From noreply at bro.org Tue Dec 1 00:00:33 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 1 Dec 2015 00:00:33 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512010800.tB180XVd028567@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority    Summary
------------  -----------  -------------  ------------  ----------  -------------  ----------  --------------------------------------------------------------
BIT-1511 [1]  BroControl   Nicolas Merle  Justin Azoff  2015-11-25  2.5            Normal      BroControl unable to recognize ifconfig output in some locales
BIT-1489 [2]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal      topic/dnthayer/ticket1396 [3]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [4]  bro          albertzaharovits [5]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [6]
#1 [7]   broctl       J-Gras [8]            2015-10-24  Added support for Pcap options [9]

[1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511
[2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[4] Pull Request #46 https://github.com/bro/bro/pull/46
[5] albertzaharovits https://github.com/albertzaharovits
[6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[7] Pull Request #1 https://github.com/bro/broctl/pull/1
[8] J-Gras https://github.com/J-Gras
[9] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Tue Dec 1 07:56:00 2015
From: jira at bro-tracker.atlassian.net (Mark Fernandez (JIRA))
Date: Tue, 1 Dec 2015 09:56:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-939) HTTP parser refact &
redesign required
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23100#comment-23100 ]

Mark Fernandez commented on BIT-939:
------------------------------------

My comments are based on Bro v2.4.1 source code.

> HTTP parser refact & redesign required
> --------------------------------------
>
> Key: BIT-939
> URL: https://bro-tracker.atlassian.net/browse/BIT-939
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: drmckay
> Fix For: 2.5
>
>
> Hi,
> In the HTTP parser implementation you following an old, obsoleted rfc from 1999. There is a newer version: http://tools.ietf.org/html/rfc3986
> Please, review and refact your code (unescapeURI() redesign also needed, to minimalize false positives).
> Thanks.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

From vlad at grigorescu.org Tue Dec 1 08:15:47 2015
From: vlad at grigorescu.org (Vlad Grigorescu)
Date: Tue, 1 Dec 2015 10:15:47 -0600
Subject: [Bro-Dev] Parse LDAP messages from a pcap
In-Reply-To:
References:
Message-ID:

Zakaria,

There's no LDAP analyzer in Bro. LDAP is not a simple protocol, but if you'd like to try writing an analyzer, you might want to check out the following resources:

https://www.bro.org/development/howtos/binpac-sample-analyzer.html
https://www.youtube.com/watch?v=1eDIl9y6ZnM

Best,

--Vlad

On Wed, Nov 25, 2015 at 12:44 PM, Zakaria Hili wrote:

> Hello,
>
> I need to parse LDAP messages from a pcap. So what I did is I tried to
> search for some Bro's events of LDAP but I failed. So I was wondering if
> there's some and that I missed them. If no, how can I then code a dissector
> of ldap easily so I could use it in events that I have to implement?
>
> Thank you for your help and keep up the good work!
>
>
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20151201/c2b99da1/attachment.html

From jira at bro-tracker.atlassian.net Tue Dec 1 13:11:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 1 Dec 2015 15:11:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-939) HTTP parser refact & redesign required
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-939?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-939:
-----------------------------
Status: Reopened (was: Closed)
Resolution: (was: Incomplete)

> HTTP parser refact & redesign required
> --------------------------------------
>
> Key: BIT-939
> URL: https://bro-tracker.atlassian.net/browse/BIT-939
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: drmckay
> Fix For: 2.5
>
>
> Hi,
> In the HTTP parser implementation you following an old, obsoleted rfc from 1999. There is a newer version: http://tools.ietf.org/html/rfc3986
> Please, review and refact your code (unescapeURI() redesign also needed, to minimalize false positives).
> Thanks.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

From jira at bro-tracker.atlassian.net Tue Dec 1 13:12:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 1 Dec 2015 15:12:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-939) HTTP parser refact & redesign required
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23101#comment-23101 ]

Robin Sommer commented on BIT-939:
----------------------------------

Yeah, this sounds right. I'll earmark it for 2.5 so that it stays on the radar.

> HTTP parser refact & redesign required
> --------------------------------------
>
> Key: BIT-939
> URL: https://bro-tracker.atlassian.net/browse/BIT-939
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: drmckay
> Fix For: 2.5
>
>
> Hi,
> In the HTTP parser implementation you following an old, obsoleted rfc from 1999. There is a newer version: http://tools.ietf.org/html/rfc3986
> Please, review and refact your code (unescapeURI() redesign also needed, to minimalize false positives).
> Thanks.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

From jira at bro-tracker.atlassian.net Tue Dec 1 13:18:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 1 Dec 2015 15:18:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23102#comment-23102 ]

Johanna Amann commented on BIT-1506:
------------------------------------

I pushed an updated version of the installation instructions to topic/johanna/os-x-openssl; they now mention openssl as an additional requirement for OS X versions < 10.11, besides caf and swig.

I also removed the outdated information about mac binaries (which we no longer provide, even for the current release)

Could someone perhaps take a short look at that and just merge it if it looks ok?

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
> Key: BIT-1506
> URL: https://bro-tracker.atlassian.net/browse/BIT-1506
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

From noreply at bro.org Wed Dec 2 00:00:26 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 2 Dec 2015 00:00:26 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512020800.tB280QUd019497@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority    Summary
------------  -----------  -------------  ------------  ----------  -------------  ----------  --------------------------------------------------------------
BIT-1511 [1]  BroControl   Nicolas Merle  Justin Azoff  2015-11-25  2.5            Normal      BroControl unable to recognize ifconfig output in some locales
BIT-1489 [2]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal      topic/dnthayer/ticket1396 [3]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [4]  bro          albertzaharovits [5]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [6]
#1 [7]   broctl       J-Gras [8]            2015-10-24  Added support for Pcap options [9]

[1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511
[2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[4] Pull Request #46 https://github.com/bro/bro/pull/46
[5] albertzaharovits https://github.com/albertzaharovits
[6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[7] Pull Request #1 https://github.com/bro/broctl/pull/1
[8] J-Gras https://github.com/J-Gras
[9] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Wed Dec 2 07:09:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 2 Dec 2015 09:09:00
-0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1502:
---------------------------
Status: Open (was: Merge Request)

> X509 doesn't log all certificates
> ---------------------------------
>
> Key: BIT-1502
> URL: https://bro-tracker.atlassian.net/browse/BIT-1502
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: test setup
> Reporter: Gavin Spearhead
> Labels: ssl
> Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

From jira at bro-tracker.atlassian.net Wed Dec 2 07:09:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 2 Dec 2015 09:09:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1502:
---------------------------
Resolution: Cannot Reproduce
Status: Closed (was: Open)

I'm going to close this ticket since it's now working for you and we're unable to reproduce your problem.

> X509 doesn't log all certificates
> ---------------------------------
>
> Key: BIT-1502
> URL: https://bro-tracker.atlassian.net/browse/BIT-1502
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: test setup
> Reporter: Gavin Spearhead
> Labels: ssl
> Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

From jira at bro-tracker.atlassian.net Wed Dec 2 07:09:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 2 Dec 2015 09:09:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1502:
---------------------------
Status: Merge Request (was: Open)
Assignee: (was: Johanna Amann)

> X509 doesn't log all certificates
> ---------------------------------
>
> Key: BIT-1502
> URL: https://bro-tracker.atlassian.net/browse/BIT-1502
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: test setup
> Reporter: Gavin Spearhead
> Labels: ssl
> Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
> E.g.
https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

From noreply at bro.org Thu Dec 3 00:00:30 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 3 Dec 2015 00:00:30 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512030800.tB380U24015471@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority    Summary
------------  -----------  -------------  ------------  ----------  -------------  ----------  --------------------------------------------------------------
BIT-1511 [1]  BroControl   Nicolas Merle  Justin Azoff  2015-11-25  2.5            Normal      BroControl unable to recognize ifconfig output in some locales
BIT-1489 [2]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal      topic/dnthayer/ticket1396 [3]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [4]  bro          albertzaharovits [5]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [6]
#1 [7]   broctl       J-Gras [8]            2015-10-24  Added support for Pcap options [9]

[1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511
[2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[4] Pull Request #46 https://github.com/bro/bro/pull/46
[5] albertzaharovits https://github.com/albertzaharovits
[6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[7] Pull Request #1 https://github.com/bro/broctl/pull/1
[8] J-Gras https://github.com/J-Gras
[9] Merge Pull Request #1 with git pull --no-ff --no-commit
https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Fri Dec 4 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 4 Dec 2015 00:00:24 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512040800.tB480OwZ020918@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority    Summary
------------  -----------  -------------  ------------  ----------  -------------  ----------  --------------------------------------------------------------
BIT-1511 [1]  BroControl   Nicolas Merle  Justin Azoff  2015-11-25  2.5            Normal      BroControl unable to recognize ifconfig output in some locales
BIT-1489 [2]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal      topic/dnthayer/ticket1396 [3]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [4]  bro          albertzaharovits [5]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [6]
#1 [7]   broctl       J-Gras [8]            2015-10-24  Added support for Pcap options [9]

[1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511
[2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[4] Pull Request #46 https://github.com/bro/bro/pull/46
[5] albertzaharovits https://github.com/albertzaharovits
[6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[7] Pull Request #1 https://github.com/bro/broctl/pull/1
[8] J-Gras https://github.com/J-Gras
[9] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Fri Dec 4 16:46:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 4 Dec 2015 18:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23104#comment-23104 ]

Robin Sommer commented on BIT-1506:
-----------------------------------

I this ready? I don't see the branch.

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
> Key: BIT-1506
> URL: https://bro-tracker.atlassian.net/browse/BIT-1506
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

From jira at bro-tracker.atlassian.net Fri Dec 4 16:46:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 4 Dec 2015 18:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23104#comment-23104 ]

Robin Sommer edited comment on BIT-1506 at 12/4/15 6:45 PM:
------------------------------------------------------------

Is this ready? I don't see the branch.

was (Author: robin):
I this ready? I don't see the branch.

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
> Key: BIT-1506
> URL: https://bro-tracker.atlassian.net/browse/BIT-1506
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

From jira at bro-tracker.atlassian.net Fri Dec 4 16:57:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 4 Dec 2015 18:57:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23105#comment-23105 ]

Johanna Amann commented on BIT-1506:
------------------------------------

Should be pushed - https://github.com/bro/bro/tree/topic/johanna/os-x-openssl

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
> Key: BIT-1506
> URL: https://bro-tracker.atlassian.net/browse/BIT-1506
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)

From noreply at bro.org Sat Dec 5 00:00:44 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 5 Dec 2015 00:00:44 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512050800.tB580ioM003564@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority    Summary
------------  -----------  -------------  ------------  ----------  -------------  ----------  --------------------------------------------------------------
BIT-1511 [1]  BroControl   Nicolas Merle  Justin Azoff  2015-11-25  2.5            Normal      BroControl unable to recognize ifconfig output in some locales
BIT-1489 [2]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal      topic/dnthayer/ticket1396 [3]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#48 [4]  bro          aeppert [5]           2015-12-04  Update windows-version-detection.bro [6]
#46 [7]  bro          albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]  broctl       J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511
[2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[4] Pull Request #48 https://github.com/bro/bro/pull/48
[5] aeppert https://github.com/aeppert
[6] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1
[7] Pull Request #46 https://github.com/bro/bro/pull/46
[8] albertzaharovits https://github.com/albertzaharovits
[9] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10] Pull Request #1 https://github.com/bro/broctl/pull/1
[11] J-Gras
https://github.com/J-Gras
[12] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Sun Dec 6 00:00:26 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 6 Dec 2015 00:00:26 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512060800.tB680Qon024626@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority    Summary
------------  -----------  -------------  ------------  ----------  -------------  ----------  --------------------------------------------------------------
BIT-1511 [1]  BroControl   Nicolas Merle  Justin Azoff  2015-11-25  2.5            Normal      BroControl unable to recognize ifconfig output in some locales
BIT-1489 [2]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal      topic/dnthayer/ticket1396 [3]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#48 [4]  bro          aeppert [5]           2015-12-04  Update windows-version-detection.bro [6]
#46 [7]  bro          albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]  broctl       J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511
[2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[4] Pull Request #48 https://github.com/bro/bro/pull/48
[5] aeppert https://github.com/aeppert
[6] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1
[7] Pull Request #46 https://github.com/bro/bro/pull/46
[8] albertzaharovits https://github.com/albertzaharovits
[9] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10] Pull Request #1
https://github.com/bro/broctl/pull/1
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Mon Dec 7 00:00:28 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 7 Dec 2015 00:00:28 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512070800.tB780SOp008185@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority    Summary
------------  -----------  -------------  ------------  ----------  -------------  ----------  --------------------------------------------------------------
BIT-1511 [1]  BroControl   Nicolas Merle  Justin Azoff  2015-11-25  2.5            Normal      BroControl unable to recognize ifconfig output in some locales
BIT-1489 [2]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal      topic/dnthayer/ticket1396 [3]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#48 [4]  bro          aeppert [5]           2015-12-04  Update windows-version-detection.bro [6]
#46 [7]  bro          albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]  broctl       J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511
[2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[4] Pull Request #48 https://github.com/bro/bro/pull/48
[5] aeppert https://github.com/aeppert
[6] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1
[7] Pull Request #46 https://github.com/bro/bro/pull/46
[8] albertzaharovits https://github.com/albertzaharovits
[9] Merge Pull Request #46 with git pull --no-ff --no-commit
https://github.com/albertzaharovits/bro.git master
[10] Pull Request #1 https://github.com/bro/broctl/pull/1
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Tue Dec 8 00:00:38 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 8 Dec 2015 00:00:38 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512080800.tB880cem031863@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority    Summary
------------  -----------  -------------  ------------  ----------  -------------  ----------  --------------------------------------------------------------
BIT-1511 [1]  BroControl   Nicolas Merle  Justin Azoff  2015-11-25  2.5            Normal      BroControl unable to recognize ifconfig output in some locales
BIT-1489 [2]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal      topic/dnthayer/ticket1396 [3]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#48 [4]  bro          aeppert [5]           2015-12-04  Update windows-version-detection.bro [6]
#46 [7]  bro          albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]  broctl       J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511
[2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[4] Pull Request #48 https://github.com/bro/bro/pull/48
[5] aeppert https://github.com/aeppert
[6] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1
[7] Pull Request #46 https://github.com/bro/bro/pull/46
[8] albertzaharovits https://github.com/albertzaharovits
[9] Merge
Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10] Pull Request #1 https://github.com/bro/broctl/pull/1
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Tue Dec 8 10:23:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 8 Dec 2015 12:23:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1511) BroControl unable to recognize ifconfig output in some locales
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff updated BIT-1511:
------------------------------
Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

> BroControl unable to recognize ifconfig output in some locales
> --------------------------------------------------------------
>
> Key: BIT-1511
> URL: https://bro-tracker.atlassian.net/browse/BIT-1511
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 2.3
> Environment: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1+deb8u6 (2015-11-09) x86_64 GNU/Linux Debian Jessie
> Reporter: Nicolas Merle
> Assignee: Justin Azoff
> Labels: broctl, ifconfig
> Fix For: 2.5
>
>
> Since recently, ifconfig in debian show ip address starting with "adr" and not "addr" as before and so when using ''BroCtl check'' in a local cluster configuration, it doesn't work and you get the error : "Error: must run broctl only on manager node broctl check"

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Tue Dec 8 11:35:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 8 Dec 2015 13:35:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396
In-Reply-To:
References:
Message-ID:

[
https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23200#comment-23200 ]

Justin Azoff commented on BIT-1489:
-----------------------------------

This looks pretty good, though it's a bit large.

One thing I do notice, that is even more apparent when looking at diffs, is what we need to use namedtuple more. Lines like this:

{code}
cmds = [(node, postterminate, [node.type, node.cwd(), "crash"]) for node in nodes]
{code}

are pretty hard to understand right now. We have the whole CmdResult thing now, we should probably add a CmdRequest type namedtuple so that line could look like

{code}
cmds = [CmdRequest(host=node, cmd=postterminate, args[node.type, node.cwd(), "crash"]) for node in nodes]
{code}

though probably wrapped better.

also I see some other changes:

{code} - for (n, status) in res: - if not status: - orig.add(n.name) + for r in res: + # if status is Fail, then add the node name + if not r[1]: + orig.add(r[0].name) {code}

if 'res' was a list of namedtuples for ("node", "status", "output") that could be

{code} + for r in res: + # if status is Fail, then add the node name + if not r.status: + orig.add(r.node.name) {code}

> topic/dnthayer/ticket1396
> -------------------------
>
> Key: BIT-1489
> URL: https://bro-tracker.atlassian.net/browse/BIT-1489
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Daniel Thayer
> Assignee: Justin Azoff
> Fix For: 2.5
>
>
> Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended
> to address BIT-1396 (logs disappearing on broctl restart). Most of the commits
> in this branch are aimed at making it easier to diagnose such problems
> in the future.
The most user-visible changes are: > 1) post-terminate will now send an email if it fails to archive any logs, > 2) post-terminate will now re-try to archive logs that previously failed to be archived, > 3) improvements to some error messages, > 4) better sanity checking of config values, > 5) significant improvements to the broctl README -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Tue Dec 8 12:21:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Tue, 8 Dec 2015 14:21:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23200#comment-23200 ] Justin Azoff edited comment on BIT-1489 at 12/8/15 2:20 PM: ------------------------------------------------------------ This looks pretty good, though it's a bit large. One thing I do notice, that is even more apparent when looking at diffs, is what we need to use namedtuple more. Lines like this: {code} cmds = [(node, postterminate, [node.type, node.cwd(), "crash"]) for node in nodes] {code} are pretty hard to understand right now. We have the whole CmdResult thing now, we should probably add a CmdRequest type namedtuple so that line could look like {code} cmds = [CmdRequest(host=node, cmd=postterminate, args=[node.type, node.cwd(), "crash"]) for node in nodes] {code} though probably wrapped better. 
also I see some other changes: {code} - for (n, status) in res: - if not status: - orig.add(n.name) + for r in res: + # if status is Fail, then add the node name + if not r[1]: + orig.add(r[0].name) {code} if 'res' was a list of namedtuples for ("node", "status", "output") that could be {code} + for r in res: + # if status is Fail, then add the node name + if not r.status: + orig.add(r.node.name) {code} was (Author: jazoff): This looks pretty good, though it's a bit large. One thing I do notice, that is even more apparent when looking at diffs, is what we need to use namedtuple more. Lines like this: {code} cmds = [(node, postterminate, [node.type, node.cwd(), "crash"]) for node in nodes] {code} are pretty hard to understand right now. We have the whole CmdResult thing now, we should probably add a CmdRequest type namedtuple so that line could look like {code} cmds = [CmdRequest(host=node, cmd=postterminate, args[node.type, node.cwd(), "crash"]) for node in nodes] {code} though probably wrapped better. also I see some other changes: {code} - for (n, status) in res: - if not status: - orig.add(n.name) + for r in res: + # if status is Fail, then add the node name + if not r[1]: + orig.add(r[0].name) {code} if 'res' was a list of namedtuples for ("node", "status", "output") that could be {code} + for r in res: + # if status is Fail, then add the node name + if not r.status: + orig.add(r.node.name) {code} > topic/dnthayer/ticket1396 > ------------------------- > > Key: BIT-1489 > URL: https://bro-tracker.atlassian.net/browse/BIT-1489 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Assignee: Justin Azoff > Fix For: 2.5 > > > Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended > to address BIT-1396 (logs disappearing on broctl restart). Most of the commits > in this branch are aimed at making it easier to diagnose such problems > in the future. 
The most user-visible changes are: > 1) post-terminate will now send an email if it fails to archive any logs, > 2) post-terminate will now re-try to archive logs that previously failed to be archived, > 3) improvements to some error messages, > 4) better sanity checking of config values, > 5) significant improvements to the broctl README -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From noreply at bro.org Wed Dec 9 00:00:37 2015 From: noreply at bro.org (Merge Tracker) Date: Wed, 9 Dec 2015 00:00:37 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512090800.tB980bwR031345@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- ----------------------------- BIT-1489 [1] BroControl Daniel Thayer Justin Azoff 2015-12-08 2.5 Normal topic/dnthayer/ticket1396 [2] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #48 [3] bro aeppert [4] 2015-12-04 Update windows-version-detection.bro [5] #46 [6] bro albertzaharovits [7] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [8] #1 [9] broctl J-Gras [10] 2015-10-24 Added support for Pcap options [11] [1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [3] Pull Request #48 https://github.com/bro/bro/pull/48 [4] aeppert https://github.com/aeppert [5] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1 [6] Pull Request #46 https://github.com/bro/bro/pull/46 [7] albertzaharovits https://github.com/albertzaharovits [8] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git 
master [9] Pull Request #1 https://github.com/bro/broctl/pull/1 [10] J-Gras https://github.com/J-Gras [11] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From jira at bro-tracker.atlassian.net Wed Dec 9 11:15:00 2015 From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA)) Date: Wed, 9 Dec 2015 13:15:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1507) Intel framework does not match mail addresses properly In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23300#comment-23300 ] Jan Grashoefer commented on BIT-1507: ------------------------------------- Having a look at this issue I noticed another problem with SMTP: Bro assumes that e.g. the To-field contains a comma-separated list of mail-addresses. According to [RFC 5322|https://tools.ietf.org/html/rfc5322#section-3.6.3] there is also the possibility to use groups (see below). {code} To: "Test Group":,; {code} Regarding groups I am not sure whether they can be nested. If I am not mistaken, the [grammar|https://tools.ietf.org/html/rfc5322#section-3.4] in the RFC would allow nested groups. But for my understanding this is not desired for the Destination Address Fields: {quote} the field name, which is either "To", "Cc", or "Bcc", followed by a comma-separated list of one or more addresses (either mailbox or group syntax) {quote} That leads to two questions for me: # Would it be sufficient for Bro to extract just the addresses (usually whats inside < and >) without full names (description quoted with " )? # If full names are desired, should Bro support nested group-syntax? I think option 1 (just log the plain addresses) should be sufficient, because if someone is interested in more details, he could have a look at the raw headers himself. What do you think about that? 
> Intel framework does not match mail addresses properly > ------------------------------------------------------ > > Key: BIT-1507 > URL: https://bro-tracker.atlassian.net/browse/BIT-1507 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: All > Reporter: Jan Grashoefer > Priority: Low > Labels: intel-framework > > Some time ago someone in #bro asked for matching mail addresses using the intel-framework. We realized, that the [seen-script|https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/smtp.bro] seems to contain a bug: Using {code}split_string_n(mail_address, /<.+>/, T, 1){code} to extract a mail address misses the last character and does not respect the possibility of multiple addresses. > I will add a pcap later. -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From noreply at bro.org Thu Dec 10 00:00:24 2015 From: noreply at bro.org (Merge Tracker) Date: Thu, 10 Dec 2015 00:00:24 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512100800.tBA80OwI020442@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- ----------------------------- BIT-1489 [1] BroControl Daniel Thayer Justin Azoff 2015-12-08 2.5 Normal topic/dnthayer/ticket1396 [2] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #48 [3] bro aeppert [4] 2015-12-04 Update windows-version-detection.bro [5] #46 [6] bro albertzaharovits [7] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [8] #1 [9] broctl J-Gras [10] 2015-10-24 Added support for Pcap options [11] [1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [2] ticket1396 
https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [3] Pull Request #48 https://github.com/bro/bro/pull/48 [4] aeppert https://github.com/aeppert [5] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1 [6] Pull Request #46 https://github.com/bro/bro/pull/46 [7] albertzaharovits https://github.com/albertzaharovits [8] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [9] Pull Request #1 https://github.com/bro/broctl/pull/1 [10] J-Gras https://github.com/J-Gras [11] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From jira at bro-tracker.atlassian.net Thu Dec 10 14:10:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 10 Dec 2015 16:10:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23301#comment-23301 ] Daniel Thayer commented on BIT-1489: ------------------------------------ In the second example, I've now simplified the code. For the first example, that one would need code changes in numerous places, and it isn't actually related to any changes in this branch, so I'd prefer to work on that in a different branch. > topic/dnthayer/ticket1396 > ------------------------- > > Key: BIT-1489 > URL: https://bro-tracker.atlassian.net/browse/BIT-1489 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Assignee: Justin Azoff > Fix For: 2.5 > > > Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended > to address BIT-1396 (logs disappearing on broctl restart). Most of the commits > in this branch are aimed at making it easier to diagnose such problems > in the future. 
The most user-visible changes are: > 1) post-terminate will now send an email if it fails to archive any logs, > 2) post-terminate will now re-try to archive logs that previously failed to be archived, > 3) improvements to some error messages, > 4) better sanity checking of config values, > 5) significant improvements to the broctl README -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Thu Dec 10 14:19:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Thu, 10 Dec 2015 16:19:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23302#comment-23302 ] Justin Azoff commented on BIT-1489: ----------------------------------- Sounds good. I'll give the code another read through tomorrow and get it merged. as for the possibility of another branch, I think we should look into any place where things like [0] or [1] appear, and where we have for loops that unpack tuples. 'for a,b,c in lst' is better than using [0], [1], [2], but then it makes it hard to add or remove a field without changing multiple things. > topic/dnthayer/ticket1396 > ------------------------- > > Key: BIT-1489 > URL: https://bro-tracker.atlassian.net/browse/BIT-1489 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Assignee: Justin Azoff > Fix For: 2.5 > > > Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended > to address BIT-1396 (logs disappearing on broctl restart). Most of the commits > in this branch are aimed at making it easier to diagnose such problems > in the future. 
The most user-visible changes are: > 1) post-terminate will now send an email if it fails to archive any logs, > 2) post-terminate will now re-try to archive logs that previously failed to be archived, > 3) improvements to some error messages, > 4) better sanity checking of config values, > 5) significant improvements to the broctl README -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From noreply at bro.org Fri Dec 11 00:00:26 2015 From: noreply at bro.org (Merge Tracker) Date: Fri, 11 Dec 2015 00:00:26 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512110800.tBB80QXQ024702@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- ----------------------------- BIT-1489 [1] BroControl Daniel Thayer Justin Azoff 2015-12-10 2.5 Normal topic/dnthayer/ticket1396 [2] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #48 [3] bro aeppert [4] 2015-12-04 Update windows-version-detection.bro [5] #46 [6] bro albertzaharovits [7] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [8] #1 [9] broctl J-Gras [10] 2015-10-24 Added support for Pcap options [11] [1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [3] Pull Request #48 https://github.com/bro/bro/pull/48 [4] aeppert https://github.com/aeppert [5] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1 [6] Pull Request #46 https://github.com/bro/bro/pull/46 [7] albertzaharovits https://github.com/albertzaharovits [8] Merge Pull Request #46 with git pull --no-ff --no-commit 
https://github.com/albertzaharovits/bro.git master [9] Pull Request #1 https://github.com/bro/broctl/pull/1 [10] J-Gras https://github.com/J-Gras [11] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From jira at bro-tracker.atlassian.net Fri Dec 11 07:28:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Fri, 11 Dec 2015 09:28:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23303#comment-23303 ] Justin Azoff commented on BIT-1489: ----------------------------------- I had one more thought.. where broctl now does: {code} +Unable to archive one or more logs in directory: +${tmp} +Any error messages are in the post-terminate.out file in that directory. {code} Is there any reason why it can't just cat the post-terminate.out file and include it in the email? > topic/dnthayer/ticket1396 > ------------------------- > > Key: BIT-1489 > URL: https://bro-tracker.atlassian.net/browse/BIT-1489 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Assignee: Justin Azoff > Fix For: 2.5 > > > Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended > to address BIT-1396 (logs disappearing on broctl restart). Most of the commits > in this branch are aimed at making it easier to diagnose such problems > in the future. 
The most user-visible changes are: > 1) post-terminate will now send an email if it fails to archive any logs, > 2) post-terminate will now re-try to archive logs that previously failed to be archived, > 3) improvements to some error messages, > 4) better sanity checking of config values, > 5) significant improvements to the broctl README -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Fri Dec 11 08:50:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Fri, 11 Dec 2015 10:50:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23304#comment-23304 ] Daniel Thayer commented on BIT-1489: ------------------------------------ The post-terminate.out file is being generated from the script that sends the email, so if we cat the file at that point, we might not see the entire file contents due to buffering. Besides, if someone receives that email, they're going to need to look in that directory anyway (to see which logs weren't archived, and then to manually archive them). The long-term solution is to change the way we archive logs (for that, I expect we will leverage broctld). > topic/dnthayer/ticket1396 > ------------------------- > > Key: BIT-1489 > URL: https://bro-tracker.atlassian.net/browse/BIT-1489 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Assignee: Justin Azoff > Fix For: 2.5 > > > Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended > to address BIT-1396 (logs disappearing on broctl restart). Most of the commits > in this branch are aimed at making it easier to diagnose such problems > in the future. 
The most user-visible changes are: > 1) post-terminate will now send an email if it fails to archive any logs, > 2) post-terminate will now re-try to archive logs that previously failed to be archived, > 3) improvements to some error messages, > 4) better sanity checking of config values, > 5) significant improvements to the broctl README -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Fri Dec 11 08:55:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Fri, 11 Dec 2015 10:55:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23305#comment-23305 ] Justin Azoff commented on BIT-1489: ----------------------------------- Ah, nevermind then :-) > topic/dnthayer/ticket1396 > ------------------------- > > Key: BIT-1489 > URL: https://bro-tracker.atlassian.net/browse/BIT-1489 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Assignee: Justin Azoff > Fix For: 2.5 > > > Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended > to address BIT-1396 (logs disappearing on broctl restart). Most of the commits > in this branch are aimed at making it easier to diagnose such problems > in the future. 
The most user-visible changes are: > 1) post-terminate will now send an email if it fails to archive any logs, > 2) post-terminate will now re-try to archive logs that previously failed to be archived, > 3) improvements to some error messages, > 4) better sanity checking of config values, > 5) significant improvements to the broctl README -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Fri Dec 11 09:16:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Fri, 11 Dec 2015 11:16:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1489) topic/dnthayer/ticket1396 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Justin Azoff updated BIT-1489: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > topic/dnthayer/ticket1396 > ------------------------- > > Key: BIT-1489 > URL: https://bro-tracker.atlassian.net/browse/BIT-1489 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Assignee: Justin Azoff > Fix For: 2.5 > > > Branch topic/dnthayer/ticket1396 in the broctl repo was originally intended > to address BIT-1396 (logs disappearing on broctl restart). Most of the commits > in this branch are aimed at making it easier to diagnose such problems > in the future. 
The most user-visible changes are: > 1) post-terminate will now send an email if it fails to archive any logs, > 2) post-terminate will now re-try to archive logs that previously failed to be archived, > 3) improvements to some error messages, > 4) better sanity checking of config values, > 5) significant improvements to the broctl README -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Fri Dec 11 10:54:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Fri, 11 Dec 2015 12:54:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days. In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer reassigned BIT-1490: ---------------------------------- Assignee: Justin Azoff > Need ability to expire logs with more granularity than #days. > ------------------------------------------------------------- > > Key: BIT-1490 > URL: https://bro-tracker.atlassian.net/browse/BIT-1490 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: BroControl > Affects Versions: git/master > Reporter: Seth Hall > Assignee: Justin Azoff > Priority: Low > Fix For: 2.5 > > > There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are. > Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of of the value given so that people could specify things like `10hr` or `5days`. 
-- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Fri Dec 11 10:54:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Fri, 11 Dec 2015 12:54:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days. In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23307#comment-23307 ] Daniel Thayer commented on BIT-1490: ------------------------------------ I've now added a sanity check to prevent users from setting an expire interval that is less than the rotation interval. > Need ability to expire logs with more granularity than #days. > ------------------------------------------------------------- > > Key: BIT-1490 > URL: https://bro-tracker.atlassian.net/browse/BIT-1490 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: BroControl > Affects Versions: git/master > Reporter: Seth Hall > Assignee: Daniel Thayer > Priority: Low > Fix For: 2.5 > > > There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are. > Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of of the value given so that people could specify things like `10hr` or `5days`. -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Fri Dec 11 10:54:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Fri, 11 Dec 2015 12:54:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days. 
In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1490: ------------------------------- Status: Merge Request (was: Open) Assignee: (was: Daniel Thayer) > Need ability to expire logs with more granularity than #days. > ------------------------------------------------------------- > > Key: BIT-1490 > URL: https://bro-tracker.atlassian.net/browse/BIT-1490 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: BroControl > Affects Versions: git/master > Reporter: Seth Hall > Priority: Low > Fix For: 2.5 > > > There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are. > Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of of the value given so that people could specify things like `10hr` or `5days`. 
-- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Fri Dec 11 11:55:00 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Fri, 11 Dec 2015 13:55:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1506: ------------------------------- Status: Merge Request (was: Open) > Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal > --------------------------------------------------------------------------- > > Key: BIT-1506 > URL: https://bro-tracker.atlassian.net/browse/BIT-1506 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Fix For: 2.5 > > > It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X > 10.11), and now Bro fails to build on OS X. Apple's recommendation is > that we either include a copy of OpenSSL ourselves or we use their > Secure Transport API. 
> [1] - -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From noreply at bro.org Sat Dec 12 00:00:26 2015 From: noreply at bro.org (Merge Tracker) Date: Sat, 12 Dec 2015 00:00:26 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512120800.tBC80Qmh020570@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- --------------- ------------ ---------- ------------- ---------- --------------------------------------------------------------------------- BIT-1506 [1] Bro Vlad Grigorescu - 2015-12-11 2.5 Normal Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal BIT-1490 [2] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #48 [3] bro aeppert [4] 2015-12-04 Update windows-version-detection.bro [5] #46 [6] bro albertzaharovits [7] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [8] #1 [9] broctl J-Gras [10] 2015-10-24 Added support for Pcap options [11] [1] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506 [2] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [3] Pull Request #48 https://github.com/bro/bro/pull/48 [4] aeppert https://github.com/aeppert [5] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1 [6] Pull Request #46 https://github.com/bro/bro/pull/46 [7] albertzaharovits https://github.com/albertzaharovits [8] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [9] Pull Request #1 https://github.com/bro/broctl/pull/1 [10] J-Gras https://github.com/J-Gras [11] Merge Pull Request #1 with git 
pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Sun Dec 13 00:00:30 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 13 Dec 2015 00:00:30 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512130800.tBD80U4a020469@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------  ------------  ----------  -----------  --------  ---------------------------------------------------------------------------
BIT-1506 [1]  Bro         Vlad Grigorescu  -             2015-12-11  2.5          Normal    Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
BIT-1490 [2]  BroControl  Seth Hall        Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#48 [3]  bro        aeppert [4]           2015-12-04  Update windows-version-detection.bro [5]
#46 [6]  bro        albertzaharovits [7]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [8]
#1 [9]   broctl     J-Gras [10]           2015-10-24  Added support for Pcap options [11]

[1] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506
[2] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490
[3] Pull Request #48 https://github.com/bro/bro/pull/48
[4] aeppert https://github.com/aeppert
[5] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1
[6] Pull Request #46 https://github.com/bro/bro/pull/46
[7] albertzaharovits https://github.com/albertzaharovits
[8] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[9] Pull Request #1 https://github.com/bro/broctl/pull/1
[10] J-Gras https://github.com/J-Gras
[11] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Mon Dec 14 00:00:38 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 14 Dec 2015 00:00:38 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512140800.tBE80c66010691@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------  ------------  ----------  -----------  --------  ---------------------------------------------------------------------------
BIT-1506 [1]  Bro         Vlad Grigorescu  -             2015-12-11  2.5          Normal    Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
BIT-1490 [2]  BroControl  Seth Hall        Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#48 [3]  bro        aeppert [4]           2015-12-04  Update windows-version-detection.bro [5]
#46 [6]  bro        albertzaharovits [7]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [8]
#1 [9]   broctl     J-Gras [10]           2015-10-24  Added support for Pcap options [11]

[1] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506
[2] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490
[3] Pull Request #48 https://github.com/bro/bro/pull/48
[4] aeppert https://github.com/aeppert
[5] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1
[6] Pull Request #46 https://github.com/bro/bro/pull/46
[7] albertzaharovits https://github.com/albertzaharovits
[8] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[9] Pull Request #1 https://github.com/bro/broctl/pull/1
[10] J-Gras https://github.com/J-Gras
[11] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From vlad at grigorescu.org Mon Dec 14 07:51:40 2015
From: vlad at grigorescu.org (Vlad Grigorescu)
Date: Mon, 14 Dec 2015 09:51:40 -0600
Subject: [Bro-Dev] Better Handling of User Agents in Software Framework
Message-ID:

I'm not thrilled with how user agents are being handled right now, and I'm curious to get some thoughts. Take, for example, the Safari user-agent string of:

> Safari/11601.3.9 CFNetwork/760.2.6 Darwin/15.2.0 (x86_64)

Right now, this gets parsed as:

> name=Safari,
> version=[
>     major=11601,
>     minor=3,
>     minor2=9,
>     minor3=,
>     addl=CFNetwork/760
> ],
> unparsed_version=Safari/11601.3.9 CFNetwork/760.2.6 Darwin/15.2.0 (x86_64)

RFC 7231 says:

> "The User-Agent field-value consists of one or more product identifiers, each followed by zero or more comments (Section 3.2 of [RFC7230]), which together identify the user agent software and its significant subproducts."

What I would like to see is this user-agent generate three separate entries in software.log:

> Safari 11601.3.9
> CFNetwork 760.2.6
> Darwin 15.2.0 (x86_64)

I think this is a better representation of the software that's actually running on the machine (they're running this version of Safari, this version of the CFNetwork library, and this version of the Darwin kernel).

Taking this to the server-side, given:

> Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8j-fips mod_auth_kerb/5.4 PHP/5.4.13

I'd like to see:

> Apache/2.2.25 (Unix)
> mod_ssl/2.2.25
> OpenSSL/0.9.8j-fips
> mod_auth_kerb/5.4
> PHP/5.4.13

All of those are pieces of software running on that system, and maintaining it as a user-agent is a construct from HTTP, which I don't feel belongs in the software.log.

Another warning sign that this is an area that could use some work is the comment above Software::parse:

> # Don't even try to understand this now, just make sure the tests are working.

Curious to hear thoughts on this.

--Vlad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20151214/0f20f25f/attachment.html

From zakahili at gmail.com Mon Dec 14 08:54:06 2015
From: zakahili at gmail.com (Zakaria Hili)
Date: Mon, 14 Dec 2015 17:54:06 +0100
Subject: [Bro-Dev] OSPF protocol analyzer
Message-ID:

Hello everyone,

I was wondering if it is possible to make an analyzer of OSPF with Binpac. The problem that I face is that OSPF is a layer 4 (there's no tcp or udp below it).

Can anyone give me a solution to my problem?

Regards
Zakaria
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20151214/6ef6576c/attachment.html

From seth at icir.org Mon Dec 14 13:24:48 2015
From: seth at icir.org (Seth Hall)
Date: Mon, 14 Dec 2015 16:24:48 -0500
Subject: [Bro-Dev] Better Handling of User Agents in Software Framework
In-Reply-To:
References:
Message-ID:

> On Dec 14, 2015, at 10:51 AM, Vlad Grigorescu wrote:
>
> I'm not thrilled with how user agents are being handled right now, and I'm curious to get some thoughts. Take, for example, the Safari user-agent string of:

I think your proposal sounds reasonable. I'd go ahead and implement it and see what you think about overload situations since I can easily see the amount of software being tracked quickly get out of hand with that. After it's implemented, get it running on several networks that are willing to run it and see if it causes problems for them. :)

This could be a good time to also implement some better handling around software tracking to avoid obvious DoS issues by doing traffic that causes lots of state being tracked.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From robin at icir.org Mon Dec 14 15:23:41 2015
From: robin at icir.org (Robin Sommer)
Date: Mon, 14 Dec 2015 15:23:41 -0800
Subject: [Bro-Dev] Broker code question
Message-ID: <20151214232341.GD80763@icir.org>

Broker generates these two events in Bro:

    event BrokerComm::outgoing_connection_established(peer_address: string,
                                                      peer_port: port,
                                                      peer_name: string)

    event BrokerComm::incoming_connection_established(peer_name: string)

I was just trying to see if I could add the address and port arguments to the incoming event as well, so that one knows where the connection is coming from.

For the outgoing version, the Broker code stores the information in "outgoing_connection_status", so I tried to add it to the corresponding "incoming_connection_status" as well. But I can't seem to find a good way to get to the peering information (which has the address and port) at the times when that status is created. Any ideas?

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From jira at bro-tracker.atlassian.net Mon Dec 14 16:04:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 14 Dec 2015 18:04:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls
In-Reply-To:
References:
Message-ID:

Johanna Amann created BIT-1513:
----------------------------------

             Summary: Please merge topic/johanna/irc-starttls
                 Key: BIT-1513
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1513
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
            Reporter: Johanna Amann

Please merge topic/johanna/irc-starttls. This adds StartTLS support to the IRC protocol analyzer.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Mon Dec 14 16:05:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 14 Dec 2015 18:05:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1513:
-------------------------------
    Status: Merge Request (was: Open)

> Please merge topic/johanna/irc-starttls
> ---------------------------------------
>
>                 Key: BIT-1513
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1513
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>
> Please merge topic/johanna/irc-starttls. This adds StartTLS support to the IRC protocol analyzer.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-02-030#71001)

From noreply at bro.org Tue Dec 15 00:00:29 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 15 Dec 2015 00:00:29 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512150800.tBF80Tam010532@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------  ------------  ----------  -----------  --------  ---------------------------------------------------------------------------
BIT-1513 [1]  Bro         Johanna Amann    -             2015-12-14  -            Normal    Please merge topic/johanna/irc-starttls
BIT-1506 [2]  Bro         Vlad Grigorescu  -             2015-12-11  2.5          Normal    Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
BIT-1490 [3]  BroControl  Seth Hall        Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#48 [4]  bro        aeppert [5]           2015-12-04  Update windows-version-detection.bro [6]
#46 [7]  bro        albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]  broctl     J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1] BIT-1513 https://bro-tracker.atlassian.net/browse/BIT-1513
[2] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506
[3] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490
[4] Pull Request #48 https://github.com/bro/bro/pull/48
[5] aeppert https://github.com/aeppert
[6] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1
[7] Pull Request #46 https://github.com/bro/bro/pull/46
[8] albertzaharovits https://github.com/albertzaharovits
[9] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10] Pull Request #1 https://github.com/bro/broctl/pull/1
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From vlad at grigorescu.org Tue Dec 15 07:18:27 2015
From: vlad at grigorescu.org (Vlad Grigorescu)
Date: Tue, 15 Dec 2015 09:18:27 -0600
Subject: [Bro-Dev] Better Handling of User Agents in Software Framework
In-Reply-To:
References:
Message-ID:

The other question I was wondering about is: should this be a BIF? Software::parse is a rather lengthy function, with a lot of string manipulation, which gets called rather frequently. I suspect there'd be some performance improvements for implementing this directly as a BIF.

On Mon, Dec 14, 2015 at 3:24 PM, Seth Hall wrote:

>
> > On Dec 14, 2015, at 10:51 AM, Vlad Grigorescu wrote:
> >
> > I'm not thrilled with how user agents are being handled right now, and I'm curious to get some thoughts. Take, for example, the Safari user-agent string of:
>
> I think your proposal sounds reasonable. I'd go ahead and implement it and see what you think about overload situations since I can easily see the amount of software being tracked quickly get out of hand with that. After it's implemented, get it running on several networks that are willing to run it and see if it causes problems for them. :)
>
> This could be a good time to also implement some better handling around software tracking to avoid obvious DoS issues by doing traffic that causes lots of state being tracked.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20151215/51194007/attachment.html

From seth at icir.org Tue Dec 15 07:23:43 2015
From: seth at icir.org (Seth Hall)
Date: Tue, 15 Dec 2015 10:23:43 -0500
Subject: [Bro-Dev] Better Handling of User Agents in Software Framework
In-Reply-To:
References:
Message-ID: <5B9BFCF3-2429-42EB-879E-E436324F7BCE@icir.org>

> On Dec 15, 2015, at 10:18 AM, Vlad Grigorescu wrote:
>
> The other question I was wondering about is: should this be a BIF? Software::parse is a rather lengthy function, with a lot of string manipulation, which gets called rather frequently. I suspect there'd be some performance improvements for implementing this directly as a BIF.

Ah, possibly. It probably would make sense to measure that first somehow.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From robin at icir.org Tue Dec 15 08:23:25 2015
From: robin at icir.org (Robin Sommer)
Date: Tue, 15 Dec 2015 08:23:25 -0800
Subject: [Bro-Dev] Better Handling of User Agents in Software Framework
In-Reply-To: <5B9BFCF3-2429-42EB-879E-E436324F7BCE@icir.org>
References: <5B9BFCF3-2429-42EB-879E-E436324F7BCE@icir.org>
Message-ID: <20151215162325.GP80763@icir.org>

On Tue, Dec 15, 2015 at 10:23 -0500, you wrote:

> It probably would make sense to measure that first somehow.

Agree. Would be good to keep it in script-land unless it indeed has a substantial impact (and if so, maybe there are some optimizations to short-cut common cases or so).

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From seth at icir.org Tue Dec 15 08:39:42 2015
From: seth at icir.org (Seth Hall)
Date: Tue, 15 Dec 2015 11:39:42 -0500
Subject: [Bro-Dev] Better Handling of User Agents in Software Framework
In-Reply-To: <20151215162325.GP80763@icir.org>
References: <5B9BFCF3-2429-42EB-879E-E436324F7BCE@icir.org> <20151215162325.GP80763@icir.org>
Message-ID: <91400349-06A8-496F-AB9C-947BBCE9027F@icir.org>

> On Dec 15, 2015, at 11:23 AM, Robin Sommer wrote:
>
> Agree. Would be good to keep it in script-land unless it indeed has a
> substantial impact (and if so, maybe there are some optimizations to
> short-cut common cases or so).

Yep, something along these lines was/is implemented in the core, but that just made it difficult to understand and make changes to.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From robin at icir.org Tue Dec 15 09:23:31 2015
From: robin at icir.org (Robin Sommer)
Date: Tue, 15 Dec 2015 09:23:31 -0800
Subject: [Bro-Dev] OSPF protocol analyzer
In-Reply-To:
References:
Message-ID: <20151215172331.GC80763@icir.org>

On Mon, Dec 14, 2015 at 17:54 +0100, you wrote:

> I was wondering if it is possible to make an analyzer of OSPF with Binpac.

Anything that's not on top of TCP/UDP remains problematic to support in Bro currently, unfortunately. It's less a limitation of BinPAC; the problem is that Bro's lower layers (before BinPAC even comes into the picture) still pretty much hardcode the transport-layer protocols. Changing that has been on the TODO list for a while, but nobody's tackled it yet.

If one just wanted to hack something in to get data to a proof-of-concept OSPF analyzer, that probably wouldn't be too hard. But the real solution would require some internal refactoring first.

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From vern at icir.org Tue Dec 15 20:14:22 2015
From: vern at icir.org (Vern Paxson)
Date: Tue, 15 Dec 2015 20:14:22 -0800
Subject: [Bro-Dev] Better Handling of User Agents in Software Framework
In-Reply-To: <20151215162325.GP80763@icir.org> (Tue, 15 Dec 2015 08:23:25 PST).
Message-ID: <20151216041423.1C8D22C403A@rock.ICSI.Berkeley.EDU>

> ... (and if so, maybe there are some optimizations to
> short-cut common cases or so)

(... and/or: a few key BiFs to add that don't bite off the whole task but accelerate some particular processing)

From noreply at bro.org Wed Dec 16 00:00:34 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 16 Dec 2015 00:00:34 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512160800.tBG80YIg005401@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------------  ------------  ----------  -----------  --------  ---------------------------------------------------------------------------
BIT-1513 [1]  Bro         Johanna Amann    -             2015-12-14  -            Normal    Please merge topic/johanna/irc-starttls
BIT-1506 [2]  Bro         Vlad Grigorescu  -             2015-12-11  2.5          Normal    Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
BIT-1490 [3]  BroControl  Seth Hall        Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#48 [4]  bro        aeppert [5]           2015-12-04  Update windows-version-detection.bro [6]
#46 [7]  bro        albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]  broctl     J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1] BIT-1513 https://bro-tracker.atlassian.net/browse/BIT-1513
[2] BIT-1506 https://bro-tracker.atlassian.net/browse/BIT-1506
[3] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490
[4] Pull Request #48 https://github.com/bro/bro/pull/48
[5] aeppert https://github.com/aeppert
[6] Merge Pull Request #48 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1
[7] Pull Request #46 https://github.com/bro/bro/pull/46
[8] albertzaharovits https://github.com/albertzaharovits
[9] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10] Pull Request #1 https://github.com/bro/broctl/pull/1
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jsiwek at illinois.edu Wed Dec 16 06:09:27 2015
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Wed, 16 Dec 2015 14:09:27 +0000
Subject: [Bro-Dev] Broker code question
In-Reply-To: <20151214232341.GD80763@icir.org>
References: <20151214232341.GD80763@icir.org>
Message-ID: <37B29DD9-394B-400A-8F0C-AC00E492DEBA@illinois.edu>

> On Dec 14, 2015, at 5:23 PM, Robin Sommer wrote:
>
> Broker generates these two events in Bro:
>
>    event BrokerComm::outgoing_connection_established(peer_address: string,
>                                                      peer_port: port,
>                                                      peer_name: string)
>
>    event BrokerComm::incoming_connection_established(peer_name: string)
>
> I was just trying to see if I could add the address and port arguments
> to the incoming event as well, so that one knows where the connection
> is coming from.

Don't think that info is available in Broker due to CAF abstracting it away. Don't remember at the moment how that info can be extracted from CAF. Maybe there's even a simple function to get addr/port of a remote actor, but I also recall lower level networking stuff might be available from within the "broker" class in CAF. If the latter is the recommended way to go, there'd need to be some code factoring in Broker to actually use that "broker" system of CAF.

- Jon

From jira at bro-tracker.atlassian.net Wed Dec 16 13:33:00 2015
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Wed, 16 Dec 2015 15:33:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1514) Test plugins.pktsrc fails
In-Reply-To:
References:
Message-ID:

Jan Grashoefer created BIT-1514:
-----------------------------------

             Summary: Test plugins.pktsrc fails
                 Key: BIT-1514
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1514
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
         Environment: Fedora 23
            Reporter: Jan Grashoefer

The plugins.pktsrc test fails for me. Bro crashes with:
{code}
*** Error in `bro': corrupted double-linked list: 0x0000000003ac10a0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x77e15)[0x7f5c5e23ae15]
/lib64/libc.so.6(+0x7eed8)[0x7f5c5e241ed8]
/lib64/libc.so.6(+0x807a8)[0x7f5c5e2437a8]
/lib64/libc.so.6(cfree+0x4c)[0x7f5c5e246cac]
bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x32)[0x5d3322]
bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
bro(_ZN8BrofilerD1Ev+0x22)[0x5d2162]
/lib64/libc.so.6(+0x39658)[0x7f5c5e1fc658]
/lib64/libc.so.6(+0x396a5)[0x7f5c5e1fc6a5]
/lib64/libc.so.6(__libc_start_main+0xf7)[0x7f5c5e1e3587]
bro(_start+0x29)[0x5ac359]
{code}

The commit ["Use better data structure for storing BPF filters."|https://github.com/bro/bro/commit/6dd32c649b3dcb6ec652366ffaa90966549da008] seems to have introduced the issue. A quick google search indicated that it might be a threading issue.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Wed Dec 16 13:56:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 16 Dec 2015 15:56:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1514) Test plugins.pktsrc fails
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1514:
---------------------------------
    Assignee: Robin Sommer

> Test plugins.pktsrc fails
> -------------------------
>
>                 Key: BIT-1514
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1514
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: Fedora 23
>            Reporter: Jan Grashoefer
>            Assignee: Robin Sommer
>
> The plugins.pktsrc test fails for me. Bro crashes with:
> {code}
> *** Error in `bro': corrupted double-linked list: 0x0000000003ac10a0 ***
> ======= Backtrace: =========
> /lib64/libc.so.6(+0x77e15)[0x7f5c5e23ae15]
> /lib64/libc.so.6(+0x7eed8)[0x7f5c5e241ed8]
> /lib64/libc.so.6(+0x807a8)[0x7f5c5e2437a8]
> /lib64/libc.so.6(cfree+0x4c)[0x7f5c5e246cac]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x32)[0x5d3322]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c] > bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c] > bro(_ZN8BrofilerD1Ev+0x22)[0x5d2162] > /lib64/libc.so.6(+0x39658)[0x7f5c5e1fc658] > /lib64/libc.so.6(+0x396a5)[0x7f5c5e1fc6a5] > /lib64/libc.so.6(__libc_start_main+0xf7)[0x7f5c5e1e3587] > bro(_start+0x29)[0x5ac359] > ======= Memory map: ======== > 00400000-00a35000 r-xp 00000000 fd:01 5378219 /home/jgras/devel/bro/build/src/bro > 00c34000-00c36000 r--p 00634000 fd:01 5378219 /home/jgras/devel/bro/build/src/bro > 00c36000-00c3a000 rw-p 00636000 fd:01 5378219 /home/jgras/devel/bro/build/src/bro > 00c3a000-00c4e000 rw-p 00000000 00:00 0 > 01c02000-03cb7000 rw-p 00000000 00:00 0 [heap] > 7f5c50000000-7f5c50021000 rw-p 00000000 00:00 0 > 7f5c50021000-7f5c54000000 ---p 00000000 00:00 0 > 7f5c577ff000-7f5c57800000 ---p 00000000 00:00 0 > 7f5c57800000-7f5c58000000 rw-p 00000000 00:00 0 > 7f5c58000000-7f5c58021000 rw-p 00000000 00:00 0 > 7f5c58021000-7f5c5c000000 ---p 00000000 00:00 0 > 7f5c5c39c000-7f5c5c39d000 ---p 00000000 00:00 0 > 7f5c5c39d000-7f5c5cb9d000 rw-p 00000000 00:00 0 > 7f5c5cb9d000-7f5c5cba0000 r-xp 00000000 fd:01 5636209 /home/jgras/devel/bro/testing/btest/.tmp/plugins.pktsrc/build/lib/Demo-Foo.linux-x86_64.so > 7f5c5cba0000-7f5c5cda0000 ---p 00003000 fd:01 5636209 /home/jgras/devel/bro/testing/btest/.tmp/plugins.pktsrc/build/lib/Demo-Foo.linux-x86_64.so > 7f5c5cda0000-7f5c5cda1000 r--p 00003000 fd:01 5636209 /home/jgras/devel/bro/testing/btest/.tmp/plugins.pktsrc/build/lib/Demo-Foo.linux-x86_64.so > 7f5c5cda1000-7f5c5cda2000 rw-p 00004000 fd:01 5636209 /home/jgras/devel/bro/testing/btest/.tmp/plugins.pktsrc/build/lib/Demo-Foo.linux-x86_64.so > 7f5c5cda2000-7f5c5cdad000 r-xp 00000000 fd:00 135163 
/usr/lib64/libnss_files-2.22.so > 7f5c5cdad000-7f5c5cfac000 ---p 0000b000 fd:00 135163 /usr/lib64/libnss_files-2.22.so > 7f5c5cfac000-7f5c5cfad000 r--p 0000a000 fd:00 135163 /usr/lib64/libnss_files-2.22.so > 7f5c5cfad000-7f5c5cfae000 rw-p 0000b000 fd:00 135163 /usr/lib64/libnss_files-2.22.so > 7f5c5cfae000-7f5c5cfb4000 rw-p 00000000 00:00 0 > 7f5c5cfb4000-7f5c5d023000 r-xp 00000000 fd:00 139841 /usr/lib64/libpcre.so.1.2.6 > 7f5c5d023000-7f5c5d222000 ---p 0006f000 fd:00 139841 /usr/lib64/libpcre.so.1.2.6 > 7f5c5d222000-7f5c5d223000 r--p 0006e000 fd:00 139841 /usr/lib64/libpcre.so.1.2.6 > 7f5c5d223000-7f5c5d224000 rw-p 0006f000 fd:00 139841 /usr/lib64/libpcre.so.1.2.6 > 7f5c5d224000-7f5c5d243000 r-xp 00000000 fd:00 140062 /usr/lib64/libselinux.so.1 > 7f5c5d243000-7f5c5d443000 ---p 0001f000 fd:00 140062 /usr/lib64/libselinux.so.1 > 7f5c5d443000-7f5c5d444000 r--p 0001f000 fd:00 140062 /usr/lib64/libselinux.so.1 > 7f5c5d444000-7f5c5d445000 rw-p 00020000 fd:00 140062 /usr/lib64/libselinux.so.1 > 7f5c5d445000-7f5c5d447000 rw-p 00000000 00:00 0 > 7f5c5d447000-7f5c5d44a000 r-xp 00000000 fd:00 139791 /usr/lib64/libkeyutils.so.1.5 > 7f5c5d44a000-7f5c5d649000 ---p 00003000 fd:00 139791 /usr/lib64/libkeyutils.so.1.5 > 7f5c5d649000-7f5c5d64a000 r--p 00002000 fd:00 139791 /usr/lib64/libkeyutils.so.1.5 > 7f5c5d64a000-7f5c5d64b000 rw-p 00000000 00:00 0 > 7f5c5d64b000-7f5c5d658000 r-xp 00000000 fd:00 138521 /usr/lib64/libkrb5support.so.0.1 > 7f5c5d658000-7f5c5d858000 ---p 0000d000 fd:00 138521 /usr/lib64/libkrb5support.so.0.1 > 7f5c5d858000-7f5c5d859000 r--p 0000d000 fd:00 138521 /usr/lib64/libkrb5support.so.0.1 > 7f5c5d859000-7f5c5d85a000 rw-p 0000e000 fd:00 138521 /usr/lib64/libkrb5support.so.0.1 > 7f5c5d85a000-7f5c5d889000 r-xp 00000000 fd:00 138510 /usr/lib64/libk5crypto.so.3.1 > 7f5c5d889000-7f5c5da89000 ---p 0002f000 fd:00 138510 /usr/lib64/libk5crypto.so.3.1 > 7f5c5da89000-7f5c5da8b000 r--p 0002f000 fd:00 138510 /usr/lib64/libk5crypto.so.3.1 > 7f5c5da8b000-7f5c5da8c000 rw-p 
00031000 fd:00 138510 /usr/lib64/libk5crypto.so.3.1 > 7f5c5da8c000-7f5c5da8f000 r-xp 00000000 fd:00 139465 /usr/lib64/libcom_err.so.2.1 > 7f5c5da8f000-7f5c5dc8e000 ---p 00003000 fd:00 139465 /usr/lib64/libcom_err.so.2.1 > 7f5c5dc8e000-7f5c5dc8f000 r--p 00002000 fd:00 139465 /usr/lib64/libcom_err.so.2.1 > 7f5c5dc8f000-7f5c5dc90000 rw-p 00003000 fd:00 139465 /usr/lib64/libcom_err.so.2.1 > 7f5c5dc90000-7f5c5dd65000 r-xp 00000000 fd:00 138520 /usr/lib64/libkrb5.so.3.3 > 7f5c5dd65000-7f5c5df64000 ---p 000d5000 fd:00 138520 /usr/lib64/libkrb5.so.3.3 > 7f5c5df64000-7f5c5df73000 r--p 000d4000 fd:00 138520 /usr/lib64/libkrb5.so.3.3 > 7f5c5df73000-7f5c5df75000 rw-p 000e3000 fd:00 138520 /usr/lib64/libkrb5.so.3.3 > 7f5c5df75000-7f5c5dfc0000 r-xp 00000000 fd:00 138399 /usr/lib64/libgssapi_krb5.so.2.2 > 7f5c5dfc0000-7f5c5e1c0000 ---p 0004b000 fd:00 138399 /usr/lib64/libgssapi_krb5.so.2.2 > 7f5c5e1c0000-7f5c5e1c2000 r--p 0004b000 fd:00 138399 /usr/lib64/libgssapi_krb5.so.2.2 > 7f5c5e1c2000-7f5c5e1c3000 rw-p 0004d000 fd:00 138399 /usr/lib64/libgssapi_krb5.so.2.2 > 7f5c5e1c3000-7f5c5e37a000 r-xp 00000000 fd:00 135137 /usr/lib64/libc-2.22.so > 7f5c5e37a000-7f5c5e57a000 ---p 001b7000 fd:00 135137 /usr/lib64/libc-2.22.so > 7f5c5e57a000-7f5c5e57e000 r--p 001b7000 fd:00 135137 /usr/lib64/libc-2.22.so > 7f5c5e57e000-7f5c5e580000 rw-p 001bb000 fd:00 135137 /usr/lib64/libc-2.22.so > 7f5c5e580000-7f5c5e584000 rw-p 00000000 00:00 0 > 7f5c5e584000-7f5c5e59a000 r-xp 00000000 fd:00 139594 /usr/lib64/libgcc_s-5.1.1-20150618.so.1 > 7f5c5e59a000-7f5c5e799000 ---p 00016000 fd:00 139594 /usr/lib64/libgcc_s-5.1.1-20150618.so.1 > 7f5c5e799000-7f5c5e79a000 r--p 00015000 fd:00 139594 /usr/lib64/libgcc_s-5.1.1-20150618.so.1 > 7f5c5e79a000-7f5c5e79b000 rw-p 00016000 fd:00 139594 /usr/lib64/libgcc_s-5.1.1-20150618.so.1 > 7f5c5e79b000-7f5c5e89c000 r-xp 00000000 fd:00 135151 /usr/lib64/libm-2.22.so > 7f5c5e89c000-7f5c5ea9b000 ---p 00101000 fd:00 135151 /usr/lib64/libm-2.22.so > 7f5c5ea9b000-7f5c5ea9c000 
r--p 00100000 fd:00 135151 /usr/lib64/libm-2.22.so > 7f5c5ea9c000-7f5c5ea9d000 rw-p 00101000 fd:00 135151 /usr/lib64/libm-2.22.so > 7f5c5ea9d000-7f5c5ec0f000 r-xp 00000000 fd:00 140108 /usr/lib64/libstdc++.so.6.0.21 > 7f5c5ec0f000-7f5c5ee0f000 ---p 00172000 fd:00 140108 /usr/lib64/libstdc++.so.6.0.21 > 7f5c5ee0f000-7f5c5ee19000 r--p 00172000 fd:00 140108 /usr/lib64/libstdc++.so.6.0.21 > 7f5c5ee19000-7f5c5ee1b000 rw-p 0017c000 fd:00 140108 /usr/lib64/libstdc++.so.6.0.21 > 7f5c5ee1b000-7f5c5ee1f000 rw-p 00000000 00:00 0 > 7f5c5ee1f000-7f5c5eed2000 r-xp 00000000 fd:01 5506756 /home/jgras/devel/actor-framework/build/lib/libcaf_io.so.0.14.4 > 7f5c5eed2000-7f5c5f0d1000 ---p 000b3000 fd:01 5506756 /home/jgras/devel/actor-framework/build/lib/libcaf_io.so.0.14.4 > 7f5c5f0d1000-7f5c5f0d7000 r--p 000b2000 fd:01 5506756 /home/jgras/devel/actor-framework/build/lib/libcaf_io.so.0.14.4 > 7f5c5f0d7000-7f5c5f0d9000 rw-p 000b8000 fd:01 5506756 /home/jgras/devel/actor-framework/build/lib/libcaf_io.so.0.14.4 > 7f5c5f0d9000-7f5c5f1d4000 r-xp 00000000 fd:01 5506715 /home/jgras/devel/actor-framework/build/lib/libcaf_core.so.0.14.4 > 7f5c5f1d4000-7f5c5f3d4000 ---p 000fb000 fd:01 5506715 /home/jgras/devel/actor-framework/build/lib/libcaf_core.so.0.14.4 > 7f5c5f3d4000-7f5c5f3dc000 r--p 000fb000 fd:01 5506715 /home/jgras/devel/actor-framework/build/lib/libcaf_core.so.0.14.4 > 7f5c5f3dc000-7f5c5f3de000 rw-p 00103000 fd:01 5506715 /home/jgras/devel/actor-framework/build/lib/libcaf_core.so.0.14.4 > 7f5c5f3de000-7f5c5f3e1000 r-xp 00000000 fd:00 135144 /usr/lib64/libdl-2.22.so > 7f5c5f3e1000-7f5c5f5e0000 ---p 00003000 fd:00 135144 /usr/lib64/libdl-2.22.so > 7f5c5f5e0000-7f5c5f5e1000 r--p 00002000 fd:00 135144 /usr/lib64/libdl-2.22.so > 7f5c5f5e1000-7f5c5f5e2000 rw-p 00003000 fd:00 135144 /usr/lib64/libdl-2.22.so > 7f5c5f5e2000-7f5c5f5fa000 r-xp 00000000 fd:00 135171 /usr/lib64/libpthread-2.22.so > 7f5c5f5fa000-7f5c5f7f9000 ---p 00018000 fd:00 135171 /usr/lib64/libpthread-2.22.so > 
7f5c5f7f9000-7f5c5f7fa000 r--p 00017000 fd:00 135171 /usr/lib64/libpthread-2.22.so > 7f5c5f7fa000-7f5c5f7fb000 rw-p 00018000 fd:00 135171 /usr/lib64/libpthread-2.22.so > 7f5c5f7fb000-7f5c5f7ff000 rw-p 00000000 00:00 0 > 7f5c5f7ff000-7f5c5fb6f000 r-xp 00000000 fd:01 5375894 /home/jgras/devel/bro/build/aux/broker/libbroker.so.0.4-14.0 > 7f5c5fb6f000-7f5c5fd6e000 ---p 00370000 fd:01 5375894 /home/jgras/devel/bro/build/aux/broker/libbroker.so.0.4-14.0 > 7f5c5fd6e000-7f5c5fd7d000 r--p 0036f000 fd:01 5375894 /home/jgras/devel/bro/build/aux/broker/libbroker.so.0.4-14.0 > 7f5c5fd7d000-7f5c5fd81000 rw-p 0037e000 fd:01 5375894 /home/jgras/devel/bro/build/aux/broker/libbroker.so.0.4-14.0 > 7f5c5fd81000-7f5c5fd82000 rw-p 00000000 00:00 0 > 7f5c5fd82000-7f5c5fdb1000 r-xp 00000000 fd:00 139259 /usr/lib64/libGeoIP.so.1.6.6 > 7f5c5fdb1000-7f5c5ffb1000 ---p 0002f000 fd:00 139259 /usr/lib64/libGeoIP.so.1.6.6 > 7f5c5ffb1000-7f5c5ffb2000 r--p 0002f000 fd:00 139259 /usr/lib64/libGeoIP.so.1.6.6 > 7f5c5ffb2000-7f5c5ffb4000 rw-p 00030000 fd:00 139259 /usr/lib64/libGeoIP.so.1.6.6 > 7f5c5ffb4000-7f5c5ffc9000 r-xp 00000000 fd:00 140295 /usr/lib64/libz.so.1.2.8 > 7f5c5ffc9000-7f5c601c8000 ---p 00015000 fd:00 140295 /usr/lib64/libz.so.1.2.8 > 7f5c601c8000-7f5c601c9000 r--p 00014000 fd:00 140295 /usr/lib64/libz.so.1.2.8 > 7f5c601c9000-7f5c601ca000 rw-p 00015000 fd:00 140295 /usr/lib64/libz.so.1.2.8 > 7f5c601ca000-7f5c601e1000 r-xp 00000000 fd:00 135173 /usr/lib64/libresolv-2.22.so > 7f5c601e1000-7f5c603e1000 ---p 00017000 fd:00 135173 /usr/lib64/libresolv-2.22.so > 7f5c603e1000-7f5c603e2000 r--p 00017000 fd:00 135173 /usr/lib64/libresolv-2.22.so > 7f5c603e2000-7f5c603e3000 rw-p 00018000 fd:00 135173 /usr/lib64/libresolv-2.22.so > 7f5c603e3000-7f5c603e5000 rw-p 00000000 00:00 0 > 7f5c603e5000-7f5c60606000 r-xp 00000000 fd:00 137954 /usr/lib64/libcrypto.so.1.0.2d > 7f5c60606000-7f5c60806000 ---p 00221000 fd:00 137954 /usr/lib64/libcrypto.so.1.0.2d > 7f5c60806000-7f5c60821000 r--p 00221000 fd:00 
137954 /usr/lib64/libcrypto.so.1.0.2d > 7f5c60821000-7f5c6082e000 rw-p 0023c000 fd:00 137954 /usr/lib64/libcrypto.so.1.0.2d > 7f5c6082e000-7f5c60832000 rw-p 00000000 00:00 0 > 7f5c60832000-7f5c6089f000 r-xp 00000000 fd:00 138211 /usr/lib64/libssl.so.1.0.2d > 7f5c6089f000-7f5c60a9f000 ---p 0006d000 fd:00 138211 /usr/lib64/libssl.so.1.0.2d > 7f5c60a9f000-7f5c60aa4000 r--p 0006d000 fd:00 138211 /usr/lib64/libssl.so.1.0.2d > 7f5c60aa4000-7f5c60aab000 rw-p 00072000 fd:00 138211 /usr/lib64/libssl.so.1.0.2d > 7f5c60aab000-7f5c60aeb000 r-xp 00000000 fd:00 139950 /usr/lib64/libpcap.so.1.7.4 > 7f5c60aeb000-7f5c60ceb000 ---p 00040000 fd:00 139950 /usr/lib64/libpcap.so.1.7.4 > 7f5c60ceb000-7f5c60ced000 r--p 00040000 fd:00 139950 /usr/lib64/libpcap.so.1.7.4 > 7f5c60ced000-7f5c60cee000 rw-p 00042000 fd:00 139950 /usr/lib64/libpcap.so.1.7.4 > 7f5c60cee000-7f5c60d0f000 r-xp 00000000 fd:00 135129 /usr/lib64/ld-2.22.so > 7f5c60ee6000-7f5c60ef6000 rw-p 00000000 00:00 0 > 7f5c60f0c000-7f5c60f0e000 rw-p 00000000 00:00 0 > 7f5c60f0e000-7f5c60f0f000 r--p 00020000 fd:00 135129 /usr/lib64/ld-2.22.so > 7f5c60f0f000-7f5c60f10000 rw-p 00021000 fd:00 135129 /usr/lib64/ld-2.22.so > 7f5c60f10000-7f5c60f11000 rw-p 00000000 00:00 0 > 7ffd67281000-7ffd672a3000 rw-p 00000000 00:00 0 [stack] > 7ffd673ce000-7ffd673d0000 r--p 00000000 00:00 0 [vvar] > 7ffd673d0000-7ffd673d2000 r-xp 00000000 00:00 0 [vdso] > ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] > {code} > The commit ["Use better data structure for storing BPF filters."|https://github.com/bro/bro/commit/6dd32c649b3dcb6ec652366ffaa90966549da008] seems to have introduced the issue. A quick google search indicated that it might be a threading issue. 

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From noreply at bro.org Thu Dec 17 00:00:38 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 17 Dec 2015 00:00:38 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512170800.tBH80ceg019282@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter         Assignee      Updated     For Version    Priority    Summary
------------  -----------  ---------------  ------------  ----------  -------------  ----------  ---------------------------------------------------------------------------
BIT-1513 [1]  Bro          Johanna Amann    -             2015-12-14  -              Normal      Please merge topic/johanna/irc-starttls
BIT-1506 [2]  Bro          Vlad Grigorescu  -             2015-12-11  2.5            Normal      Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
BIT-1490 [3]  BroControl   Seth Hall        Justin Azoff  2015-12-11  2.5            Low         Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#48 [4]  bro          aeppert [5]           2015-12-04  Update windows-version-detection.bro [6]
#46 [7]  bro          albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]  broctl       J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1]   BIT-1513                     https://bro-tracker.atlassian.net/browse/BIT-1513
[2]   BIT-1506                     https://bro-tracker.atlassian.net/browse/BIT-1506
[3]   BIT-1490                     https://bro-tracker.atlassian.net/browse/BIT-1490
[4]   Pull Request #48             https://github.com/bro/bro/pull/48
[5]   aeppert                      https://github.com/aeppert
[6]   Merge Pull Request #48 with  git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1
[7]   Pull Request #46             https://github.com/bro/bro/pull/46
[8]   albertzaharovits             https://github.com/albertzaharovits
[9]   Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10]  Pull Request #1              https://github.com/bro/broctl/pull/1
[11]  J-Gras                       https://github.com/J-Gras
[12]  Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Fri Dec 18 00:00:27 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 18 Dec 2015 00:00:27 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512180800.tBI80RR8006644@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter         Assignee      Updated     For Version    Priority    Summary
------------  -----------  ---------------  ------------  ----------  -------------  ----------  ---------------------------------------------------------------------------
BIT-1513 [1]  Bro          Johanna Amann    -             2015-12-14  -              Normal      Please merge topic/johanna/irc-starttls
BIT-1506 [2]  Bro          Vlad Grigorescu  -             2015-12-11  2.5            Normal      Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
BIT-1490 [3]  BroControl   Seth Hall        Justin Azoff  2015-12-11  2.5            Low         Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#48 [4]  bro          aeppert [5]           2015-12-04  Update windows-version-detection.bro [6]
#46 [7]  bro          albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]  broctl       J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1]   BIT-1513                     https://bro-tracker.atlassian.net/browse/BIT-1513
[2]   BIT-1506                     https://bro-tracker.atlassian.net/browse/BIT-1506
[3]   BIT-1490                     https://bro-tracker.atlassian.net/browse/BIT-1490
[4]   Pull Request #48             https://github.com/bro/bro/pull/48
[5]   aeppert                      https://github.com/aeppert
[6]   Merge Pull Request #48 with  git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-1
[7]   Pull Request #46             https://github.com/bro/bro/pull/46
[8]   albertzaharovits             https://github.com/albertzaharovits
[9]   Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10]  Pull Request #1              https://github.com/bro/broctl/pull/1
[11]  J-Gras                       https://github.com/J-Gras
[12]  Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Fri Dec 18 11:15:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 18 Dec 2015 13:15:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1513:
---------------------------------

    Assignee: Robin Sommer

> Please merge topic/johanna/irc-starttls
> ---------------------------------------
>
>                 Key: BIT-1513
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1513
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>
> Please merge topic/johanna/irc-starttls. This adds StartTLS support to the IRC protocol analyzer.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Fri Dec 18 11:21:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 18 Dec 2015 13:21:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23400#comment-23400 ]

Robin Sommer commented on BIT-1513:
-----------------------------------

I'm surprised that IRC wasn't using ContentLine already. I suppose it's not a problem to switch it over to using that for its normal analysis?

> Please merge topic/johanna/irc-starttls
> ---------------------------------------
>
>                 Key: BIT-1513
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1513
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>
> Please merge topic/johanna/irc-starttls. This adds StartTLS support to the IRC protocol analyzer.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Fri Dec 18 11:29:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 18 Dec 2015 13:29:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1506:
---------------------------------

    Assignee: Robin Sommer

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
>                 Key: BIT-1506
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1506
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Vlad Grigorescu
>            Assignee: Robin Sommer
>             Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Fri Dec 18 11:32:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 18 Dec 2015 13:32:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23401#comment-23401 ]

Robin Sommer commented on BIT-1363:
-----------------------------------

This has already been removed for a while, closing.

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>            Assignee: Robin Sommer
>         Attachments: pcap.c
>
>
> Let's have a support for packet capture with the AF_PACKET sockets in multi worker configuration.
> Bro can use a single worker with af_packet, I have tested and it works, but having a direct support for multi-worker load balancing would allow to avoid the pf_ring for many deployments with the traffic level where DNA / ZC / Myricom / DAG is not required.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Fri Dec 18 11:32:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 18 Dec 2015 13:32:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1363:
------------------------------

    Resolution: Merged
        Status: Closed (was: Reopened)

> Clustered AF_PACKET support
> ---------------------------
>
>                 Key: BIT-1363
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
>            Assignee: Robin Sommer
>         Attachments: pcap.c
>
>
> Let's have a support for packet capture with the AF_PACKET sockets in multi worker configuration.
> Bro can use a single worker with af_packet, I have tested and it works, but having a direct support for multi-worker load balancing would allow to avoid the pf_ring for many deployments with the traffic level where DNA / ZC / Myricom / DAG is not required.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Fri Dec 18 14:16:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 18 Dec 2015 16:16:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23402#comment-23402 ]

Johanna Amann commented on BIT-1513:
------------------------------------

It actually was already using ContentLine. The only difference is that now, contentline is explicitly initialized, instead of directly in the call to addsupportanalyzer, where it was before. We need to assign it to a member variable to be able to delete the support analyzer later, when we attach the TLS analyzer.

> Please merge topic/johanna/irc-starttls
> ---------------------------------------
>
>                 Key: BIT-1513
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1513
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>
> Please merge topic/johanna/irc-starttls. This adds StartTLS support to the IRC protocol analyzer.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Fri Dec 18 14:40:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 18 Dec 2015 16:40:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23403#comment-23403 ]

Robin Sommer commented on BIT-1513:
-----------------------------------

Ah, of course. Misread the diff, now it makes sense. :) Already merged it, will push in a bit.

> Please merge topic/johanna/irc-starttls
> ---------------------------------------
>
>                 Key: BIT-1513
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1513
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>
> Please merge topic/johanna/irc-starttls. This adds StartTLS support to the IRC protocol analyzer.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Fri Dec 18 17:50:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 18 Dec 2015 19:50:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1506:
------------------------------

    Resolution: Merged (was: Fixed)
        Status: Closed (was: Merge Request)

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
>                 Key: BIT-1506
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1506
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Vlad Grigorescu
>            Assignee: Robin Sommer
>             Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From jira at bro-tracker.atlassian.net Fri Dec 18 17:50:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 18 Dec 2015 19:50:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1513) Please merge topic/johanna/irc-starttls
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1513:
------------------------------

    Resolution: Merged (was: Fixed)
        Status: Closed (was: Merge Request)

> Please merge topic/johanna/irc-starttls
> ---------------------------------------
>
>                 Key: BIT-1513
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1513
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Robin Sommer
>
> Please merge topic/johanna/irc-starttls. This adds StartTLS support to the IRC protocol analyzer.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From penghe2015 at outlook.com Fri Dec 18 18:39:44 2015
From: penghe2015 at outlook.com (He Peng)
Date: Sat, 19 Dec 2015 10:39:44 +0800
Subject: [Bro-Dev] How can I build a static plugin?
Message-ID:

Hi,

I am developing a bro plugin which can retrieve packets from a dpdk
vswitch. Since DPDK builds static libs, the plugin should better become
a static lib. The tutorials in the bro website give only examples about
building a dynamic lib. However, I do find some cmake files about how to
build a static lib. Is there any tutorial on this?

Thanks.

--
Best Regards
Peng

From noreply at bro.org Sat Dec 19 00:00:29 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 19 Dec 2015 00:00:29 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512190800.tBJ80TCl018678@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter    Assignee      Updated     For Version    Priority    Summary
------------  -----------  ----------  ------------  ----------  -------------  ----------  -------------------------------------------------------------
BIT-1490 [1]  BroControl   Seth Hall   Justin Azoff  2015-12-11  2.5            Low         Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [2]  bro          albertzaharovits [3]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [4]
#1 [5]   broctl       J-Gras [6]            2015-10-24  Added support for Pcap options [7]

[1]  BIT-1490                     https://bro-tracker.atlassian.net/browse/BIT-1490
[2]  Pull Request #46             https://github.com/bro/bro/pull/46
[3]  albertzaharovits             https://github.com/albertzaharovits
[4]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[5]  Pull Request #1              https://github.com/bro/broctl/pull/1
[6]  J-Gras                       https://github.com/J-Gras
[7]  Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Sun Dec 20 00:00:23 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 20 Dec 2015 00:00:23 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512200800.tBK80Ndx011624@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter    Assignee      Updated     For Version    Priority    Summary
------------  -----------  ----------  ------------  ----------  -------------  ----------  -------------------------------------------------------------
BIT-1490 [1]  BroControl   Seth Hall   Justin Azoff  2015-12-11  2.5            Low         Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [2]  bro          albertzaharovits [3]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [4]
#1 [5]   broctl       J-Gras [6]            2015-10-24  Added support for Pcap options [7]

[1]  BIT-1490                     https://bro-tracker.atlassian.net/browse/BIT-1490
[2]  Pull Request #46             https://github.com/bro/bro/pull/46
[3]  albertzaharovits             https://github.com/albertzaharovits
[4]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[5]  Pull Request #1              https://github.com/bro/broctl/pull/1
[6]  J-Gras                       https://github.com/J-Gras
[7]  Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Mon Dec 21 00:00:30 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 21 Dec 2015 00:00:30 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201512210800.tBL80U41002478@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter    Assignee      Updated     For Version    Priority    Summary
------------  -----------  ----------  ------------  ----------  -------------  ----------  -------------------------------------------------------------
BIT-1490 [1]  BroControl   Seth Hall   Justin Azoff  2015-12-11  2.5            Low         Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [2]  bro          albertzaharovits [3]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [4]
#1 [5]   broctl       J-Gras [6]            2015-10-24  Added support for Pcap options [7]

[1]  BIT-1490                     https://bro-tracker.atlassian.net/browse/BIT-1490
[2]  Pull Request #46             https://github.com/bro/bro/pull/46
[3]  albertzaharovits             https://github.com/albertzaharovits
[4]  Merge Pull Request #46 with  git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[5]  Pull Request #1              https://github.com/bro/broctl/pull/1
[6]  J-Gras                       https://github.com/J-Gras
[7]  Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Mon Dec 21 07:17:00 2015
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA))
Date: Mon, 21 Dec 2015 09:17:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1515) Interface setup plug-in
In-Reply-To:
References:
Message-ID:

Jeannette Dopheide created BIT-1515:
---------------------------------------

             Summary: Interface setup plug-in
                 Key: BIT-1515
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1515
             Project: Bro Issue Tracker
          Issue Type: Task
          Components: Bro
            Reporter: Jeannette Dopheide
            Assignee: Justin Azoff

Place holder ticket to remind Justin to finish the interface setup plug-in he has been working on.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001)

From robin at icir.org Mon Dec 21 09:08:47 2015
From: robin at icir.org (Robin Sommer)
Date: Mon, 21 Dec 2015 09:08:47 -0800
Subject: [Bro-Dev] How can I build a static plugin?
In-Reply-To: References: Message-ID: <20151221170847.GI72404@icir.org> On Sat, Dec 19, 2015 at 10:39 +0800, you wrote: > Since DPDK builds static libs, the plugin should better become a > static lib. You can't build the plugin itself as a static library, as then Bro couldn't load it dynamically at runtime. You should however be able to link DPDK statically into your (dynamic) plugin, if that's what you need? If so, I would think that CMake actually does the right thing there already if all it finds for a dependency is a static library. Robin -- Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin From noreply at bro.org Tue Dec 22 00:00:25 2015 From: noreply at bro.org (Merge Tracker) Date: Tue, 22 Dec 2015 00:00:25 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512220800.tBM80PHE017868@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days.
Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [2] bro albertzaharovits [3] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [4] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #46 https://github.com/bro/bro/pull/46 [3] albertzaharovits https://github.com/albertzaharovits [4] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master From noreply at bro.org Wed Dec 23 00:00:27 2015 From: noreply at bro.org (Merge Tracker) Date: Wed, 23 Dec 2015 00:00:27 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512230800.tBN80RWU013337@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. 
Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [2] bro albertzaharovits [3] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [4] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #46 https://github.com/bro/bro/pull/46 [3] albertzaharovits https://github.com/albertzaharovits [4] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master From noreply at bro.org Thu Dec 24 00:00:24 2015 From: noreply at bro.org (Merge Tracker) Date: Thu, 24 Dec 2015 00:00:24 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512240800.tBO80OJW010912@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. 
Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master From noreply at bro.org Fri Dec 25 00:00:26 2015 From: noreply at bro.org (Merge Tracker) Date: Fri, 25 Dec 2015 00:00:26 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512250800.tBP80Q3T004997@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. 
Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master From noreply at bro.org Sat Dec 26 00:00:22 2015 From: noreply at bro.org (Merge Tracker) Date: Sat, 26 Dec 2015 00:00:22 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512260800.tBQ80MCx023499@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. 
Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master From noreply at bro.org Sun Dec 27 00:00:22 2015 From: noreply at bro.org (Merge Tracker) Date: Sun, 27 Dec 2015 00:00:22 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512270800.tBR80MRI012610@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. 
Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master From noreply at bro.org Mon Dec 28 00:00:25 2015 From: noreply at bro.org (Merge Tracker) Date: Mon, 28 Dec 2015 00:00:25 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512280800.tBS80PBB001509@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. 
Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master From noreply at bro.org Tue Dec 29 00:00:22 2015 From: noreply at bro.org (Merge Tracker) Date: Tue, 29 Dec 2015 00:00:22 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512290800.tBT80MPQ030246@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. 
Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master From sabiretude at gmail.com Tue Dec 29 04:33:48 2015 From: sabiretude at gmail.com (reda sabir) Date: Tue, 29 Dec 2015 13:33:48 +0100 Subject: [Bro-Dev] Error: Analyzer:: defined more than once. Message-ID: Hello everyone, I tried recently to add an analyzer of RLogin protocol by using BinPac. The problem that I encounter is that after doing the make and make install, I have this message every time I launch bro: fatal error in /usr/local/bro/share/bro/base/init-bare.bro, line 1: Component 'Analyzer::RLOGIN' defined more than once. You can find in the email the src that I use in "src/analyzer/protocol/rlogin/" Thank you for your help -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20151229/3bc5570b/attachment.html -------------- next part -------------- A non-text attachment was scrubbed...
Name: rlogin.zip Type: application/zip Size: 3748 bytes Desc: not available Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20151229/3bc5570b/attachment.zip From jira at bro-tracker.atlassian.net Tue Dec 29 09:23:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Tue, 29 Dec 2015 11:23:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1516) openbsd build issues In-Reply-To: References: Message-ID: Justin Azoff created BIT-1516: --------------------------------- Summary: openbsd build issues Key: BIT-1516 URL: https://bro-tracker.atlassian.net/browse/BIT-1516 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Affects Versions: 2.4 Environment: OpenBSD Reporter: Justin Azoff Priority: Low Someone on IRC asked about bro on openbsd issues. I took a look and here is what I have found so far. There are 3 issues: bro needs the libbind port installed to build, but cmake has trouble finding it Changing FindBIND.cmake lets configure work: {code} - HINTS ${BIND_ROOT_DIR}/lib + HINTS ${BIND_ROOT_DIR}/lib/libbind {code} This probably needs to be {code} HINTS ${BIND_ROOT_DIR}/lib ${BIND_ROOT_DIR}/lib/libbind {code} or such to not break other platforms The second is that {code}pcap_offline_filter{code} does not exist in the version of pcap it has (though I did my testing on openbsd 5.5 so the latest (5.8) may be different) Finally, openbsd does not have {code}wordexp{code} so src/broxygen/Manager.cc does not build. I ifdef'd out most of {code}Manager::Manager{code} and bro built ok after that. I'm not sure what it is doing there anyway..
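Review bot: the `+` line in the FindBIND.cmake hunk replaces the `${BIND_ROOT_DIR}/lib` hint with `${BIND_ROOT_DIR}/lib/libbind` instead of adding to it, so a platform whose library sits directly under `lib` loses its hint. Keep the original path and append the subdirectory as a second HINTS entry, or leave HINTS alone and add `PATH_SUFFIXES libbind` to the same find call, and add a comment saying the extra path is for the OpenBSD libbind port.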
-- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Tue Dec 29 10:42:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Tue, 29 Dec 2015 12:42:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1516) openbsd build issues In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23503#comment-23503 ] Justin Azoff commented on BIT-1516: ----------------------------------- Trying to get the test suite to run: {code} sudo ln -s /usr/local/bin/python2.7 /usr/local/bin/python {code} to get it to find python.. The testing makefile fails with: {code} mktemp: insufficient number of Xs in template `brocov.tmp.XXX' {code} apparently you need 6 X's. same for aux/btest/sphinx/btest-rst-cmd even though it seems to run fine, it outputs {code} bro:/usr/lib/libc.so.73.1: /usr/local/lib/libbind/libbind.so.4.0 : WARNING: symbol(_res) size mismatch, relink your program {code} every time you run it, which is making btest think every test failed.. I added {code} grep -v 'relink your program' {code} to btest-diff in 2 places as a hack to work around that... and it is still showing up in some places.. Plugin testing looks to be broken: {code} plugins.api-version-mismatch ... 
failed % 'bash /home/vagrant/bro-2.4.1/testing/btest/.tmp/plugins.api-version-mismatch/api-version-mismatch.sh' failed unexpectedly (exit code 1) % cat .stderr find: -not: unknown option cat: src/Plugin.cc: No such file or directory {code} End result: 32 of 802 tests failed, 61 skipped > openbsd build issues > -------------------- > > Key: BIT-1516 > URL: https://bro-tracker.atlassian.net/browse/BIT-1516 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: OpenBSD > Reporter: Justin Azoff > Priority: Low > Labels: openbsd > Attachments: openbsd_diag.log.gz > > > Someone on IRC asked about bro on openbsd issues. I took a look and here is what I have found so far. There are 3 issues: > bro needs the libbind port installed to build, but cmake has trouble finding it > Changing FindBIND.cmake lets configure work: > {code} > - HINTS ${BIND_ROOT_DIR}/lib > + HINTS ${BIND_ROOT_DIR}/lib/libbind > {code} > This probably needs to be > {code} > HINTS ${BIND_ROOT_DIR}/lib ${BIND_ROOT_DIR}/lib/libbind > {code} > or such to not break other platforms > The second is that {code}pcap_offline_filter{code} does not exist in the version of pcap it has (though I did my testing on openbsd 5.5 so the latest (5.8) may be different) > Finally, openbsd does not have {code}wordexp{code} so src/broxygen/Manager.cc does not build. I ifdef'd out most of {code}Manager::Manager{code} and bro built ok after that. I'm not sure what it is doing there anyway..
-- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Tue Dec 29 10:42:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Tue, 29 Dec 2015 12:42:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1516) openbsd build issues In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1516?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Justin Azoff updated BIT-1516: ------------------------------ Attachment: openbsd_diag.log.gz > openbsd build issues > -------------------- > > Key: BIT-1516 > URL: https://bro-tracker.atlassian.net/browse/BIT-1516 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: OpenBSD > Reporter: Justin Azoff > Priority: Low > Labels: openbsd > Attachments: openbsd_diag.log.gz > > > Someone on IRC asked about bro on openbsd issues. I took a look and here is what I have found so far. There are 3 issues: > bro needs the libbind port installed to build, but cmake has trouble finding it > Changing FindBIND.cmake lets configure work: > {code} > - HINTS ${BIND_ROOT_DIR}/lib > + HINTS ${BIND_ROOT_DIR}/lib/libbind > {code} > This probably needs to be > {code} > HINTS ${BIND_ROOT_DIR}/lib ${BIND_ROOT_DIR}/lib/libbind > {code} > or such to not break other platforms > The second is that {code}pcap_offline_filter{code} does not exist in the version of pcap it has (though I did my testing on openbsd 5.5 so the latest (5.8) may be different) > Finally, openbsd does not have {code}wordexp{code} so src/broxygen/Manager.cc does not build. I ifdef'd out most of {code}Manager::Manager{code} and bro built ok after that. I'm not sure what it is doing there anyway..
-- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From jira at bro-tracker.atlassian.net Tue Dec 29 10:45:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Tue, 29 Dec 2015 12:45:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1516) openbsd build issues In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23504#comment-23504 ] Justin Azoff commented on BIT-1516: ----------------------------------- {code} [ 2%] bifs.enable_raw_output ... failed [ 7%] bifs.piped_exec ... failed [ 25%] core.pcap.dumper ... failed [ 39%] doc.sphinx.include-doc_frameworks_sumstats-countconns_bro ... failed [ 49%] istate.pybroccoli ... failed [ 56%] language.raw_output_attr ... failed [ 63%] plugins.api-version-mismatch ... failed [ 63%] plugins.bifs-and-scripts ... failed [ 63%] plugins.bifs-and-scripts-install ... failed [ 63%] plugins.file ... failed [ 63%] plugins.hooks ... failed [ 63%] plugins.init-plugin ... failed [ 63%] plugins.pktdumper ... failed [ 64%] plugins.pktsrc ... failed [ 64%] plugins.protocol ... failed [ 64%] plugins.reader ... failed [ 64%] plugins.writer ... failed [ 64%] scripts.base.files.extract.limit ... failed [ 65%] scripts.base.frameworks.analyzer.schedule-analyzer ... failed [ 65%] scripts.base.frameworks.control.shutdown ... failed [ 66%] scripts.base.frameworks.file-analysis.http.get ... failed [ 67%] scripts.base.frameworks.file-analysis.http.multipart ... failed [ 67%] scripts.base.frameworks.file-analysis.http.pipeline ... failed [ 67%] scripts.base.frameworks.file-analysis.http.post ... failed [ 67%] scripts.base.frameworks.file-analysis.irc ... failed [ 70%] scripts.base.frameworks.input.raw.executestdin ... failed [ 77%] scripts.base.frameworks.logging.remote-types ... failed [ 77%] scripts.base.frameworks.logging.rotate ... 
failed [ 78%] scripts.base.frameworks.logging.rotate-custom ... failed [ 78%] scripts.base.frameworks.logging.sqlite.wikipedia ... failed [ 85%] scripts.base.protocols.http.content-range-gap ... failed [ 95%] scripts.policy.frameworks.intel.seen.certs ... failed {code} > openbsd build issues > -------------------- > > Key: BIT-1516 > URL: https://bro-tracker.atlassian.net/browse/BIT-1516 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: OpenBSD > Reporter: Justin Azoff > Priority: Low > Labels: openbsd > Attachments: openbsd_diag.log.gz > > > Someone on IRC asked about bro on openbsd issues. I took a look and here is what I have found so far. There are 3 issues: > bro needs the libbind port installed to build, but cmake has trouble finding it > Changing FindBIND.cmake lets configure work: > {code} > - HINTS ${BIND_ROOT_DIR}/lib > + HINTS ${BIND_ROOT_DIR}/lib/libbind > {code} > This probably needs to be > {code} > HINTS ${BIND_ROOT_DIR}/lib ${BIND_ROOT_DIR}/lib/libbind > {code} > or such to not break other platforms > The second is that {code}pcap_offline_filter{code} does not exist in the version of pcap it has (though I did my testing on openbsd 5.5 so the latest (5.8) may be different) > Finally, openbsd does not have {code}wordexp{code} so src/broxygen/Manager.cc does not build. I ifdef'd out most of {code}Manager::Manager{code} and bro built ok after that. I'm not sure what it is doing there anyway.. -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-030#71001) From vern at icir.org Tue Dec 29 13:43:13 2015 From: vern at icir.org (Vern Paxson) Date: Tue, 29 Dec 2015 13:43:13 -0800 Subject: [Bro-Dev] Error: Analyzer:: defined more than once. In-Reply-To: (Tue, 29 Dec 2015 13:33:48 +0100). Message-ID: <20151229214313.55CD32C4023@rock.ICSI.Berkeley.EDU> > I tried recently to add an analyzer of RLogin protocol by using BinPac.
Bro already has an Rlogin analyzer in src/analyzer/protocol/login/ , so presumably you're conflicting with that one ... ? Vern From sabiretude at gmail.com Tue Dec 29 14:54:55 2015 From: sabiretude at gmail.com (reda sabir) Date: Tue, 29 Dec 2015 23:54:55 +0100 Subject: [Bro-Dev] Error: Analyzer:: defined more than once. In-Reply-To: <20151229214313.55CD32C4023@rock.ICSI.Berkeley.EDU> References: <20151229214313.55CD32C4023@rock.ICSI.Berkeley.EDU> Message-ID: Thank you very much Vern, I didn't notice that because I didn't find an event for Rlogin. Thank you again On 29 Dec 2015 21:43, "Vern Paxson" wrote: > > I tried recently to add an analyzer of RLogin protocol by using BinPac. > > Bro already has an Rlogin analyzer in src/analyzer/protocol/login/ , so > presumably you're conflicting with that one ... ? > > Vern > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20151229/e42a22fe/attachment.html From noreply at bro.org Wed Dec 30 00:00:24 2015 From: noreply at bro.org (Merge Tracker) Date: Wed, 30 Dec 2015 00:00:24 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512300800.tBU80Ohr023716@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days.
Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] #3 [8] broctl aeppert [9] 2015-12-30 Wrap interface for running a custom plugin [10] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [8] Pull Request #3 https://github.com/bro/broctl/pull/3 [9] aeppert https://github.com/aeppert [10] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master From noreply at bro.org Thu Dec 31 00:00:23 2015 From: noreply at bro.org (Merge Tracker) Date: Thu, 31 Dec 2015 00:00:23 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201512310800.tBV80NQh017600@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. 
Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] #3 [8] broctl aeppert [9] 2015-12-30 Wrap interface for running a custom plugin [10] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [8] Pull Request #3 https://github.com/bro/broctl/pull/3 [9] aeppert https://github.com/aeppert [10] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master