal | Patch adding IPv6 support for pysubnettree trace-summary | 806 [2] | dnthayer | dnthayer | Normal | trace-summary does not support IPv6 > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | fcd8f9b | Jon Siwek | 2012-04-06 | Fix table expiry for values assigned in bro_init() when reading live. 
[3] broctl | 9695948 | Daniel Thayer | 2012-04-03 | Update to work with conn.log in bro 2.0 [4] [1] #750: http://tracker.bro-ids.org/bro/ticket/750 [2] #806: http://tracker.bro-ids.org/bro/ticket/806 [3] fastpath: http://tracker.bro-ids.org/bro/changeset/fcd8f9b77e6117d6d540e9543921682a2596e563/bro [4] fastpath: http://tracker.bro-ids.org/bro/changeset/96959487663864fe6cdb8dc13cdb84785adc7aeb/broctl From bro at tracker.bro-ids.org Mon Apr 9 07:40:16 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 09 Apr 2012 14:40:16 -0000 Subject: [Bro-Dev] #756: notice_policy.log keeps causing test failures In-Reply-To: <047.bac7534465dcb1b2a632464464adcb12@tracker.bro-ids.org> References: <047.bac7534465dcb1b2a632464464adcb12@tracker.bro-ids.org> Message-ID: <062.0f1dff5d3c5049c1906f6c056e240a19@tracker.bro-ids.org> #756: notice_policy.log keeps causing test failures -----------------------------+------------------------ Reporter: robin | Owner: Type: Problem | Status: closed Priority: High | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Changes (by jsiwek): * status: new => closed * resolution: => Solved/Applied Comment: This looks fixed by [fb0614b5c64a544e44ba30441f498c8a36b62406/bro] -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Apr 9 07:45:03 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 09 Apr 2012 14:45:03 -0000 Subject: [Bro-Dev] #793: istate.broccoli-ipv6 fails on FreeBSD In-Reply-To: <047.06a7b6c1d5b8682c072c3076abd9a768@tracker.bro-ids.org> References: <047.06a7b6c1d5b8682c072c3076abd9a768@tracker.bro-ids.org> Message-ID: <062.4497ddc69469a99119ba280e40ef5665@tracker.bro-ids.org> #793: istate.broccoli-ipv6 fails on FreeBSD -----------------------------+------------------------ Reporter: robin | Owner: Type: Problem | Status: closed Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: 
git/master
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+------------------------
Changes (by jsiwek):

 * status:  new => closed
 * resolution:   => Solved/Applied

Comment:

 Looks like fix was merged for this.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From vallentin at icir.org Mon Apr 9 10:51:18 2012
From: vallentin at icir.org (Matthias Vallentin)
Date: Mon, 9 Apr 2012 10:51:18 -0700
Subject: [Bro-Dev] Introspection: obtaining events and types at startup
Message-ID:

I would like to dump all events and types at Bro startup. E.g., the desired output looks somewhat like this:

    type conn_id: record {
        orig_h: addr,
        ...
    }

    type connection: record {
        id : conn_id,
        orig: endpoint,
        ...
    }

    event new_connection(c : connection)

Two BiFs seem to be very close:

(1) record_type_to_vector(rt: string): vector of string

    Converts the record type name rt into a vector of strings, where each element is the name of a record field. Nested records are flattened.

(2) global_ids(): table[string] of script_id

    Returns a table with information about all global identifiers. The table value is a record containing the type name of the identifier, whether it is exported, a constant, an enum constant, redefinable, and its value (if it has one).

For example,

    bro -e 'event bro_init() { print record_type_to_vector("connection"); }'

prints

    [, id, orig, resp, start_time, duration, service, addl, hot, history, uid, dpd, conn, extract_orig, extract_resp, dns, dns_state, ftp, http, http_state, irc, smtp, smtp_state, ssh, ssl, syslog]

and

    bro -e 'event bro_init() { print global_ids(); }'

returns a list of identifiers. Here are some connection-related ones:

    [connection] = [type_name=record, exported=F, constant=F, enum_constant=F, redefinable=F, value=],
    [remote_connection_established] = [type_name=func, exported=T, constant=T, enum_constant=F, redefinable=F, value=remote_connection_established
    Communication::do_script_log(Communication::p, connection established);
    [lookup_connection] = [type_name=func, exported=T, constant=F, enum_constant=F, redefinable=F, value=lookup_connection],
    [connection_finished] = [type_name=func, exported=T, constant=T, enum_constant=F, redefinable=F, value=connection_finished
    [connection_established] = [type_name=func, exported=T, constant=T, enum_constant=F, redefinable=F, value=connection_established

The problem is that (i) record_type_to_vector flattens nested records, which makes it impossible to recover the true underlying type structure, and (ii) events are merely listed as a function, without named arguments.

Has anyone come across a similar problem? My hope is to get this information in script land, but it looks like the information is not readily available without tweaking some BiFs.

    Matthias

From bro at tracker.bro-ids.org Mon Apr 9 13:02:54 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 09 Apr 2012 20:02:54 -0000
Subject: [Bro-Dev] #807: topic/jsiwek/mobile-ipv6
Message-ID: <048.1b7ac232459ff1b084734717b1a5f31f@tracker.bro-ids.org>

#807: topic/jsiwek/mobile-ipv6
---------------------------+------------------------
 Reporter:  jsiwek         |      Owner:
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.1
Component:  Bro            |    Version:  git/master
 Keywords:                 |
---------------------------+------------------------

 This branch primarily adds mobile IPv6 analysis support when configuring with `--enable-mobile-ipv6`.
That includes making mobility header with message content available to scripts through the 'mobile_ipv6_message' event and internally handling the type 2 routing header and home address destination option so that the correct endpoints are used for determining what connection a packet's payload is a part of. It also changes the default behavior for type 0 routing headers regardless of `--enable-mobile-ipv6` to always keep analyzing such packets, using the correct destination endpoint, but always raise the 'routing0_hdr' weird since that type of routing header is supposed to be deprecated. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Apr 9 17:53:07 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 10 Apr 2012 00:53:07 -0000 Subject: [Bro-Dev] #750: Patch adding IPv6 support for pysubnettree In-Reply-To: <047.e6d50f498ca5a5aca3d4d44bb09a0d18@tracker.bro-ids.org> References: <047.e6d50f498ca5a5aca3d4d44bb09a0d18@tracker.bro-ids.org> Message-ID: <062.c9583d2d004222eefa5418a3e8f7f932@tracker.bro-ids.org> #750: Patch adding IPv6 support for pysubnettree ----------------------------+---------------------- Reporter: robin | Owner: dnthayer Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.1 Component: pysubnettree | Version: Resolution: fixed | Keywords: ipv6 ----------------------------+---------------------- Changes (by robin): * status: accepted => closed * resolution: => fixed Comment: In [df3f7366bf876fb5bc3f6c7a4c5bd8fcf739a3fe/pysubnettree]: {{{ #!CommitTicketReference repository="pysubnettree" revision="df3f7366bf876fb5bc3f6c7a4c5bd8fcf739a3fe" Merge remote-tracking branch 'origin/topic/dnthayer/bug750' * origin/topic/dnthayer/bug750: Update the swig auto-generated files Update pysubnettree for IPv6 Apply patch from ticket #750 Closes #750. 
}}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Apr 9 17:53:17 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 10 Apr 2012 00:53:17 -0000 Subject: [Bro-Dev] #806: trace-summary does not support IPv6 In-Reply-To: <050.651771234781627891ff4ad44160e0e1@tracker.bro-ids.org> References: <050.651771234781627891ff4ad44160e0e1@tracker.bro-ids.org> Message-ID: <065.0b85b0e0b677c9a9fb825cbac0d98d8d@tracker.bro-ids.org> #806: trace-summary does not support IPv6 ----------------------------+------------------------ Reporter: dnthayer | Owner: dnthayer Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.1 Component: trace-summary | Version: git/master Resolution: fixed | Keywords: ipv6 ----------------------------+------------------------ Changes (by robin): * status: new => closed * resolution: => fixed Comment: In [5c65d0c0d641b83cd5beed79eb5c6260bafa3e77/trace-summary]: {{{ #!CommitTicketReference repository="trace-summary" revision="5c65d0c0d641b83cd5beed79eb5c6260bafa3e77" Merge remote-tracking branch 'origin/topic/dnthayer/bug806' * origin/topic/dnthayer/bug806: Add support for IPv6 Closes #806. 
}}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Apr 9 17:53:17 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 10 Apr 2012 00:53:17 -0000 Subject: [Bro-Dev] #806: trace-summary does not support IPv6 In-Reply-To: <050.651771234781627891ff4ad44160e0e1@tracker.bro-ids.org> References: <050.651771234781627891ff4ad44160e0e1@tracker.bro-ids.org> Message-ID: <065.19ffc0694a6630ccb121ce10c55afd8f@tracker.bro-ids.org> #806: trace-summary does not support IPv6 ----------------------------+------------------------ Reporter: dnthayer | Owner: dnthayer Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.1 Component: trace-summary | Version: git/master Resolution: | Keywords: ipv6 ----------------------------+------------------------ Comment (by dnthayer): In [9d8520500a6ceecc5e0365b1b94ebb0c12fea596/trace-summary]: {{{ #!CommitTicketReference repository="trace-summary" revision="9d8520500a6ceecc5e0365b1b94ebb0c12fea596" Add support for IPv6 Addresses #806. 
 }}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From noreply at bro-ids.org Tue Apr 10 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 10 Apr 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201204100700.q3A703u7021508@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
----------+---------+----------+-------+--------+------------------------------
Bro       | 807 [1] | jsiwek   |       | Normal | topic/jsiwek/mobile-ipv6 [2]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
----------+----------+---------------+------------+------------------------------------
broctl    | b705e2b  | Daniel Thayer | 2012-04-09 | Update broctl help information [3]

[1] #807: http://tracker.bro-ids.org/bro/ticket/807
[2] mobile-ipv6: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/mobile-ipv6
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/b705e2b285358856b4253599f0337162df5df7f1/broctl

From robin at icir.org Tue Apr 10 08:21:32 2012
From: robin at icir.org (Robin Sommer)
Date: Tue, 10 Apr 2012 08:21:32 -0700
Subject: [Bro-Dev] Introspection: obtaining events and types at startup
In-Reply-To:
References:
Message-ID: <20120410152131.GA64316@icir.org>

Have you looked at record_fields()?

On Mon, Apr 09, 2012 at 10:51 -0700, you wrote:

> readily available without tweaking some BiFs.

Seems we need another bif that returns information about functions/events. You could then use global_ids() to get all the events and then call that bif for each.
Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From noreply at bro-ids.org Wed Apr 11 00:00:08 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Wed, 11 Apr 2012 00:00:08 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204110700.q3B708Yl029200@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 807 [1] | jsiwek | | Normal | topic/jsiwek/mobile-ipv6 [2] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ broctl | b705e2b | Daniel Thayer | 2012-04-09 | Update broctl help information [3] [1] #807: http://tracker.bro-ids.org/bro/ticket/807 [2] mobile-ipv6: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/mobile-ipv6 [3] fastpath: http://tracker.bro-ids.org/bro/changeset/b705e2b285358856b4253599f0337162df5df7f1/broctl From bro at tracker.bro-ids.org Wed Apr 11 15:18:32 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 11 Apr 2012 22:18:32 -0000 Subject: [Bro-Dev] #808: topic/icmp6 Message-ID: <048.f05d25e37c2b283195d6e862b7450587@tracker.bro-ids.org> #808: topic/icmp6 ---------------------------+------------------------ Reporter: jsiwek | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ I think this ICMPv6 analysis branch can be considered for merging now. I also added a `topic/icmp6` branch in the `bro-testing` repo with updated baselines after checking that the ICMPv6-related changes looked correct. 
-- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Thu Apr 12 00:01:51 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Thu, 12 Apr 2012 00:01:51 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204120701.q3C71o7x030750@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 807 [1] | jsiwek | | Normal | topic/jsiwek/mobile-ipv6 [2] Bro | 808 [3] | jsiwek | | Normal | topic/icmp6 [4] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ broctl | 09723eb | Daniel Thayer | 2012-04-11 | Fix documentation typos [5] broctl | b705e2b | Daniel Thayer | 2012-04-09 | Update broctl help information [6] [1] #807: http://tracker.bro-ids.org/bro/ticket/807 [2] mobile-ipv6: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/mobile-ipv6 [3] #808: http://tracker.bro-ids.org/bro/ticket/808 [4] icmp6: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/icmp6 [5] fastpath: http://tracker.bro-ids.org/bro/changeset/09723eb2fe1054bb896d33873ecfda48296e7145/broctl [6] fastpath: http://tracker.bro-ids.org/bro/changeset/b705e2b285358856b4253599f0337162df5df7f1/broctl From bro at tracker.bro-ids.org Thu Apr 12 08:25:52 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 12 Apr 2012 15:25:52 -0000 Subject: [Bro-Dev] #807: topic/jsiwek/mobile-ipv6 In-Reply-To: <048.1b7ac232459ff1b084734717b1a5f31f@tracker.bro-ids.org> References: <048.1b7ac232459ff1b084734717b1a5f31f@tracker.bro-ids.org> Message-ID: <063.874c59f92c95ba47aaea26eb048ceef4@tracker.bro-ids.org> #807: topic/jsiwek/mobile-ipv6 
-----------------------------+------------------------ Reporter: jsiwek | Owner: Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Changes (by jsiwek): * status: new => closed * resolution: => Solved/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Apr 12 09:21:34 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 12 Apr 2012 16:21:34 -0000 Subject: [Bro-Dev] #269: broctl doesn't support v6 networks in networks.cfg In-Reply-To: <047.3e65f08bb843eaf3b0c1f0b12556d57d@tracker.bro-ids.org> References: <047.3e65f08bb843eaf3b0c1f0b12556d57d@tracker.bro-ids.org> Message-ID: <062.3b09af1e2f11799a1c003dc60978603f@tracker.bro-ids.org> #269: broctl doesn't support v6 networks in networks.cfg -------------------------+-------------------- Reporter: robin | Owner: robin Type: Problem | Status: new Priority: Normal | Milestone: Bro2.1 Component: BroControl | Version: 1.5.2 Resolution: | Keywords: ipv6 -------------------------+-------------------- Changes (by dnthayer): * milestone: => Bro2.1 Comment: This works for me (tested with the newest code in master). The IPv6 addresses in networks.cfg must be wrapped in square brackets (as required by the bro scripting language). 
-- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Apr 12 09:26:23 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 12 Apr 2012 16:26:23 -0000 Subject: [Bro-Dev] #575: PySubnetTree does not support IPv6 prefixes In-Reply-To: <048.85047f5d342118b53753a8939f6f2ee0@tracker.bro-ids.org> References: <048.85047f5d342118b53753a8939f6f2ee0@tracker.bro-ids.org> Message-ID: <063.216fed62393e086e488d0afb33cb7755@tracker.bro-ids.org> #575: PySubnetTree does not support IPv6 prefixes ------------------------------+-------------------- Reporter: gregor | Owner: robin Type: Feature Request | Status: new Priority: Normal | Milestone: Bro2.1 Component: pysubnettree | Version: Resolution: | Keywords: ipv6 ------------------------------+-------------------- Changes (by dnthayer): * keywords: => ipv6 -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Apr 12 09:35:50 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 12 Apr 2012 16:35:50 -0000 Subject: [Bro-Dev] #809: HTTP file extraction not correct Message-ID: <048.d5583020c5109b182563ee362ef3e1a5@tracker.bro-ids.org> #809: HTTP file extraction not correct --------------------+--------------------- Reporter: dalton | Type: Problem Status: new | Priority: Normal Milestone: | Component: Bro Version: 2.0 | Keywords: HTTP --------------------+--------------------- I'm trying to use BRO to look at some pipelined HTTP traffic. I'm asking for file extraction but one of the extracted files is the wrong size. In the attached pcap, packet #225 shows the content length as 41931. 
In the http.log file, I see this:

1312412117.323323 d8RHszXqnfi 192.168.123.105 37621 74.208.60.21 80 7 GET crev.info /images/interface/resources.png http://crev.info/ Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; HTC Dream Build/FRG83) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 0 41931 200 OK - - - (empty) - - - image/png - http-item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat
1312412117.710518 d8RHszXqnfi 192.168.123.105 37621 74.208.60.21 80 8 GET crev.info /images/interface/navbar_li.png http://crev.info/ Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; HTC Dream Build/FRG83) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 0 928 200 OK - - - (empty) - - - application/octet-stream - http-item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat

output dir listing:
----
-rw-r--r-- 1 dporter dporter 1150 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_10.dat
-rw-r--r-- 1 dporter dporter 60901 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_1.dat
-rw-r--r-- 1 dporter dporter 72217 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_2.dat
-rw-r--r-- 1 dporter dporter 330 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_3.dat
-rw-r--r-- 1 dporter dporter 851 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_4.dat
-rw-r--r-- 1 dporter dporter 716 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_5.dat
-rw-r--r-- 1 dporter dporter 3408 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_6.dat
-rw-r--r-- 1 dporter dporter 32931 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat
-rw-r--r-- 1 dporter dporter 771040 2012-04-10 21:59 http-item_192.168.123.105:37621-74.208.60.21:80_resp_9.dat
----

The content length is correct in http.log, but the output file (..._resp_7) has length 32931.
Also, why does http.log indicate that both resources.png and navbar_li.png are written to resp_7.dat? The results from xplico and wireshark when run on this pcap file look correct to me. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Apr 12 09:43:25 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 12 Apr 2012 16:43:25 -0000 Subject: [Bro-Dev] #809: HTTP file extraction not correct In-Reply-To: <048.d5583020c5109b182563ee362ef3e1a5@tracker.bro-ids.org> References: <048.d5583020c5109b182563ee362ef3e1a5@tracker.bro-ids.org> Message-ID: <063.0376827267db4a2911d25ab837323bec@tracker.bro-ids.org> #809: HTTP file extraction not correct ----------------------+------------------ Reporter: dalton | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Component: Bro | Version: 2.0 Resolution: | Keywords: HTTP ----------------------+------------------ Comment (by dalton): *pcap file sent by mail* -- Ticket URL: Bro Tracker Bro Issue Tracker
From bernhard at ICSI.Berkeley.EDU Thu Apr 12 11:36:49 2012 From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Thu, 12 Apr 2012 20:36:49 +0200 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/input-benchmark: test latencies for different rates separately (b7eb584) In-Reply-To: <201204121834.q3CIYbpJ031827@bro-ids.icir.org> References: <201204121834.q3CIYbpJ031827@bro-ids.icir.org> Message-ID: Hello Robin, could you run benchmarscripts/latencydump_*.bro? :) Thanks a lot, Bernhard On Apr 12, 2012, at 8:34 PM, Bernhard Amann wrote: > Repository : ssh://git at bro-ids.icir.org/bro > > On branch : topic/bernhard/input-benchmark > Link : http://tracker.bro-ids.org/bro/changeset/b7eb584596ca2fde2610bb2fcb5a85bf2fd61230/bro > >> --------------------------------------------------------------- > > commit b7eb584596ca2fde2610bb2fcb5a85bf2fd61230 > Author: Bernhard Amann > Date: Thu Apr 12 20:34:10 2012 +0200 > > test latencies for different rates separately > > >> --------------------------------------------------------------- > > > Diff suppressed because of size. To see it, use: > > git diff-tree --patch-with-stat --no-color --find-copies-harder --ignore-space-at-eol --cc b7eb584596ca2fde2610bb2fcb5a85bf2fd61230 > _______________________________________________ > bro-commits mailing list > bro-commits at bro-ids.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits
From bernhard at ICSI.Berkeley.EDU Thu Apr 12 11:40:02 2012 From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Thu, 12 Apr 2012 20:40:02 +0200 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/input-benchmark: test latencies for different rates separately (b7eb584) In-Reply-To: References: <201204121834.q3CIYbpJ031827@bro-ids.icir.org> Message-ID: <01A5FF5A-3EAF-404C-8DA8-90881C8F95E6@icsi.berkeley.edu> Sorry, used the wrong mail address? :) On Apr 12, 2012, at 8:36 PM, Bernhard Amann wrote: > Hello Robin, > > could you run benchmarscripts/latencydump_*.bro? :) > > Thanks a lot, > Bernhard > > On Apr 12, 2012, at 8:34 PM, Bernhard Amann wrote: > >> Repository : ssh://git at bro-ids.icir.org/bro >> >> On branch : topic/bernhard/input-benchmark >> Link : http://tracker.bro-ids.org/bro/changeset/b7eb584596ca2fde2610bb2fcb5a85bf2fd61230/bro >> >>> --------------------------------------------------------------- >> >> commit b7eb584596ca2fde2610bb2fcb5a85bf2fd61230 >> Author: Bernhard Amann >> Date: Thu Apr 12 20:34:10 2012 +0200 >> >> test latencies for different rates separately >> >> >>> --------------------------------------------------------------- >> >> >> Diff suppressed because of size. To see it, use: >> >> git diff-tree --patch-with-stat --no-color --find-copies-harder --ignore-space-at-eol --cc b7eb584596ca2fde2610bb2fcb5a85bf2fd61230 >> _______________________________________________ >> bro-commits mailing list >> bro-commits at bro-ids.org >> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits > > > _______________________________________________ > bro-dev mailing list > bro-dev at bro-ids.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
From noreply at bro-ids.org Fri Apr 13 00:00:56 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Fri, 13 Apr 2012 00:00:56 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204130700.q3D70uGp020579@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 808 [1] | jsiwek | | Normal | topic/icmp6 [2] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | c90148d | Daniel Thayer | 2012-04-12 | Sync up patricia.c/h with pysubnettree repo [3] broctl | 09723eb | Daniel Thayer |
2012-04-11 | Fix documentation typos [4] broctl | b705e2b | Daniel Thayer | 2012-04-09 | Update broctl help information [5] [1] #808: http://tracker.bro-ids.org/bro/ticket/808 [2] icmp6: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/icmp6 [3] fastpath: http://tracker.bro-ids.org/bro/changeset/c90148d073c276e3434b5977ed9e96498434b611/bro [4] fastpath: http://tracker.bro-ids.org/bro/changeset/09723eb2fe1054bb896d33873ecfda48296e7145/broctl [5] fastpath: http://tracker.bro-ids.org/bro/changeset/b705e2b285358856b4253599f0337162df5df7f1/broctl
From katrina at csail.mit.edu Fri Apr 13 08:56:33 2012 From: katrina at csail.mit.edu (Katrina LaCurts) Date: Fri, 13 Apr 2012 11:56:33 -0400 Subject: [Bro-Dev] Bro fails on clean checkout Message-ID: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> After doing:

git clone --recursive git://git.bro-ids.org/bro
./configure --with-libmagic=/usr/local/Cellar/libmagic/5.04/

I get the following errors when building:

/Users/katrina/test-bro/bro/src/IP.cc: In function ‘VectorVal* BuildOptionsVal(const u_char*, int)’:
/Users/katrina/test-bro/bro/src/IP.cc:46: error: invalid use of incomplete type ‘const struct ip6_opt’
/Users/katrina/test-bro/bro/src/IP.cc:44: error: forward declaration of ‘const struct ip6_opt’

(they continue for subsequent lines in IP.cc) I see similar errors when trying to merge my branch with master. Am I doing something dumb?
Thanks, Katrina From seth at icir.org Fri Apr 13 09:08:44 2012 From: seth at icir.org (Seth Hall) Date: Fri, 13 Apr 2012 12:08:44 -0400 Subject: [Bro-Dev] Bro fails on clean checkout In-Reply-To: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> References: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> Message-ID: On Apr 13, 2012, at 11:56 AM, Katrina LaCurts wrote: > After doing: > git clone --recursive git://git.bro-ids.org/bro > ./configure --with-libmagic=/usr/local/Cellar/libmagic/5.04/ I'm working with someone else right now who has packages installed through homebrew and he's seeing really weird errors too. I'm still not sure what's going on. At the moment I suspect it has something to do with a package or packages installed through homebrew. I don't have any answers yet, but please let us know if you figure out the problem. Thanks! .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From katrina at csail.mit.edu Fri Apr 13 09:13:32 2012 From: katrina at csail.mit.edu (Katrina LaCurts) Date: Fri, 13 Apr 2012 12:13:32 -0400 Subject: [Bro-Dev] Bro fails on clean checkout In-Reply-To: References: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> Message-ID: Not that this is necessarily helpful, but the problem occurred recently. Previous merges/checkouts have always worked fine for me, even with homebrew-installed packages. On Apr 13, 2012, at 12:08 PM, Seth Hall wrote: > > On Apr 13, 2012, at 11:56 AM, Katrina LaCurts wrote: > >> After doing: >> git clone --recursive git://git.bro-ids.org/bro >> ./configure --with-libmagic=/usr/local/Cellar/libmagic/5.04/ > > I'm working with someone else right now who has packages installed through homebrew and he's seeing really weird errors too. I'm still not sure what's going on. At the moment I suspect it has something to do with a package or packages installed through homebrew. 
> > I don't have any answers yet, but please let us know if you figure out the problem. > > Thanks! > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro-ids.org/ > From seth at icir.org Fri Apr 13 09:28:35 2012 From: seth at icir.org (Seth Hall) Date: Fri, 13 Apr 2012 12:28:35 -0400 Subject: [Bro-Dev] Bro fails on clean checkout In-Reply-To: References: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> Message-ID: <877DF50B-8113-45C0-89BE-1FC152BD183B@icir.org> On Apr 13, 2012, at 12:13 PM, Katrina LaCurts wrote: > Not that this is necessarily helpful, but the problem occurred recently. Previous merges/checkouts have always worked fine for me, even with homebrew-installed packages. Are you having the problem with the released version of Bro 2.0 too? The other person I'm working with is having odd failures for that too. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From jsiwek at illinois.edu Fri Apr 13 09:57:50 2012 From: jsiwek at illinois.edu (Siwek, Jonathan Luke) Date: Fri, 13 Apr 2012 16:57:50 +0000 Subject: [Bro-Dev] Bro fails on clean checkout In-Reply-To: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> References: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> Message-ID: <36C17DDC-3547-4877-81BD-8F24862411BA@illinois.edu> > I get the following errors when building: > /Users/katrina/test-bro/bro/src/IP.cc: In function ‘VectorVal* BuildOptionsVal(const u_char*, int)’: > /Users/katrina/test-bro/bro/src/IP.cc:46: error: invalid use of incomplete type ‘const struct ip6_opt’ > /Users/katrina/test-bro/bro/src/IP.cc:44: error: forward declaration of ‘const struct ip6_opt’ I get the ip6_opt type from my <netinet/ip6.h>.
On OS X 10.7.3: /* IPv6 options: common part */ struct ip6_opt { u_int8_t ip6o_type; u_int8_t ip6o_len; } __attribute__((__packed__)); If that's not a standard type, we might add a configure-time check to see if it exists and define it if not. Or we might just always define our own type. I'll look more into what standard ways of defining the IPv6 header structures are. +Jon From katrina at csail.mit.edu Fri Apr 13 11:27:14 2012 From: katrina at csail.mit.edu (Katrina LaCurts) Date: Fri, 13 Apr 2012 14:27:14 -0400 Subject: [Bro-Dev] Bro fails on clean checkout In-Reply-To: <877DF50B-8113-45C0-89BE-1FC152BD183B@icir.org> References: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> <877DF50B-8113-45C0-89BE-1FC152BD183B@icir.org> Message-ID: Nope, the released version builds fine (configured the same way) On Apr 13, 2012, at 12:28 PM, Seth Hall wrote: > > On Apr 13, 2012, at 12:13 PM, Katrina LaCurts wrote: > >> Not that this is necessarily helpful, but the problem occurred recently. Previous merges/checkouts have always worked fine for me, even with homebrew-installed packages. > > Are you having the problem with the released version of Bro 2.0 too? The other person I'm working with is having odd failures for that too. 
> > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro-ids.org/ > From katrina at csail.mit.edu Fri Apr 13 11:31:55 2012 From: katrina at csail.mit.edu (Katrina LaCurts) Date: Fri, 13 Apr 2012 14:31:55 -0400 Subject: [Bro-Dev] Bro fails on clean checkout In-Reply-To: <36C17DDC-3547-4877-81BD-8F24862411BA@illinois.edu> References: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> <36C17DDC-3547-4877-81BD-8F24862411BA@illinois.edu> Message-ID: On OS X 10.6.8, I don't have netinet/ip6.h, and I don't see the struct defined in any other file (in particular, in none of the .h files in netinet or netinet6) On Apr 13, 2012, at 12:57 PM, Siwek, Jonathan Luke wrote: > >> I get the following errors when building: >> /Users/katrina/test-bro/bro/src/IP.cc: In function ‘VectorVal* BuildOptionsVal(const u_char*, int)’: >> /Users/katrina/test-bro/bro/src/IP.cc:46: error: invalid use of incomplete type ‘const struct ip6_opt’ >> /Users/katrina/test-bro/bro/src/IP.cc:44: error: forward declaration of ‘const struct ip6_opt’ > > I get the ip6_opt type from my <netinet/ip6.h>. On OS X 10.7.3: > > /* IPv6 options: common part */ > struct ip6_opt { > u_int8_t ip6o_type; > u_int8_t ip6o_len; > } __attribute__((__packed__)); > > If that's not a standard type, we might add a configure-time check to see if it exists and define it if not. Or we might just always define our own type. I'll look more into what standard ways of defining the IPv6 header structures are.
> > +Jon From jsiwek at illinois.edu Fri Apr 13 11:43:24 2012 From: jsiwek at illinois.edu (Siwek, Jonathan Luke) Date: Fri, 13 Apr 2012 18:43:24 +0000 Subject: [Bro-Dev] Bro fails on clean checkout In-Reply-To: References: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> <36C17DDC-3547-4877-81BD-8F24862411BA@illinois.edu> Message-ID: > On OS X 10.6.8, I don't have netinet/ip6.h, and I don't see the struct defined in any other file (in particular, in none of the .h files in netinet or netinet6) Strange, I went to an old 10.5.8 machine and it even has netinet/ip6.h, though it's missing the ip6_opt struct. I thought that would be the difference between conforming to RFC 2292 instead of the newer 3542. I'll try to add enough so the missing netinet/ip6.h case works, too. +Jon From bro at tracker.bro-ids.org Fri Apr 13 11:52:42 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 13 Apr 2012 18:52:42 -0000 Subject: [Bro-Dev] #797: broctl doesn't load policy specified in the SitePolicyPath and defaults to local.bro In-Reply-To: <049.10ac0122cad154cc2df5706bda12aac8@tracker.bro-ids.org> References: <049.10ac0122cad154cc2df5706bda12aac8@tracker.bro-ids.org> Message-ID: <064.86dc438f3c8cb86665458db197345509@tracker.bro-ids.org> #797: broctl doesn't load policy specified in the SitePolicyPath and defaults to local.bro -------------------------+---------------------- Reporter: aashish | Owner: dnthayer Type: Problem | Status: accepted Priority: Normal | Milestone: Bro2.1 Component: BroControl | Version: 2.0 Resolution: | Keywords: -------------------------+---------------------- Changes (by dnthayer): * owner: => dnthayer * status: new => accepted * component: Bro => BroControl -- Ticket URL: Bro Tracker Bro Issue Tracker From jsiwek at illinois.edu Fri Apr 13 13:06:19 2012 From: jsiwek at illinois.edu (Siwek, Jonathan Luke) Date: Fri, 13 Apr 2012 20:06:19 +0000 Subject: [Bro-Dev] Bro fails on clean checkout In-Reply-To: References:
<3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> <36C17DDC-3547-4877-81BD-8F24862411BA@illinois.edu> Message-ID: <6B1B0AE6-5899-40E2-A218-6A3BDB97B4BB@illinois.edu> > On OS X 10.6.8, I don't have netinet/ip6.h, and I don't see the struct defined in any other file (in particular, in none of the .h files in netinet or netinet6) Can you try the `topic/jsiwek/ipv6-configure-checks` branch in `bro` and `cmake` repos and tell me what errors you still get, if any? Also, do you have a ? +Jon From katrina at csail.mit.edu Fri Apr 13 13:34:14 2012 From: katrina at csail.mit.edu (Katrina LaCurts) Date: Fri, 13 Apr 2012 16:34:14 -0400 Subject: [Bro-Dev] Bro fails on clean checkout In-Reply-To: <6B1B0AE6-5899-40E2-A218-6A3BDB97B4BB@illinois.edu> References: <3EF2DEA7-E8F5-4EE3-BB1F-4BC066EAEC56@csail.mit.edu> <36C17DDC-3547-4877-81BD-8F24862411BA@illinois.edu> <6B1B0AE6-5899-40E2-A218-6A3BDB97B4BB@illinois.edu> Message-ID: > Can you try the `topic/jsiwek/ipv6-configure-checks` branch in `bro` and `cmake` repos and tell me what errors you still get, if any? None! > Also, do you have a ? No, but apparently I was blind before (sorry!); netinet/ip6.h exists, it just doesn't contain the correct struct. 
From bro at tracker.bro-ids.org Fri Apr 13 14:58:43 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 13 Apr 2012 21:58:43 -0000 Subject: [Bro-Dev] #810: topic/jsiwek/ipv6-configure-checks Message-ID: <048.0925ef78fe34aef1be80ce15b9782a49@tracker.bro-ids.org> #810: topic/jsiwek/ipv6-configure-checks ---------------------------+------------------------ Reporter: jsiwek | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ This branch in `bro` and `cmake` repos adds some definitions for IPv6 extension header structures in case they're missing from <netinet/ip6.h>. -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Sat Apr 14 00:02:21 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Sat, 14 Apr 2012 00:02:21 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204140702.q3E72LYL032013@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 808 [1] | jsiwek | | Normal | topic/icmp6 [2] Bro | 810 [3] | jsiwek | | Normal | topic/jsiwek/ipv6-configure-checks [4] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | c90148d | Daniel Thayer | 2012-04-12 | Sync up patricia.c/h with pysubnettree repo [5] broctl | 09723eb | Daniel Thayer | 2012-04-11 | Fix documentation typos [6] broctl | b705e2b | Daniel Thayer | 2012-04-09 | Update broctl help information [7] [1] #808: http://tracker.bro-ids.org/bro/ticket/808 [2] icmp6: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/icmp6 [3] #810:
http://tracker.bro-ids.org/bro/ticket/810 [4] ipv6-configure-checks: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-configure-checks [5] fastpath: http://tracker.bro-ids.org/bro/changeset/c90148d073c276e3434b5977ed9e96498434b611/bro [6] fastpath: http://tracker.bro-ids.org/bro/changeset/09723eb2fe1054bb896d33873ecfda48296e7145/broctl [7] fastpath: http://tracker.bro-ids.org/bro/changeset/b705e2b285358856b4253599f0337162df5df7f1/broctl From noreply at bro-ids.org Mon Apr 16 00:00:02 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Mon, 16 Apr 2012 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204160700.q3G702xv022155@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 808 [1] | jsiwek | | Normal | topic/icmp6 [2] Bro | 810 [3] | jsiwek | | Normal | topic/jsiwek/ipv6-configure-checks [4] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | bfa2720 | Seth Hall | 2012-04-15 | Removing QR flag from DNS log in response to question on mailing list. 
[5] bro | c90148d | Daniel Thayer | 2012-04-12 | Sync up patricia.c/h with pysubnettree repo [6] broctl | 09723eb | Daniel Thayer | 2012-04-11 | Fix documentation typos [7] broctl | b705e2b | Daniel Thayer | 2012-04-09 | Update broctl help information [8] [1] #808: http://tracker.bro-ids.org/bro/ticket/808 [2] icmp6: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/icmp6 [3] #810: http://tracker.bro-ids.org/bro/ticket/810 [4] ipv6-configure-checks: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-configure-checks [5] fastpath: http://tracker.bro-ids.org/bro/changeset/bfa2720a81efbab660fa34b7e382b81b10cb12c5/bro [6] fastpath: http://tracker.bro-ids.org/bro/changeset/c90148d073c276e3434b5977ed9e96498434b611/bro [7] fastpath: http://tracker.bro-ids.org/bro/changeset/09723eb2fe1054bb896d33873ecfda48296e7145/broctl [8] fastpath: http://tracker.bro-ids.org/bro/changeset/b705e2b285358856b4253599f0337162df5df7f1/broctl From noreply at bro-ids.org Tue Apr 17 00:00:02 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Tue, 17 Apr 2012 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204170700.q3H702BF032744@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 808 [1] | jsiwek | | Normal | topic/icmp6 [2] Bro | 810 [3] | jsiwek | | Normal | topic/jsiwek/ipv6-configure-checks [4] [1] #808: http://tracker.bro-ids.org/bro/ticket/808 [2] icmp6: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/icmp6 [3] #810: http://tracker.bro-ids.org/bro/ticket/810 [4] ipv6-configure-checks: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-configure-checks From bro at 
tracker.bro-ids.org Tue Apr 17 08:47:10 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 17 Apr 2012 15:47:10 -0000 Subject: [Bro-Dev] #811: Redefining Notice::policy in local.bro not removing default notice action Message-ID: <046.697ad84ed40fde86da0e018602a995df@tracker.bro-ids.org> #811: Redefining Notice::policy in local.bro not removing default notice action -------------------------+------------------------------------------------- Reporter: will | Type: Problem Status: new | Priority: Normal Milestone: Bro2.1 | Component: Bro Version: 2.0 | Keywords: Notice, action, redef, | PacketFilter::Dropped_Packets -------------------------+------------------------------------------------- Redefining the 'Notice::policy' adds an additional notice action, vice replacing the default notice action.

redef Notice::policy += {
    [$pred(n: Notice::Info) = { return n$note == PacketFilter::Dropped_Packets; },
     $action = Notice::ACTION_NONE]
};

Example: "Notice::ACTION_NONE,Notice::ACTION_LOG"

1334676573.295616 - - - - - - PacketFilter::Dropped_Packets 3479 packets dropped after filtering, 163199 received, 162958 on link - - - - - worker-2 Notice::ACTION_NONE,Notice::ACTION_LOG 9,11,3 3600.000000 F

This requires that '$halt=T' be added to the redef:

redef Notice::policy += {
    [$pred(n: Notice::Info) = { return n$note == PacketFilter::Dropped_Packets; },
     $action = Notice::ACTION_NONE,
     $halt = T]
};

-- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 17 09:23:26 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 17 Apr 2012 16:23:26 -0000 Subject: [Bro-Dev] #811: Redefining Notice::policy in local.bro not removing default notice action In-Reply-To: <046.697ad84ed40fde86da0e018602a995df@tracker.bro-ids.org> References: <046.697ad84ed40fde86da0e018602a995df@tracker.bro-ids.org> Message-ID: <061.d163080342fe7490fcef7b1319924d37@tracker.bro-ids.org> #811: Redefining Notice::policy in local.bro not removing default notice action
-------------------------+------------------------------------------------- Reporter: will | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: 2.0 Resolution: | Keywords: Notice, action, redef, | PacketFilter::Dropped_Packets -------------------------+------------------------------------------------- Comment (by robin): For more context, the original problem was that ignore_notices doesn't seem to take effect over the default rule. The above works around that but we should fix the underlying problem. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 17 09:28:59 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 17 Apr 2012 16:28:59 -0000 Subject: [Bro-Dev] #761: 64bit types in binpac In-Reply-To: <046.f2a3f50e7112af8700c18859d13a283d@tracker.bro-ids.org> References: <046.f2a3f50e7112af8700c18859d13a283d@tracker.bro-ids.org> Message-ID: <061.0198277336f08213ec0d0b962c4c59b3@tracker.bro-ids.org> #761: 64bit types in binpac ----------------------+------------------------ Reporter: seth | Owner: seth Type: Problem | Status: assigned Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by jsiwek): In [a6d3ea80ac99066a845b3e4472d38cbe9b5ea4ea/binpac]: {{{ #!CommitTicketReference repository="binpac" revision="a6d3ea80ac99066a845b3e4472d38cbe9b5ea4ea" Change binpac.h integral typedefs and reimplement 64-bit pac_swap(). Integer types now use , and the 64-bit byte-swapping function uses a union approach instead of masking/bit-shifting. Addresses #761. 
}}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 17 09:40:40 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 17 Apr 2012 16:40:40 -0000 Subject: [Bro-Dev] #761: 64bit types in binpac In-Reply-To: <046.f2a3f50e7112af8700c18859d13a283d@tracker.bro-ids.org> References: <046.f2a3f50e7112af8700c18859d13a283d@tracker.bro-ids.org> Message-ID: <061.fdd34ba4abe5b99c0bdb93a0c26372e6@tracker.bro-ids.org> #761: 64bit types in binpac ----------------------------+------------------------ Reporter: seth | Owner: seth Type: Merge Request | Status: assigned Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Changes (by jsiwek): * type: Problem => Merge Request Comment: Compiles and passes tests now on Mac & Linux for me. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 17 18:58:33 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 18 Apr 2012 01:58:33 -0000 Subject: [Bro-Dev] #808: topic/icmp6 In-Reply-To: <048.f05d25e37c2b283195d6e862b7450587@tracker.bro-ids.org> References: <048.f05d25e37c2b283195d6e862b7450587@tracker.bro-ids.org> Message-ID: <063.b8d5144f72f11dc6240a8bf4c54b135c@tracker.bro-ids.org> #808: topic/icmp6 ----------------------------+------------------------ Reporter: jsiwek | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by robin): This code actually turned out to be quite nice now. Thanks everybody involved! 
-- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 17 19:02:37 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 18 Apr 2012 02:02:37 -0000 Subject: [Bro-Dev] #808: topic/icmp6 In-Reply-To: <048.f05d25e37c2b283195d6e862b7450587@tracker.bro-ids.org> References: <048.f05d25e37c2b283195d6e862b7450587@tracker.bro-ids.org> Message-ID: <063.42129be1fe36b101704f69749284580a@tracker.bro-ids.org> #808: topic/icmp6 ----------------------------+------------------------ Reporter: jsiwek | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by robin): One question though: In {{{ICMP_Analyzer::RouterAdvert}}}:

{{{
vl->append(new Val(htons(icmpp->icmp_lifetime), TYPE_COUNT));
vl->append(new Val(reachable, TYPE_INTERVAL));
vl->append(new Val(retrans, TYPE_INTERVAL));
}}}

These don't look right. (1) Is hton really correct for the lifetime? Should the lifetime be of TYPE_INTERVAL as well? (2) TYPE_INTERVAL must be initialized with doubles, not with uint32; and it needs seconds, not ms, as I believe the reachable/retrans fields record, don't they? (Merging it as it is, please commit fixes to fast path as appropriate and then close this ticket).
-- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 17 19:03:16 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 18 Apr 2012 02:03:16 -0000 Subject: [Bro-Dev] #810: topic/jsiwek/ipv6-configure-checks In-Reply-To: <048.0925ef78fe34aef1be80ce15b9782a49@tracker.bro-ids.org> References: <048.0925ef78fe34aef1be80ce15b9782a49@tracker.bro-ids.org> Message-ID: <063.77790db3fbe64ef728af324732b7db57@tracker.bro-ids.org> #810: topic/jsiwek/ipv6-configure-checks ----------------------------+------------------------ Reporter: jsiwek | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [ecfdf7d33c098f24ef059dc41947a7d45ee50b72/bro]: {{{ #!CommitTicketReference repository="bro" revision="ecfdf7d33c098f24ef059dc41947a7d45ee50b72" Merge remote-tracking branch 'origin/topic/jsiwek/ipv6-configure-checks' * origin/topic/jsiwek/ipv6-configure-checks: Add more support for <netinet/ip6.h>'s that lack some structure definitions. Closes #810.
}}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 17 19:03:16 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 18 Apr 2012 02:03:16 -0000 Subject: [Bro-Dev] #761: 64bit types in binpac In-Reply-To: <046.f2a3f50e7112af8700c18859d13a283d@tracker.bro-ids.org> References: <046.f2a3f50e7112af8700c18859d13a283d@tracker.bro-ids.org> Message-ID: <061.7a17938d17a4252f1fdf1b7dcd230c30@tracker.bro-ids.org> #761: 64bit types in binpac ----------------------------+------------------------ Reporter: seth | Owner: seth Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * status: assigned => closed * resolution: => fixed Comment: In [eae55caa84ac13b381f91a37fbe10fbb2aaa2739/bro]: {{{ #!CommitTicketReference repository="bro" revision="eae55caa84ac13b381f91a37fbe10fbb2aaa2739" Merge remote-tracking branch 'origin/topic/seth/64bit-binpac-updates' * origin/topic/seth/64bit-binpac-updates: Small updates for the bittorrent analyzer to support 64bit types in binpac. Closes #761. 
}}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 17 19:03:16 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 18 Apr 2012 02:03:16 -0000 Subject: [Bro-Dev] #808: topic/icmp6 In-Reply-To: <048.f05d25e37c2b283195d6e862b7450587@tracker.bro-ids.org> References: <048.f05d25e37c2b283195d6e862b7450587@tracker.bro-ids.org> Message-ID: <063.b6c7304121993c3e517d7f9d6fe8933e@tracker.bro-ids.org> #808: topic/icmp6 ----------------------------+------------------------ Reporter: jsiwek | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [5350cab371971f75d6ba1b7840881a72d3fa79d0/bro]: {{{ #!CommitTicketReference repository="bro" revision="5350cab371971f75d6ba1b7840881a72d3fa79d0" Merge remote-tracking branch 'origin/topic/icmp6' * origin/topic/icmp6: Fixes for IPv6 truncation and ICMP/ICMP6 analysis. Change ICMPv6 checksum calculation to use IP_Hdr wrapper. Update IPv6 atomic fragment unit test to filter output of ICMPv6. Add more data to icmp events More code cleanup Add more icmpv6 events, and general code cleanup Fix compile failure after merge from master Significant edit pass over ICMPv6 code. Porting Matti's branch to git. Closes #808. 
}}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Apr 18 07:39:36 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 18 Apr 2012 14:39:36 -0000 Subject: [Bro-Dev] #808: topic/icmp6 In-Reply-To: <048.f05d25e37c2b283195d6e862b7450587@tracker.bro-ids.org> References: <048.f05d25e37c2b283195d6e862b7450587@tracker.bro-ids.org> Message-ID: <063.84532cb371f3ef6c4290c1a792f80f5a@tracker.bro-ids.org> #808: topic/icmp6 ----------------------------+------------------------ Reporter: jsiwek | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Comment (by jsiwek): Replying to [comment:2 robin]: > One question though: In {{{ICMP_Analyzer::RouterAdvert}}}: > > {{{ > vl->append(new Val(htons(icmpp->icmp_lifetime), TYPE_COUNT)); > vl->append(new Val(reachable, TYPE_INTERVAL)); > vl->append(new Val(retrans, TYPE_INTERVAL)); > }}} > > These don't look right. > > (1) Is hton really correct for the lifetime? Should the lifetime be of TYPE_INTERVAL as well? > (2) TYPE_INTERVAL must be initialized with doubles, not with uint32; and it's needs seconds, not ms, as I believe the reachable/retrans fields record, don't they? > > > (Merging it as it is, please commit fixes to fast path as appropriate and then close this ticket). Good catches, I'll take a closer look at this. 
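The width and unit question robin raises in the comment above is concrete enough to show in code. What follows is an added example, not Bro's ICMP analyzer: a stand-alone parser for the fixed Router Advertisement header that reads each wire integer explicitly in network byte order (so no htons/ntohs confusion can arise) and converts every timer to the unit a TYPE_INTERVAL-style consumer expects, double seconds. Per RFC 4861 the Router Lifetime is a 16-bit value in seconds, while Reachable Time and Retrans Timer are 32-bit values in milliseconds. The struct, the function names and the sample packet bytes are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Decoded ICMPv6 Router Advertisement header (RFC 4861, section 4.2).
// All timers are stored as double seconds, whatever the unit on the wire,
// which is what an interval-typed consumer (e.g. Bro's TYPE_INTERVAL) wants.
struct RouterAdvert {
    uint8_t cur_hop_limit;
    bool    managed_flag;     // M bit
    bool    other_flag;       // O bit
    double  router_lifetime;  // wire: 16-bit, seconds
    double  reachable_time;   // wire: 32-bit, milliseconds
    double  retrans_timer;    // wire: 32-bit, milliseconds
};

// Read big-endian integers explicitly; independent of host byte order.
static uint16_t be16(const uint8_t* p) {
    return static_cast<uint16_t>((p[0] << 8) | p[1]);
}
static uint32_t be32(const uint8_t* p) {
    return (static_cast<uint32_t>(p[0]) << 24) | (static_cast<uint32_t>(p[1]) << 16) |
           (static_cast<uint32_t>(p[2]) << 8) | static_cast<uint32_t>(p[3]);
}

// Parse the fixed 16-byte RA header starting at the ICMPv6 type byte.
// Rejects truncated or mistyped input instead of reading past the buffer.
RouterAdvert parse_router_advert(const uint8_t* data, size_t len) {
    // type(1) code(1) cksum(2) hoplimit(1) flags(1) lifetime(2) reachable(4) retrans(4)
    const size_t kRaHeaderLen = 16;
    if (len < kRaHeaderLen)
        throw std::runtime_error("truncated ICMPv6 Router Advertisement");
    if (data[0] != 134)  // ICMPv6 type 134 = Router Advertisement
        throw std::runtime_error("not a Router Advertisement");

    RouterAdvert ra;
    ra.cur_hop_limit   = data[4];
    ra.managed_flag    = (data[5] & 0x80) != 0;
    ra.other_flag      = (data[5] & 0x40) != 0;
    ra.router_lifetime = static_cast<double>(be16(data + 6));            // already seconds
    ra.reachable_time  = static_cast<double>(be32(data + 8)) / 1000.0;   // ms -> s
    ra.retrans_timer   = static_cast<double>(be32(data + 12)) / 1000.0;  // ms -> s
    return ra;
}

// Constructed sample RA: hop limit 64, M=1, O=0, lifetime 1800 s,
// reachable time 30000 ms, retrans timer 1000 ms. Checksum left zero.
const std::vector<uint8_t> kSampleRA = {
    134, 0, 0x00, 0x00,      // type, code, checksum (not verified here)
    64, 0x80,                // cur hop limit, flags (M set)
    0x07, 0x08,              // router lifetime = 0x0708 = 1800 s
    0x00, 0x00, 0x75, 0x30,  // reachable time  = 0x7530 = 30000 ms
    0x00, 0x00, 0x03, 0xE8,  // retrans timer   = 0x03E8 = 1000 ms
};

RouterAdvert parse_sample() {
    return parse_router_advert(kSampleRA.data(), kSampleRA.size());
}

// A buffer shorter than the fixed header must be rejected, not partially parsed.
bool rejects_truncated() {
    try { parse_router_advert(kSampleRA.data(), 8); }
    catch (const std::runtime_error&) { return true; }
    return false;
}
```

With the sample bytes, parse_sample() yields a lifetime of 1800.0 s, a reachable time of 30.0 s and a retrans timer of 1.0 s; storing the raw 30000 and 1000 as intervals, as the quoted snippet would, overstates both by a factor of a thousand.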
From bro at tracker.bro-ids.org Wed Apr 18 13:24:22 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 18 Apr 2012 20:24:22 -0000
Subject: [Bro-Dev] #812: topic/dnthayer/remove-unused-options
Message-ID: <050.e571e62500ad43ccc1180b63051af3a7@tracker.bro-ids.org>

#812: topic/dnthayer/remove-unused-options
---------------------------+------------------------
 Reporter:  dnthayer       |      Owner:
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.1
Component:  BroControl     |    Version:  git/master
 Keywords:                 |
---------------------------+------------------------
In this branch, some apparently unused broctl options were removed. There were also a couple of broctl options that were named incorrectly (i.e., the name defined didn't match the name actually being used), so these were also fixed.

From noreply at bro-ids.org Thu Apr 19 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 19 Apr 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201204190700.q3J702gj018814@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component  | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
BroControl | 812 [1] | dnthayer |       | Normal | topic/dnthayer/remove-unused-options [2]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | b933184  | Jon Siwek | 2012-04-18 | Changes related to ICMPv6 Neighbor Discovery messages. [3]

[1] #812: http://tracker.bro-ids.org/bro/ticket/812
[2] remove-unused-options: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/remove-unused-options
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/b933184b2590edc6e835bc93466e682e2318acc8/bro

From bro at tracker.bro-ids.org Thu Apr 19 09:28:49 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 19 Apr 2012 16:28:49 -0000
Subject: [Bro-Dev] #797: broctl doesn't load policy specified in the SitePolicyPath and defaults to local.bro
In-Reply-To: <049.10ac0122cad154cc2df5706bda12aac8@tracker.bro-ids.org>
References: <049.10ac0122cad154cc2df5706bda12aac8@tracker.bro-ids.org>
Message-ID: <064.ae850ffb6c8fecb75a348567d7544d47@tracker.bro-ids.org>

#797: broctl doesn't load policy specified in the SitePolicyPath and defaults to local.bro
-------------------------+----------------------
  Reporter:  aashish     |      Owner:  dnthayer
      Type:  Problem     |     Status:  accepted
  Priority:  Normal      |  Milestone:  Bro2.1
 Component:  BroControl  |    Version:  2.0
Resolution:              |   Keywords:
-------------------------+----------------------
Comment (by dnthayer):

When doing a "broctl install", broctl copies all files from each directory listed in "sitepolicypath" to the directory specified in "policydirsiteinstall", but bro does not automatically load any files in either location (the word "path" in "sitepolicypath" is very confusing; I would prefer the name "sitepolicydirs").

The "sitepolicystandalone" option is defined in the broctl source code but is never used anywhere (you can change the value of that option, but it has no effect because broctl has the default value "local" hardcoded where it is actually used).

From bro at tracker.bro-ids.org Thu Apr 19 09:37:57 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 19 Apr 2012 16:37:57 -0000
Subject: [Bro-Dev] #797: broctl doesn't load policy specified in the SitePolicyPath and defaults to local.bro
In-Reply-To: <049.10ac0122cad154cc2df5706bda12aac8@tracker.bro-ids.org>
References: <049.10ac0122cad154cc2df5706bda12aac8@tracker.bro-ids.org>
Message-ID: <064.17782b87bba0e945016fdbe113ba7297@tracker.bro-ids.org>

#797: broctl doesn't load policy specified in the SitePolicyPath and defaults to local.bro
-------------------------+----------------------
  Reporter:  aashish     |      Owner:  dnthayer
      Type:  Problem     |     Status:  accepted
  Priority:  Normal      |  Milestone:  Bro2.1
 Component:  BroControl  |    Version:  2.0
Resolution:              |   Keywords:
-------------------------+----------------------
Comment (by dnthayer):

In [a409aa43328a65e4129b95f2b661c463d5ee8f16/broctl]:
{{{
#!CommitTicketReference repository="broctl" revision="a409aa43328a65e4129b95f2b661c463d5ee8f16"
Fix some unused broctl options

The sitepolicystandalone, sitepolicymanager, and sitepolicyworker broctl
options were defined but never used.  Fixed by replacing the hard-coded
default values with the actual config option value.

Addresses #797.
}}}

From bro at tracker.bro-ids.org Thu Apr 19 09:47:07 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 19 Apr 2012 16:47:07 -0000
Subject: [Bro-Dev] #797: broctl doesn't load policy specified in the SitePolicyPath and defaults to local.bro
In-Reply-To: <049.10ac0122cad154cc2df5706bda12aac8@tracker.bro-ids.org>
References: <049.10ac0122cad154cc2df5706bda12aac8@tracker.bro-ids.org>
Message-ID: <064.364a31707f904fd81acae7dd35158b69@tracker.bro-ids.org>

#797: broctl doesn't load policy specified in the SitePolicyPath and defaults to local.bro
----------------------------+----------------------
  Reporter:  aashish        |      Owner:  dnthayer
      Type:  Merge Request  |     Status:  accepted
  Priority:  Normal         |  Milestone:  Bro2.1
 Component:  BroControl     |    Version:  2.0
Resolution:                 |   Keywords:
----------------------------+----------------------
Changes (by dnthayer):

 * type:  Problem => Merge Request

From bro at tracker.bro-ids.org Thu Apr 19 10:02:26 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 19 Apr 2012 17:02:26 -0000
Subject: [Bro-Dev] #797: broctl doesn't load policy specified in the SitePolicyPath and defaults to local.bro
In-Reply-To: <049.10ac0122cad154cc2df5706bda12aac8@tracker.bro-ids.org>
References: <049.10ac0122cad154cc2df5706bda12aac8@tracker.bro-ids.org>
Message-ID: <064.cebe4f8974b2ad03ad7d38d4739cc974@tracker.bro-ids.org>

#797: broctl doesn't load policy specified in the SitePolicyPath and defaults to local.bro
----------------------------+----------------------
  Reporter:  aashish        |      Owner:  dnthayer
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.1
 Component:  BroControl     |    Version:  2.0
Resolution:  fixed          |   Keywords:
----------------------------+----------------------
Changes (by robin):

 * status:  accepted => closed
 * resolution:  => fixed

Comment:

In [a2f29c0cfbaf39da2770113256a5c22bf0a46cfe/broctl]:
{{{
#!CommitTicketReference repository="broctl" revision="a2f29c0cfbaf39da2770113256a5c22bf0a46cfe"
Merge remote-tracking branch 'origin/topic/dnthayer/bug797'

I tweaked it a bit to use split() on the options so that one can give
more than one script (which is how I believe it used to be).

Closes #797.

(Btw, I'm fine renaming options where they aren't intuitive, per the
comment on the tracker).

* origin/topic/dnthayer/bug797:
  Fix some unused broctl options
}}}

From bro at tracker.bro-ids.org Thu Apr 19 10:12:35 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 19 Apr 2012 17:12:35 -0000
Subject: [Bro-Dev] #805: Make the various "weird" events stop printing to stderr (was: Make the various "weird" events stop printing to stdout)
In-Reply-To: <046.21500fb1bde0b9f1dd898fd92880d54b@tracker.bro-ids.org>
References: <046.21500fb1bde0b9f1dd898fd92880d54b@tracker.bro-ids.org>
Message-ID: <061.95624b5662a4375344ae39d41489d2bf@tracker.bro-ids.org>

#805: Make the various "weird" events stop printing to stderr
----------------------+------------------------
  Reporter:  seth     |      Owner:  dnthayer
      Type:  Problem  |     Status:  accepted
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by dnthayer):

 * owner:  => dnthayer
 * status:  new => accepted

Comment:

Actually, it seems they're printed to stderr (not to stdout).

From bro at tracker.bro-ids.org Thu Apr 19 11:48:42 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 19 Apr 2012 18:48:42 -0000
Subject: [Bro-Dev] #805: Make the various "weird" events stop printing to stderr
In-Reply-To: <046.21500fb1bde0b9f1dd898fd92880d54b@tracker.bro-ids.org>
References: <046.21500fb1bde0b9f1dd898fd92880d54b@tracker.bro-ids.org>
Message-ID: <061.90d5dc6c6fa65d4c5daa9862a314cd60@tracker.bro-ids.org>

#805: Make the various "weird" events stop printing to stderr
----------------------+------------------------
  Reporter:  seth     |      Owner:  dnthayer
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:  fixed    |   Keywords:
----------------------+------------------------
Changes (by dnthayer):

 * status:  accepted => closed
 * resolution:  => fixed

Comment:

In [faa89913dee1e6fbc09ca5feaab724c0dfb8222c/bro]:
{{{
#!CommitTicketReference repository="bro" revision="faa89913dee1e6fbc09ca5feaab724c0dfb8222c"
Don't print the various "weird" events to stderr

Fixes #805.
}}}

From noreply at bro-ids.org Fri Apr 20 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 20 Apr 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201204200700.q3K702QF002699@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component  | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
BroControl | 812 [1] | dnthayer |       | Normal | topic/dnthayer/remove-unused-options [2]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
broctl    | 7471b47  | Daniel Thayer | 2012-04-19 | Update broctl option descriptions [3]

[1] #812: http://tracker.bro-ids.org/bro/ticket/812
[2] remove-unused-options: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/remove-unused-options
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/7471b47bd41aecdfc6877afa86ba63f04c3bfa4f/broctl

From bro at tracker.bro-ids.org Fri Apr 20 09:05:48 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 20 Apr 2012 16:05:48 -0000
Subject: [Bro-Dev] #713: IPv6 session extraction failure
In-Reply-To: <046.cada0c993d930ef613daa5ace3fb9d8c@tracker.bro-ids.org>
References: <046.cada0c993d930ef613daa5ace3fb9d8c@tracker.bro-ids.org>
Message-ID: <061.a9473eee1d6b0fd11ec11c2351735d79@tracker.bro-ids.org>

#713: IPv6 session extraction failure
----------------------+--------------------
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:
Resolution:           |   Keywords:  ipv6
----------------------+--------------------
Comment (by dnthayer):

I tested this with the latest code in master (I had to first set "default_extract = T" in base/protocols/conn/contents.bro), and I see two files created that are both non-zero length (filenames are of the form: contents_:-:_orig.dat and contents_:-:_resp.dat).

One small issue I see is that a colon is used in the output filename to separate the IP address from the port number, which looks OK for IPv4, but could be a little confusing for IPv6.

From bro at tracker.bro-ids.org Fri Apr 20 10:55:48 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 20 Apr 2012 17:55:48 -0000
Subject: [Bro-Dev] #713: IPv6 session extraction failure
In-Reply-To: <046.cada0c993d930ef613daa5ace3fb9d8c@tracker.bro-ids.org>
References: <046.cada0c993d930ef613daa5ace3fb9d8c@tracker.bro-ids.org>
Message-ID: <061.e91221b09fe24da9389fe88738db87b2@tracker.bro-ids.org>

#713: IPv6 session extraction failure
----------------------+--------------------
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:
Resolution:           |   Keywords:  ipv6
----------------------+--------------------
Comment (by seth):

> contents_:-:_orig.dat
> and contents_:-:_resp.dat).
>
> One small issue I see is that a colon is used in the output filename to
> separate the IP address from the port number, which looks OK for IPv4,
> but could be a little confusing for IPv6.

Good catch. Does anyone think that IPv6 addresses include the square brackets when they are serialized (ODesc'd?) to strings? It would make sense now that that's how it needs to be done in Bro.
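The colon ambiguity dnthayer and seth discuss in #713, as an added example that is not Bro's own file-naming code: a small C++ helper that builds the per-direction contents filename with IPv6 hosts in square brackets, plus a matching parser that shows why the bracketed form splits unambiguously while a bare IPv6 host:port cannot be split at all. The "contents_<orig>-<resp>_<dir>.dat" shape and the ConnId struct are assumptions based on the filenames quoted in the ticket; the addresses are constructed sample values.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical connection endpoints (in Bro these would come from conn$id).
struct ConnId {
    std::string orig_h; uint16_t orig_p;
    std::string resp_h; uint16_t resp_p;
};

// A textual IPv4 address never contains a colon, so a colon marks IPv6.
static bool is_ipv6(const std::string& addr) {
    return addr.find(':') != std::string::npos;
}

// Render "host:port", bracketing IPv6 hosts (the RFC 3986 / URL convention)
// so the separating colon cannot be confused with the colons in the address.
std::string endpoint_str(const std::string& host, uint16_t port) {
    std::string h = is_ipv6(host) ? "[" + host + "]" : host;
    return h + ":" + std::to_string(port);
}

// Build the per-direction extraction filename. The shape is assumed from the
// ticket ("contents_<orig>-<resp>_orig.dat"); it is not Bro's exact format.
std::string contents_filename(const ConnId& id, bool is_orig) {
    return "contents_" + endpoint_str(id.orig_h, id.orig_p) + "-" +
           endpoint_str(id.resp_h, id.resp_p) + (is_orig ? "_orig.dat" : "_resp.dat");
}

// Split one endpoint back into (host, port). A bracketed host is unambiguous;
// an unbracketed string with more than one colon cannot be split reliably
// (every split point is a plausible IPv6 address), so it is rejected.
std::pair<std::string, uint16_t> parse_endpoint(const std::string& s) {
    if (!s.empty() && s[0] == '[') {
        size_t close = s.find(']');
        if (close == std::string::npos || close + 1 >= s.size() || s[close + 1] != ':')
            throw std::invalid_argument("malformed bracketed endpoint: " + s);
        return { s.substr(1, close - 1),
                 static_cast<uint16_t>(std::stoul(s.substr(close + 2))) };
    }
    size_t first = s.find(':');
    if (first == std::string::npos || s.find(':', first + 1) != std::string::npos)
        throw std::invalid_argument("ambiguous or malformed endpoint: " + s);
    return { s.substr(0, first),
             static_cast<uint16_t>(std::stoul(s.substr(first + 1))) };
}

// "2001:db8::1:1234" is itself a valid IPv6 address, so without brackets the
// port cannot be recovered; the parser must refuse rather than guess.
bool rejects_unbracketed_ipv6() {
    try { parse_endpoint("2001:db8::1:1234"); }
    catch (const std::invalid_argument&) { return true; }
    return false;
}
```

For an IPv4 pair the result is the familiar "contents_10.0.0.1:1234-10.0.0.2:80_orig.dat"; for IPv6 it becomes "contents_[2001:db8::1]:1234-[2001:db8::2]:80_resp.dat", which parse_endpoint can take apart again.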
-- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Fri Apr 20 15:02:07 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 20 Apr 2012 22:02:07 -0000 Subject: [Bro-Dev] #801: Configure option for specifying path for ../etc/ In-Reply-To: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> References: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> Message-ID: <064.14665f334327ad04effb400f41a83821@tracker.bro-ids.org> #801: Configure option for specifying path for ../etc/ ------------------------------+------------------------ Reporter: aashish | Owner: dnthayer Type: Feature Request | Status: accepted Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ------------------------------+------------------------ Changes (by dnthayer): * owner: => dnthayer * status: new => accepted -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Sat Apr 21 00:00:02 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Sat, 21 Apr 2012 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204210700.q3L702Zo032013@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ BroControl | 812 [1] | dnthayer | | Normal | topic/dnthayer/remove-unused-options [2] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ broctl | 7471b47 | Daniel Thayer | 2012-04-19 | Update broctl option descriptions [3] [1] #812: http://tracker.bro-ids.org/bro/ticket/812 [2] remove-unused-options: 
http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/remove-unused-options [3] fastpath: http://tracker.bro-ids.org/bro/changeset/7471b47bd41aecdfc6877afa86ba63f04c3bfa4f/broctl From bro at tracker.bro-ids.org Sat Apr 21 11:24:22 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Sat, 21 Apr 2012 18:24:22 -0000 Subject: [Bro-Dev] #813: Problem with libmagic in file analyzer Message-ID: <046.9db067578007089bb913064fae522ddc@tracker.bro-ids.org> #813: Problem with libmagic in file analyzer ---------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ This is current master running on an FTP trace. It seems that when something is transferred over a data channel and the file analyzer tries to load libmagic it's failing. {{{ (gdb) bt #0 0x00007fff8b6dbce2 in __pthread_kill () #1 0x00007fff977d87d2 in pthread_kill () #2 0x00007fff977c9a7a in abort () #3 0x00000001006ef9c3 in TCMalloc_CRASH_internal () #4 0x00000001006efa62 in TCMalloc_CrashReporter::PrintfAndDie () #5 0x00000001006e8753 in (anonymous namespace)::do_free_with_callback () #6 0x000000010018c1e9 in magic_getpath () at MsgThread.h:352 #7 0x000000010018ca97 in file_apprentice () at MsgThread.h:352 #8 0x000000010018c34b in magic_load () at MsgThread.h:352 #9 0x00000001000bb51c in File_Analyzer::InitMagic (magic=0x1002a22a8, flags=3595) at FileAnalyzer.cc:72 #10 0x00000001000bb71f in File_Analyzer::File_Analyzer (this=0x101df8a00, conn=0x0) at FileAnalyzer.cc:16 #11 0x000000010005a2c2 in File_Analyzer::InstantiateAnalyzer (conn=0x6) at FileAnalyzer.h:19 #12 0x00000001000588b7 in Analyzer::InstantiateAnalyzer (tag=3595, c=0xe0b) at Analyzer.cc:197 #13 0x000000010008dcda in DPM::BuildInitialAnalyzerTree (this=0x1009d5000, proto=TRANSPORT_TCP, conn=0x101da58c0, 
data=0x7fff5fbfe698 "?}??") at DPM.cc:208 #14 0x0000000100145675 in Connection::IsExternal () at /Users/seth/bro/bro.work8/src/Conn.h:1063 #15 0x0000000100145675 in NetSessions::NewConn (this=0x7fff5fbfef50, k=0x7fff5fbfef50, t=6.9532229756608527e-310, data=0x7fff5fbfef50 "??_?", proto=2090397624) at Sessions.cc:1065 #16 0x0000000100146d72 in NetSessions::DoNextPacket (this=0x7fff5fbff090, t=6.9532229756766628e-310, hdr=0x101e262e0, ip_hdr=0x0, pkt=0x7fff5fbff090 "??_?", hdr_size=2090397624) at Sessions.cc:605 #17 0x00000001001476b0 in IP_Hdr::~IP_Hdr () at /Users/seth/bro/bro.work8/src/IP.h:291 #18 0x00000001001476b0 in NetSessions::NextPacket (this=0x1009d6c00, t=6.9532229756916824e-310, hdr=0x1009d6440, pkt=0x10100f200 "?0bH??,\003;l???`", hdr_size=14, pkt_elem=0x7fff5fbff0b0) at Sessions.cc:291 #19 0x0000000100107c39 in net_packet_dispatch (t=6.9532229756956349e-310, hdr=0x1009d6440, pkt=0x10100f200 "?0bH??,\003;l???`", hdr_size=1606414864, src_ps=0x1009d6400, pkt_elem=0x7fff5fbff210) at Net.cc:352 #20 0x0000000100117638 in PktSrc::Process (this=0x1009d6c00) at PktSrc.cc:273 #21 0x0000000100107e31 in net_run () at Net.cc:445 #22 0x00000001000525c8 in main (argc=2761576, argv=0x1002a2368) at main.cc:1034 }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Sun Apr 22 00:00:02 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Sun, 22 Apr 2012 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204220700.q3M7023A030218@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ BroControl | 812 [1] | dnthayer | | Normal | topic/dnthayer/remove-unused-options [2] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary 
------------------------------------------------------------------------------------------------------------------ bro | 6e2205a | Seth Hall | 2012-04-21 | Fix problem with extracting FTP passwords. [3] broctl | 7471b47 | Daniel Thayer | 2012-04-19 | Update broctl option descriptions [4] [1] #812: http://tracker.bro-ids.org/bro/ticket/812 [2] remove-unused-options: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/remove-unused-options [3] fastpath: http://tracker.bro-ids.org/bro/changeset/6e2205aa686cb1c77da8d2b56ed9a1881cb72e7a/bro [4] fastpath: http://tracker.bro-ids.org/bro/changeset/7471b47bd41aecdfc6877afa86ba63f04c3bfa4f/broctl From noreply at bro-ids.org Mon Apr 23 00:00:02 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Mon, 23 Apr 2012 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204230700.q3N702nc009976@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ BroControl | 812 [1] | dnthayer | | Normal | topic/dnthayer/remove-unused-options [2] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | 6e2205a | Seth Hall | 2012-04-21 | Fix problem with extracting FTP passwords. 
[3] broctl | 7471b47 | Daniel Thayer | 2012-04-19 | Update broctl option descriptions [4] [1] #812: http://tracker.bro-ids.org/bro/ticket/812 [2] remove-unused-options: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/remove-unused-options [3] fastpath: http://tracker.bro-ids.org/bro/changeset/6e2205aa686cb1c77da8d2b56ed9a1881cb72e7a/bro [4] fastpath: http://tracker.bro-ids.org/bro/changeset/7471b47bd41aecdfc6877afa86ba63f04c3bfa4f/broctl From bro at tracker.bro-ids.org Mon Apr 23 09:18:06 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 23 Apr 2012 16:18:06 -0000 Subject: [Bro-Dev] #801: Configure option for specifying path for ../etc/ In-Reply-To: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> References: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> Message-ID: <064.96aa4fc99ed600e4415452a2bc4e0950@tracker.bro-ids.org> #801: Configure option for specifying path for ../etc/ ------------------------------+------------------------ Reporter: aashish | Owner: dnthayer Type: Feature Request | Status: accepted Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ------------------------------+------------------------ Comment (by dnthayer): In [65eb974f5db90a6c52820899dcd54a2514db37bb/bro]: {{{ #!CommitTicketReference repository="bro" revision="65eb974f5db90a6c52820899dcd54a2514db37bb" Added an option to specify the 'etc' directory Addresses #801. 
}}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Apr 23 09:22:09 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 23 Apr 2012 16:22:09 -0000 Subject: [Bro-Dev] #801: Configure option for specifying path for ../etc/ In-Reply-To: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> References: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> Message-ID: <064.25d2f95f5ddeaf52ae31d64b29f0aba6@tracker.bro-ids.org> #801: Configure option for specifying path for ../etc/ ------------------------------+------------------------ Reporter: aashish | Owner: dnthayer Type: Feature Request | Status: accepted Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ------------------------------+------------------------ Comment (by dnthayer): In [cf90b8448d838614040d23beb0e963a37b2ba6d2/broccoli]: {{{ #!CommitTicketReference repository="broccoli" revision="cf90b8448d838614040d23beb0e963a37b2ba6d2" Add option for 'etc' directory Addresses #801. 
}}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Apr 23 09:22:21 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 23 Apr 2012 16:22:21 -0000 Subject: [Bro-Dev] #801: Configure option for specifying path for ../etc/ In-Reply-To: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> References: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> Message-ID: <064.289f47d80595eff5ac7050a3055c438c@tracker.bro-ids.org> #801: Configure option for specifying path for ../etc/ ------------------------------+------------------------ Reporter: aashish | Owner: dnthayer Type: Feature Request | Status: accepted Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ------------------------------+------------------------ Comment (by dnthayer): In [3aa58e23c47e1fee0928f145128c48c11fb867b0/broctl]: {{{ #!CommitTicketReference repository="broctl" revision="3aa58e23c47e1fee0928f145128c48c11fb867b0" Added an option to specify 'etc' directory Addresses #801. 
}}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Apr 23 09:23:39 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 23 Apr 2012 16:23:39 -0000 Subject: [Bro-Dev] #801: Configure option for specifying path for ../etc/ In-Reply-To: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> References: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> Message-ID: <064.39ceb1b339d79a5b58f6eb01f8159627@tracker.bro-ids.org> #801: Configure option for specifying path for ../etc/ ----------------------------+------------------------ Reporter: aashish | Owner: dnthayer Type: Merge Request | Status: accepted Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Changes (by dnthayer): * type: Feature Request => Merge Request -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Tue Apr 24 00:00:02 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Tue, 24 Apr 2012 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204240700.q3O702dV026105@bro-ids.icir.org> > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 801 [1] | aashish | dnthayer | Normal | Configure option for specifying path for ../etc/ BroControl | 812 [2] | dnthayer | | Normal | topic/dnthayer/remove-unused-options [3] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | 6e2205a | Seth Hall | 2012-04-21 | Fix problem with extracting FTP passwords. 
[4] broctl | 7471b47 | Daniel Thayer | 2012-04-19 | Update broctl option descriptions [5] [1] #801: http://tracker.bro-ids.org/bro/ticket/801 [2] #812: http://tracker.bro-ids.org/bro/ticket/812 [3] remove-unused-options: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/remove-unused-options [4] fastpath: http://tracker.bro-ids.org/bro/changeset/6e2205aa686cb1c77da8d2b56ed9a1881cb72e7a/bro [5] fastpath: http://tracker.bro-ids.org/bro/changeset/7471b47bd41aecdfc6877afa86ba63f04c3bfa4f/broctl From bro at tracker.bro-ids.org Tue Apr 24 10:04:09 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 24 Apr 2012 17:04:09 -0000 Subject: [Bro-Dev] #814: Fix MailAlarmsTo Message-ID: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org> #814: Fix MailAlarmsTo ----------------------------+-------------------------- Reporter: Tyler.Schoenke | Type: Problem Status: new | Priority: Normal Milestone: | Component: BroControl Version: git/master | Keywords: MailAlarmsTo ----------------------------+-------------------------- In 1.5 there was a MailAlarmsTo variable that could be set in the broctl.cfg file. That functionality seems to be missing from 2.0. It is handy to send only alerts (alarms) to a separate email address than the summary reports. 
Here were the default variables in 1.5 etc/broctl.cfg: {{{ MailTo = bromessage at localhost MailAlarmsTo = broalert at localhost }}} Thanks, Tyler -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 24 14:51:15 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 24 Apr 2012 21:51:15 -0000 Subject: [Bro-Dev] #801: Configure option for specifying path for ../etc/ In-Reply-To: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> References: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> Message-ID: <064.448a35b6a0cb3434febf16c93fa44c9f@tracker.bro-ids.org> #801: Configure option for specifying path for ../etc/ ----------------------------+------------------------ Reporter: aashish | Owner: dnthayer Type: Merge Request | Status: accepted Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by robin): Merged. When changing multiple repositories, please include a summarizing note in the merge request which ones are affected and what the branch name is. 
-- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 24 14:51:58 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 24 Apr 2012 21:51:58 -0000 Subject: [Bro-Dev] #812: topic/dnthayer/remove-unused-options In-Reply-To: <050.e571e62500ad43ccc1180b63051af3a7@tracker.bro-ids.org> References: <050.e571e62500ad43ccc1180b63051af3a7@tracker.bro-ids.org> Message-ID: <065.3139fe55266e8696d09167a2c45e6850@tracker.bro-ids.org> #812: topic/dnthayer/remove-unused-options -----------------------------+------------------------ Reporter: dnthayer | Owner: Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.1 Component: BroControl | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Changes (by robin): * status: new => closed * resolution: => Solved/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 24 15:13:14 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 24 Apr 2012 22:13:14 -0000 Subject: [Bro-Dev] #814: Fix MailAlarmsTo In-Reply-To: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org> References: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org> Message-ID: <071.e1ccf6d0bacac58fcbd436b46872a6c1@tracker.bro-ids.org> #814: Fix MailAlarmsTo -----------------------------+-------------------------- Reporter: Tyler.Schoenke | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Component: BroControl | Version: git/master Resolution: | Keywords: MailAlarmsTo -----------------------------+-------------------------- Comment (by seth): > broctl.cfg file. That functionality seems to be missing from 2.0. It is > handy to send only alerts (alarms) to a separate email address than the > summary reports. For more context, when I looked into this yesterday, the option is implemented partially in broctl, but it seems that I missed the implementation in Bro. 
-- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 24 15:18:09 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 24 Apr 2012 22:18:09 -0000 Subject: [Bro-Dev] #801: Configure option for specifying path for ../etc/ In-Reply-To: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> References: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org> Message-ID: <064.a076ad3e8ef10b0724bd9305fd4c3e74@tracker.bro-ids.org> #801: Configure option for specifying path for ../etc/ ----------------------------+------------------------ Reporter: aashish | Owner: dnthayer Type: Merge Request | Status: accepted Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by robin): I was getting configure/cmake errors in sub-modules when the new option wasn't explicitly set. I fixed it, but please check. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 24 15:18:46 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 24 Apr 2012 22:18:46 -0000 Subject: [Bro-Dev] #814: Fix MailAlarmsTo In-Reply-To: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org> References: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org> Message-ID: <071.6c9691bc4b703dacf6134916b9de18c8@tracker.bro-ids.org> #814: Fix MailAlarmsTo -----------------------------+-------------------------- Reporter: Tyler.Schoenke | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.1 Component: BroControl | Version: git/master Resolution: | Keywords: MailAlarmsTo -----------------------------+-------------------------- Changes (by robin): * milestone: => Bro2.1 -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Apr 24 17:34:02 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 25 Apr 2012 00:34:02 -0000 Subject: [Bro-Dev] #801: Configure option for 
specifying path for ../etc/
In-Reply-To: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org>
References: <049.b7db21b4f1420f3f6902534231deb9b2@tracker.bro-ids.org>
Message-ID: <064.270c92cb414c242ec069aeb414f4ed3a@tracker.bro-ids.org>

#801: Configure option for specifying path for ../etc/
----------------------------+------------------------
  Reporter: aashish         | Owner: dnthayer
      Type: Merge Request   | Status: closed
  Priority: Normal          | Milestone: Bro2.1
 Component: Bro             | Version: git/master
Resolution: fixed           | Keywords:
----------------------------+------------------------
Changes (by robin):

 * status: accepted => closed
 * resolution: => fixed

Comment:

In [c9c180eebe68de37356afe1de2ba5a0f567df66d/bro]:
{{{
#!CommitTicketReference repository="bro" revision="c9c180eebe68de37356afe1de2ba5a0f567df66d"
Merge remote-tracking branch 'origin/topic/dnthayer/bug801'

* origin/topic/dnthayer/bug801:
  Added an option to specify the 'etc' directory

Closes #801.

Note, I've adapted the code in configure a bit to make it independent of the argument order (same for an older option). Hope that works ...
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From seth at icir.org Wed Apr 25 06:54:03 2012
From: seth at icir.org (Seth Hall)
Date: Wed, 25 Apr 2012 09:54:03 -0400
Subject: [Bro-Dev] Decapsulating "payload" tunnels
Message-ID: <0328875F-A062-472F-8688-A7F26798223C@icir.org>

Jon and I have been working on the 2.1 tunnel decapsulation recently and we encountered some major architectural questions. We seem to have the groundwork laid for doing IP encapsulation tunnels (AYIYA, Teredo, 6to4), but I want to support tunnels like SOCKS and HTTP CONNECT, which are essentially session payload tunnels since they are tunneling reassembled TCP streams. This brings up a problem if we want to create logs that are useful forensically, because right now any connection to a SOCKS proxy looks like the client is sending all the traffic to the proxy.
The HTTP logs will show the client doing HTTP requests to the proxy even though the proxy is really sending them onward to other hosts. In environments with pervasive proxying, this makes the logs much less useful.

Robin, Jon, and I discussed this for a while yesterday and we came up with a proposal where we would extract the payload from the proxy connection and mock up IP headers for the Sessions::DoNextPacket method which looks like the client connecting to the host it's requesting to actually talk to. We would need to extend the DoNextPacket method to provide a short circuit for skipping the TCP reassembly and analysis since it would be reassembled payload bytes immediately after the fake IP header. This would result in two connections showing up in conn.log when there was *really*

There is one other niggle in this. It seems that most proxy protocols (SOCKS and HTTP at least) support requesting a proxy connection by name instead of IP address. I fully expect to be beat up over this, but I think it would be great to be able to support doing a lookup to create the fake ip header.

I'm sure we'll end up sticking configuration options all over the place to turn things off and we'll definitely figure out a good set of things to turn on by default.

Does anyone have reservations with this design? It definitely seems nasty on some levels and Robin pointed out yesterday that it would probably be much better to pass data around with abstracted metadata instead of packets, but packets are what we deal with internally for now so that's what we would have to fake without doing a major redesign.

Robin, Jon: please follow up if there are any points that I didn't make clear enough.
:)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From seth at icir.org Wed Apr 25 07:10:52 2012
From: seth at icir.org (Seth Hall)
Date: Wed, 25 Apr 2012 10:10:52 -0400
Subject: [Bro-Dev] Decapsulating "payload" tunnels
In-Reply-To: <0328875F-A062-472F-8688-A7F26798223C@icir.org>
References: <0328875F-A062-472F-8688-A7F26798223C@icir.org>
Message-ID: <29858393-6799-42EB-B44C-9277BE438D93@icir.org>

oops?

On Apr 25, 2012, at 9:54 AM, Seth Hall wrote:

> We would need to extend the DoNextPacket method to provide a short circuit for skipping the TCP reassembly and analysis since it would be reassembled payload bytes immediately after the fake IP header. This would result in two connections showing up in conn.log when there was *really* only one.

The main idea I wanted to get across is that we're trying to consider the forensics process with our approach to the logging and we're trying to make the logs understandable but also give enough information to easily hunt for compromised machines.
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From noreply at bro-ids.org Thu Apr 26 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 26 Apr 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201204260700.q3Q703hU011133@bro-ids.icir.org>

> Unmerged Fastpath Commits
> =========================

Component     | Revision | Committer     | Date       | Summary
--------------+----------+---------------+------------+---------------------------------------------------------------------------
bro           | 8c14b5a  | Seth Hall     | 2012-04-25 | Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space" [1]
broctl        | e8eb857  | Daniel Thayer | 2012-04-25 | Fix typos [2]
trace-summary | dcf4b00  | Daniel Thayer | 2012-04-25 | Fix typos [3]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/8c14b5a911edff7b1ad8dfe1b33fd2c6766aec6d/bro
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/e8eb8579f1065b5759264e3fe04b8110f8f63b3a/broctl
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/dcf4b005af85530bbb688e91e3dc383b57bb6bf0/trace-summary

From adave at cyberpointllc.com Thu Apr 26 08:45:16 2012
From: adave at cyberpointllc.com (Dave, Anil)
Date: Thu, 26 Apr 2012 15:45:16 +0000
Subject: [Bro-Dev] Binpac
Message-ID: <8212326D69ABF544A5B87C9FD12E453A01DC3A7A@bltmmd1-exch1.cyberpointllc.com>

What is the best way to create a composite binpac analyzer from several (two or more) .pac files: Need to create a parser for an ipv6 session that encapsulates and parses portions of an http session and html5 mime following a successful ipv6 parse.

Specifically: using http-protocol.pac and a simple ipv6.pac, need to create derived classes for http from the ipv6 base class.

Generally: how are linked analyzers created beyond using constructs like %include XYZ.pac, which result in binpac build errors such as undeclared variables?
Can reference types cross analyzer .pac files as normal C++ #include provides?

- Neil

From seth at icir.org Thu Apr 26 13:28:29 2012
From: seth at icir.org (Seth Hall)
Date: Thu, 26 Apr 2012 16:28:29 -0400
Subject: [Bro-Dev] Binpac
In-Reply-To: <8212326D69ABF544A5B87C9FD12E453A01DC3A7A@bltmmd1-exch1.cyberpointllc.com>
References: <8212326D69ABF544A5B87C9FD12E453A01DC3A7A@bltmmd1-exch1.cyberpointllc.com>
Message-ID: <815FB0F9-C0C3-4C7C-99F4-E622861599FD@icir.org>

On Apr 26, 2012, at 11:45 AM, Dave, Anil wrote:

> What is the best way to create a composite binpac analyzer from several (two or more) .pac files: Need to create a parser for an ipv6 session that encapsulates and parses portions of an http session and html5 mime following a successful ipv6 parse

I'm not sure I understand your question, could you try rephrasing it maybe? It might help us too if you explained what you're ultimately trying to do regardless of how you want to get to that point. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Thu Apr 26 19:34:34 2012
From: robin at icir.org (Robin Sommer)
Date: Thu, 26 Apr 2012 19:34:34 -0700
Subject: [Bro-Dev] Decapsulating "payload" tunnels
In-Reply-To: <0328875F-A062-472F-8688-A7F26798223C@icir.org>
References: <0328875F-A062-472F-8688-A7F26798223C@icir.org>
Message-ID: <20120427023434.GA23767@icir.org>

Thinking about this some more, below's an idea how we could structure it.
It's messy, but we don't have much of a way around that without doing some major restructuring. But this would at least encapsulate the messiness somewhat. Note, I haven't fully thought this through, so there might be more stumbling blocks; there often are some dependencies internally that are hard to spot before starting to work on the code ...

That said, how about this:

We create a new class TunnelConnection that encapsulates all the messy stuff. Interface could look something like this:

    class TunnelConnection {
        // Associate a (fake) conn ID with the tunnel.
        TunnelConnection(ConnID id, Connection *parent, ...);

        // Feed data in for parsing.
        void NextStream(); // See below.

        [... probably more methods ...]

    private:
        Connection* fake_conn;   // the fake Connection used for parsing
        Connection* parent;      // the real connection carrying the tunnel
    };

The TunnelConnection internally creates a new (fake) Connection object, stores it, and uses it for all the parsing when it needs a Connection object. But we don't store that Connection in the normal session tables. Instead, NetSessions gets a new method:

    TunnelConnection* NewTunnelConnection(ConnID id, ...);

The higher-level analyzers that decapsulate the tunnel use NewTunnelConnection() to get a tunnel and then feed data in via NextStream(). That method does whatever's necessary to pass data to the parsers, faking IP packets if necessary (but see below).

NetSessions tracks all TunnelConnections in their own dictionary (similar to tcp_conns, udp_conns, icmp_conns) and handles state management (i.e., removes if the parent connection goes away).

As Seth suggested, we should short-circuit the tunnel analysis to skip the transport layer where we don't have one. I'm not totally sure how to do that best, but one option would be to internally add a new TUNNEL transport layer besides the standard TCP/UDP/ICMP ones (drawback: there are a number of locations that currently expect not to see other transport layers than the current set).

About faking IP packets: we may not be able to avoid that---but we can try.
:) The stream-based Analyzer interface doesn't need a packet, just data chunks. We might be able to directly feed in there.[1] (that's why the method above is called NextStream() :).

Robin

[1] Without further work this would break signature matching though.

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From noreply at bro-ids.org Fri Apr 27 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 27 Apr 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201204270700.q3R703nm024264@bro-ids.icir.org>

> Unmerged Fastpath Commits
> =========================

Component     | Revision | Committer     | Date       | Summary
--------------+----------+---------------+------------+---------------------------------------------------------------------------
bro           | 8f91ece  | Seth Hall     | 2012-04-27 | Fixed IPv6 link local unicast CIDR and added IPv6 loopback to private address space. [1]
bro           | c561a44  | Seth Hall     | 2012-04-26 | Fixed a problem where cluster workers were still processing notices in some cases.
[2]
bro           | 8c14b5a  | Seth Hall     | 2012-04-25 | Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space" [3]
broctl        | e8eb857  | Daniel Thayer | 2012-04-25 | Fix typos [4]
trace-summary | dcf4b00  | Daniel Thayer | 2012-04-25 | Fix typos [5]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/8f91ecee7197329ba7ddc0dbf4cf01831b86e17a/bro
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/c561a44326f696826011f5212501ca09251856fc/bro
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/8c14b5a911edff7b1ad8dfe1b33fd2c6766aec6d/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/e8eb8579f1065b5759264e3fe04b8110f8f63b3a/broctl
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/dcf4b005af85530bbb688e91e3dc383b57bb6bf0/trace-summary

From seth at icir.org Fri Apr 27 07:10:37 2012
From: seth at icir.org (Seth Hall)
Date: Fri, 27 Apr 2012 10:10:37 -0400
Subject: [Bro-Dev] Decapsulating "payload" tunnels
In-Reply-To: <20120427023434.GA23767@icir.org>
References: <0328875F-A062-472F-8688-A7F26798223C@icir.org> <20120427023434.GA23767@icir.org>
Message-ID: <8E7B81A4-2C29-45BC-8BE5-3AFEDE433FD2@icir.org>

On Apr 26, 2012, at 10:34 PM, Robin Sommer wrote:

> We create a new class TunnelConnection that encapsulates all the
> messy stuff. Interface could look something like this:

I think that makes a lot of sense.

> one option would be to internally add a new TUNNEL
> transport layer besides the standard TCP/UDP/ICMP ones (drawback:
> there are a number of locations that currently expect not to see other
> transport layers than the current set).

I think we'll need to be doing this before too long for SCTP anyway, so becoming familiar with how painful this could be might not even be such a bad thing in the long run.

> The stream-based Analyzer interface doesn't need a packet,
> just data chunks. We might be able to directly feed in there.[1]
> (that's why the method above is called NextStream() :).

Hah!
It's as if someone had been thinking about this eventuality from the beginning. :)

> [1] Without further work this would break signature matching though.

Oh, good point. We really need signatures so that DPD would work on the proxied data. Are you thinking that it would mostly break the TCP semantics of the signatures? I suspect that we'd be able to statically set some flags for "established" and "tcp".

Another approach to consider might be to back away from using ip-proto in signatures. If SCTP does ever gain traction it would greatly complicate many signatures relying on the specific transport protocol. We could just indicate connection-oriented or packet-oriented signatures.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Fri Apr 27 09:01:20 2012
From: robin at icir.org (Robin Sommer)
Date: Fri, 27 Apr 2012 09:01:20 -0700
Subject: [Bro-Dev] Decapsulating "payload" tunnels
In-Reply-To: <8E7B81A4-2C29-45BC-8BE5-3AFEDE433FD2@icir.org>
References: <0328875F-A062-472F-8688-A7F26798223C@icir.org> <20120427023434.GA23767@icir.org> <8E7B81A4-2C29-45BC-8BE5-3AFEDE433FD2@icir.org>
Message-ID: <20120427160120.GH36685@icir.org>

On Fri, Apr 27, 2012 at 10:10 -0400, you wrote:

> Hah! It's as if someone had been thinking about this eventuality from
> the beginning. :)

Who might that have been? :-)

> Oh, good point. We really need signatures so that DPD would work on
> the proxied data. Are you thinking that it would mostly break the TCP
> semantics of the signatures?

The signature engine uses the initial packet of a connection to initialize state. Can't tell off the top of my head if we can easily get around that. In the worst case, we'd need to fake a packet just for that.

> Another approach to consider might be to back away from using ip-proto
> in signatures. If SCTP does ever gain traction it would greatly
> complicate many signatures relying on the specific transport protocol.
> We could just indicate connection-oriented or packet-oriented
> signatures.

Would prefer to avoid the latter as it's not the signature that determines whether matching is packet- or stream-oriented (but the transport protocol in use itself). The ip-proto doesn't do anything else than matching the corresponding IP field and using it is primarily an optimization to avoid payload matching when possible. So just skipping it is fine I'd think.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From noreply at bro-ids.org Sat Apr 28 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 28 Apr 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201204280700.q3S702YG018208@bro-ids.icir.org>

> Unmerged Fastpath Commits
> =========================

Component     | Revision | Committer      | Date       | Summary
--------------+----------+----------------+------------+---------------------------------------------------------------------------
bro           | bff3cba  | Bernhard Amann | 2012-04-27 | Add two more TLS extension values that we see in live traffic. [1]
bro           | 8f91ece  | Seth Hall      | 2012-04-27 | Fixed IPv6 link local unicast CIDR and added IPv6 loopback to private address space. [2]
bro           | c561a44  | Seth Hall      | 2012-04-26 | Fixed a problem where cluster workers were still processing notices in some cases.
[3] bro | 8c14b5a | Seth Hall | 2012-04-25 | Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space" [4] broctl | e8eb857 | Daniel Thayer | 2012-04-25 | Fix typos [5] trace-summary | dcf4b00 | Daniel Thayer | 2012-04-25 | Fix typos [6] [1] fastpath: http://tracker.bro-ids.org/bro/changeset/bff3cba129720f208a8931d59861b9e2ba841e83/bro [2] fastpath: http://tracker.bro-ids.org/bro/changeset/8f91ecee7197329ba7ddc0dbf4cf01831b86e17a/bro [3] fastpath: http://tracker.bro-ids.org/bro/changeset/c561a44326f696826011f5212501ca09251856fc/bro [4] fastpath: http://tracker.bro-ids.org/bro/changeset/8c14b5a911edff7b1ad8dfe1b33fd2c6766aec6d/bro [5] fastpath: http://tracker.bro-ids.org/bro/changeset/e8eb8579f1065b5759264e3fe04b8110f8f63b3a/broctl [6] fastpath: http://tracker.bro-ids.org/bro/changeset/dcf4b005af85530bbb688e91e3dc383b57bb6bf0/trace-summary From noreply at bro-ids.org Sun Apr 29 00:00:03 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Sun, 29 Apr 2012 00:00:03 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204290700.q3T7030r030052@bro-ids.icir.org> > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | bff3cba | Bernhard Amann | 2012-04-27 | Add two more TLS extension values that we see in live traffic. [1] bro | 8f91ece | Seth Hall | 2012-04-27 | Fixed IPv6 link local unicast CIDR and added IPv6 loopback to private address space. [2] bro | c561a44 | Seth Hall | 2012-04-26 | Fixed a problem where cluster workers were still processing notices in some cases. 
[3] bro | 8c14b5a | Seth Hall | 2012-04-25 | Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space" [4] broctl | e8eb857 | Daniel Thayer | 2012-04-25 | Fix typos [5] trace-summary | dcf4b00 | Daniel Thayer | 2012-04-25 | Fix typos [6] [1] fastpath: http://tracker.bro-ids.org/bro/changeset/bff3cba129720f208a8931d59861b9e2ba841e83/bro [2] fastpath: http://tracker.bro-ids.org/bro/changeset/8f91ecee7197329ba7ddc0dbf4cf01831b86e17a/bro [3] fastpath: http://tracker.bro-ids.org/bro/changeset/c561a44326f696826011f5212501ca09251856fc/bro [4] fastpath: http://tracker.bro-ids.org/bro/changeset/8c14b5a911edff7b1ad8dfe1b33fd2c6766aec6d/bro [5] fastpath: http://tracker.bro-ids.org/bro/changeset/e8eb8579f1065b5759264e3fe04b8110f8f63b3a/broctl [6] fastpath: http://tracker.bro-ids.org/bro/changeset/dcf4b005af85530bbb688e91e3dc383b57bb6bf0/trace-summary From noreply at bro-ids.org Mon Apr 30 00:00:02 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Mon, 30 Apr 2012 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201204300700.q3U702Jq017577@bro-ids.icir.org> > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | bff3cba | Bernhard Amann | 2012-04-27 | Add two more TLS extension values that we see in live traffic. [1] bro | 8f91ece | Seth Hall | 2012-04-27 | Fixed IPv6 link local unicast CIDR and added IPv6 loopback to private address space. [2] bro | c561a44 | Seth Hall | 2012-04-26 | Fixed a problem where cluster workers were still processing notices in some cases. 
[3]
bro           | 8c14b5a  | Seth Hall      | 2012-04-25 | Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space" [4]
broctl        | e8eb857  | Daniel Thayer  | 2012-04-25 | Fix typos [5]
trace-summary | dcf4b00  | Daniel Thayer  | 2012-04-25 | Fix typos [6]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/bff3cba129720f208a8931d59861b9e2ba841e83/bro
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/8f91ecee7197329ba7ddc0dbf4cf01831b86e17a/bro
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/c561a44326f696826011f5212501ca09251856fc/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/8c14b5a911edff7b1ad8dfe1b33fd2c6766aec6d/bro
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/e8eb8579f1065b5759264e3fe04b8110f8f63b3a/broctl
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/dcf4b005af85530bbb688e91e3dc383b57bb6bf0/trace-summary

From adave at cyberpointllc.com Mon Apr 30 11:08:00 2012
From: adave at cyberpointllc.com (Dave, Anil)
Date: Mon, 30 Apr 2012 18:08:00 +0000
Subject: [Bro-Dev] Debug mode to resolve root cause Binpac exceptions
Message-ID: <8212326D69ABF544A5B87C9FD12E453A01DC3BDE@bltmmd1-exch1.cyberpointllc.com>

1. Need to parse complex embedded types within each other that ultimately process regular expressions in the input stream that selectively parse/reject that input stream to isolate viral contamination.

2. Tried embedding a {type id : regular expression} within a Binpac [type = record{ id = RE/?/ ]}], which compiles, but causes a run-time Binpac exception.

3. Other embedded record types cause Binpac exceptions also.

4. Need a debug mode of Binpac to isolate my "user-caused" error: any mechanism? Gdb was not much help since the exception lands in a Linux library .so.

5. How are people debugging this category of problem?
From seth at icir.org Mon Apr 30 12:10:34 2012
From: seth at icir.org (Seth Hall)
Date: Mon, 30 Apr 2012 15:10:34 -0400
Subject: [Bro-Dev] Debug mode to resolve root cause Binpac exceptions
In-Reply-To: <8212326D69ABF544A5B87C9FD12E453A01DC3BDE@bltmmd1-exch1.cyberpointllc.com>
References: <8212326D69ABF544A5B87C9FD12E453A01DC3BDE@bltmmd1-exch1.cyberpointllc.com>
Message-ID: <381A48C5-5C7B-4487-9802-C3BB9F61A73B@icir.org>

On Apr 30, 2012, at 2:08 PM, Dave, Anil wrote:

> 1. Need to parse complex embedded types within each other that ultimately process regular expressions in the input stream that selectively parse/reject that input stream to isolate viral contamination.
> 2. Tried embedding a {type id : regular expression} within a Binpac [type = record{ id = RE/?/ ]}], which compiles, but causes a run-time Binpac exception.

You are going to have to give more complete examples that we can test.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
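The conn.log outcome that the 'Decapsulating "payload" tunnels' thread above is after, as an added example that is not Bro's own code: the client's reassembled stream to an HTTP CONNECT or SOCKS4/4a proxy is parsed, and next to the outer proxy connection a second record for the inner client-to-destination connection is produced, linked to its parent uid and carried on the TUNNEL pseudo-transport Robin proposed. The ConnRecord fields and the uids are assumptions; destinations requested by name are kept as names rather than resolved, and the sample streams are constructed.

```python
"""Constructed model (not Bro's code) of decapsulating a "payload" tunnel:
a client talking through an HTTP CONNECT or SOCKS4/4a proxy yields the
outer conn record (client -> proxy) plus an inner record (client ->
requested destination) on the pseudo transport "TUNNEL", linked to the
uid of the proxy connection that carried it."""
import re
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnRecord:                 # assumed subset of conn.log fields
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str                   # IP, or the hostname when the proxy was asked by name
    resp_p: int
    proto: str                    # "tcp" for the proxy connection, "TUNNEL" for the inner one
    parent: Optional[str] = None  # uid of the carrying proxy connection


# Request line of an HTTP proxy tunnel: CONNECT host:port HTTP/1.x
HTTP_CONNECT = re.compile(rb"^CONNECT[ \t]+([^ \t:/]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r\n")


def _inner(outer, uid, host, port):
    return ConnRecord(uid, outer.orig_h, outer.orig_p, host, port, "TUNNEL", parent=outer.uid)


def decapsulate_http_connect(outer, stream, uid):
    """Returns (inner_record, tunneled_client_bytes), or None when the client's
    reassembled stream is not (or not yet) a complete CONNECT request."""
    m = HTTP_CONNECT.match(stream)
    if not m:
        return None
    host, port = m.group(1).decode("ascii"), int(m.group(2))
    if not 0 < port < 65536:
        return None
    # Headers end at the first blank line; everything after it is the
    # client -> destination stream that the proxy forwards verbatim.
    end = stream.find(b"\r\n\r\n", m.end() - 2)
    if end < 0:
        return None
    return _inner(outer, uid, host, port), stream[end + 4:]


def decapsulate_socks4(outer, stream, uid):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT(2), DSTIP(4), USERID NUL, and for
    SOCKS4a (DSTIP = 0.0.0.x, x != 0) a NUL-terminated destination hostname."""
    if len(stream) < 9 or stream[0] != 4 or stream[1] != 1:
        return None
    port = struct.unpack("!H", stream[2:4])[0]
    ip = stream[4:8]
    userid_end = stream.find(b"\x00", 8)
    if userid_end < 0:
        return None
    consumed = userid_end + 1
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:   # SOCKS4a: destination by name
        name_end = stream.find(b"\x00", consumed)
        if name_end < 0:
            return None
        host = stream[consumed:name_end].decode("ascii", "replace")
        consumed = name_end + 1
    else:
        host = ".".join(str(b) for b in ip)
    return _inner(outer, uid, host, port), stream[consumed:]


def decapsulate(outer, stream, uid):
    """Try each known payload-tunnel protocol on the client's stream."""
    for parser in (decapsulate_http_connect, decapsulate_socks4):
        result = parser(outer, stream, uid)
        if result is not None:
            return result
    return None


def conn_log(outer, stream, inner_uid):
    """What conn.log would show: the proxy connection always, plus the
    decapsulated inner connection when the payload is a recognised tunnel."""
    records = [outer]
    result = decapsulate(outer, stream, inner_uid)
    if result is not None:
        records.append(result[0])
    return records
```

The bytes returned next to the inner record are what would be handed to the stream-based analyzers via NextStream(), without any fake IP packet.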