From noreply at bro-ids.org Tue Jan 1 00:00:02 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 1 Jan 2013 00:00:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301010800.r01802QS019415@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 927 [1] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [2]

[1] #927: http://tracker.bro-ids.org/bro/ticket/927
[2] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From noreply at bro-ids.org Wed Jan 2 00:00:02 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 2 Jan 2013 00:00:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301020800.r02802tp011183@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 927 [1] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [2]

[1] #927: http://tracker.bro-ids.org/bro/ticket/927
[2] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From bro at tracker.bro-ids.org Wed Jan 2 08:05:25 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 Jan 2013 16:05:25 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.1fefe6818d04ca2093f2573465277a9d@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by jsiwek):

Replying to [comment:7 vern]:
> I do believe in a general rule of don't-add-features-without-a-specific-need, so if this isn't a motivated addition, I'd put it on hold. (I.e., okay to keep the current code in place, but don't turn it on until we find we need it - and then first analyze just what we really need.)

It doesn't solve a specific/immediate problem, but the addition of a switch statement isn't entirely unmotivated. I know several times I've been writing a script and thought "a switch (C-style, constant case labels) makes sense here because the structure of it makes it easier to reason about the logic than a large sequence of conditionals" but then I find/remember there is no switch statement. I'm guessing that situation nags at other people, too?

Anyone have opinions on whether to disable it for now, or if they have a use for non-constant case label expressions?

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Wed Jan 2 10:32:52 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 Jan 2013 18:32:52 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.583ac8de6d8a178ef4e193db8ba7b31c@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by seth):

> I'm guessing that situation nags at other people, too?

Me too. I think it would be really nice to have that.

From bro at tracker.bro-ids.org Wed Jan 2 10:34:53 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 Jan 2013 18:34:53 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.ed73a1239073c060913c6918a72492c8@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by slagell):

On Jan 2, 2013, at 12:32 PM, Bro Tracker wrote:

> Comment (by seth):
>
>> I'm guessing that situation nags at other people, too?
>
> Me too. I think it would be really nice to have that.

It makes sense to me.

From bro at tracker.bro-ids.org Wed Jan 2 10:41:50 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 Jan 2013 18:41:50 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.7bfdb9abe5124e8afec733913a37b371@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by robin):

I think the switch-stmt with constants is sufficiently standard across languages that I don't see an issue with providing it. I'd be careful with the non-constant cases though; that comes with some trickiness and I'm not convinced that it'd really give us much.

From bro at tracker.bro-ids.org Wed Jan 2 10:56:37 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 Jan 2013 18:56:37 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.ccf843fdce1a338644b567ed0539d494@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by seth):

> I'd be careful with
> the non-constant cases though; that comes with some trickiness and I'm not
> convinced that it'd really give us much.

Completely agreed. It doesn't feel weird to do that as a tree of "if else" statements.

From noreply at bro-ids.org Thu Jan 3 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 3 Jan 2013 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301030800.r03803Ux012216@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 927 [1] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [2]

[1] #927: http://tracker.bro-ids.org/bro/ticket/927
[2] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From bro at tracker.bro-ids.org Thu Jan 3 14:31:26 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 03 Jan 2013 22:31:26 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.9ba8d3ed3da940f8072b8e53346fdabc@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by vern):

Well, I remain not-a-fan of adding features without concrete use cases .... but since you're all gung-ho to have at least a constant-case version, and I do agree that it's the sort of thing one expects a language to have these days, I'll stop objecting.

From bro at tracker.bro-ids.org Thu Jan 3 18:30:13 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 04 Jan 2013 02:30:13 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.9aea01bbaeaf288fe1f1dadacca7a113@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by seth):

> Well, I remain not-a-fan of adding features without concrete use cases

The concrete use cases are already there. There are at least one or two existing "if else" trees I'll be replacing with switch statements once this is in master.

From noreply at bro-ids.org Fri Jan 4 00:00:02 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 4 Jan 2013 00:00:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301040800.r04802Tu016037@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 927 [1] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [2]

[1] #927: http://tracker.bro-ids.org/bro/ticket/927
[2] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From seth at icir.org Fri Jan 4 19:35:38 2013
From: seth at icir.org (Seth Hall)
Date: Fri, 4 Jan 2013 22:35:38 -0500
Subject: [Bro-Dev] flipped connections?
Message-ID: <74B8777F-F58F-4855-B7DF-F23B1E726AA6@icir.org>

Would it make sense for us to begin indicating if Bro "flipped" a connection in the conn.log? Occasionally I see stuff that shows up in various places (right now I'm seeing it in weird.log) and might just be a host doing a syn scan with src port 80, but Bro will flip that due to the likely_servers_ports variable.

It seems to me like an additional boolean value in conn.log would be helpful to know if a connection was flipped or not. Right now though this information doesn't seem to be available at the script land anywhere. Am I correct on that?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From noreply at bro-ids.org Sat Jan 5 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 5 Jan 2013 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301050800.r05803GR029940@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 927 [1] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [2]

[1] #927: http://tracker.bro-ids.org/bro/ticket/927
[2] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From bro at tracker.bro-ids.org Sat Jan 5 15:05:54 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 05 Jan 2013 23:05:54 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.b1a4f8f9773fe40ffa0075edeeb5bfde@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by vern):

Okay so can you describe them? That's all I was asking for originally.

From noreply at bro-ids.org Sun Jan 6 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Sun, 6 Jan 2013 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301060800.r06803HU010585@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 927 [1] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [2]

[1] #927: http://tracker.bro-ids.org/bro/ticket/927
[2] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From vern at icir.org Sun Jan 6 22:12:03 2013
From: vern at icir.org (Vern Paxson)
Date: Sun, 06 Jan 2013 22:12:03 -0800
Subject: [Bro-Dev] flipped connections?
In-Reply-To: <74B8777F-F58F-4855-B7DF-F23B1E726AA6@icir.org> (Fri, 04 Jan 2013 22:35:38 EST).
Message-ID: <20130107061203.27B792C4002@rock.ICSI.Berkeley.EDU>

> Would it make sense for us to begin indicating if Bro "flipped" a
> connection in the conn.log?

I have several thoughts on this. First, yes, flipping is an ongoing source of problems due to errors that sometimes arise. Second, the right way to solve this is using connection history. That said, I think right now connection history lacks any indication of just which host was first seen on a flow. I think that's needed to solve this the correct way (i.e., using history).

> It seems to me like an additional
> boolean value in conn.log would be helpful to know if a connection was
> flipped or not.

I think the problem with this is knowing whether to view the information as actionable or not (i.e., you still have to decide whether the flipping was correct or erroneous). Doing it instead on history lets you make the full decision yourself in your postprocessing.

		Vern

From noreply at bro-ids.org Mon Jan 7 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Mon, 7 Jan 2013 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301070800.r07803U9023498@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 927 [1] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [2]

[1] #927: http://tracker.bro-ids.org/bro/ticket/927
[2] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From bro at tracker.bro-ids.org Mon Jan 7 09:15:11 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 Jan 2013 17:15:11 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.3e10b7f2b82b288f4aff5db138bc4822@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by jsiwek):

Replying to [comment:18 seth]:
> There are at least one or two existing "if else" trees I'll be replacing with switch statements once this is in master.

It's already merged.

Replying to [comment:19 vern]:
> Okay so can you describe them? That's all I was asking for originally.

Here's some existing places I found that might benefit.

policy/frameworks/control/controller.bro - handler for `remote_connection_handshake_done` has a sequence of conditional checks to see what command (constant string values) to ask the remote Bro to perform
policy/protocols/http/software.bro - there's a sequence of checks for constant string values in the `http_header` event for integration with "software" detection
base/frameworks/cluster/setup-connections.bro - setting up the connections between Bro nodes in a cluster setting has a lot of logic regarding node type (enums) comparisons that can be tough to follow the first time you read it. Changing some of the "outer layer" of the logic to a switch instead might help so that you don't have to read down the whole sequence of conditionals to understand the logic.
base/protocols/http/main.bro - another `http_header` handler with several constant string comparisons against the header name
base/protocols/ftp/main.bro - a couple places with constant string comparisons to check for a given FTP command out of 3-4 specific ones
base/protocols/conn/main.bro - the connection state logic. There's the outer check for transport protocol enum (tcp/udp/icmp), probably not too helpful, but it could be a switch. But for the inner logic of the TCP state, I'm not sure if any of that can be reworked to use a switch, but it's brutal to try to reason about what's going on the way it is right now (7-8 branches in a conditional comparing orig/resp state, which are of constant count value).
base/protocols/smtp/main.bro - SMTP command name and MIME header names are compared to specific sets of constant string values

From bro at tracker.bro-ids.org Mon Jan 7 11:34:30 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 Jan 2013 19:34:30 -0000
Subject: [Bro-Dev] #422: Array-style index accessor for strings
In-Reply-To: <046.c7d0943c73a69d7fafd3a3bfa1945d22@tracker.bro-ids.org>
References: <046.c7d0943c73a69d7fafd3a3bfa1945d22@tracker.bro-ids.org>
Message-ID: <061.d59081b7cd2d0c105b8082746cb6fb13@tracker.bro-ids.org>

#422: Array-style index accessor for strings
---------------------+----------------------
Reporter: seth       | Owner: robin
Type: Task           | Status: reopened
Priority: Normal     | Milestone: Bro2.2
Component: Bro       | Version:
Resolution:          | Keywords: language
---------------------+----------------------

Comment (by jsiwek):

In [8b46bbb1c0b3aefea7fa683b53165e497a14056d/bro]:
{{{
#!CommitTicketReference repository="bro" revision="8b46bbb1c0b3aefea7fa683b53165e497a14056d"
Change substring index notation to use a colon (addresses #422).

String slice notation is written as `s[1:2]` instead of `s[1, 2]` because the latter is ambiguous with composite index types.
}}}

From bro at tracker.bro-ids.org Mon Jan 7 11:35:52 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 Jan 2013 19:35:52 -0000
Subject: [Bro-Dev] #422: Array-style index accessor for strings
In-Reply-To: <046.c7d0943c73a69d7fafd3a3bfa1945d22@tracker.bro-ids.org>
References: <046.c7d0943c73a69d7fafd3a3bfa1945d22@tracker.bro-ids.org>
Message-ID: <061.c7913536733ef3b0581eb8d9229e7c6e@tracker.bro-ids.org>

#422: Array-style index accessor for strings
----------------------------+----------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: reopened
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version:
Resolution:                 | Keywords: language
----------------------------+----------------------

Changes (by jsiwek):

 * type: Task => Merge Request

Comment:

Notation for substring slicing is changed in `topic/jsiwek/string-indexing`.

From vladg at cmu.edu Mon Jan 7 12:47:04 2013
From: vladg at cmu.edu (Vlad Grigorescu)
Date: Mon, 7 Jan 2013 20:47:04 +0000
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/robin/hilti: Initial BinPAC++ interface for Bro. (1c12386)
In-Reply-To: <27907_1357533555_r074dEhR024620_201301070429.r074TShT031248@bro-ids.icir.org>
References: <27907_1357533555_r074dEhR024620_201301070429.r074TShT031248@bro-ids.icir.org>
Message-ID: <1202BE242E080642B0CD0AD0A03E85528429E2@PGH-MSGMB-03.andrew.ad.cmu.edu>

Awesome!

On Jan 6, 2013, at 11:29 PM, Robin Sommer wrote:

> # ./configure --enable-debug --enable-hilti --with-hilti-config=/path/to/hilti-config

Could you share a sample hilti-config file? (Or point me to one if I missed it)? I'd like to play around with it. Thanks,

  --Vlad

From robin at icir.org Mon Jan 7 13:20:43 2013
From: robin at icir.org (Robin Sommer)
Date: Mon, 7 Jan 2013 13:20:43 -0800
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/robin/hilti: Initial BinPAC++ interface for Bro. (1c12386)
In-Reply-To: <1202BE242E080642B0CD0AD0A03E85528429E2@PGH-MSGMB-03.andrew.ad.cmu.edu>
References: <27907_1357533555_r074dEhR024620_201301070429.r074TShT031248@bro-ids.icir.org> <1202BE242E080642B0CD0AD0A03E85528429E2@PGH-MSGMB-03.andrew.ad.cmu.edu>
Message-ID: <20130107212043.GJ50062@icir.org>

On Mon, Jan 07, 2013 at 20:47 +0000, you wrote:

> Could you share a sample hilti-config file? (Or point me to one if I
> missed it)? I'd like to play around with it. Thanks,

That's a bit more complicated actually. :) hilti-config is an executable coming with a separate project I'm working on, which needs to be installed first. I'm planning to write a short how-to soon and put it into README.hilti.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From noreply at bro-ids.org Tue Jan 8 00:00:02 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 8 Jan 2013 00:00:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301080800.r08802nP003275@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 422 [1] | seth | robin | Normal | Array-style index accessor for strings
Bro | 927 [2] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [3]

[1] #422: http://tracker.bro-ids.org/bro/ticket/422
[2] #927: http://tracker.bro-ids.org/bro/ticket/927
[3] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From bro at tracker.bro-ids.org Tue Jan 8 10:44:27 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 08 Jan 2013 18:44:27 -0000
Subject: [Bro-Dev] #422: Array-style index accessor for strings
In-Reply-To: <046.c7d0943c73a69d7fafd3a3bfa1945d22@tracker.bro-ids.org>
References: <046.c7d0943c73a69d7fafd3a3bfa1945d22@tracker.bro-ids.org>
Message-ID: <061.cef937e2bd4fbed8c1b10c57388eece3@tracker.bro-ids.org>

#422: Array-style index accessor for strings
----------------------------+----------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version:
Resolution: fixed           | Keywords: language
----------------------------+----------------------

Changes (by robin):

 * status: reopened => closed
 * resolution: => fixed

Comment:

In [564e27abb6f3f48c399d38d3840a81c5f02e8ffa/bro]:
{{{
#!CommitTicketReference repository="bro" revision="564e27abb6f3f48c399d38d3840a81c5f02e8ffa"
Merge remote-tracking branch 'origin/topic/jsiwek/string-indexing'

* origin/topic/jsiwek/string-indexing:
  Change substring index notation to use a colon (addresses #422).

Tweaked slightly to make it more generic, we may index other types with slices eventually too.

Closes #422.
}}}

From noreply at bro-ids.org Wed Jan 9 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 9 Jan 2013 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301090800.r09803Ow019492@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 927 [1] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [2]

[1] #927: http://tracker.bro-ids.org/bro/ticket/927
[2] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From bro at tracker.bro-ids.org Wed Jan 9 22:23:30 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 10 Jan 2013 06:23:30 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.e70aed60ae6510af95bf5a641e980ec9@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by vern):

Hmmmm I find most of those fairly modest arguments, though I agree some of them will clearly get good benefit. (The coupling with the global "cmd" in policy/frameworks/control/controller.bro is pretty weird ...)

What are the semantics for "fall through"? Are cases exclusive, or do they require something like "break" to prevent fall-through? (I'm a fan of the former, but then you need a way of associating multiple labels with a single case-block. For example, "case A, B, C: ..." rather than C-style "case A: case B: case C:".)

From noreply at bro-ids.org Thu Jan 10 00:00:07 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 10 Jan 2013 00:00:07 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301100800.r0A807i5002438@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 927 [1] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [2]

[1] #927: http://tracker.bro-ids.org/bro/ticket/927
[2] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From bro at tracker.bro-ids.org Thu Jan 10 08:54:51 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 10 Jan 2013 16:54:51 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.3a154d7dc5698cdf37b7791ca590d981@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by jsiwek):

> What are the semantics for "fall through"? Are cases exclusive, or do they require something like "break" to prevent fall-through? (I'm a fan of the former, but then you need a way of associating multiple labels with a single case-block. For example, "case A, B, C: ..." rather than C-style "case A: case B: case C:".)

Cases require a "break" to prevent fall-through, but it's not a hard change to make them exclusive. At the time I didn't have a particular reason to do fall-through; it was just the most familiar behavior to me.

What are advantages of making them exclusive? I can see that way being less error-prone because programmers can forget the "break" occasionally. They're less flexible/powerful, though, right? E.g. this situation with fall-through:

{{{
switch ( v ) {
case A:
    x();
case B:
    y();
    z();
}
}}}

would be equivalent without fall-through to either

{{{
switch ( v ) {
case A, B:
    if ( v == A )
        x();
    y();
    z();
}
}}}

or

{{{
switch ( v ) {
case A:
    x();
    y();
    z();
case B:
    y();
    z();
}
}}}

Meaning that situation needs duplicate code or that additional condition check without fall-through.

Any other preferences/thoughts on the tradeoffs?

From bro at tracker.bro-ids.org Thu Jan 10 15:49:05 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 10 Jan 2013 23:49:05 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.82048434d0323442d4af6357e66307ae@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
Reporter: seth              | Owner: robin
Type: Merge Request         | Status: closed
Priority: Normal            | Milestone: Bro2.2
Component: Bro              | Version: git/master
Resolution: fixed           | Keywords: language
----------------------------+------------------------

Comment (by vern):

Yeah, the tradeoff is power vs. safety. The Bro language philosophy has been to go with safety when possible (i.e., when it's not too disruptive in terms of expressive power or performance). In my experience with C/C++, cases where you want fall-through are rare - and in fact come to think of it, probably occur less often than instances when I've left out a "break" and been surprised! We can always consider adding a "fallthrough" keyword that enables fall-through if we find use-cases that are too ugly without it.

From noreply at bro-ids.org Fri Jan 11 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 11 Jan 2013 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301110800.r0B803hW006190@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 927 [1] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [2]

[1] #927: http://tracker.bro-ids.org/bro/ticket/927
[2] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge:

From bro at tracker.bro-ids.org Fri Jan 11 09:52:02 2013
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 11 Jan 2013 17:52:02 -0000 Subject: [Bro-Dev] #754: Complete implementation of switch statement In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> Message-ID: <061.a471b20ec8affbf23640d2d57bcb74e0@tracker.bro-ids.org> #754: Complete implementation of switch statement ----------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: language ----------------------------+------------------------ Comment (by jsiwek): In [8695053e278158ce40cb2a3d6aa04ff60653ca0e/bro]: {{{ #!CommitTicketReference repository="bro" revision="8695053e278158ce40cb2a3d6aa04ff60653ca0e" Disable automatic case fallthrough in switch stmts. Addresses #754. Case bodies now don't require a "break" statement to prevent fallthrough to case bodies below. Empty case bodies generate an error message at parse-time to help indicate the absence of automatic fallthrough; to associate multiple values with a case, use "case 1, 2:" instead of "case 1: case 2:". }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Fri Jan 11 09:53:17 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 11 Jan 2013 17:53:17 -0000 Subject: [Bro-Dev] #754: Complete implementation of switch statement In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> Message-ID: <061.49e18dd34ca5dc438063eec37f655e6c@tracker.bro-ids.org> #754: Complete implementation of switch statement ----------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: reopened Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: language ----------------------------+------------------------ Changes (by jsiwek): * status: closed => reopened * resolution: fixed => Comment: Disabled the auto-fallthrough in `topic/jsiwek/no-switch-fallthrough`. -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Sat Jan 12 00:00:03 2013 From: noreply at bro-ids.org (Merge Tracker) Date: Sat, 12 Jan 2013 00:00:03 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201301120800.r0C803e3021006@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 754 [1] | seth | robin | Normal | Complete implementation of switch statement Bro | 927 [2] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [3] [1] #754: http://tracker.bro-ids.org/bro/ticket/754 [2] #927: http://tracker.bro-ids.org/bro/ticket/927 [3] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge: From bro at tracker.bro-ids.org Sat Jan 12 14:42:16 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Sat, 12 Jan 2013 22:42:16 -0000 Subject: [Bro-Dev] #929: Merge request for topic/bernhard/input-logging-commmon-functions Message-ID: <048.2509664a524fbc34a21ed8a972fc9c94@tracker.bro-ids.org> #929: Merge request for topic/bernhard/input-logging-commmon-functions ---------------------------+------------------------ Reporter: amannb | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ Branch moves the ascii handling functions for the input and logging framework to a separate class. Enables new readers/writers that need this functionality to access it. The whole thing is not as nice as I would like it - but I did not know of a nicer way to do it. -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Sun Jan 13 00:00:06 2013 
From: noreply at bro-ids.org (Merge Tracker) Date: Sun, 13 Jan 2013 00:00:06 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201301130800.r0D8065R014442@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 754 [1] | seth | robin | Normal | Complete implementation of switch statement Bro | 927 [2] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [3] Bro | 929 [4] | amannb | | Normal | Merge request for topic/bernhard/input-logging-commmon-functions [5] [1] #754: http://tracker.bro-ids.org/bro/ticket/754 [2] #927: http://tracker.bro-ids.org/bro/ticket/927 [3] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge: [4] #929: http://tracker.bro-ids.org/bro/ticket/929 [5] input-logging-commmon-functions: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/input-logging-commmon-functions From noreply at bro-ids.org Mon Jan 14 00:00:05 2013 
From: noreply at bro-ids.org (Merge Tracker) Date: Mon, 14 Jan 2013 00:00:05 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201301140800.r0E8059t026760@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 754 [1] | seth | robin | Normal | Complete implementation of switch statement Bro | 927 [2] | seth | robin | Normal | topic/seth/metrics-merge: Metrics framework updates [3] Bro | 929 [4] | amannb | | Normal | Merge request for topic/bernhard/input-logging-commmon-functions [5] [1] #754: http://tracker.bro-ids.org/bro/ticket/754 [2] #927: http://tracker.bro-ids.org/bro/ticket/927 [3] metrics-merge:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/metrics-merge: [4] #929: http://tracker.bro-ids.org/bro/ticket/929 [5] input-logging-commmon-functions: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/input-logging-commmon-functions From bro at tracker.bro-ids.org Mon Jan 14 09:57:08 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 14 Jan 2013 17:57:08 -0000 Subject: [Bro-Dev] #928: Incorporate ICSI certificate notary into SSL logging In-Reply-To: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> References: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> Message-ID: <065.727828f4723288490445946d275d12ff@tracker.bro-ids.org> #928: Incorporate ICSI certificate notary into SSL logging ----------------------------+------------------------ Reporter: matthias | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Changes (by matthias): * type: Test Case Missing => Merge Request -- Ticket URL: Bro Tracker Bro Issue Tracker From vallentin at icir.org Mon Jan 14 10:01:30 2013 From: vallentin at icir.org (Matthias Vallentin) Date: Mon, 14 Jan 2013 10:01:30 -0800 Subject: [Bro-Dev] #928: Incorporate ICSI certificate notary into SSL logging In-Reply-To: <065.727828f4723288490445946d275d12ff@tracker.bro-ids.org> References: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> <065.727828f4723288490445946d275d12ff@tracker.bro-ids.org> Message-ID: > * type: Test Case Missing => Merge Request Unless we install some dummy certificate for testing purposes in the notary, we have no reliable way to test that the notary returns the same result twice. That's why I'm changing this ticket to Merge Request. Moreover, the new functionality is not enabled by default, one has to load the notary script in order to get the extra columns in the ssl.log. Matthias From bro at tracker.bro-ids.org Mon Jan 14 10:01:53 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 14 Jan 2013 18:01:53 -0000 Subject: [Bro-Dev] #928: Incorporate ICSI certificate notary into SSL logging In-Reply-To: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> References: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> Message-ID: <065.945c486cca27fb41d80fa7b33b05fb67@tracker.bro-ids.org> #928: Incorporate ICSI certificate notary into SSL logging ----------------------------+------------------------ Reporter: matthias | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by matthias): > * type: Test Case Missing => Merge Request Unless we install some dummy certificate for testing purposes in the notary, we have no reliable way to test that the notary returns the same result twice. That's why I'm changing this ticket to Merge Request. Moreover, the new functionality is not enabled by default, one has to load the notary script in order to get the extra columns in the ssl.log. Matthias -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Jan 14 10:43:38 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 14 Jan 2013 18:43:38 -0000 Subject: [Bro-Dev] #928: Incorporate ICSI certificate notary into SSL logging In-Reply-To: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> References: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> Message-ID: <065.74a201b8f5183f8b87a8a3edeb5ab461@tracker.bro-ids.org> #928: Incorporate ICSI certificate notary into SSL logging ----------------------------+------------------------ Reporter: matthias | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by amannb): Well, we could just check the first_seen field for a well-known certificate... and ignore the other fields. But I do not know if having online tests is the best idea in any case. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Jan 14 14:34:16 2013 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 14 Jan 2013 22:34:16 -0000 Subject: [Bro-Dev] #928: Incorporate ICSI certificate notary into SSL logging In-Reply-To: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> References: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> Message-ID: <065.0a8b36e2adbac830b26986896fb8152c@tracker.bro-ids.org> #928: Incorporate ICSI certificate notary into SSL logging ----------------------------+------------------------ Reporter: matthias | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by robin): Yeah, online tests are better to avoid (at least when they go to us) Seth, can you take a look at Matthias' script? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Jan 14 15:46:15 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 14 Jan 2013 23:46:15 -0000 Subject: [Bro-Dev] #754: Complete implementation of switch statement In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> Message-ID: <061.6d502f34a3bc9e3fa97b117d514d69e7@tracker.bro-ids.org> #754: Complete implementation of switch statement ----------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: reopened Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: language ----------------------------+------------------------ Comment (by robin): Sorry to keep going here but now I have a problem with this: our syntax is pretty much exactly like C, and C does fall-through. Having the same syntax but no fall-through seems wrong to me, and actually I find *that* to be unsafe in the sense that when I read code like the following, I *expect* it to fall-through and hence will misunderstand what's happening: {{{ switch ( v ) { case A: x(); case B: y(); }}} I think we should do either fall-through or use a different syntax for the switch-statement. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Jan 14 15:47:10 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 14 Jan 2013 23:47:10 -0000 Subject: [Bro-Dev] #927: topic/seth/metrics-merge: Metrics framework updates In-Reply-To: <046.c99bd3bd9ecee1538e5aa8f28b4f649e@tracker.bro-ids.org> References: <046.c99bd3bd9ecee1538e5aa8f28b4f649e@tracker.bro-ids.org> Message-ID: <061.6301ab612630da71bfcf900aeadd6813@tracker.bro-ids.org> #927: topic/seth/metrics-merge: Metrics framework updates ---------------------+------------------------ Reporter: seth | Owner: seth Type: Task | Status: assigned Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ---------------------+------------------------ Changes (by robin): * owner: robin => seth * status: new => assigned * type: Merge Request => Task Comment: We discussed some API changes so I'm unsetting the merge request for now. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Jan 14 15:47:28 2013 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 14 Jan 2013 23:47:28 -0000 Subject: [Bro-Dev] #928: Incorporate ICSI certificate notary into SSL logging In-Reply-To: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> References: <050.670adea7e8363a03ddb2651421087ccb@tracker.bro-ids.org> Message-ID: <065.20fb87e018c3350b2ad612301c236245@tracker.bro-ids.org> #928: Incorporate ICSI certificate notary into SSL logging ----------------------------+------------------------ Reporter: matthias | Owner: seth Type: Merge Request | Status: assigned Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => seth * status: new => assigned -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Tue Jan 15 00:00:07 2013 
From: noreply at bro-ids.org (Merge Tracker) Date: Tue, 15 Jan 2013 00:00:07 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201301150800.r0F807l2017978@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 754 [1] | seth | robin | Normal | Complete implementation of switch statement Bro | 928 [2] | matthias | seth | Normal | Incorporate ICSI certificate notary into SSL logging Bro | 929 [3] | amannb | | Normal | Merge request for topic/bernhard/input-logging-commmon-functions [4] [1] #754: http://tracker.bro-ids.org/bro/ticket/754 [2] #928: http://tracker.bro-ids.org/bro/ticket/928 [3] #929: http://tracker.bro-ids.org/bro/ticket/929 [4] input-logging-commmon-functions: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/input-logging-commmon-functions From bro at tracker.bro-ids.org Tue Jan 15 08:25:01 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 15 Jan 2013 16:25:01 -0000 Subject: [Bro-Dev] #754: Complete implementation of switch statement In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> Message-ID: <061.fcd1892106c17c38e2a7b423c4cf503a@tracker.bro-ids.org> #754: Complete implementation of switch statement ----------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: reopened Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: language ----------------------------+------------------------ Comment (by jsiwek): Replying to [comment:26 robin]: > Sorry to keep going here but now I have a problem with this: our syntax is pretty much exactly like C, and C does fall-through. Having the same syntax but no fall-through seems wrong to me, and actually I find *that* to be unsafe in the sense that when I read code like the following, I *expect* it to fall-through Yeah, does seem like it could get confusing to mix and match. Do you think it would be ok if case blocks were required to end in "break" (or later "fallthrough" if we want that) to make it clear, with a parse-time error resulting if it's missing? Otherwise I'm fine leaving the switch consistent with C-style (fallthrough/breaks are up to coder to do right). -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Jan 15 09:17:38 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 15 Jan 2013 17:17:38 -0000 Subject: [Bro-Dev] #754: Complete implementation of switch statement In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> Message-ID: <061.5127f0fb72a4048881ccab9ca68ac1f8@tracker.bro-ids.org> #754: Complete implementation of switch statement ----------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: reopened Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: language ----------------------------+------------------------ Comment (by robin): I'd also just stay with C semantics and allow the fall-through. Vern? -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Tue Jan 15 10:32:38 2013 
From: robin at icir.org (Robin Sommer) Date: Tue, 15 Jan 2013 10:32:38 -0800 Subject: [Bro-Dev] [Bro] effects of &synchronized and &mergeable In-Reply-To: <20130115173928.GK44960@icir.org> References: <1358201379.3357.302.camel@titan> <20130115173928.GK44960@icir.org> Message-ID: <20130115183238.GB46634@icir.org> [Taking to bro-dev] On Tue, Jan 15, 2013 at 09:39 -0800, I wrote: > - we have been kicking around the idea of removing &synchronized > completely. it has a number of drawbacks (the loose semantics > and race condition; a lack of control for which nodes gets > updates) and internally it's very complex to implement. The idea > is to replace it with something simpler but more well-defined > (like a distributed key-value store) that would be wrapped with > script-layer frameworks to provide for easy use. Seth and I have been mulling over this, and I'd be curious what others think about this. If we'd remove the &synchronized stuff, we could throw out a lot of C++-level code and complexity. A distributed key-value store could probably be implemented simply as input/output plugins, and with the upcoming sqlite interface we'd get persistence built in there, too. That generally sounds quite appealing to me. The main drawback is that I/O capabilities would no longer directly map to Bro data structures, in particular it's not possible to keep references within non-atomic data types across the communication channel. Roughly speaking, we could exchange what we can currently log, but not more (i.e., no nested records, tables, etc.). On the other hand we could build script-level frameworks that get some of that back transparently by rolling stuff out internally. We could even go a step further then and send events over that channel as well. And that in turn might let us eventually remove all the current communication code and replace with something nicer, maybe indeed an external library as we've been discussing earlier already. 
Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From noreply at bro-ids.org Wed Jan 16 00:00:06 2013 From: noreply at bro-ids.org (Merge Tracker) Date: Wed, 16 Jan 2013 00:00:06 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201301160800.r0G806Dw027668@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 754 [1] | seth | robin | Normal | Complete implementation of switch statement Bro | 928 [2] | matthias | seth | Normal | Incorporate ICSI certificate notary into SSL logging Bro | 929 [3] | amannb | | Normal | Merge request for topic/bernhard/input-logging-commmon-functions [4] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | f7679a3 | Bernhard Amann | 2013-01-15 | add opaque type-ignoring for the accept_unsupported_types input framework option. [5] [1] #754: http://tracker.bro-ids.org/bro/ticket/754 [2] #928: http://tracker.bro-ids.org/bro/ticket/928 [3] #929: http://tracker.bro-ids.org/bro/ticket/929 [4] input-logging-commmon-functions: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/input-logging-commmon-functions [5] fastpath: http://tracker.bro-ids.org/bro/changeset/f7679a3d50538a48b5f7cb46fad287eb1e420527/bro From bro at tracker.bro-ids.org Wed Jan 16 10:14:16 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 16 Jan 2013 18:14:16 -0000 Subject: [Bro-Dev] #754: Complete implementation of switch statement In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> Message-ID: <061.d2eb68de9d74722a3b1edf117dfc22d9@tracker.bro-ids.org> #754: Complete implementation of switch statement ----------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: reopened Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: language ----------------------------+------------------------ Comment (by vern): I can abide mandatory either-break-or-fallthrough as ending a case block. That lets us keep the syntax while getting the safety property that I want to have. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Jan 16 14:40:14 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 16 Jan 2013 22:40:14 -0000 Subject: [Bro-Dev] #754: Complete implementation of switch statement In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org> Message-ID: <061.bc725cbd1a8c484c198a253030da534a@tracker.bro-ids.org> #754: Complete implementation of switch statement ----------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: reopened Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: language ----------------------------+------------------------ Comment (by jsiwek): In [be71a42f4c9cdde69b74f18203db062dbc18dea2/bro]: {{{ #!CommitTicketReference repository="bro" revision="be71a42f4c9cdde69b74f18203db062dbc18dea2" Add "fallthrough" keyword, require a flow statement to end case blocks. Case blocks in switch statements now must end in a break, return, or fallthrough statement to give best mix of safety, readability, and flexibility. The new fallthrough keyword explicitly allows control to be passed to the next case block in a switch statement. Addresses #754. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Jan 16 15:36:51 2013 
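Added illustration, not part of the tracker messages and not Bro's parser or interpreter: a small Python model of the switch semantics debated in #754 (C-style fall-through, automatic break, and the final rule that every case block must end in break, return or fallthrough). The list-of-tuples representation of a switch and all function names are assumptions made for this example.

```python
# A switch is modelled as a list of (labels, body) pairs; a body is a list of
# statement strings. This shape is an assumption for the example only.
TERMINATORS = {"break", "return", "fallthrough"}

# Constructed sample mirroring the snippet quoted in the thread:
#   switch ( v ) { case A: x(); case B: y();
AMBIGUOUS = [(["A"], ["x()"]), (["B"], ["y()"])]

# The same switch with the reader's intent written out explicitly.
EXPLICIT = [(["A"], ["x()", "fallthrough"]), (["B"], ["y()", "break"])]


def run(cases, value, implicit_fallthrough):
    """Return the calls executed when switching on `value`.

    implicit_fallthrough=True  models C: a body without a terminator runs
                               on into the next body.
    implicit_fallthrough=False models the no-fallthrough branch: a body
                               without a terminator ends the switch.
    In both modes "break"/"return" stop and "fallthrough" continues.
    """
    executed = []
    matched = False
    for labels, body in cases:
        if not matched and value not in labels:
            continue
        matched = True
        proceed = implicit_fallthrough
        for stmt in body:
            if stmt in ("break", "return"):
                return executed
            if stmt == "fallthrough":
                proceed = True
                break
            executed.append(stmt)
        if not proceed:
            return executed
    return executed


def check_terminators(cases):
    """Model of the parse-time rule from the later commit: every case block
    must end in break, return or fallthrough. Returns a list of errors."""
    errors = []
    for labels, body in cases:
        if not body or body[-1] not in TERMINATORS:
            errors.append(
                "case %s: block must end in break, return or fallthrough"
                % ", ".join(labels)
            )
    return errors


def meaning_depends_on_reader(cases, value):
    """True when the two implicit conventions disagree for `value`, i.e. the
    code does something different from what a C reader would expect."""
    return run(cases, value, True) != run(cases, value, False)


if __name__ == "__main__":
    for name, cases in (("ambiguous", AMBIGUOUS), ("explicit", EXPLICIT)):
        print(name, "C-style:", run(cases, "A", True),
              "auto-break:", run(cases, "A", False),
              "errors:", check_terminators(cases))
```

The ambiguous form runs `x(); y()` under one convention and only `x()` under the other, while the form that passes the terminator check behaves identically under both.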
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 16 Jan 2013 23:36:51 -0000 Subject: [Bro-Dev] #930: Segfault when logging strange record Message-ID: <048.992c8f7fbbc27c4ac1dc9041ae2839d4@tracker.bro-ids.org> #930: Segfault when logging strange record ---------------------+------------------------ Reporter: amannb | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ The following short script segfaults when run {{{ module MyMod; export { redef enum Log::ID += { LOG }; type Log: record { ss: set[string]; } &log; } event bro_init() { Log::create_stream(MyMod::LOG, [$columns=Log]); local test: string; Log::write(MyMod::LOG, [ $ss=set(test, "BB", "CC") ]); } }}} The backtrace is {{{ Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000030 Val::Type (this=0x0) at Val.h:197 197 const BroType* Type() const { return type; } (gdb) bt #0 Val::Type (this=0x0) at Val.h:197 #1 0x0000000100103717 in CompositeHash::ComputeSingletonHash (this=0x102828410, v=0x0, type_check=1) at /Users/bernhard/bro/bro/src/CompHash.cc:327 #2 0x00000001001032f1 in CompositeHash::ComputeHash (this=0x102828410, v=0x0, type_check=1) at /Users/bernhard/bro/bro/src/CompHash.cc:277 #3 0x00000001002f2489 in TableVal::ComputeHash (this=0x102828f90, index=0x0) at Val.h:846 #4 0x00000001002e752b in TableVal::Assign (this=0x102828f90, index=0x0, new_val=0x0, op=OP_ASSIGN) at /Users/bernhard/bro/bro/src/Val.cc:1451 #5 0x000000010018836d in SetConstructorExpr::Eval (this=0x102826540, f=0x102828430) at /Users/bernhard/bro/bro/src/Expr.cc:3527 #6 0x0000000100174f13 in UnaryExpr::Eval (this=0x102826780, f=0x102828430) at /Users/bernhard/bro/bro/src/Expr.cc:475 #7 0x0000000100190984 in ListExpr::Eval (this=0x102826830, f=0x102828430) at /Users/bernhard/bro/bro/src/Expr.cc:4885 #8 0x0000000100174f13 in UnaryExpr::Eval 
(this=0x102826a10, f=0x102828430) at /Users/bernhard/bro/bro/src/Expr.cc:475 #9 0x000000010018d406 in eval_list (f=0x102828430, l=0x102825cd0) at /Users/bernhard/bro/bro/src/Expr.cc:5482 #10 0x000000010018f17a in CallExpr::Eval (this=0x102826be0, f=0x102828430) at /Users/bernhard/bro/bro/src/Expr.cc:4633 #11 0x00000001002ae4a4 in ExprStmt::Exec (this=0x102826c70, f=0x102828430, flow=@0x7fff5fbfebb8) at /Users/bernhard/bro/bro/src/Stmt.cc:369 #12 0x00000001002b4f7f in StmtList::Exec (this=0x102824e80, f=0x102828430, flow=@0x7fff5fbfebb8) at /Users/bernhard/bro/bro/src/Stmt.cc:1574 #13 0x00000001001a3d55 in BroFunc::Call (this=0x101cfb340, args=0x102828220, parent=0x0) at /Users/bernhard/bro/bro/src/Func.cc:336 #14 0x0000000100153573 in EventHandler::Call (this=0x101c28be0, vl=0x102828220, no_remote=false) at /Users/bernhard/bro/bro/src/EventHandler.cc:72 #15 0x00000001000cbf69 in Event::Dispatch (this=0x1028282a0, no_remote=false) at Event.h:46 #16 0x0000000100152a61 in EventMgr::Dispatch (this=0x100516260) at /Users/bernhard/bro/bro/src/Event.cc:105 #17 0x0000000100152b05 in EventMgr::Drain (this=0x100516260) at /Users/bernhard/bro/bro/src/Event.cc:117 #18 0x00000001000c9f78 in main (argc=3, argv=0x7fff5fbffb58) at /Users/bernhard/bro/bro/src/main.cc:1058 }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Jan 16 15:39:03 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 16 Jan 2013 23:39:03 -0000 Subject: [Bro-Dev] #930: Segfault when logging strange record In-Reply-To: <048.992c8f7fbbc27c4ac1dc9041ae2839d4@tracker.bro-ids.org> References: <048.992c8f7fbbc27c4ac1dc9041ae2839d4@tracker.bro-ids.org> Message-ID: <063.11c9223df533c026f17c5ccc05863e70@tracker.bro-ids.org> #930: Segfault when logging strange record ----------------------+------------------------ Reporter: amannb | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by amannb): Forgot to mention - it only crashes when bro is run in bare mode. When running bro normally it returns an error {{{ ERROR: index type doesn't match table (anonymous-function{ if (Notice::ACTION_DROP in Notice::n$actions) } and list of string) (/Users/bernhard/sw/share/bro/base/frameworks/notice/./actions/drop.bro, lines 25-32 and ./t.bro, line 18) }}} So - it probably is quite low on the importance scale. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Jan 16 15:41:47 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 16 Jan 2013 23:41:47 -0000 Subject: [Bro-Dev] #930: Segfault when logging strange record In-Reply-To: <048.992c8f7fbbc27c4ac1dc9041ae2839d4@tracker.bro-ids.org> References: <048.992c8f7fbbc27c4ac1dc9041ae2839d4@tracker.bro-ids.org> Message-ID: <063.154a8b3c6d46225b4b2c77e29df9fcfb@tracker.bro-ids.org> #930: Segfault when logging strange record ----------------------+------------------------ Reporter: amannb | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by amannb): ...and second comment - {{{ event bro_init() { local test: string; local ss: set[string]; ss = set(test); } }}} also is sufficient to crash bro in bare mode. -- Ticket URL: Bro Tracker Bro Issue Tracker From vern at icir.org Wed Jan 16 17:09:17 2013 
From: vern at icir.org (Vern Paxson) Date: Wed, 16 Jan 2013 17:09:17 -0800 Subject: [Bro-Dev] [Bro] effects of &synchronized and &mergeable In-Reply-To: <20130115183238.GB46634@icir.org> (Tue, 15 Jan 2013 10:32:38 PST). Message-ID: <20130117010918.0809D2C4009@rock.ICSI.Berkeley.EDU> > Seth and I have been mulling over this, and I'd be curious what others > think about this. If we'd remove the &synchronized stuff, we could > throw out a lot of C++-level code and complexity. Hmmmm. I've always liked that &synchronized gives us a general capability rather than presupposing the nature of cross-Bro state coordination. I take it your view is that we now have enough experiences with clusters to conclude that we aren't making full use of the generality, so we should consider the maintenance/complexity gains we could achieve by removing it. Is that the right way to summarize it? What about for non-cluster distributed deployments? As I understand it, LBL's "Deep Bro" vision is to coordinate Bros that are analyzing different traffic streams (and with higher intercommunication latencies between those Bros). One thing I'm wondering is whether that use-case might still benefit from more general semantics. > We could even go a step further then and send events over that channel > as well. And that in turn might let us eventually remove all the > current communication code and replace with something nicer, maybe > indeed an external library as we've been discussing earlier already. Here do you mean essentially do explicit synchronization rather than implicit? Or do you mean changing the paradigm for how implicit synchronization works? Vern From bro at tracker.bro-ids.org Wed Jan 16 17:50:50 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 17 Jan 2013 01:50:50 -0000 Subject: [Bro-Dev] #931: Ascii writer does not escape empty sets / vectors Message-ID: <048.22ca783e8c0f253bb0b3c6fb3b7c068d@tracker.bro-ids.org> #931: Ascii writer does not escape empty sets / vectors ---------------------+------------------------ Reporter: amannb | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ The script {{{ redef LogAscii::empty_field = "EMPTY"; module SSH; export { redef enum Log::ID += { LOG }; type Log: record { ss: set[string]; } &log; } event bro_init() { Log::create_stream(SSH::LOG, [$columns=Log]); Log::write(SSH::LOG, [ $ss=set("EMPTY") ]); } }}} Outputs the line {{{ EMPTY }}} to a log-file. This makes it impossible to distinguish a line containing EMPTY from a line containing an empty set. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Jan 16 17:55:10 2013 
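Added illustration, not part of ticket #931 and not Bro's ASCII writer: a Python model of the ambiguity the ticket reports, where a set holding the string "EMPTY" and an empty set serialize to the same log field, next to one possible escaping scheme that makes the field round-trip. The "," set separator, the `\xNN` escape form and all function names are assumptions for this example; only the "EMPTY" sentinel comes from the ticket.

```python
import re

EMPTY_FIELD = "EMPTY"  # sentinel from the ticket's redef of LogAscii::empty_field
SET_SEP = ","          # assumed separator between set elements


def write_set_naive(values):
    """Behaviour reported in the ticket: no escaping of element values."""
    if not values:
        return EMPTY_FIELD
    return SET_SEP.join(sorted(values))


def _hex_escape(ch):
    return "\\x%02x" % ord(ch)


def escape_element(element):
    """Escape one element so it can never be mistaken for structure.

    Backslashes and separators are always escaped; an element that would
    still read as the sentinel gets its first character escaped."""
    escaped = "".join(
        _hex_escape(ch) if ch in ("\\", SET_SEP) else ch for ch in element
    )
    if escaped == EMPTY_FIELD:
        escaped = _hex_escape(escaped[0]) + escaped[1:]
    return escaped


def write_set_escaped(values):
    """Writer that keeps the sentinel unambiguous."""
    if not values:
        return EMPTY_FIELD
    return SET_SEP.join(sorted(escape_element(v) for v in values))


_ESCAPE_RE = re.compile(r"\\x([0-9a-f]{2})")


def read_set(field):
    """Inverse of write_set_escaped: the bare sentinel means the empty set."""
    if field == EMPTY_FIELD:
        return set()
    return {
        _ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), part)
        for part in field.split(SET_SEP)
    }


def collides(writer, a, b):
    """True when two different sets produce the same log field."""
    return a != b and writer(a) == writer(b)


if __name__ == "__main__":
    # Constructed sample sets, including the case from the ticket.
    samples = [set(), {"EMPTY"}, {"a,b", "EMPTY"}, {"back\\slash"}]
    for s in samples:
        print(sorted(s), "naive:", write_set_naive(s),
              "escaped:", write_set_escaped(s),
              "round-trip ok:", read_set(write_set_escaped(s)) == s)
```

For anyone consuming these logs in detection or forensics tooling, the practical check is the round trip: a parser should reproduce exactly the set that was written, including values chosen by the monitored traffic.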
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 17 Jan 2013 01:55:10 -0000
Subject: [Bro-Dev] #932: Assigning an uninitialized variable to a vector stops execution of bro script
Message-ID: <048.afedcaf6f14d0b150f983e91905cbdf3@tracker.bro-ids.org>

#932: Assigning an uninitialized variable to a vector stops execution of bro
script
---------------------+------------------------
 Reporter:  amannb   |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro2.2
Component:  Bro      |    Version:  git/master
 Keywords:           |
---------------------+------------------------
Executing the script

{{{
event bro_init()
{
    local st: string;
    local s: vector of string;

    s[0] = st;
    print "Continuing";
}
}}}

Stops bro with an internal error, when run in non-bare mode.

In bare mode, the error message

{{{
error in ./t.bro, line 6: value used but not set (st)
}}}

is shown and after that script execution continues. This should probably
also work in non-bare-mode to prevent scripting errors from shutting down a
bro-instance.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From noreply at bro-ids.org Thu Jan 17 00:00:06 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 17 Jan 2013 00:00:06 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301170800.r0H806LU032257@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 754 [1] | seth     | robin | Normal | Complete implementation of switch statement
Bro       | 928 [2] | matthias | seth  | Normal | Incorporate ICSI certificate notary into SSL logging
Bro       | 929 [3] | amannb   |       | Normal | Merge request for topic/bernhard/input-logging-commmon-functions [4]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer      | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | f7679a3  | Bernhard Amann | 2013-01-15 | add opaque type-ignoring for the accept_unsupported_types input framework option. [5]
broctl    | 7108ea6  | Daniel Thayer  | 2013-01-16 | Fix various bugs and remove some unused code [6]

[1] #754: http://tracker.bro-ids.org/bro/ticket/754
[2] #928: http://tracker.bro-ids.org/bro/ticket/928
[3] #929: http://tracker.bro-ids.org/bro/ticket/929
[4] input-logging-commmon-functions: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/input-logging-commmon-functions
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/f7679a3d50538a48b5f7cb46fad287eb1e420527/bro
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/7108ea62d2b91fcbffd66a6136cf94b9a05900b3/broctl

From robin at icir.org Thu Jan 17 08:54:04 2013
From: robin at icir.org (Robin Sommer)
Date: Thu, 17 Jan 2013 08:54:04 -0800
Subject: [Bro-Dev] [Bro] effects of &synchronized and &mergeable
In-Reply-To: <20130117010918.0809D2C4009@rock.ICSI.Berkeley.EDU>
References: <20130115183238.GB46634@icir.org> <20130117010918.0809D2C4009@rock.ICSI.Berkeley.EDU>
Message-ID: <20130117165403.GN68818@icir.org>

On Wed, Jan 16, 2013 at 17:09 -0800, you wrote:

> I take it your view is that we now have enough experiences with clusters
> to conclude that we aren't making full use of the generality, so we should
> consider the maintenance/complexity gains we could achieve by removing it.

While it's a general mechanism, it comes with its own limitations, in
particular there's no control with whom to synchronize; it's everybody
or nobody. That could be solved in principle but only at the expense
of further complexity.

But the real answer is: we aren't making use of &synchronized much
already:

> grep -R '\&synchronized' scripts/
scripts/policy/protocols/conn/known-hosts.bro: global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
scripts/policy/protocols/conn/known-services.bro: global known_services: set[addr, port] &create_expire=1day &synchronized;
scripts/policy/protocols/ssl/known-certs.bro: global certs: set[addr, string] &create_expire=1day &synchronized &redef;
scripts/policy/protocols/ssl/validate-certs.bro: &read_expire=5mins &synchronized &redef;
scripts/policy/protocols/ssh/detect-bruteforcing.bro: &read_expire=guessing_timeout+1hr &synchronized &redef;
scripts/base/frameworks/software/main.bro: &synchronized

(Note that all but one are in the optional "policy" set).

In other words, we are already implementing cluster synchronization
with events, not &synchronized.

There's a conceptual change with 2.0 that makes &synchronized less
useful. Originally the attribute was meant for the user: by simply
attaching &synchronized to a table, things get taken care of.
The new 2.0 frameworks however work at a higher level, with their own
APIs already hiding clusterization transparently internally. With
that, the focus is shifting from what helps the user to what helps the
frameworks. That along with the just "best effort" semantics of
&synchronized and its internal complexity leaves me wondering if the
better long-term strategy is something else.

> What about for non-cluster distributed deployments? As I understand it,
> LBL's "Deep Bro" vision is to coordinate Bros that are analyzing different
> traffic streams

That's exactly where the current &synchronized becomes hard to use
because you can't select what state to exchange between which parts of
the deep-bro setup; the one-set-of-state-for-all doesn't really apply
anymore there.

> One thing I'm wondering is whether that use-case might still benefit
> from more general semantics.

I'm thinking to take out some of the generality that &synchronized
provides, but in return add some new flexibility/capabilities that we
currently don't have (better semantics, sharing of subsets of state,
persistence that's closely tied in).

Here's some further thoughts (mine; don't know if this aligns with
what Seth wants ...)

I like the idea of having a transparent key-value store that's both
distributed and persistent. Scripts get an API to insert/delete value
indexed by strings and Bro guarantees that it will show up everywhere
(we might even be able to do some strict form of global consistency
here; not sure). The master node keeps a persistent copy on disk that
survives restarts. Other frameworks can then use this new API to
distribute/store state.

Actually it wouldn't be a single key-value store but scripts should be
able to create new, separate ones on demand. And they can specify with
which nodes to sync each with; or maybe other nodes could subscribe to
individual stores by their name. Maybe let's call the stores "views".
For example, in a tiered deep-cluster, a set of nodes monitoring a
subnet could use their own view that's not propagated to those for
other subnets (and we could extend that mechanism to events to share
them more selectively as well).

> Here do you mean essentially do explicit synchronization rather than
> implicit?

Yes, in terms of mechanism. However for most users it would still be
transparent as long as they use the standard frameworks. And if they
don't, they'd at least get a very intuitive/familiar key-value data
model.

Just brainstorming,

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From seth at icir.org Thu Jan 17 10:46:01 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 17 Jan 2013 13:46:01 -0500
Subject: [Bro-Dev] [Bro] effects of &synchronized and &mergeable
In-Reply-To: <20130117165403.GN68818@icir.org>
References: <20130115183238.GB46634@icir.org> <20130117010918.0809D2C4009@rock.ICSI.Berkeley.EDU> <20130117165403.GN68818@icir.org>
Message-ID:

On Jan 17, 2013, at 11:54 AM, Robin Sommer wrote:

> I like the idea of having a transparent key-value store that's both
> distributed and persistent.

Oh, this might work and have the additional benefit of being very simple
and easy to implement and remember how it works. We'd basically be
severely restricting what people can do so that we can do more stuff
automatically.

> Actually it wouldn't be a single key-value store but scripts should be
> able to create new, separate ones on demand. And they can specify with
> which nodes to sync each with; or maybe other nodes could subscribe to
> individual stores by their name. Maybe let's call the stores "views".

I like this and it could be the first step toward the data distribution
and persistence framework (data framework?) we were talking about. So far
I had been having a hard time figuring out what this would look like but I
was probably trying to make it too complicated too. If I think within the
boundaries you are laying out in the proposal, I can imagine creating
everything I want in the scripting land.

I like it so far, I'll have to do a bit more thinking and maybe some
example scripting to find edge cases where it might not work or be
particularly burdensome.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From bro at tracker.bro-ids.org Thu Jan 17 20:27:16 2013
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 18 Jan 2013 04:27:16 -0000 Subject: [Bro-Dev] #933: Test ticket Message-ID: <047.6e9da74d7597fa316416d4ca5d3fdf7d@tracker.bro-ids.org> #933: Test ticket ---------------------+------------------------ Reporter: robin | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Jan 17 21:14:37 2013 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 18 Jan 2013 05:14:37 -0000 Subject: [Bro-Dev] #933: Test ticket In-Reply-To: <047.6e9da74d7597fa316416d4ca5d3fdf7d@tracker.bro-ids.org> References: <047.6e9da74d7597fa316416d4ca5d3fdf7d@tracker.bro-ids.org> Message-ID: <062.cdf84c47f0235489bcdfefaee15c475a@tracker.bro-ids.org> #933: Test ticket ----------------------+------------------------ Reporter: robin | Owner: Type: Problem | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Changes (by robin): * status: new => closed Comment: On Fri, Jan 18, 2013 at 04:27 -0000, you wrote: > #933: Test ticket > ---------------------+------------------------ > Reporter: robin | Owner: > Type: Problem | Status: new > Priority: Normal | Milestone: Bro2.2 > Component: Bro | Version: git/master > Keywords: | > ---------------------+------------------------ > > -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org -- Ticket URL: Bro Tracker Bro Issue Tracker From vern at icir.org Thu Jan 17 23:28:36 2013 
From: vern at icir.org (Vern Paxson)
Date: Thu, 17 Jan 2013 23:28:36 -0800
Subject: [Bro-Dev] [Bro] effects of &synchronized and &mergeable
In-Reply-To: <20130117165403.GN68818@icir.org> (Thu, 17 Jan 2013 08:54:04 PST).
Message-ID: <20130118072836.53A4B2C4003@rock.ICSI.Berkeley.EDU>

> While it's a general mechanism, it comes with its own limitations ...

Ah, I see. Thanks for sketching this. What you & Seth frame seems then
like a reasonable approach to me.

Vern

From noreply at bro-ids.org Fri Jan 18 00:00:02 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 18 Jan 2013 13:08:13 -0000
Subject: [Bro-Dev] #934: GPRS Tunneling Protocol (GTP) Analyzer
Message-ID: <053.e35358da3dd6bfe2ce077946ca6f01bd@tracker.bro-ids.org>

#934: GPRS Tunneling Protocol (GTP) Analyzer
-------------------------+-----------------------------------------
 Reporter:  liamrandall  |       Type:  Feature Request
   Status:  new          |   Priority:  Normal
Milestone:  Bro2.2       |  Component:  Bro
  Version:  git/master   |   Keywords:  GTP GPRS Tunneling Protocol
-------------------------+-----------------------------------------
Requesting support for GTP Analyzers.

http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol

Public samples:
http://cloudshark.org/captures/374cf36574b6
http://www.pcapr.net/view/bwilkerson/2010/7/5/10/gtp3.pcap.html

Test environments are available upon request.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Jan 18 08:19:04 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 18 Jan 2013 16:19:04 -0000
Subject: [Bro-Dev] #934: GPRS Tunneling Protocol (GTP) Analyzer
In-Reply-To: <053.e35358da3dd6bfe2ce077946ca6f01bd@tracker.bro-ids.org>
References: <053.e35358da3dd6bfe2ce077946ca6f01bd@tracker.bro-ids.org>
Message-ID: <068.767b555e18ce60231c637417e97ee689@tracker.bro-ids.org>

#934: GPRS Tunneling Protocol (GTP) Analyzer
------------------------------+-----------------------------------------
  Reporter:  liamrandall      |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:  GTP GPRS Tunneling Protocol
------------------------------+-----------------------------------------

Comment (by jsiwek):

Replying to [ticket:934 liamrandall]:
> Requesting support for GTP Analyzers.

There's a GTPv1-U "analyzer" now in the git/master repository (#690 has
the history of that). I say "analyzer" because it really only functions
as a tunnel decapsulator right now. It also doesn't yet support GTP
extension headers (I didn't have any such pcaps to test against).

Can you try it out and let us know what's missing and/or not working?
i.e. is there more analysis that should be done? or are the extension
headers very important? or do GTP', GTP-C, or GTPv2 need specific
handling?

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Jan 18 08:32:45 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 18 Jan 2013 16:32:45 -0000
Subject: [Bro-Dev] #932: Assigning an uninitialized variable to a vector stops execution of bro script
In-Reply-To: <048.afedcaf6f14d0b150f983e91905cbdf3@tracker.bro-ids.org>
References: <048.afedcaf6f14d0b150f983e91905cbdf3@tracker.bro-ids.org>
Message-ID: <063.ee34d03fe45f59a538ce7cea3f140528@tracker.bro-ids.org>

#932: Assigning an uninitialized variable to a vector stops execution of bro
script
----------------------------+------------------------
  Reporter:  amannb         |      Owner:
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.2
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------
Changes (by jsiwek):

 * type: Problem => Merge Request

Comment:

This was an interesting bug. The difference between bare-mode and
non-bare-mode had to do with an unexpected interaction between `bro_init`
handlers...

commit [0a69b87f03b18f6c5b4e6952912b5390c9e698b1/bro]:
{{{
Fix uninitialized locals in event/hook handlers from having a value.

Since values for local variables are referenced by offset within a
Frame (not by identifier name), and event/hook handler bodies share
a common Frame, the value offsets for local variables in different
handlers may overlap. This meant locals in a handler without an
initialization may actually end up referring to the value of a
previous handler's local that has the same Frame offset. When
executing the body, that can possibly result in a type-conflict error
or give unexpected results instead of a "use of uninitialized value"
error.

This patch makes it so uninitialized locals do always refer to a null
value before executing the body of an event/hook handler, so that using
them without assigning a value within the body will consistently give
a "use of uninitialized value" error.
}}}

That's in `topic/jsiwek/ticket-932`.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Jan 18 11:01:42 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 18 Jan 2013 19:01:42 -0000
Subject: [Bro-Dev] #930: Segfault when logging strange record
In-Reply-To: <048.992c8f7fbbc27c4ac1dc9041ae2839d4@tracker.bro-ids.org>
References: <048.992c8f7fbbc27c4ac1dc9041ae2839d4@tracker.bro-ids.org>
Message-ID: <063.a4417038a3fb04ff797db7574e3287e5@tracker.bro-ids.org>

#930: Segfault when logging strange record
----------------------------+------------------------
  Reporter:  amannb         |      Owner:
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.2
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------
Changes (by jsiwek):

 * type: Problem => Merge Request

Comment:

This was mostly just an issue of reporter errors not being printed to
stderr due to the segfault between when a reporter event is dispatched and
when it actually executes.

See [fdd11428c142868b2856978322f42204db6e1d40/bro] and
[624980b98d7741f9af0cfb417336d149bb21e704/bro]. Patch in
`topic/jsiwek/ticket-930`.

(And the weirdness of the error in the first comment is a separate thing,
addressed in #932.)

--
Ticket URL: Bro Tracker Bro Issue Tracker

From noreply at bro-ids.org Sat Jan 19 00:00:04 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 19 Jan 2013 00:00:04 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301190800.r0J804hT025374@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 754 [1] | seth     | robin | Normal | Complete implementation of switch statement
Bro       | 928 [2] | matthias | seth  | Normal | Incorporate ICSI certificate notary into SSL logging
Bro       | 929 [3] | amannb   |       | Normal | Merge request for topic/bernhard/input-logging-commmon-functions [4]
Bro       | 930 [5] | amannb   |       | Normal | Segfault when logging strange record
Bro       | 932 [6] | amannb   |       | Normal | Assigning an uninitialized variable to a vector stops execution of bro script

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
broctl    | 7108ea6  | Daniel Thayer | 2013-01-16 | Fix various bugs and remove some unused code [7]

[1] #754: http://tracker.bro-ids.org/bro/ticket/754
[2] #928: http://tracker.bro-ids.org/bro/ticket/928
[3] #929: http://tracker.bro-ids.org/bro/ticket/929
[4] input-logging-commmon-functions: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/input-logging-commmon-functions
[5] #930: http://tracker.bro-ids.org/bro/ticket/930
[6] #932: http://tracker.bro-ids.org/bro/ticket/932
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/7108ea62d2b91fcbffd66a6136cf94b9a05900b3/broctl

From bro at tracker.bro-ids.org Sat Jan 19 13:24:42 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 19 Jan 2013 21:24:42 -0000
Subject: [Bro-Dev] #934: GPRS Tunneling Protocol (GTP) Analyzer
In-Reply-To: <053.e35358da3dd6bfe2ce077946ca6f01bd@tracker.bro-ids.org>
References: <053.e35358da3dd6bfe2ce077946ca6f01bd@tracker.bro-ids.org>
Message-ID: <068.065bd9a44cb6e0dbcde121a894c2cedb@tracker.bro-ids.org>

#934: GPRS Tunneling Protocol (GTP) Analyzer
------------------------------+-----------------------------------------
  Reporter:  liamrandall      |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:  GTP GPRS Tunneling Protocol
------------------------------+-----------------------------------------

Comment (by liamrandall):

GTP-C and GTP-U should probably both be handled and logged. For example,
GTP-C (control plane) might want to log PDP setup, modifications and
tear-downs.

On GTP-U it does not seem to be decoding the tunneled traffic properly;
I'm not seeing analyzers fire for embedded ip4/6, http, etc.

PCAPR has a large variety of samples of the GTP-C setup/tear down, GTP-U
traffic, and hand-offs. I've attached some of the representative samples.

Specifications:
http://www.quintillion.co.jp/3GPP/Specs/29060-4b0.pdf

--
Ticket URL: Bro Tracker Bro Issue Tracker

From noreply at bro-ids.org Sun Jan 20 00:00:03 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 20 Jan 2013 20:16:42 -0000
Subject: [Bro-Dev] #935: Enhance logging framework with a delay mechanism
Message-ID: <050.6cfff68c7c77ec0180294b572ee6681c@tracker.bro-ids.org>

#935: Enhance logging framework with a delay mechanism
----------------------+------------------------
 Reporter:  matthias  |      Owner:  seth
     Type:  Task      |     Status:  new
 Priority:  Normal    |  Milestone:  Bro2.2
Component:  Bro       |    Version:  git/master
 Keywords:            |
----------------------+------------------------
The logging framework currently does not support a delay mechanism until a
desired asynchronous operation finishes. While there exist complicated
ad-hoc workarounds in the case of sending email notices and the notary
code, it would be nice to shield this complexity from the user.

To implement this feature, we could consider a special delay *filter*
which buffers records until they are acked. A user may want to customize
the buffering behavior by either specifying that record order matters or
that each acked record can be logged immediately. This would then
determine the buffering/flushing policy.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From noreply at bro-ids.org Mon Jan 21 00:00:02 2013
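The two buffering/flushing policies proposed in #935, as an added Python sketch (not part of the ticket and not Bro's logging framework): records are held until acked, and the `preserve_order` switch decides whether an ack releases only the acked record or the longest acked prefix. The class, its methods and the `update` parameter carrying the asynchronous result are hypothetical names chosen for this illustration.

```python
from collections import OrderedDict


class DelayFilter:
    """Buffers log records until the pending asynchronous work is acked."""

    def __init__(self, preserve_order):
        self.preserve_order = preserve_order
        self._pending = OrderedDict()   # token -> [record, acked?]
        self._next_token = 0

    def write(self, record):
        """Buffer a record and return the token used to ack it later."""
        token = self._next_token
        self._next_token += 1
        self._pending[token] = [dict(record), False]
        return token

    def ack(self, token, update=None):
        """Mark a record as complete; return the records to log now.

        `update` models the result of the asynchronous operation (for
        example a lookup answer) that is merged into the record.
        Raises KeyError for an unknown or already flushed token.
        """
        entry = self._pending[token]
        if update:
            entry[0].update(update)
        entry[1] = True

        if not self.preserve_order:
            # Policy 1: each acked record can be logged immediately.
            del self._pending[token]
            return [entry[0]]

        # Policy 2: record order matters, so release only the acked
        # prefix; a later ack must wait behind an earlier unacked record.
        flushed = []
        while self._pending:
            first = next(iter(self._pending))
            record, acked = self._pending[first]
            if not acked:
                break
            flushed.append(record)
            del self._pending[first]
        return flushed

    def pending(self):
        """Number of records still held back."""
        return len(self._pending)


def replay(preserve_order):
    """Ack three constructed records out of order; return flush batches."""
    f = DelayFilter(preserve_order)
    a = f.write({"uid": "A"})
    b = f.write({"uid": "B"})
    c = f.write({"uid": "C"})
    batches = []
    for token in (b, a, c):
        batches.append([r["uid"] for r in f.ack(token, {"validated": True})])
    return batches


if __name__ == "__main__":
    print("ordered:  ", replay(True))
    print("immediate:", replay(False))
```

With order preserved, one record whose ack never arrives holds back every record written after it, so `pending()` is the value to watch in that mode.
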
From: vladg at cmu.edu (Vlad Grigorescu)
Date: Wed, 23 Jan 2013 17:31:23 +0000
Subject: [Bro-Dev] Some Barnyard2 Bro Plugin Fixes
Message-ID: <1202BE242E080642B0CD0AD0A03E85528F0A80@PGH-MSGMB-03.andrew.ad.cmu.edu>

I've been trying to get the Bro-Barnyard2 integration working, and have
been seeing a lot of segfaults. It looks like Snort/Suricata's internals
are generating alerts with strange protocol numbers, and Bro will still
segfault due to some issues with port handling in Broccoli (see: ).

I've fixed the immediate issue on the Barnyard2 side of things, by only
sending events with a protocol of TCP/UDP/ICMP. It seems to be working
well for me.

My changes are in: . I'd appreciate it if someone could take a quick look
before I submit a pull request. Specifically, I'm worried about having
introduced some memleaks by bailing out of the function early when
bro_record_add_val fails.

Of course, it'd also be awesome to get that underlying issue fixed. I've
done some poking around but have had no luck so far.

Thanks,

--Vlad

From bro at tracker.bro-ids.org Wed Jan 23 18:07:21 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 24 Jan 2013 02:07:21 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.5f7241a1dff435642f4b0900f71a2695@tracker.bro-ids.org>

#754: Complete implementation of switch statement
----------------------------+------------------------
  Reporter:  seth           |      Owner:  robin
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.2
 Component:  Bro            |    Version:  git/master
Resolution:  fixed          |   Keywords:  language
----------------------------+------------------------
Changes (by robin):

 * status: reopened => closed
 * resolution: => fixed

Comment:

In [changeset:dcd675280e9d0b56db29b9e8d34f65b0120fa482/bro]:
{{{
#!CommitTicketReference repository="bro" revision="dcd675280e9d0b56db29b9e8d34f65b0120fa482"
Merge remote-tracking branch 'origin/topic/jsiwek/no-switch-fallthrough'

* origin/topic/jsiwek/no-switch-fallthrough:
  Add "fallthrough" keyword, require a flow statement to end case blocks.
  Disable automatic case fallthrough in switch stmts. Addresses #754.

I've added a test for the error case where no break/fallthrough/return
is given.

Closes #754.
}}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Wed Jan 23 18:07:21 2013
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 24 Jan 2013 02:07:21 -0000 Subject: [Bro-Dev] #932: Assigning an uninitialized variable to a vector stops execution of bro script In-Reply-To: <048.afedcaf6f14d0b150f983e91905cbdf3@tracker.bro-ids.org> References: <048.afedcaf6f14d0b150f983e91905cbdf3@tracker.bro-ids.org> Message-ID: <063.5d45e706c4c06492f4d4bd079d0dafaf@tracker.bro-ids.org> #932: Assigning an uninitialized variable to a vector stops execution of bro script ----------------------------+------------------------ Reporter: amannb | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [changeset:c780bfdb484fab2fcb9c7600ed670c66f52b03da/bro]: {{{ #!CommitTicketReference repository="bro" revision="c780bfdb484fab2fcb9c7600ed670c66f52b03da" Merge remote-tracking branch 'origin/topic/jsiwek/ticket-932' * origin/topic/jsiwek/ticket-932: Fix uninitialized locals in event/hook handlers from having a value. Closes #932. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Jan 23 18:07:21 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 24 Jan 2013 02:07:21 -0000 Subject: [Bro-Dev] #929: Merge request for topic/bernhard/input-logging-commmon-functions In-Reply-To: <048.2509664a524fbc34a21ed8a972fc9c94@tracker.bro-ids.org> References: <048.2509664a524fbc34a21ed8a972fc9c94@tracker.bro-ids.org> Message-ID: <063.a116fd32420abd372f1cada24532cbc5@tracker.bro-ids.org> #929: Merge request for topic/bernhard/input-logging-commmon-functions ----------------------------+------------------------ Reporter: amannb | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [changeset:762c034ec2b324486995a38920141372501dba9b/bro]: {{{ #!CommitTicketReference repository="bro" revision="762c034ec2b324486995a38920141372501dba9b" Merge remote-tracking branch 'origin/topic/bernhard/input-logging-commmon-functions' * origin/topic/bernhard/input-logging-commmon-functions: add the last of Robins suggestions (separate info-struct for constructors). port memory leak fix from master harmonize function naming move AsciiInputOutput over to threading and thinking about it, ascii-io doesn't need the separator change constructors and factor stuff out the input framework too. factor out ascii input/output. std::string accessors to escape_sequence functionality intermediate commit - it has been over a month since I touched this... I cleaned up the AsciiInputOutput class somewhat, including renaming it to AsciiFormatter, renaming some of its methods, and turning the static methods into members for consistency. Closes #929. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Jan 23 18:07:21 2013
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 24 Jan 2013 02:07:21 -0000 Subject: [Bro-Dev] #930: Segfault when logging strange record In-Reply-To: <048.992c8f7fbbc27c4ac1dc9041ae2839d4@tracker.bro-ids.org> References: <048.992c8f7fbbc27c4ac1dc9041ae2839d4@tracker.bro-ids.org> Message-ID: <063.369d21ca8cde084699d096b1cc49f43f@tracker.bro-ids.org> #930: Segfault when logging strange record ----------------------------+------------------------ Reporter: amannb | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [changeset:854891930dc976bfdd816323a9bd64cf8c7b7838/bro]: {{{ #!CommitTicketReference repository="bro" revision="854891930dc976bfdd816323a9bd64cf8c7b7838" Merge remote-tracking branch 'origin/topic/jsiwek/ticket-930' * origin/topic/jsiwek/ticket-930: Add a null value check in CompositeHash::ComputeHash. Change reporter messages to more reliably print to stderr. Closes #930. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Wed Jan 23 18:08:29 2013 
From: robin at icir.org (Robin Sommer) Date: Wed, 23 Jan 2013 18:08:29 -0800 Subject: [Bro-Dev] [Bro-Commits] [git/broctl] fastpath: Fix various bugs and remove some unused code (7108ea6) In-Reply-To: <201301162317.r0GNHedO026161@bro-ids.icir.org> References: <201301162317.r0GNHedO026161@bro-ids.icir.org> Message-ID: <20130124020829.GA90401@icir.org> There are two problems with this patch: - you're removing some parts from the plugin api that I think should stay. Just that it's not used currently doesn't mean it can't; that's what plugins are for. If it breaks the test plugin the bug is in there. And if something doesn't get called (cmd_restart_*) we should add the calls. - completedefault() is actually used, it's part of the Cmd API, see http://docs.python.org/2/library/cmd.html. Better to fix the method than to remove. So I've turned these changes into a branch for now (topic/dnthayer/cleanup) and reverted the commit on fastpath. Robin On Wed, Jan 16, 2013 at 15:17 -0800, Daniel Thayer wrote: > commit 7108ea62d2b91fcbffd66a6136cf94b9a05900b3 > Author: Daniel Thayer > Date: Wed Jan 16 17:11:50 2013 -0600 > > Fix various bugs and remove some unused code > > Removed an unused extra parameter from the cmd_scripts_pre and > cmd_scripts_post methods (this was causing the TestPlugin.py to > crash broctl when running the "scripts" command). > > Removed an undefined "cleanup" command parameter "--keep-tmp" that the > "restart --clean" command was trying to use. > > The "status" command was not calling cmd_status_post (it was calling > cmd_status_pre twice). > > Removed the unused cmd_restart_pre and cmd_restart_post methods. > > Removed the unused function "completedefault" (it was using an > incorrect list of command names).
> > > >--------------------------------------------------------------- > > 7108ea62d2b91fcbffd66a6136cf94b9a05900b3 > BroControl/plugin.py | 80 ++------------------------------------ > BroControl/plugins/TestPlugin.py | 8 ++-- > bin/broctl.in | 19 +-------- > 3 files changed, 11 insertions(+), 96 deletions(-) > > diff --git a/BroControl/plugin.py b/BroControl/plugin.py > index ebbad72..b21ad62 100644 > --- a/BroControl/plugin.py > +++ b/BroControl/plugin.py 
> @@ -727,78 +727,6 @@ class Plugin(object): > pass > > @doc.api("override") > - def cmd_restart_pre(self, nodes, clean): > - """Called just before the ``restart`` command is run. It receives the > - list of nodes, and returns the list of nodes that should proceed with > - the command. *clean* is boolean indicating whether the ``--clean`` > - argument has been given. > - > - This method can be overridden by derived classes. The default > - implementation does nothing. > - """ > - pass > - > - @doc.api("override") > - def cmd_restart_post(self, results): > - """Called just after the ``restart`` command has finished. It receives > - the list of 2-tuples ``(node, bool)`` indicating the nodes the command > - was executed for, along with their success status. The remaining > - arguments are as with the ``pre`` method. > - > - This method can be overridden by derived classes. The default > - implementation does nothing. > - """ > - pass > - > - @doc.api("override") > - def cmd_restart_pre(self, nodes, clean): > - """Called just before the ``restart`` command is run. It receives the > - list of nodes, and returns the list of nodes that should proceed with > - the command. *clean* is boolean indicating whether the ``--clean`` > - argument has been given. > - > - This method can be overridden by derived classes. The default > - implementation does nothing. > - """ > - pass > - > - @doc.api("override") > - def cmd_restart_post(self, results): > - """Called just after the ``restart`` command has finished. It receives > - the list of 2-tuples ``(node, bool)`` indicating the nodes the command > - was executed for, along with their success status. The remaining > - arguments are as with the ``pre`` method. > - > - This method can be overridden by derived classes. The default > - implementation does nothing. > - """ > - pass > - > - @doc.api("override") > - def cmd_restart_pre(self, nodes, clean): > - """Called just before the ``restart`` command is run. 
It receives the > - list of nodes, and returns the list of nodes that should proceed with > - the command. *clean* is boolean indicating whether the ``--clean`` > - argument has been given. > - > - This method can be overridden by derived classes. The default > - implementation does nothing. > - """ > - pass > - > - @doc.api("override") > - def cmd_restart_post(self, results): > - """Called just after the ``restart`` command has finished. It receives > - the list of 2-tuples ``(node, bool)`` indicating the nodes the command > - was executed for, along with their success status. The remaining > - arguments are as with the ``pre`` method. > - > - This method can be overridden by derived classes. The default > - implementation does nothing. > - """ > - pass > - > - @doc.api("override") > def cmd_cleanup_pre(self, nodes, all): > """Called just before the ``cleanup`` command is run. It receives the > list of nodes, and returns the list of nodes that should proceed with > @@ -843,11 +771,11 @@ class Plugin(object): > pass > > @doc.api("override") > - def cmd_scripts_pre(self, nodes, full_path, check): > + def cmd_scripts_pre(self, nodes, check): > """Called just before the ``scripts`` command is run. It receives the > list of nodes, and returns the list of nodes that should proceed with > - the command. ``full_path`` and ``check`` are boolean indicating > - whether the ``-p`` and ``-c`` options were given, respectively. > + the command. *check* is boolean indicating whether the ``-c`` > + option was given. > > This method can be overridden by derived classes. The default > implementation does nothing. > @@ -855,7 +783,7 @@ class Plugin(object): > pass > > @doc.api("override") > - def cmd_scripts_post(self, nodes, full_path, check): > + def cmd_scripts_post(self, nodes, check): > """Called just after the ``scripts`` command has finished. Arguments > are as with the ``pre`` method. 
> > diff --git a/BroControl/plugins/TestPlugin.py b/BroControl/plugins/TestPlugin.py > index eae146e..74a4bd9 100644 > --- a/BroControl/plugins/TestPlugin.py > +++ b/BroControl/plugins/TestPlugin.py > @@ -190,11 +190,11 @@ class TestPlugin(BroControl.plugin.Plugin): > def cmd_capstats_post(self, nodes, interval): > self.message("TestPlugin: Test post 'capstats': %s (%d)" % (self._nodes(nodes), interval)) > > - def cmd_scripts_pre(self, nodes, full_path, check): > - self.message("TestPlugin: Test pre 'scripts': %s (%s/%s)" % (self._nodes(nodes), full_path, check)) > + def cmd_scripts_pre(self, nodes, check): > + self.message("TestPlugin: Test pre 'scripts': %s (%s)" % (self._nodes(nodes), check)) > > - def cmd_scripts_post(self, nodes, full_path, check): > - self.message("TestPlugin: Test post 'scripts': %s (%s/%s)" % (self._nodes(nodes), full_path, check)) > + def cmd_scripts_post(self, nodes, check): > + self.message("TestPlugin: Test post 'scripts': %s (%s)" % (self._nodes(nodes), check)) > > def cmd_print_pre(self, nodes, id): > self.message("TestPlugin: Test pre 'print': %s (%s)" % (self._nodes(nodes), id)) > diff --git a/bin/broctl.in b/bin/broctl.in > index fc8b163..d35e574 100755 > --- a/bin/broctl.in > +++ b/bin/broctl.in > @@ -251,8 +251,8 @@ class BroCtlCmdLoop(cmd.Cmd): > # Can't delete the tmp here because log archival might still be > # going on there in the background. > util.output("cleaning up ...") > - self.do_cleanup("--keep-tmp " + args) > - self.postcmd(False, "--keep-tmp " + args) > + self.do_cleanup(args) > + self.postcmd(False, args) > > if self.failed(): > return > @@ -285,7 +285,7 @@ class BroCtlCmdLoop(cmd.Cmd): > if success: > nodes = plugin.Registry.cmdPreWithNodes("status", nodes) > control.status(nodes) > - plugin.Registry.cmdPreWithNodes("status", nodes) > + plugin.Registry.cmdPostWithNodes("status", nodes) > > return False 
> > @@ -748,19 +748,6 @@ class BroCtlCmdLoop(cmd.Cmd): > success = control.processTrace(trace, options, scripts) > plugin.Registry.cmdPost("process", trace, options, scripts, success) > > - def completedefault(self, text, line, begidx, endidx): > - # Commands taken a "" argument. > - nodes_cmds = ["check", "cleanup", "df", "diag", "restart", "start", "status", "stop", "top", "update", "attachgdb", "peerstatus", "list-scripts"], > - > - args = line.split() > - > - if not args or not args[0] in nodes_cmds: > - return [] > - > - nodes = ["manager", "workers", "proxies", "all"] + [n.name for n in Config.nodes()] > - > - return [n for n in nodes if n.startswith(text)] > - > # Prints the command's docstring in a form suitable for direct inclusion > # into the documentation. > def printReference(self): > > _______________________________________________ > bro-commits mailing list > bro-commits at bro-ids.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Wed Jan 23 19:23:04 2013 From: robin at icir.org (Robin Sommer) Date: Wed, 23 Jan 2013 19:23:04 -0800 Subject: [Bro-Dev] [Bro] effects of &synchronized and &mergeable In-Reply-To: <20130118072836.53A4B2C4003@rock.ICSI.Berkeley.EDU> References: <20130117165403.GN68818@icir.org> <20130118072836.53A4B2C4003@rock.ICSI.Berkeley.EDU> Message-ID: <20130124032304.GA1986@icir.org> I've put some thoughts together here: http://www.bro-ids.org/development/projects/comm-ng.html Still quite rough. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From noreply at bro-ids.org Thu Jan 24 00:00:04 2013 
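Review bot: in the BroControl/plugin.py hunk at -727,78, the removed lines hold three identical copies of cmd_restart_pre and cmd_restart_post, and the change deletes all three. Removing the two redundant pairs is clearly right, but the methods are marked @doc.api("override"), so deleting the last pair also takes them out of the plugin interface that derived classes can override. I would keep one pair and add the missing calls to the restart command instead. If the pair stays, fix the cmd_restart_post docstring: it says "The remaining arguments are as with the ``pre`` method", but the signature is cmd_restart_post(self, results), so there are no remaining arguments to describe.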
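Review bot: in the bin/broctl.in hunk at -251,8, the unchanged comment above the edited lines still reads "Can't delete the tmp here because log archival might still be going on there in the background", yet the call is now a plain self.do_cleanup(args) with nothing visible that protects tmp. The commit message says "--keep-tmp" was never a defined cleanup parameter, so the concern in the comment was not being honoured before either. Either confirm that do_cleanup leaves tmp alone unless asked otherwise and reword the comment to say so, or implement the option rather than dropping the argument, so that the comment and the code agree.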
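Review bot: in the bin/broctl.in hunk at -748,19, the removed completedefault has a concrete defect that explains why it looked dead: the nodes_cmds assignment ends with a trailing comma after the closing bracket ("list-scripts"],), which makes nodes_cmds a one-element tuple holding the list. The test "not args[0] in nodes_cmds" is therefore true for every command name and the method always returns []. BroCtlCmdLoop derives from cmd.Cmd, which calls completedefault for tab completion when a command has no complete_* method of its own, so dropping the comma and correcting the command list would restore node-name completion, whereas deleting the method gives it up.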
From: noreply at bro-ids.org (Merge Tracker) Date: Thu, 24 Jan 2013 00:00:04 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201301240800.r0O80463022597@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 928 [1] | matthias | seth | Normal | Incorporate ICSI certificate notary into SSL logging > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ broctl | dbae5db | Robin Sommer | 2013-01-23 | Revert "Fix various bugs and remove some unused code" [2] broctl | 7108ea6 | Daniel Thayer | 2013-01-16 | Fix various bugs and remove some unused code [3] [1] #928: http://tracker.bro-ids.org/bro/ticket/928 [2] fastpath: http://tracker.bro-ids.org/bro/changeset/dbae5db819a9b03f528a336ea1b10d7a6c284dc0/broctl [3] fastpath: http://tracker.bro-ids.org/bro/changeset/7108ea62d2b91fcbffd66a6136cf94b9a05900b3/broctl From bro at tracker.bro-ids.org Thu Jan 24 08:09:12 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 24 Jan 2013 16:09:12 -0000 Subject: [Bro-Dev] #936: topic/jsiwek/record-coerce-orphans Message-ID: <048.c02f9fd5a72c938e4e2aa601c6651319@tracker.bro-ids.org> #936: topic/jsiwek/record-coerce-orphans ---------------------------+------------------------ Reporter: jsiwek | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ This branch makes it an error for a record field to be orphaned on coercion. E.g: {{{ type myrec: record { a: string; b: count; c: interval &optional; }; local rec: myrec = [$a="test", $b=42, $wtf=1sec]; }}} I think it's helpful because a typo of a field name (e.g. "identifer" versus "identifier") can be hard to spot, but result in unexpected runtime behavior (e.g. I spent time looking for a non-existent regression in notice de-duplication, when actually I just made a typo). Though, I don't know if there was a reason originally for allowing fields to be orphaned? At least all tests can be made to pass with the change. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Jan 24 08:15:35 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 24 Jan 2013 16:15:35 -0000 Subject: [Bro-Dev] #936: topic/jsiwek/record-coerce-orphans In-Reply-To: <048.c02f9fd5a72c938e4e2aa601c6651319@tracker.bro-ids.org> References: <048.c02f9fd5a72c938e4e2aa601c6651319@tracker.bro-ids.org> Message-ID: <063.5317c04fa7312f7a0da15ee077efe893@tracker.bro-ids.org> #936: topic/jsiwek/record-coerce-orphans ----------------------------+------------------------ Reporter: jsiwek | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by robin): On Thu, Jan 24, 2013 at 16:09 -0000, you wrote: > Though, I don't know if there was a reason originally for allowing fields > to be orphaned? At least all tests can be made to pass with the change. Makes sense, I can't see a reason where that would be ok. -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Jan 24 08:23:56 2013 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 24 Jan 2013 16:23:56 -0000 Subject: [Bro-Dev] #937: topic/seth/sendpackets: A test program for sending packets through Broccoli. Message-ID: <046.f92285419706b2cf191af3753376acc9@tracker.bro-ids.org> #937: topic/seth/sendpackets: A test program for sending packets through Broccoli. ---------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Broccoli | Version: git/master Keywords: | ---------------------------+------------------------ This was pulled from the timemachine repository. It fits better here. -- Ticket URL: Bro Tracker Bro Issue Tracker From dnthayer at illinois.edu Thu Jan 24 09:10:27 2013 
From: dnthayer at illinois.edu (Daniel Thayer) Date: Thu, 24 Jan 2013 11:10:27 -0600 Subject: [Bro-Dev] [Bro-Commits] [git/broctl] fastpath: Fix various bugs and remove some unused code (7108ea6) In-Reply-To: <20130124020829.GA90401@icir.org> References: <201301162317.r0GNHedO026161@bro-ids.icir.org> <20130124020829.GA90401@icir.org> Message-ID: <51016B03.5070007@illinois.edu> On 01/23/2013 08:08 PM, Robin Sommer wrote: > There are two problems with this patch: > > - you're removing some parts from the plugin api that I think > should stay. Just that it's not used currently doesn't mean it > can't; that's what plugins are for. If it breaks the test plugin > the bug is in there. And if something doesn't get called > (cmd_restart_*) we should add the calls. > I removed some code because: - The cmd_restart_* are not actually called anywhere, and the documentation says, "Finally, note that the restart command doesn't have its own method as it's just a combination of other commands and thus their callbacks are run." - The part that was crashing the TestPlugin.py was due to an extra cmd-line parameter "-p" to the "scripts" command that was removed a long time ago. From robin at icir.org Thu Jan 24 10:02:36 2013
From: robin at icir.org (Robin Sommer) Date: Thu, 24 Jan 2013 10:02:36 -0800 Subject: [Bro-Dev] [Bro-Commits] [git/broctl] fastpath: Fix various bugs and remove some unused code (7108ea6) In-Reply-To: <51016B03.5070007@illinois.edu> References: <201301162317.r0GNHedO026161@bro-ids.icir.org> <20130124020829.GA90401@icir.org> <51016B03.5070007@illinois.edu> Message-ID: <20130124180236.GI13787@icir.org> On Thu, Jan 24, 2013 at 11:10 -0600, you wrote: > - The cmd_restart_* are not actually called anywhere, and the > documentation says, "Finally, note that the restart command > doesn't have its own method as it's just a combination of > other commands and thus their callbacks are run." Oh, that sounds like that unfortunate documentation. :) I don't see anything wrong with providing the restart function, it might be handy for some cases. Please see if you can add the calls (maybe I'm missing something and there's a reason for the docs saying that; if so, please let me know if you run into trouble) > - The part that was crashing the TestPlugin.py was due to an > extra cmd-line parameter "-p" to the "scripts" command > that was removed a long time ago. Ok, I missed that we have removed that option, so that's ok then. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From noreply at bro-ids.org Fri Jan 25 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker) Date: Fri, 25 Jan 2013 00:00:03 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201301250800.r0P803HT027648@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 928 [1] | matthias | seth | Normal | Incorporate ICSI certificate notary into SSL logging Bro | 936 [2] | jsiwek | | Normal | topic/jsiwek/record-coerce-orphans [3] Broccoli | 937 [4] | seth | robin | Normal | topic/seth/sendpackets: A test program for sending packets through Broccoli. [5] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | b72fbaf | Jon Siwek | 2013-01-24 | Fix memory leak in some reporter messaging cases. [6] [1] #928: http://tracker.bro-ids.org/bro/ticket/928 [2] #936: http://tracker.bro-ids.org/bro/ticket/936 [3] record-coerce-orphans: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/record-coerce-orphans [4] #937: http://tracker.bro-ids.org/bro/ticket/937 [5] sendpackets:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbroccoli&old=master&new_path=%2Fbroccoli&new=topic/seth/sendpackets: [6] fastpath: http://tracker.bro-ids.org/bro/changeset/b72fbaf99fd8d40fe0bf38c81bf5f5921c762141/bro From bro at tracker.bro-ids.org Fri Jan 25 14:02:43 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 25 Jan 2013 22:02:43 -0000 Subject: [Bro-Dev] #936: topic/jsiwek/record-coerce-orphans In-Reply-To: <048.c02f9fd5a72c938e4e2aa601c6651319@tracker.bro-ids.org> References: <048.c02f9fd5a72c938e4e2aa601c6651319@tracker.bro-ids.org> Message-ID: <063.0964cf1e608e4727d02b7df64a47888b@tracker.bro-ids.org> #936: topic/jsiwek/record-coerce-orphans ----------------------------+------------------------ Reporter: jsiwek | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [changeset:f6c8995fd23c293d7d4871ea97545252ad95bce4/bro]: {{{ #!CommitTicketReference repository="bro" revision="f6c8995fd23c293d7d4871ea97545252ad95bce4" Merge remote-tracking branch 'origin/topic/jsiwek/record-coerce-orphans' * origin/topic/jsiwek/record-coerce-orphans: Add an error for record coercions that would orphan a field. Closes #936. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Fri Jan 25 21:52:36 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Sat, 26 Jan 2013 05:52:36 -0000 Subject: [Bro-Dev] #938: topic/seth/software-version-updates Updates to vulnerable software checking. Message-ID: <046.e7556293f69d14e7ab48cd43a37a6917@tracker.bro-ids.org> #938: topic/seth/software-version-updates Updates to vulnerable software checking. ---------------------------+------------------------ Reporter: seth | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ This branch extends and fixes the software framework and associated script to detect out of date software. - Add a third sublevel numeric value to versions and adjusts tests. - Compare $addl field numerically if it contains numeric. - Update vulnerable version detection to support version ranges for software that has multiple stable branches. - Added a feature to distribute vulnerable software versions over DNS and make it updatable at runtime. - Removed the vulnerable software configuration from local.bro because it is now broken. -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Sat Jan 26 00:00:02 2013 
From: noreply at bro-ids.org (Merge Tracker) Date: Sat, 26 Jan 2013 00:00:02 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201301260800.r0Q8023I010458@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 928 [1] | matthias | seth | Normal | Incorporate ICSI certificate notary into SSL logging Bro | 938 [2] | seth | | Normal | topic/seth/software-version-updates Updates to vulnerable software checking. [3] Broccoli | 937 [4] | seth | robin | Normal | topic/seth/sendpackets: A test program for sending packets through Broccoli. [5] [1] #928: http://tracker.bro-ids.org/bro/ticket/928 [2] #938: http://tracker.bro-ids.org/bro/ticket/938 [3] software-version-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/software-version-updates [4] #937: http://tracker.bro-ids.org/bro/ticket/937 [5] sendpackets:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbroccoli&old=master&new_path=%2Fbroccoli&new=topic/seth/sendpackets: From noreply at bro-ids.org Sun Jan 27 00:00:01 2013 
From: noreply at bro-ids.org (Merge Tracker) Date: Sun, 27 Jan 2013 00:00:01 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201301270800.r0R801Eh021407@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 928 [1] | matthias | seth | Normal | Incorporate ICSI certificate notary into SSL logging Bro | 938 [2] | seth | | Normal | topic/seth/software-version-updates Updates to vulnerable software checking. [3] Broccoli | 937 [4] | seth | robin | Normal | topic/seth/sendpackets: A test program for sending packets through Broccoli. [5] [1] #928: http://tracker.bro-ids.org/bro/ticket/928 [2] #938: http://tracker.bro-ids.org/bro/ticket/938 [3] software-version-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/software-version-updates [4] #937: http://tracker.bro-ids.org/bro/ticket/937 [5] sendpackets:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbroccoli&old=master&new_path=%2Fbroccoli&new=topic/seth/sendpackets: From noreply at bro-ids.org Mon Jan 28 00:00:03 2013 
From: noreply at bro-ids.org (Merge Tracker) Date: Mon, 28 Jan 2013 00:00:03 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201301280800.r0S803Wl010948@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 928 [1] | matthias | seth | Normal | Incorporate ICSI certificate notary into SSL logging Bro | 938 [2] | seth | | Normal | topic/seth/software-version-updates Updates to vulnerable software checking. [3] Broccoli | 937 [4] | seth | robin | Normal | topic/seth/sendpackets: A test program for sending packets through Broccoli. [5] [1] #928: http://tracker.bro-ids.org/bro/ticket/928 [2] #938: http://tracker.bro-ids.org/bro/ticket/938 [3] software-version-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/software-version-updates [4] #937: http://tracker.bro-ids.org/bro/ticket/937 [5] sendpackets:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbroccoli&old=master&new_path=%2Fbroccoli&new=topic/seth/sendpackets: From bro at tracker.bro-ids.org Mon Jan 28 00:45:15 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 28 Jan 2013 08:45:15 -0000 Subject: [Bro-Dev] #939: HTTP parser refact & redesign required Message-ID: <049.8451eff06e8ca978ba704578474cc219@tracker.bro-ids.org> #939: HTTP parser refact & redesign required ------------------------+--------------------- Reporter: drmckay | Type: Problem Status: new | Priority: Normal Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: ------------------------+--------------------- Hi, In the HTTP parser implementation you are following an old, obsoleted RFC from 1999. There is a newer version: http://tools.ietf.org/html/rfc3986 Please review and refactor your code (an unescapeURI() redesign is also needed, to minimize false positives). Thanks. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Jan 28 00:51:03 2013 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 28 Jan 2013 08:51:03 -0000 Subject: [Bro-Dev] #940: manager crash if can't send mail Message-ID: <049.41944fc77b6b3bed6966002b5cbbf86f@tracker.bro-ids.org> #940: manager crash if can't send mail ------------------------+--------------------- Reporter: drmckay | Type: Problem Status: new | Priority: Normal Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: ------------------------+--------------------- warning: cannot send mail manager not running (was crashed) If sendmail is stopped at runtime, the manager crashes silently. Better error handling required. :) -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Jan 28 04:43:15 2013
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 28 Jan 2013 12:43:15 -0000 Subject: [Bro-Dev] #940: manager crash if can't send mail In-Reply-To: <049.41944fc77b6b3bed6966002b5cbbf86f@tracker.bro-ids.org> References: <049.41944fc77b6b3bed6966002b5cbbf86f@tracker.bro-ids.org> Message-ID: <064.a99dabfee7accfa00826d1f56a5ac5cd@tracker.bro-ids.org> #940: manager crash if can't send mail ----------------------+------------------------------- Reporter: drmckay | Owner: Type: Problem | Status: needs information Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------------- Changes (by seth): * status: new => needs information Comment: You're going to have to give more detail. Those two messages are unrelated, the crash (or unexpected termination) was almost certainly not due to the sendmail command not being configured on your box. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Jan 28 09:36:27 2013 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Mon, 28 Jan 2013 17:36:27 -0000 Subject: [Bro-Dev] #478: Move BinPAC docs over to new server In-Reply-To: <047.826126acda25dd38cf616630391698f4@tracker.bro-ids.org> References: <047.826126acda25dd38cf616630391698f4@tracker.bro-ids.org> Message-ID: <062.4c4564988ecb03aae6407c6fa1f915c1@tracker.bro-ids.org> #478: Move BinPAC docs over to new server -----------------------------+---------------------- Reporter: robin | Owner: dnthayer Type: Problem | Status: assigned Priority: Normal | Milestone: Bro2.2 Component: Website / Wiki | Version: Resolution: | Keywords: -----------------------------+---------------------- Changes (by seth): * owner: seth => dnthayer * status: new => assigned Comment: I had heard that the documentation had been moved over, but it appears that's not completely true. Daniel, I think you moved some of the documentation over.. could you move these docs over as well? http://www-old.bro-ids.org/wiki/index.php/BinPAC_Userguide -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Tue Jan 29 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 29 Jan 2013 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301290800.r0T803tA000414@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 928 [1] | matthias | seth  | Normal | Incorporate ICSI certificate notary into SSL logging
Bro       | 938 [2] | seth     |       | Normal | topic/seth/software-version-updates Updates to vulnerable software checking. [3]
Broccoli  | 937 [4] | seth     | robin | Normal | topic/seth/sendpackets: A test program for sending packets through Broccoli. [5]

[1] #928: http://tracker.bro-ids.org/bro/ticket/928
[2] #938: http://tracker.bro-ids.org/bro/ticket/938
[3] software-version-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/software-version-updates
[4] #937: http://tracker.bro-ids.org/bro/ticket/937
[5] sendpackets:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbroccoli&old=master&new_path=%2Fbroccoli&new=topic/seth/sendpackets:

From noreply at bro-ids.org Wed Jan 30 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 30 Jan 2013 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301300800.r0U803SJ025273@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 928 [1] | matthias | seth  | Normal | Incorporate ICSI certificate notary into SSL logging
Bro       | 938 [2] | seth     |       | Normal | topic/seth/software-version-updates Updates to vulnerable software checking. [3]
Broccoli  | 937 [4] | seth     | robin | Normal | topic/seth/sendpackets: A test program for sending packets through Broccoli. [5]

[1] #928: http://tracker.bro-ids.org/bro/ticket/928
[2] #938: http://tracker.bro-ids.org/bro/ticket/938
[3] software-version-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/software-version-updates
[4] #937: http://tracker.bro-ids.org/bro/ticket/937
[5] sendpackets:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbroccoli&old=master&new_path=%2Fbroccoli&new=topic/seth/sendpackets:

From bro at tracker.bro-ids.org Wed Jan 30 14:40:00 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 30 Jan 2013 22:40:00 -0000
Subject: [Bro-Dev] #934: GPRS Tunneling Protocol (GTP) Analyzer
In-Reply-To: <053.e35358da3dd6bfe2ce077946ca6f01bd@tracker.bro-ids.org>
References: <053.e35358da3dd6bfe2ce077946ca6f01bd@tracker.bro-ids.org>
Message-ID: <068.ec98691fc4ced956749a1bbde9b3d4e1@tracker.bro-ids.org>

#934: GPRS Tunneling Protocol (GTP) Analyzer
------------------------------+-----------------------------------------
  Reporter:  liamrandall      |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:  GTP GPRS Tunneling Protocol
------------------------------+-----------------------------------------

Comment (by jsiwek):

 Replying to [comment:2 liamrandall]:
 > GTP-C and GTP-U should probably both be handled and logged. For
 > example, GTP-C (control plane) might want to log PDP setup,
 > modifications and tear-downs.

 I'll try to at least add the analyzer/parsing for GTP-C to get some
 events generated for PDP create/update/delete.

 > On GTP-U it does not seem to be decoding the tunneled traffic
 > properly; I'm not seeing analyzers fire for embedded ip4/6, http, etc.

 Can you point me to a specific pcap that doesn't work for you?

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Wed Jan 30 15:40:31 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 30 Jan 2013 23:40:31 -0000
Subject: [Bro-Dev] #938: robin (was: topic/seth/software-version-updates Updates to vulnerable software checking.)
In-Reply-To: <047.618e6bbadcf6aef8dacc8730c2c4b08a@tracker.bro-ids.org>
References: <047.618e6bbadcf6aef8dacc8730c2c4b08a@tracker.bro-ids.org>
Message-ID: <062.b02f4135345abe1735e571b51930bc08@tracker.bro-ids.org>

#938: robin
----------------------+------------------------
  Reporter:  robin    |      Owner:  seth
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  robin
----------------------+------------------------
Changes (by robin):

 * status:  new => assigned
 * reporter:  seth => robin
 * cc: robin (added)
 * owner:  => seth
 * keywords:  => robin
 * type:  Merge Request => Problem

Comment:

 Did you run the tests? I see a number of them failing in all three sets
 (btest and the two external)

--
Ticket URL: Bro Tracker Bro Issue Tracker

From noreply at bro-ids.org Thu Jan 31 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 31 Jan 2013 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201301310800.r0V803F7016255@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 928 [1] | matthias | seth  | Normal | Incorporate ICSI certificate notary into SSL logging
Broccoli  | 937 [2] | seth     | robin | Normal | topic/seth/sendpackets: A test program for sending packets through Broccoli. [3]

[1] #928: http://tracker.bro-ids.org/bro/ticket/928
[2] #937: http://tracker.bro-ids.org/bro/ticket/937
[3] sendpackets:: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbroccoli&old=master&new_path=%2Fbroccoli&new=topic/seth/sendpackets: