From jira at bro-tracker.atlassian.net Tue Feb 3 06:43:00 2015
From: jira at bro-tracker.atlassian.net (Richie B. (JIRA))
Date: Tue, 3 Feb 2015 08:43:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1308) Add /opt/bro/bin to $PATH in RPM

Richie B. created BIT-1308:
------------------------------

             Summary: Add /opt/bro/bin to $PATH in RPM
                 Key: BIT-1308
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1308
             Project: Bro Issue Tracker
          Issue Type: New Feature
          Components: Bro
    Affects Versions: 2.3
         Environment: CentOS 6
            Reporter: Richie B.

In the Bro documentation, the first step after installing the Bro RPM is to add /opt/bro/bin to your $PATH. This can easily be done automatically by adding a file /etc/profile.d/bro.sh in the Bro RPM that contains:

    pathmunge /opt/bro/bin

--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Tue Feb 3 14:27:00 2015
From: jira at bro-tracker.atlassian.net (jdonnelly (JIRA))
Date: Tue, 3 Feb 2015 16:27:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1309) src/Conn.h : export orig_flow_label

jdonnelly created BIT-1309:
------------------------------

             Summary: src/Conn.h : export orig_flow_label
                 Key: BIT-1309
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1309
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
            Reporter: jdonnelly
         Attachments: conn.patch

Return Conn()->GetOrigFlowLabel()

--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From robin at icir.org Tue Feb 3 15:23:42 2015
From: robin at icir.org (Robin Sommer)
Date: Tue, 3 Feb 2015 15:23:42 -0800
Subject: [Bro-Dev] osquery integration
Message-ID: <20150203232342.GL35937@icir.org>

Out of a discussion with Seth and Vlad this morning, I put together a project description for integrating Bro with osquery as a host-based sensor, using Broker for communication.
    https://www.bro.org/development/projects/osquery.html

It's just a first stab, feedback welcome.

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin


From robin at icir.org Tue Feb 3 15:26:27 2015
From: robin at icir.org (Robin Sommer)
Date: Tue, 3 Feb 2015 15:26:27 -0800
Subject: [Bro-Dev] broctld deployment model
Message-ID: <20150203232627.GN35937@icir.org>

Seth, Vlad, and I were discussing future deployment models for broctld this morning, and I thought I'd capture some thoughts here for further discussion and feedback:

- we were thinking that eventually broctld should probably be running on *every* host with Bro processes, including workers. That way things get more consistent: each broctld will be in charge of the Bro processes on "its" host. When an upstream broctld wants to trigger some action somewhere else, rather than logging in and executing commands directly, it would instead talk to the corresponding broctld. That unifies communication between systems (in particular in the deep cluster setting) and will also make maintenance tasks, like monitoring and restarting Bro processes, much simpler and more responsive.

- with that, we can then consider switching to a more standard model for installing daemons on hosts: rather than having a central node push everything out (including programs and binaries), people would install broctld locally on each host via the package system (or whatever), including init.d scripts etc.

- we could also consider moving away from SSH as the primary communication mechanism if there are better alternatives.

All not really new, but I thought I'd write it down. Feedback welcome.
Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin


From noreply at bro.org Wed Feb 4 00:00:20 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 4 Feb 2015 00:00:20 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502040800.t1480KWD027514@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component  User         Updated     Title
-------  ---------  -----------  ----------  -------------------------------
#21 [1]  bro        msmiley [2]  2015-02-03  undefined var in debug code [3]

[1] Pull Request #21  https://github.com/bro/bro/pull/21
[2] msmiley           https://github.com/msmiley
[3] Merge Pull Request #21 with
    git pull --no-ff --no-commit https://github.com/msmiley/bro.git master


From seth at icir.org Wed Feb 4 06:57:41 2015
From: seth at icir.org (Seth Hall)
Date: Wed, 4 Feb 2015 09:57:41 -0500
Subject: [Bro-Dev] osquery integration
In-Reply-To: <20150203232342.GL35937@icir.org>
References: <20150203232342.GL35937@icir.org>
Message-ID: <6D8B9348-48EC-45BD-BB8E-BABDEE5B57FA@icir.org>

> On Feb 3, 2015, at 6:23 PM, Robin Sommer wrote:
>
> Out of a discussion with Seth and Vlad this morning, I put together a
> project description for integrating Bro with osquery as a host-based
> sensor, using Broker for communication.
>
> https://www.bro.org/development/projects/osquery.html

That's a really nice summary. Thanks!

Also, I spent a bit of time digging through the osquery source yesterday and it looks like it's possible with the api they expose to submit new queries into osqueryd dynamically so that we could just start up osqueryd and Bro would send over all of the queries that we would like the host to run.
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


From jsiwek at illinois.edu Wed Feb 4 08:37:31 2015
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Wed, 4 Feb 2015 16:37:31 +0000
Subject: [Bro-Dev] osquery integration
In-Reply-To: <20150203232342.GL35937@icir.org>
References: <20150203232342.GL35937@icir.org>

> + - On the osquery side, we need to assemble the event for sending
> +   to Broker. Generally, the columns returned by the ``SELECT``
> +   will turn into the event's arguments. In addition, we add an
> +   always-present ``h: Host`` argument. The event arguments' types
> +   need to be mapped from what osquery returns to Broker types
> +   (which, in turn, correspond to Bro types); see next bullet.
> +
> + - It seems there are two possible ways of doing the type conversion:
> +
> +   1. Hardcoding: The osquery plugin retrieves the query response,
> +      iterates through its columns and builds up a Broker event
> +      to then send out.
> +
> +      .. note::
> +
> +         I'm not quite sure what interface(s) osquery provides
> +         for extracting results. On the web page, I see JSON; not
> +         sure if there's something more direct.
> +
> +   2. Leveraging JSON: We can also extend Broker with a JSON
> +      interface, so that the osquery plugin can forward a JSON
> +      response directly. For this, we would:
> +
> +      - Extend Broker's API with a function that builds an
> +        event from JSON; with some predefined mapping of how
> +        JSON values turn into Broker values.
> +
> +      - Then call that function from the osquery plugin.
> +
> +   Option (2) would actually be a nice interface for Broker to
> +   have anyways, as it opens it up to ingesting input from a
> +   variety of other JSON sources as well (we could write an
> +   ingestion daemon that opens up a socket to which web
> +   applications can post JSON; but that's a different topic :).

I'm not sure what the difference between (1) and (2) is?
Either one seems to do a JSON -> Broker-data conversion, the difference is just in whether that conversion code lives in the application that uses Broker or in the Broker library itself. I don't think Broker itself is in any better position to actually do the conversion. Not opposed to putting such an example/template in Broker, just saying it may not be required to get the job done.

A third idea: it seems like here it would be doing a JSON -> Broker-data -> Bro-value conversion, instead can Broker messages/events just be specified in terms of a JSON string parameter, then leave JSON -> Bro-value conversion up to Bro? Teaching Bro a good way to interface directly w/ JSON might also be beneficial in other areas.

- Jon


From robin at icir.org Wed Feb 4 09:02:20 2015
From: robin at icir.org (Robin Sommer)
Date: Wed, 4 Feb 2015 09:02:20 -0800
Subject: [Bro-Dev] osquery integration
References: <20150203232342.GL35937@icir.org>
Message-ID: <20150204170220.GA35937@icir.org>

On Wed, Feb 04, 2015 at 16:37 +0000, you wrote:

> I'm not sure what the difference between (1) and (2) is? Either one
> seems to do a JSON -> Broker-data conversion, the difference is just
> in whether that conversion code lives in the application that uses
> Broker or in the Broker library itself.

Correct if JSON is the only way to get data out of osquery. That's a part I don't know, there might be a more direct programmatic interface in osquery that doesn't go through JSON.

But let's say we need or want to go through JSON. Then indeed, the question is where the code lives. Broker isn't in a better spot to do the conversion, but if it were in there, it could be reused by other data sources than osquery; vs., if it's part of the osquery plugin, nobody else would benefit from it. It could also be part of the osquery side initially, and we'd move it over later if demand turns out to be there.
> A third idea: it seems like here it would be doing a JSON ->
> Broker-data -> Bro-value conversion, instead can Broker
> messages/events just be specified in terms of a JSON string parameter,
> then leave JSON -> Bro-value conversion up to Bro?

Yeah, JSON input is on Seth's Bro wishlist. :) But I don't like this model here because it feels like it's using Broker just as a transport mechanism for raw data. I think the better general approach is to fit external data into Broker's data model, because then any Broker node can work with the data, not just those that happen to know how to interpret the blob coming in.

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin


From jsiwek at illinois.edu Wed Feb 4 09:48:06 2015
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Wed, 4 Feb 2015 17:48:06 +0000
Subject: [Bro-Dev] osquery integration
In-Reply-To: <20150204170220.GA35937@icir.org>
References: <20150203232342.GL35937@icir.org> <20150204170220.GA35937@icir.org>
Message-ID: <1AA1004C-FE8A-4738-BF5B-36DA428A800B@illinois.edu>

> On Feb 4, 2015, at 11:02 AM, Robin Sommer wrote:
> It could also be part of the osquery side initially, and we'd move it
> over later if demand turns out to be there.

That's more what I was thinking. Either way doesn't seem like a huge deal to me: don't expect the code involved to be that tricky.

>> A third idea: it seems like here it would be doing a JSON ->
>> Broker-data -> Bro-value conversion, instead can Broker
>> messages/events just be specified in terms of a JSON string parameter,
>> then leave JSON -> Bro-value conversion up to Bro?
>
> Yeah, JSON input is on Seth's Bro wishlist. :) But I don't like this
> model here because it feels like it's using Broker just a transport
> mechanism for raw data. I think the better general approach is to fit
> external data into Broker's data model, because then any Broker node
> can work with the data, not just those that happen to know how to
> interpret the blob coming in.
Yeah, if there's many disparate applications acting as nodes here, then may be better to use Broker's data as common format to ensure everyone has the tools necessary to interpret the messages.

- Jon


From robin at icir.org Wed Feb 4 10:33:46 2015
From: robin at icir.org (Robin Sommer)
Date: Wed, 4 Feb 2015 10:33:46 -0800
Subject: [Bro-Dev] osquery integration
In-Reply-To: <1AA1004C-FE8A-4738-BF5B-36DA428A800B@illinois.edu>
References: <20150203232342.GL35937@icir.org> <20150204170220.GA35937@icir.org> <1AA1004C-FE8A-4738-BF5B-36DA428A800B@illinois.edu>
Message-ID: <20150204183346.GA26522@icir.org>

On Wed, Feb 04, 2015 at 17:48 +0000, you wrote:

> deal to me: don't expect the code involved to be that tricky.

Yep, indeed.

> Yeah, if there's many disparate applications acting as nodes here,
> then may be better to use Broker's data as common format to ensure
> everyone has the tools necessary to interpret the messages.

(I won't claim that that's necessarily the case here, but I think it's good to establish a precedent that this is the right way to do it.)

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin


From seth at icir.org Wed Feb 4 10:34:11 2015
From: seth at icir.org (Seth Hall)
Date: Wed, 4 Feb 2015 13:34:11 -0500
Subject: [Bro-Dev] osquery integration
References: <20150203232342.GL35937@icir.org>

> On Feb 4, 2015, at 11:37 AM, Siwek, Jon wrote:
>
> Teaching Bro a good way to interface directly w/ JSON might also be beneficial in other areas.

Huh, that's actually a good point. Not quite sure how that would look yet though.

Also, when I was digging around in osquery, their default view of data internally seems to be in a plist-type format. They have a routine that converts it to json for output. So we certainly aren't bound to json with this in any way.
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


From noreply at bro.org Thu Feb 5 00:00:22 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 5 Feb 2015 00:00:22 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502050800.t1580Mcu031423@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component  User         Updated     Title
-------  ---------  -----------  ----------  -------------------------------
#21 [1]  bro        msmiley [2]  2015-02-03  undefined var in debug code [3]

[1] Pull Request #21  https://github.com/bro/bro/pull/21
[2] msmiley           https://github.com/msmiley
[3] Merge Pull Request #21 with
    git pull --no-ff --no-commit https://github.com/msmiley/bro.git master


From jira at bro-tracker.atlassian.net Thu Feb 5 06:25:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 5 Feb 2015 08:25:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1310) Bug with small files and begin of file buffer - fix in topic/seth/small-files-bof-handling-fix

Seth Hall created BIT-1310:
------------------------------

             Summary: Bug with small files and begin of file buffer - fix in topic/seth/small-files-bof-handling-fix
                 Key: BIT-1310
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1310
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Seth Hall

Small files that are under the size of the bof buffer size aren't being forwarded to stream analyzers.

The fix just forces the bof_buffer to be "full" and then injects a zero byte payload into the stream analyzer to force it to flush the bof_buffer through the normal code path.
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 06:25:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 5 Feb 2015 08:25:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1310) Bug with small files and begin of file buffer - fix in topic/seth/small-files-bof-handling-fix

    [ https://bro-tracker.atlassian.net/browse/BIT-1310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1310:
---------------------------

    Status: Merge Request  (was: Open)

> Bug with small files and begin of file buffer - fix in topic/seth/small-files-bof-handling-fix
> ----------------------------------------------------------------------------------------------
>
>                 Key: BIT-1310
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1310
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>
> Small files that are under the size of the bof buffer size aren't being forwarded to stream analyzers.
> The fix just forces the bof_buffer to be "full" and then injects a zero byte payload into the stream analyzer to force it to flush the bof_buffer through the normal code path.
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 08:07:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 5 Feb 2015 10:07:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1310) Bug with small files and begin of file buffer - fix in topic/seth/small-files-bof-handling-fix

    [ https://bro-tracker.atlassian.net/browse/BIT-1310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1310:
---------------------------

    Fix Version/s: 2.4

> Bug with small files and begin of file buffer - fix in topic/seth/small-files-bof-handling-fix
> ----------------------------------------------------------------------------------------------
>
>                 Key: BIT-1310
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1310
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>             Fix For: 2.4
>
>
> Small files that are under the size of the bof buffer size aren't being forwarded to stream analyzers.
> The fix just forces the bof_buffer to be "full" and then injects a zero byte payload into the stream analyzer to force it to flush the bof_buffer through the normal code path.
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 08:13:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 5 Feb 2015 10:13:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1310) Bug with small files and begin of file buffer - fix in topic/seth/small-files-bof-handling-fix

    [ https://bro-tracker.atlassian.net/browse/BIT-1310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1310:
---------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Bug with small files and begin of file buffer - fix in topic/seth/small-files-bof-handling-fix
> ----------------------------------------------------------------------------------------------
>
>                 Key: BIT-1310
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1310
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>             Fix For: 2.4
>
>
> Small files that are under the size of the bof buffer size aren't being forwarded to stream analyzers.
> The fix just forces the bof_buffer to be "full" and then injects a zero byte payload into the stream analyzer to force it to flush the bof_buffer through the normal code path.
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 09:45:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 5 Feb 2015 11:45:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1011) username/password authentication for SOCKS5

    [ https://bro-tracker.atlassian.net/browse/BIT-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1011:
---------------------------

    Status: Merge Request  (was: Open)

> username/password authentication for SOCKS5
> -------------------------------------------
>
>                 Key: BIT-1011
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1011
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: nicolas
>            Assignee: Seth Hall
>            Priority: Low
>             Fix For: 2.4
>
>         Attachments: 0001-SOCKS-authentication-patch.patch, output.pcap
>
>
> Patch the bug explained below:
> It appears when using the username authentication with SOCKS 5.
> After the client and the server have chosen the username authentication,
> the client has to send the following packet:
>
> Client request (RFC 1929):
>
> +----+------+----------+------+----------+
> |VER | ULEN |  UNAME   | PLEN |  PASSWD  |
> +----+------+----------+------+----------+
> | 1  |  1   | 1 to 255 |  1   | 1 to 255 |
> +----+------+----------+------+----------+
>
> Here the first byte must be 0x1, it specifies the version of the
> authentication mechanism, not the SOCKS version (0x5) like in all
> other packets.
> However in the socks-protocol.pac the type SOCKS_Version never parses
> data if the first byte is 0x1, and it goes to an error.
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 09:46:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 5 Feb 2015 11:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-975) Signature for modbus

    [ https://bro-tracker.atlassian.net/browse/BIT-975?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-975:
--------------------------

    Status: Merge Request  (was: Open)

> Signature for modbus
> --------------------
>
>                 Key: BIT-975
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-975
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Seth Hall
>            Priority: Low
>             Fix For: 2.4
>
>
> Before the 2.2 release try to create a reasonable signature to identify modbus with DPD. This may require careful attention to protocolviolation and protocolconfirmation calls in the modbus analyzer.
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 09:46:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 5 Feb 2015 11:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1011) username/password authentication for SOCKS5

    [ https://bro-tracker.atlassian.net/browse/BIT-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19519#comment-19519 ]

Seth Hall commented on BIT-1011:
--------------------------------

This ticket is solved in branch topic/seth/socks-authentication

> username/password authentication for SOCKS5
> -------------------------------------------
>
>                 Key: BIT-1011
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1011
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: nicolas
>            Assignee: Seth Hall
>            Priority: Low
>             Fix For: 2.4
>
>         Attachments: 0001-SOCKS-authentication-patch.patch, output.pcap
>
>
> Patch the bug explained below:
> It appears when using the username authentication with SOCKS 5.
> After the client and the server have chosen the username authentication,
> the client has to send the following packet:
>
> Client request (RFC 1929):
>
> +----+------+----------+------+----------+
> |VER | ULEN |  UNAME   | PLEN |  PASSWD  |
> +----+------+----------+------+----------+
> | 1  |  1   | 1 to 255 |  1   | 1 to 255 |
> +----+------+----------+------+----------+
>
> Here the first byte must be 0x1, it specifies the version of the
> authentication mechanism, not the SOCKS version (0x5) like in all
> other packets.
> However in the socks-protocol.pac the type SOCKS_Version never parses
> data if the first byte is 0x1, and it goes to an error.
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 09:46:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 5 Feb 2015 11:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-975) Signature for modbus

    [ https://bro-tracker.atlassian.net/browse/BIT-975?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-975:
--------------------------

    Status: Open  (was: Merge Request)

> Signature for modbus
> --------------------
>
>                 Key: BIT-975
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-975
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Seth Hall
>            Priority: Low
>             Fix For: 2.4
>
>
> Before the 2.2 release try to create a reasonable signature to identify modbus with DPD. This may require careful attention to protocolviolation and protocolconfirmation calls in the modbus analyzer.

--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 09:47:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 5 Feb 2015 11:47:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-975) Signature for modbus

    [ https://bro-tracker.atlassian.net/browse/BIT-975?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-975:
--------------------------

    Resolution: Rejected
        Status: Closed  (was: Open)

I'm just going to close this. There's no good reason to have this ticket open.
> Signature for modbus
> --------------------
>
>                 Key: BIT-975
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-975
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Seth Hall
>            Priority: Low
>             Fix For: 2.4
>
>
> Before the 2.2 release try to create a reasonable signature to identify modbus with DPD. This may require careful attention to protocolviolation and protocolconfirmation calls in the modbus analyzer.

--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 09:52:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 5 Feb 2015 11:52:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers

    [ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19521#comment-19521 ]

Seth Hall commented on BIT-1306:
--------------------------------

Have you reported this to Myricom?

> bro process would get stuck/freeze with myricom drivers
> -------------------------------------------------------
>
>                 Key: BIT-1306
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1306
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: OS: FreeBSD 9.3-RELEASE-p5 OS
> bro version 2.3-328
> git log -1 --format="%H"
> 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
>            Reporter: Aashish Sharma
>              Labels: bro-git, myricom
>
> When I stop bro (in cluster mode), one of the bro worker process (random) would get stuck and wouldn't shutdown, stop or even be killed using kill -s 9.
> System has to be ultimately rebooted to remove stuck bro process.
> On running myri_start_stop I see:
>
> # /usr/local/opt/snf/sbin/myri_start_stop stop
> Removing myri_snf.ko
> kldunload: can't unload file: Device busy
>
> It appears that the myri_snf.ko driver cannot be unloaded because of the stuck bro process. That process still has an open descriptor on the Sniffer device/driver and bro process freezes
>
> More details:
>
> The bro process is stuck in RNE state
>
> R  Marks a runnable process.
> N  The process has reduced CPU scheduling priority (see setpriority(2)).
> E  The process is trying to exit.
>
> Here is an example:
>
> ### stuck process:
>
> [bro at 01 ~]$ ps auxwww | fgrep 1616
> bro 1616 100.0 0.0 758040 60480 ?? RNE 2:57PM 53:50.04 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
>
> ####when checking for process in proc:
>
> [bro at c ~]$ ls -l /proc/1616
> ls: /proc/1616: No such file or directory

--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 09:54:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 5 Feb 2015 11:54:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1304) trace-summary should be updated to support newer versions of Python

    [ https://bro-tracker.atlassian.net/browse/BIT-1304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19522#comment-19522 ]

Seth Hall commented on BIT-1304:
--------------------------------

Do you already know the list of problems that need to be addressed? (probably not worth documenting?)
> trace-summary should be updated to support newer versions of Python
> -------------------------------------------------------------------
>
>                 Key: BIT-1304
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1304
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: trace-summary
>            Reporter: Daniel Thayer
>             Fix For: 2.4
>
>
> Some of the code in trace-summary is not valid syntax on
> Python version >= 3. It should be updated to work on
> any Python version >= 2.6.

--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 11:03:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 5 Feb 2015 13:03:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1304) trace-summary should be updated to support newer versions of Python

    [ https://bro-tracker.atlassian.net/browse/BIT-1304?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19523#comment-19523 ]

Daniel Thayer commented on BIT-1304:
------------------------------------

All the work is done in branch topic/dnthayer/ticket1304. The one remaining task is to get pysubnettree (which lives in a different git repo) compatible with Python 3. Currently, trace-summary requires pysubnettree.

> trace-summary should be updated to support newer versions of Python
> -------------------------------------------------------------------
>
>                 Key: BIT-1304
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1304
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: trace-summary
>            Reporter: Daniel Thayer
>             Fix For: 2.4
>
>
> Some of the code in trace-summary is not valid syntax on
> Python version >= 3. It should be updated to work on
> any Python version >= 2.6.
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From jira at bro-tracker.atlassian.net Thu Feb 5 11:20:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 5 Feb 2015 13:20:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1304) trace-summary should be updated to support newer versions of Python

    [ https://bro-tracker.atlassian.net/browse/BIT-1304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1304:
---------------------------

Awesome thanks!

> trace-summary should be updated to support newer versions of Python
> -------------------------------------------------------------------
>
>                 Key: BIT-1304
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1304
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: trace-summary
>            Reporter: Daniel Thayer
>             Fix For: 2.4
>
>
> Some of the code in trace-summary is not valid syntax on
> Python version >= 3. It should be updated to work on
> any Python version >= 2.6.
--
This message was sent by Atlassian JIRA
(v6.4-OD-13-026#64011)


From noreply at bro.org Fri Feb 6 00:00:20 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 6 Feb 2015 00:00:20 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502060800.t1680KfQ022303@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter  Assignee   Updated     For Version  Priority  Summary
------------  ---------  --------  ---------  ----------  -----------  --------  -------------------------------------------
BIT-1011 [1]  Bro        nicolas   Seth Hall  2015-02-05  2.4          Low       username/password authentication for SOCKS5

[1] BIT-1011  https://bro-tracker.atlassian.net/browse/BIT-1011


From jira at bro-tracker.atlassian.net Fri Feb 6 10:27:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 6 Feb 2015 12:27:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1311) GRE tunnels should be reported as Tunnel::GRE in tunnels.log

Seth Hall created BIT-1311:
------------------------------

             Summary: GRE tunnels should be reported as Tunnel::GRE in tunnels.log
                 Key: BIT-1311
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1311
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Seth Hall

They are reported as Tunnel::IP right now and that doesn't feel right.
-- This message was sent by Atlassian JIRA (v6.4-OD-13-026#64011)

From jira at bro-tracker.atlassian.net Fri Feb 6 11:15:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 6 Feb 2015 13:15:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1312) Plugin path loaded from bro-path-dev.sh

Seth Hall created BIT-1312:
------------------------------

Summary: Plugin path loaded from bro-path-dev.sh
Key: BIT-1312
URL: https://bro-tracker.atlassian.net/browse/BIT-1312
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Seth Hall
Assignee: Robin Sommer

Currently the bro-path-dev.sh script is adding your installation directory to the BRO_PLUGIN_PATH, which is causing crashes that are really confusing.

-- This message was sent by Atlassian JIRA (v6.4-OD-13-026#64011)

From kmcmahon at mitre.org Fri Feb 6 11:54:39 2015
From: kmcmahon at mitre.org (McMahon, Kevin J)
Date: Fri, 6 Feb 2015 19:54:39 +0000
Subject: [Bro-Dev] HTTP/2
Message-ID: <00D3CD29F7C24A44B4D23450BB8E55B310701C23@IMCMBX03.MITRE.ORG>

Has anyone done any work on upgrading Bro to support HTTP/2? If so I'm very interested in what might have been done and/or what is being done?

From jira at bro-tracker.atlassian.net Fri Feb 6 12:38:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 6 Feb 2015 14:38:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1238) High false-positive for application/x-tar signature

[ https://bro-tracker.atlassian.net/browse/BIT-1238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19525#comment-19525 ]

Daniel Thayer commented on BIT-1238:
------------------------------------

Do you have a set of test files that you could make public as part of the Bro test suite? If so, I could help with creating some test scripts and getting everything into our git repo.

> High false-positive for application/x-tar signature
> ---------------------------------------------------
>
> Key: BIT-1238
> URL: https://bro-tracker.atlassian.net/browse/BIT-1238
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Brian O'Berry
> Assignee: Seth Hall
> Labels: file, mime, signature
> Fix For: git/master, 2.4
>
> Attachments: test.tar.gz
>
>
> The following signature in base/frameworks/files/magic/general.sig frequently triggers on text files in our environment, and includes a strength value higher than GNU and POSIX tar signatures in libmagic.sig.
> {code}
> signature file-tar {
>     file-magic /([[:print:]\x00]){100}(([[:digit:]\x00\x20]){8}){3}/
>     file-mime "application/x-tar", 150
> }
> {code}

-- This message was sent by Atlassian JIRA (v6.4-OD-13-026#64011)

From vlad at grigorescu.org Fri Feb 6 12:53:30 2015
From: vlad at grigorescu.org (Vlad Grigorescu)
Date: Fri, 6 Feb 2015 14:53:30 -0600
Subject: [Bro-Dev] HTTP/2
In-Reply-To: <00D3CD29F7C24A44B4D23450BB8E55B310701C23@IMCMBX03.MITRE.ORG>
References: <00D3CD29F7C24A44B4D23450BB8E55B310701C23@IMCMBX03.MITRE.ORG>

I don't believe anyone's done any work on this. From what I can tell, most implementations (at least IE, Firefox, and Chrome) are only supporting HTTP/2.0 over TLS. If that trend continues, the only changes to Bro might just be ensuring that the SSL analyzer would work with it.

--Vlad

On Fri, Feb 6, 2015 at 1:54 PM, McMahon, Kevin J wrote:

> Has anyone done any work on upgrading Bro to support HTTP/2? If so I'm
> very interested in what might have been done and/or what is being done?
>
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>

From anthony.kasza at gmail.com Fri Feb 6 14:00:00 2015
From: anthony.kasza at gmail.com (anthony kasza)
Date: Fri, 6 Feb 2015 14:00:00 -0800
Subject: [Bro-Dev] HTTP/2
References: <00D3CD29F7C24A44B4D23450BB8E55B310701C23@IMCMBX03.MITRE.ORG>

I was under the impression the spec was still being drafted.

-AK

On Feb 6, 2015 12:54 PM, "Vlad Grigorescu" wrote:

> I don't believe anyone's done any work on this. From what I can tell, most
> implementations (at least IE, Firefox, and Chrome) are only supporting
> HTTP/2.0 over TLS. If that trend continues, the only changes to Bro might
> just be ensuring that the SSL analyzer would work with it.
>
> --Vlad
>
> On Fri, Feb 6, 2015 at 1:54 PM, McMahon, Kevin J
> wrote:
>
>> Has anyone done any work on upgrading Bro to support HTTP/2? If so I'm
>> very interested in what might have been done and/or what is being done?
>>

From seth at icir.org Fri Feb 6 20:42:32 2015
From: seth at icir.org (Seth Hall)
Date: Fri, 6 Feb 2015 23:42:32 -0500
Subject: [Bro-Dev] HTTP/2
References: <00D3CD29F7C24A44B4D23450BB8E55B310701C23@IMCMBX03.MITRE.ORG>
Message-ID: <9B29995B-BB7E-44FE-8C4A-D12E7A23DDE7@icir.org>

> On Feb 6, 2015, at 5:00 PM, anthony kasza wrote:
>
> I was under the impression the spec was still being drafted.

It's basically done.
https://http2.github.io/

Implementations and real world use are starting to show up all over the place. If you'd like to dig around and find evidence of http/2 being used unencrypted, that could be a huge motivator for someone to take it on.

Thanks to google, this space is even more muddied than just HTTP/2. They have a new protocol named QUIC that is yet another pain to support, and this protocol is also already in use when Chrome connects to a number of Google properties.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From noreply at bro.org Sat Feb 7 00:00:32 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 7 Feb 2015 00:00:32 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502070800.t1780W7g023595@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------- ---------- ---------- ----------  ------------- ---------- -------------------------------------------
BIT-1011 [1]  Bro         nicolas    Seth Hall  2015-02-05  2.4           Low        username/password authentication for SOCKS5

[1] BIT-1011 https://bro-tracker.atlassian.net/browse/BIT-1011

From noreply at bro.org Sun Feb 8 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 8 Feb 2015 00:00:24 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502080800.t1880OMT031313@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------- ---------- ---------- ----------  ------------- ---------- -------------------------------------------
BIT-1011 [1]  Bro         nicolas    Seth Hall  2015-02-05  2.4           Low        username/password authentication for SOCKS5

[1] BIT-1011 https://bro-tracker.atlassian.net/browse/BIT-1011

From jira at bro-tracker.atlassian.net Sun Feb 8 10:04:00 2015
From: jira at bro-tracker.atlassian.net (jdonnelly (JIRA))
Date: Sun, 8 Feb 2015 12:04:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B

jdonnelly created BIT-1313:
------------------------------

Summary: Add help and all options to -B
Key: BIT-1313
URL: https://bro-tracker.atlassian.net/browse/BIT-1313
Project: Bro Issue Tracker
Issue Type: Patch
Components: Bro
Reporter: jdonnelly
Attachments: log.diff

Expand -B to include all, help, and list all the various debug trace points:

#/usr/local/bro/bin/bro -B poo
fatal error: unknown debug stream poo, try -B help.
# /usr/local/bro/bin/bro -B help
Options may be separated by ","
all
help
serial
rules
comm
state
chunkedio
compressor
string
notifiers
main-loop
dpd
tm
logging
input
threading
file_analysis
plugins
broxygen
pktio

-- This message was sent by Atlassian JIRA (v6.4-OD-13-026#64011)

From noreply at bro.org Mon Feb 9 00:00:25 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 9 Feb 2015 00:00:25 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502090800.t1980PF1016688@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------- ---------- ---------- ----------  ------------- ---------- -------------------------------------------
BIT-1011 [1]  Bro         nicolas    Seth Hall  2015-02-05  2.4           Low        username/password authentication for SOCKS5

[1] BIT-1011 https://bro-tracker.atlassian.net/browse/BIT-1011

From jira at bro-tracker.atlassian.net Mon Feb 9 04:51:00 2015
From: jira at bro-tracker.atlassian.net (David André (JIRA))
Date: Mon, 9 Feb 2015 06:51:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1314) Detect "quantum insert" type of attacks

David André created BIT-1314:
--------------------------------

Summary: Detect "quantum insert" type of attacks
Key: BIT-1314
URL: https://bro-tracker.atlassian.net/browse/BIT-1314
Project: Bro Issue Tracker
Issue Type: New Feature
Components: Bro
Reporter: David André

Add detection for "quantum insert" type of attacks. Since the leaked information is classified, I will try to explain in unclassified form what it is about.

The idea is that you have a passive adversary that sniffs your TCP sequence numbers and injects its malicious payload faster than the real server.

One of the leaked documents mentions as an alerting mechanism to detect duplicate TCP sequence numbers from the same source, where at least 10% of the beginning of the content of the two packets differs.

-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net Mon Feb 9 07:30:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 9 Feb 2015 09:30:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1314) Detect "quantum insert" type of attacks

[ https://bro-tracker.atlassian.net/browse/BIT-1314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19600#comment-19600 ]

Jon Siwek commented on BIT-1314:
--------------------------------

Handling the "rexmit_inconsistency" event and comparing the mismatched content might be a way to do what you want.

https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html?highlight=rexmit_inconsistency#id-rexmit_inconsistency

> Detect "quantum insert" type of attacks
> ---------------------------------------
>
> Key: BIT-1314
> URL: https://bro-tracker.atlassian.net/browse/BIT-1314
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: David André
>
> Add detection for "quantum insert" type of attacks. Since the leaked information is classified, I will try to explain in unclassified form what it is about.
> The idea is that you have a passive adversary that sniffs your TCP sequence numbers and injects its malicious payload faster than the real server.
> One of the leaked documents mentions as an alerting mechanism to detect duplicate TCP sequence numbers from the same source, where at least 10% of the beginning of the content of the two packets differs.

-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012)

From noreply at bro.org Tue Feb 10 00:00:20 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 10 Feb 2015 00:00:20 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502100800.t1A80KWt028881@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------- ---------- ---------- ----------  ------------- ---------- -------------------------------------------
BIT-1011 [1]  Bro         nicolas    Seth Hall  2015-02-05  2.4           Low        username/password authentication for SOCKS5

Open Fastpath Commits
======================

Commit       Component   Author          Date        Summary
-----------  ----------- --------------  ----------  ----------------------------------------
4ffd37b [2]  bro-aux     Johanna Amann   2015-02-09  fix compile warning on FreeBSD
5f0a27c [3]  bro         Johanna Amann   2015-02-09  Submodule update - newest sqlite version

[1] BIT-1011 https://bro-tracker.atlassian.net/browse/BIT-1011
[2] 4ffd37b https://github.com/bro/bro-aux/commit/4ffd37b4155645b47879170098886bec6bc27086
[3] 5f0a27c https://github.com/bro/bro/commit/5f0a27ca31443ee3c308e49ff5b6e6b1c2fec963

From kmcmahon at mitre.org Tue Feb 10 13:38:56 2015
From: kmcmahon at mitre.org (McMahon, Kevin J)
Date: Tue, 10 Feb 2015 21:38:56 +0000
Subject: [Bro-Dev] HTTP/2
In-Reply-To: <9B29995B-BB7E-44FE-8C4A-D12E7A23DDE7@icir.org>
References: <00D3CD29F7C24A44B4D23450BB8E55B310701C23@IMCMBX03.MITRE.ORG> <9B29995B-BB7E-44FE-8C4A-D12E7A23DDE7@icir.org>
Message-ID: <00D3CD29F7C24A44B4D23450BB8E55B3107023C1@IMCMBX03.MITRE.ORG>

All,

Ok, thanks for the feedback.
I've got some colleagues looking for samples. I may be enticed to take this on depending on what we find.

Kevin

-----Original Message-----
From: bro-dev-bounces at bro.org [mailto:bro-dev-bounces at bro.org] On Behalf Of Seth Hall
Sent: Friday, February 06, 2015 11:43 PM
To: anthony kasza
Cc:
Subject: Re: [Bro-Dev] HTTP/2

> On Feb 6, 2015, at 5:00 PM, anthony kasza wrote:
>
> I was under the impression the spec was still being drafted.

It's basically done.

https://http2.github.io/

Implementations and real world use are starting to show up all over the place. If you'd like to dig around and find evidence of http/2 being used unencrypted, that could be a huge motivator for someone to take it on.

Thanks to google, this space is even more muddied than just HTTP/2. They have a new protocol named QUIC that is yet another pain to support, and this protocol is also already in use when Chrome connects to a number of Google properties.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jira at bro-tracker.atlassian.net Tue Feb 10 19:26:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 10 Feb 2015 21:26:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B

[ https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1313:
---------------------------------

Assignee: Robin Sommer

> Add help and all options to -B
> -------------------------------
>
> Key: BIT-1313
> URL: https://bro-tracker.atlassian.net/browse/BIT-1313
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Reporter: jdonnelly
> Assignee: Robin Sommer
> Attachments: log.diff
>
>
> Expand -B to include all, help, and list all the various debug trace points:
> #/usr/local/bro/bin/bro -B poo
> fatal error: unknown debug stream poo, try -B help.
> # /usr/local/bro/bin/bro -B help
> Options may be separated by ","
> all
> help
> serial
> rules
> comm
> state
> chunkedio
> compressor
> string
> notifiers
> main-loop
> dpd
> tm
> logging
> input
> threading
> file_analysis
> plugins
> broxygen
> pktio

-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net Tue Feb 10 19:26:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 10 Feb 2015 21:26:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B

[ https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1313:
------------------------------

Status: Merge Request (was: Open)

> Add help and all options to -B
> -------------------------------
>
> Key: BIT-1313
> URL: https://bro-tracker.atlassian.net/browse/BIT-1313
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Reporter: jdonnelly
> Assignee: Robin Sommer
> Attachments: log.diff
>
>
> Expand -B to include all, help, and list all the various debug trace points:
> #/usr/local/bro/bin/bro -B poo
> fatal error: unknown debug stream poo, try -B help.
> # /usr/local/bro/bin/bro -B help
> Options may be separated by ","
> all
> help
> serial
> rules
> comm
> state
> chunkedio
> compressor
> string
> notifiers
> main-loop
> dpd
> tm
> logging
> input
> threading
> file_analysis
> plugins
> broxygen
> pktio

-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012)

From noreply at bro.org Wed Feb 11 00:00:40 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 11 Feb 2015 00:00:40 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502110800.t1B80eBu003383@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated     For Version   Priority   Summary
------------  ----------- ---------- ------------  ----------  ------------- ---------- -------------------------------------------
BIT-1313 [1]  Bro         jdonnelly  Robin Sommer  2015-02-10  -             Normal     Add help and all options to -B
BIT-1011 [2]  Bro         nicolas    Seth Hall     2015-02-05  2.4           Low        username/password authentication for SOCKS5

Open Fastpath Commits
======================

Commit       Component   Author          Date        Summary
-----------  ----------- --------------  ----------  ----------------------------------------
4ffd37b [3]  bro-aux     Johanna Amann   2015-02-09  fix compile warning on FreeBSD
5f0a27c [4]  bro         Johanna Amann   2015-02-09  Submodule update - newest sqlite version

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------- -----------  ----------  ----------------------------------------------------------
#22 [5]  bro         msmiley [6]  2015-02-10  add local_resp (to complement local_orig) to Conn Info [7]

[1] BIT-1313 https://bro-tracker.atlassian.net/browse/BIT-1313
[2] BIT-1011 https://bro-tracker.atlassian.net/browse/BIT-1011
[3] 4ffd37b https://github.com/bro/bro-aux/commit/4ffd37b4155645b47879170098886bec6bc27086
[4] 5f0a27c https://github.com/bro/bro/commit/5f0a27ca31443ee3c308e49ff5b6e6b1c2fec963
[5] Pull Request #22 https://github.com/bro/bro/pull/22
[6] msmiley https://github.com/msmiley
[7] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From jira at bro-tracker.atlassian.net Wed Feb 11 18:10:00 2015
From: jira at bro-tracker.atlassian.net (jdonnelly (JIRA))
Date: Wed, 11 Feb 2015 20:10:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B

[ https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

jdonnelly updated BIT-1313:
---------------------------

Status: Open (was: Merge Request)

> Add help and all options to -B
> -------------------------------
>
> Key: BIT-1313
> URL: https://bro-tracker.atlassian.net/browse/BIT-1313
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Reporter: jdonnelly
> Assignee: Robin Sommer
> Attachments: log.diff
>
>
> Expand -B to include all, help, and list all the various debug trace points:
> #/usr/local/bro/bin/bro -B poo
> fatal error: unknown debug stream poo, try -B help.
> # /usr/local/bro/bin/bro -B help
> Options may be separated by ","
> all
> help
> serial
> rules
> comm
> state
> chunkedio
> compressor
> string
> notifiers
> main-loop
> dpd
> tm
> logging
> input
> threading
> file_analysis
> plugins
> broxygen
> pktio

-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012)

From noreply at bro.org Thu Feb 12 00:00:31 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 12 Feb 2015 00:00:31 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502120800.t1C80VCm010465@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------- ---------- ---------- ----------  ------------- ---------- -------------------------------------------
BIT-1011 [1]  Bro         nicolas    Seth Hall  2015-02-05  2.4           Low        username/password authentication for SOCKS5

Open Fastpath Commits
======================

Commit       Component   Author          Date        Summary
-----------  ----------- --------------  ----------  ----------------------------------------
4ffd37b [2]  bro-aux     Johanna Amann   2015-02-09  fix compile warning on FreeBSD
5f0a27c [3]  bro         Johanna Amann   2015-02-09  Submodule update - newest sqlite version

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------- -----------  ----------  ----------------------------------------------------------
#22 [4]  bro         msmiley [5]  2015-02-10  add local_resp (to complement local_orig) to Conn Info [6]

[1] BIT-1011 https://bro-tracker.atlassian.net/browse/BIT-1011
[2] 4ffd37b https://github.com/bro/bro-aux/commit/4ffd37b4155645b47879170098886bec6bc27086
[3] 5f0a27c https://github.com/bro/bro/commit/5f0a27ca31443ee3c308e49ff5b6e6b1c2fec963
[4] Pull Request #22 https://github.com/bro/bro/pull/22
[5] msmiley https://github.com/msmiley
[6] Merge Pull Request #22 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From jira at bro-tracker.atlassian.net Thu Feb 12 10:29:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 12 Feb 2015 12:29:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1011) username/password authentication for SOCKS5

[ https://bro-tracker.atlassian.net/browse/BIT-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1011:
------------------------------

Assignee: Jon Siwek (was: Seth Hall)

> username/password authentication for SOCKS5
> -------------------------------------------
>
> Key: BIT-1011
> URL: https://bro-tracker.atlassian.net/browse/BIT-1011
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: git/master
> Reporter: nicolas
> Assignee: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
> Attachments: 0001-SOCKS-authentication-patch.patch, output.pcap
>
>
> Patch the bug explained below:
> It appears using the username authentication with SOCKS 5.
> After the client and the server have chosen the username authentication,
> the client has to send the following packet:
> Client request (RFC 1929):
> +----+------+----------+------+----------+
> |VER | ULEN |  UNAME   | PLEN |  PASSWD  |
> +----+------+----------+------+----------+
> | 1  |  1   | 1 to 255 |  1   | 1 to 255 |
> +----+------+----------+------+----------+
> Here the first byte must be 0x1, it specifies the version of the
> authentication mechanism, not the SOCKS version (0x5) like in all
> others packets.
> However in the socks-protocol.pac the type SOCKS_Version never parses
> data if the first byte is 0x1, and it goes to an error.

-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net Thu Feb 12 12:22:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 12 Feb 2015 14:22:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1011) username/password authentication for SOCKS5

[ https://bro-tracker.atlassian.net/browse/BIT-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19601#comment-19601 ]

Jon Siwek commented on BIT-1011:
--------------------------------

I don't think sticking the version = 1 case in to the top-level SOCKS_Version message is quite right: that version number is actually a part of the specific SOCKS5 authentication method's sub-negotiation, right? So I think at least the top-level message can differentiate between a "some main SOCKS protocol" and "SOCKS5 authentication sub-negotiation" message and then for parsing the user/pass request, we only understand it if the VER field is 1.

> username/password authentication for SOCKS5
> -------------------------------------------
>
> Key: BIT-1011
> URL: https://bro-tracker.atlassian.net/browse/BIT-1011
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: git/master
> Reporter: nicolas
> Assignee: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
> Attachments: 0001-SOCKS-authentication-patch.patch, output.pcap
>
>
> Patch the bug explained below:
> It appears using the username authentication with SOCKS 5.
> After the client and the server have chosen the username authentication,
> the client has to send the following packet:
> Client request (RFC 1929):
> +----+------+----------+------+----------+
> |VER | ULEN |  UNAME   | PLEN |  PASSWD  |
> +----+------+----------+------+----------+
> | 1  |  1   | 1 to 255 |  1   | 1 to 255 |
> +----+------+----------+------+----------+
> Here the first byte must be 0x1, it specifies the version of the
> authentication mechanism, not the SOCKS version (0x5) like in all
> others packets.
> However in the socks-protocol.pac the type SOCKS_Version never parses
> data if the first byte is 0x1, and it goes to an error.

-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012)

From johanna at icir.org Thu Feb 12 12:53:51 2015
From: johanna at icir.org (Johanna Amann)
Date: Thu, 12 Feb 2015 12:53:51 -0800
Subject: [Bro-Dev] Bro nightly packages for .deb and .rpm based distributions
Message-ID: <20150212205351.GA35928@Beezling.local>

Hello,

we are considering providing packages for a number of different .deb and .rpm based distributions starting with Bro 2.4, using the OpenSuse build service. As a first step, I have created a repository that contains nightly Bro builds for CentOS, Debian, Fedora, Suse Linux, Scientific Linux, Univention as well as Ubuntu.

At the moment, Bro is installed into /opt/bro and broctl needs root permissions to run. Users in the Bro group (which is automatically created on installation) should be able to modify configuration files like local.bro, or the broctl configuration, and read the log files that Bro writes.
The package is called bro-nightly, which is a metapackage which pulls in the sub-packages

bro-core-nightly, containing only bro without broctl or libbroccoli
broctl-nightly, containing broctl
libbroccoli-nightly, containing libbroccoli and
libbroccoli-devel-nightly, containing the header files for libbroccoli

The obs interface showing the status and sources is available at https://build.opensuse.org/package/show/home:0xxon:bro/bro-nightly and downloads are available at http://software.opensuse.org/download.html?project=home%3A0xxon%3Abro&package=bro-nightly (locations will change in the future).

If you add the repositories to your distribution, new nightly builds should automatically be installed each time bro is updated.

Additionally, Bro 2.3.2 packages are available at https://build.opensuse.org/package/show/home:0xxon:bro/bro.

At the moment, this is in an early stage and I would be happy to receive any kind of feedback or problems that you encounter when using these packages. Please note that the packages have not gone through a lot of testing and that you should not use them in a production environment :)

Johanna

From jira at bro-tracker.atlassian.net Thu Feb 12 12:56:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 12 Feb 2015 14:56:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1011) username/password authentication for SOCKS5

[ https://bro-tracker.atlassian.net/browse/BIT-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19602#comment-19602 ]

Jon Siwek commented on BIT-1011:
--------------------------------

That would also mean the new events may need to be specific to the authN method. e.g.

"socks_login_userpass" -> "socks_login_userpass_request" and "socks_login_reply" -> "socks_login_userpass_reply"

> username/password authentication for SOCKS5
> -------------------------------------------
>
> Key: BIT-1011
> URL: https://bro-tracker.atlassian.net/browse/BIT-1011
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: git/master
> Reporter: nicolas
> Assignee: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
> Attachments: 0001-SOCKS-authentication-patch.patch, output.pcap
>
>
> Patch the bug explained below:
> It appears using the username authentication with SOCKS 5.
> After the client and the server have chosen the username authentication,
> the client has to send the following packet:
> Client request (RFC 1929):
> +----+------+----------+------+----------+
> |VER | ULEN |  UNAME   | PLEN |  PASSWD  |
> +----+------+----------+------+----------+
> | 1  |  1   | 1 to 255 |  1   | 1 to 255 |
> +----+------+----------+------+----------+
> Here the first byte must be 0x1, it specifies the version of the
> authentication mechanism, not the SOCKS version (0x5) like in all
> others packets.
> However in the socks-protocol.pac the type SOCKS_Version never parses
> data if the first byte is 0x1, and it goes to an error.

-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net Thu Feb 12 15:12:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 12 Feb 2015 17:12:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1011) username/password authentication for SOCKS5

[ https://bro-tracker.atlassian.net/browse/BIT-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19603#comment-19603 ]

Jon Siwek commented on BIT-1011:
--------------------------------

I made changes in topic/jsiwek/socks-authentication related to above comments. Seth, do they look alright?

> username/password authentication for SOCKS5
> -------------------------------------------
>
> Key: BIT-1011
> URL: https://bro-tracker.atlassian.net/browse/BIT-1011
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: git/master
> Reporter: nicolas
> Assignee: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
> Attachments: 0001-SOCKS-authentication-patch.patch, output.pcap
>
>
> Patch the bug explained below:
> It appears using the username authentication with SOCKS 5.
> After the client and the server have chosen the username authentication,
> the client has to send the following packet:
> Client request (RFC 1929):
> +----+------+----------+------+----------+
> |VER | ULEN |  UNAME   | PLEN |  PASSWD  |
> +----+------+----------+------+----------+
> | 1  |  1   | 1 to 255 |  1   | 1 to 255 |
> +----+------+----------+------+----------+
> Here the first byte must be 0x1, it specifies the version of the
> authentication mechanism, not the SOCKS version (0x5) like in all
> others packets.
> However in the socks-protocol.pac the type SOCKS_Version never parses
> data if the first byte is 0x1, and it goes to an error.

-- This message was sent by Atlassian JIRA (v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net Thu Feb 12 15:13:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 12 Feb 2015 17:13:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1011) username/password authentication for SOCKS5

[ https://bro-tracker.atlassian.net/browse/BIT-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1011:
------------------------------

Assignee: Seth Hall (was: Jon Siwek)

> username/password authentication for SOCKS5
> -------------------------------------------
>
> Key: BIT-1011
> URL: https://bro-tracker.atlassian.net/browse/BIT-1011
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: git/master
> Reporter: nicolas
> Assignee: Seth Hall
> Priority: Low
> Fix For: 2.4
>
> Attachments: 0001-SOCKS-authentication-patch.patch, output.pcap
>
>
> Patch the bug explained below:
> It appears using the username authentication with SOCKS 5.
> After the client and the server have chosen the username authentication,
> the client has to send the following packet:
> Client request (RFC 1929):
> +----+------+----------+------+----------+
> |VER | ULEN |  UNAME   | PLEN |  PASSWD  |
> +----+------+----------+------+----------+
> | 1  |  1   | 1 to 255 |  1   | 1 to 255 |
> +----+------+----------+------+----------+
> Here the first byte must be 0x1, it specifies the version of the
> authentication mechanism, not the SOCKS version (0x5) like in all
> others packets.
> However in the socks-protocol.pac the type SOCKS_Version never parses
> data if the first byte is 0x1, and it goes to an error.
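The RFC 1929 request layout quoted in the ticket above, together with the dispatch Jon describes (a leading 0x01 is the user/pass sub-negotiation only once the server has selected that method, never a SOCKS version), as an added Python example that is not part of the ticket, of Bro, or of socks-protocol.pac; every function and constant name below is an assumption made here, and the sample bytes are constructed rather than taken from output.pcap.

```python
from dataclasses import dataclass

SOCKS4_VERSION = 0x04
SOCKS5_VERSION = 0x05
USERPASS_SUBNEG_VERSION = 0x01  # RFC 1929 VER byte: the auth method's version, not a SOCKS version
METHOD_USERPASS = 0x02          # method id the server selects for username/password auth
STATUS_SUCCESS = 0x00


class SocksParseError(ValueError):
    """Malformed, truncated or unexpected SOCKS message."""


@dataclass(frozen=True)
class UserPassRequest:
    username: bytes
    password: bytes


@dataclass(frozen=True)
class UserPassReply:
    status: int

    @property
    def success(self) -> bool:
        return self.status == STATUS_SUCCESS


def _take(data: bytes, offset: int, length: int) -> bytes:
    """Slice data[offset:offset+length], refusing a short read."""
    chunk = data[offset:offset + length]
    if len(chunk) != length:
        raise SocksParseError(f"truncated: need {length} byte(s) at offset {offset}")
    return chunk


def server_selected_method(data: bytes) -> int:
    """Parse the SOCKS5 method-selection reply VER(0x05) METHOD; returns METHOD."""
    if len(data) != 2 or data[0] != SOCKS5_VERSION:
        raise SocksParseError("not a SOCKS5 method-selection message")
    return data[1]


def classify_client_message(data: bytes, awaiting_userpass: bool) -> str:
    """Decide what the next client message is before parsing it.

    A leading 0x01 is understood as the RFC 1929 sub-negotiation only once the
    server has selected method 0x02; otherwise the leading byte is read as a
    SOCKS version, which is exactly the failure the ticket describes for 0x01.
    """
    if not data:
        raise SocksParseError("empty message")
    if awaiting_userpass and data[0] == USERPASS_SUBNEG_VERSION:
        return "socks5-userpass-subnegotiation"
    if data[0] == SOCKS5_VERSION:
        return "socks5"
    if data[0] == SOCKS4_VERSION:
        return "socks4"
    raise SocksParseError(f"unknown SOCKS version {data[0]:#x}")


def parse_userpass_request(data: bytes) -> UserPassRequest:
    """Parse VER ULEN UNAME PLEN PASSWD; VER must be 0x01, both lengths 1 to 255."""
    if _take(data, 0, 1)[0] != USERPASS_SUBNEG_VERSION:
        raise SocksParseError(f"unexpected sub-negotiation version {data[0]:#x}")
    ulen = _take(data, 1, 1)[0]
    if ulen == 0:
        raise SocksParseError("ULEN must be 1 to 255")
    username = _take(data, 2, ulen)
    plen_off = 2 + ulen
    plen = _take(data, plen_off, 1)[0]
    if plen == 0:
        raise SocksParseError("PLEN must be 1 to 255")
    password = _take(data, plen_off + 1, plen)
    if len(data) != plen_off + 1 + plen:
        raise SocksParseError("trailing bytes after PASSWD")
    return UserPassRequest(username, password)


def parse_userpass_reply(data: bytes) -> UserPassReply:
    """Parse the RFC 1929 server reply VER(0x01) STATUS; STATUS 0x00 is success."""
    if len(data) != 2 or data[0] != USERPASS_SUBNEG_VERSION:
        raise SocksParseError("not an RFC 1929 reply")
    return UserPassReply(status=data[1])


def build_userpass_request(username: bytes, password: bytes) -> bytes:
    """Encode an RFC 1929 request (used here only to construct sample traffic)."""
    if not (1 <= len(username) <= 255 and 1 <= len(password) <= 255):
        raise ValueError("username and password must each be 1 to 255 bytes")
    return (bytes([USERPASS_SUBNEG_VERSION, len(username)]) + username
            + bytes([len(password)]) + password)


# Constructed sample exchange (not taken from the ticket's output.pcap).
SAMPLE_METHOD_SELECT = b"\x05\x02"                            # server picks user/pass
SAMPLE_REQUEST = build_userpass_request(b"alice", b"s3cret")  # 01 05 "alice" 06 "s3cret"
SAMPLE_REPLY = b"\x01\x00"                                    # success
```

Feeding SAMPLE_REQUEST to classify_client_message with awaiting_userpass=False raises, which is the pre-fix behaviour of reading 0x01 as a SOCKS version; with the flag set after server_selected_method returns METHOD_USERPASS, the same bytes parse as a user/pass request.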
--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net  Thu Feb 12 16:08:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 12 Feb 2015 18:08:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-556) Extended CA certificate information

    [ https://bro-tracker.atlassian.net/browse/BIT-556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-556:
------------------------------

    Resolution: Won't Fix
    Status: Closed  (was: Open)

I'm just closing this. It does not make sense to get any more information out of that file -- if we want ev validation, we can open a ticket for that.

> Extended CA certificate information
> -----------------------------------
>
> Key: BIT-556
> URL: https://bro-tracker.atlassian.net/browse/BIT-556
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: bro-aux
> Reporter: Seth Hall
>
> At some point I'd like to include more information in the auto-generated script that currently only has Mozilla's CA certs.
> At the very least I'd like to include extended validation OIDs for the various approved EV certificate vendors and OCSP URLs.
> The extra data can be found in the XML file located here:
> https://www.mozilla.org/projects/security/certs/included/

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From seth at icir.org  Thu Feb 12 17:24:40 2015
From: seth at icir.org (Seth Hall)
Date: Thu, 12 Feb 2015 20:24:40 -0500
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/jsiwek/socks-authentication: Refactor SOCKS5 user/pass authentication support.
 (961fd06)
In-Reply-To: <201502122309.t1CN94oU009335@bro-ids.icir.org>
References: <201502122309.t1CN94oU009335@bro-ids.icir.org>
Message-ID: <9B697032-0056-4B1D-96E3-66B21F499A2F@icir.org>

> On Feb 12, 2015, at 6:06 PM, Jonathan Siwek wrote:
>
> -event socks_login_reply%(c: connection, code: count%);
> +event socks_login_userpass_reply%(c: connection, code: count%);

Did you find evidence that SOCKS uses a different reply message for different login types? When I was reading I thought that the same login reply message structure was used in response to any login type.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From noreply at bro.org  Fri Feb 13 00:00:31 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 13 Feb 2015 00:00:31 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502130800.t1D80Vf9008700@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------  ---------  ---------  ----------  ------------  ---------  -------------------------------------------
BIT-1011 [1]  Bro         nicolas    Seth Hall  2015-02-12  2.4           Low        username/password authentication for SOCKS5

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------  -----------  ----------  ----------------------------------------------------------
#22 [2]  bro         msmiley [3]  2015-02-10  add local_resp (to complement local_orig) to Conn Info [4]

[1] BIT-1011           https://bro-tracker.atlassian.net/browse/BIT-1011
[2] Pull Request #22   https://github.com/bro/bro/pull/22
[3] msmiley            https://github.com/msmiley
[4] Merge Pull Request #22 with
    git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From jsiwek at illinois.edu  Fri Feb 13 02:42:00 2015
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Fri, 13 Feb 2015 10:42:00 +0000
Subject: [Bro-Dev] [Bro-Commits] [git/bro]
 topic/jsiwek/socks-authentication: Refactor SOCKS5 user/pass authentication support. (961fd06)
In-Reply-To: <9B697032-0056-4B1D-96E3-66B21F499A2F@icir.org>
References: <201502122309.t1CN94oU009335@bro-ids.icir.org> <9B697032-0056-4B1D-96E3-66B21F499A2F@icir.org>
Message-ID: <2072AB6D-3199-4C52-A1F6-FA44982AACE9@illinois.edu>

> On Feb 12, 2015, at 7:24 PM, Seth Hall wrote:
>
>> On Feb 12, 2015, at 6:06 PM, Jonathan Siwek wrote:
>>
>> -event socks_login_reply%(c: connection, code: count%);
>> +event socks_login_userpass_reply%(c: connection, code: count%);
>
> Did you find evidence that SOCKS uses a different reply message for different login types? When I was reading I thought that the same login reply message structure was used in response to any login type.

The definition of SOCKS5 in RFC 1928 doesn't seem to say anything about what different authentication methods should do. So RFC 1929 for username/password has a reply w/ [version octet, status octet] and RFC 1961 for GSSAPI has [version octet, message type octet, length octet, variable length opaque token].

Current parser won't do well with GSSAPI negotiation, but not sure how useful it would be since it's likely all further SOCKS requests/replies are going to be framed differently (e.g. encrypted).

- Jon

From seth at icir.org  Fri Feb 13 06:17:04 2015
From: seth at icir.org (Seth Hall)
Date: Fri, 13 Feb 2015 09:17:04 -0500
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/jsiwek/socks-authentication: Refactor SOCKS5 user/pass authentication support. (961fd06)
In-Reply-To: <2072AB6D-3199-4C52-A1F6-FA44982AACE9@illinois.edu>
References: <201502122309.t1CN94oU009335@bro-ids.icir.org> <9B697032-0056-4B1D-96E3-66B21F499A2F@icir.org> <2072AB6D-3199-4C52-A1F6-FA44982AACE9@illinois.edu>
Message-ID: <59114AE2-DB87-4E87-A62E-EED627AD77B1@icir.org>

> On Feb 13, 2015, at 5:42 AM, Siwek, Jon wrote:
>
> The definition of SOCKS5 in RFC 1928 doesn't seem to say anything about what different authentication methods should do.
> So RFC 1929 for username/password has a reply w/ [version octet, status octet] and RFC 1961 for GSSAPI has [version octet, message type octet, length octet, variable length opaque token].

Ah, ok. I didn't follow the RFC down far enough apparently. Thanks.

It looks good to me.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jira at bro-tracker.atlassian.net  Fri Feb 13 07:18:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Feb 2015 09:18:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1011) username/password authentication for SOCKS5

    [ https://bro-tracker.atlassian.net/browse/BIT-1011?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1011:
---------------------------

    Resolution: Merged  (was: Fixed)
    Status: Closed  (was: Merge Request)

> username/password authentication for SOCKS5
> -------------------------------------------
>
> Key: BIT-1011
> URL: https://bro-tracker.atlassian.net/browse/BIT-1011
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: git/master
> Reporter: nicolas
> Assignee: Seth Hall
> Priority: Low
> Fix For: 2.4
>
> Attachments: 0001-SOCKS-authentication-patch.patch, output.pcap
>
>
> Patch the bug explained below:
> It appears when using the username authentication with SOCKS 5.
> After the client and the server have chosen the username authentication,
> the client has to send the following packet:
> Client request (RFC 1929):
> +----+------+----------+------+----------+
> |VER | ULEN |  UNAME   | PLEN |  PASSWD  |
> +----+------+----------+------+----------+
> | 1  |  1   | 1 to 255 |  1   | 1 to 255 |
> +----+------+----------+------+----------+
> Here the first byte must be 0x1, it specifies the version of the
> authentication mechanism, not the SOCKS version (0x5) like in all
> other packets.
> However in the socks-protocol.pac the type SOCKS_Version never parses
> data if the first byte is 0x1, and it goes to an error.

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net  Fri Feb 13 09:46:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Feb 2015 11:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

Jon Siwek created BIT-1315:
------------------------------

    Summary: Teach Bro how to 'while'
    Key: BIT-1315
    URL: https://bro-tracker.atlassian.net/browse/BIT-1315
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Reporter: Jon Siwek
    Priority: Low
    Fix For: 2.4

topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.

An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.
--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net  Fri Feb 13 09:46:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Feb 2015 11:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

    [ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1315:
---------------------------

    Status: Merge Request  (was: Open)

> Teach Bro how to 'while'
> ------------------------
>
> Key: BIT-1315
> URL: https://bro-tracker.atlassian.net/browse/BIT-1315
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
>
> topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.
> An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.
--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net  Fri Feb 13 10:26:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 13 Feb 2015 12:26:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

    [ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19605#comment-19605 ]

Seth Hall commented on BIT-1315:
--------------------------------

Do you think we should think about this a bit more and see if we can figure out an elegant way to present an evented looping construct to users? It's currently possible to do evented loops, but it's certainly inelegant. It would be really nice to be able to do loops in Bro that last the entire duration of the Bro process but that would definitely necessitate a different approach.

> Teach Bro how to 'while'
> ------------------------
>
> Key: BIT-1315
> URL: https://bro-tracker.atlassian.net/browse/BIT-1315
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
>
> topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.
> An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.
--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net  Fri Feb 13 11:28:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Feb 2015 13:28:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

    [ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19606#comment-19606 ]

Jon Siwek commented on BIT-1315:
--------------------------------

Distributing work over time via a recurring event isn't the same thing, though.

I don't mind if this gets postponed or even just rejected. I mostly made the patch for my own interest (didn't take long) and just to see the reaction -- I'm not actually sure I've seen any arguments that make me think it's completely a bad idea. What I don't like is that it feels as if this aspect of the language comes from the assumption that the programmer doesn't know what they're doing. And that doesn't make it fun when it comes time to work around it and/or try to explain the absence to someone.

To summarize my reasoning: I think there are cases where something like a "while loop" is an efficient way to get things done and I would at least like to be able to decide for myself whether it's reasonable or too dangerous to use for a particular task.

For a specific example I ran into when making the API into Broker's data stores:

https://github.com/bro/bro/blob/topic/jsiwek/broker/testing/btest/comm/data.bro

For that I guess I'm in a position where I can modify Bro's core to make "for" loops aware of the new opaque type, but special-casing doesn't feel great -- essentially what I've made is Bro bindings for the Broker library and the less stuff I have to modify in the core language the better because it sort of proves the possibility of making Bro bindings for other libraries as isolated plugins.
> Teach Bro how to 'while'
> ------------------------
>
> Key: BIT-1315
> URL: https://bro-tracker.atlassian.net/browse/BIT-1315
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
>
> topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.
> An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net  Fri Feb 13 13:31:01 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 13 Feb 2015 15:31:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

    [ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1315:
---------------------------

Agreed. I've had the same debate with myself plenty of times.

Yeah. It would remove some pretty hacky looking code in scripts too. I guess I could see adding it. I'll be updating a few scripts if it does end up going into master. :)

  .Seth

> Teach Bro how to 'while'
> ------------------------
>
> Key: BIT-1315
> URL: https://bro-tracker.atlassian.net/browse/BIT-1315
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
>
> topic/jsiwek/while has an implementation of a general purpose 'while' loop.
> If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.
> An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From noreply at bro.org  Sat Feb 14 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 14 Feb 2015 00:00:24 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502140800.t1E80OOV008563@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------  ---------  ---------  ----------  ------------  ---------  ------------------------
BIT-1315 [1]  Bro         Jon Siwek  -          2015-02-13  2.4           Low        Teach Bro how to 'while'

Open Fastpath Commits
=====================

Commit       Component   Author     Date        Summary
-----------  ----------  ---------  ----------  ------------------------------------------------------------
b00bd77 [2]  bro         Seth Hall  2015-02-13  Add the ability to remove surrounding braces from the JSON f

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------  -----------  ----------  ----------------------------------------------------------
#22 [3]  bro         msmiley [4]  2015-02-10  add local_resp (to complement local_orig) to Conn Info [5]

[1] BIT-1315           https://bro-tracker.atlassian.net/browse/BIT-1315
[2] b00bd77            https://github.com/bro/bro/commit/b00bd7702f8962bcf8507adb0abe967c4c02426c
[3] Pull Request #22   https://github.com/bro/bro/pull/22
[4] msmiley            https://github.com/msmiley
[5] Merge Pull Request #22 with
    git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From noreply at bro.org  Sun Feb 15 00:00:31 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 15 Feb 2015 00:00:31 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502150800.t1F80VEP017442@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------  ---------  ---------  ----------  ------------  ---------  ------------------------
BIT-1315 [1]  Bro         Jon Siwek  -          2015-02-13  2.4           Low        Teach Bro how to 'while'

Open Fastpath Commits
=====================

Commit       Component   Author     Date        Summary
-----------  ----------  ---------  ----------  ------------------------------------------------------------
b00bd77 [2]  bro         Seth Hall  2015-02-13  Add the ability to remove surrounding braces from the JSON f

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------  -----------  ----------  ----------------------------------------------------------
#22 [3]  bro         msmiley [4]  2015-02-10  add local_resp (to complement local_orig) to Conn Info [5]

[1] BIT-1315           https://bro-tracker.atlassian.net/browse/BIT-1315
[2] b00bd77            https://github.com/bro/bro/commit/b00bd7702f8962bcf8507adb0abe967c4c02426c
[3] Pull Request #22   https://github.com/bro/bro/pull/22
[4] msmiley            https://github.com/msmiley
[5] Merge Pull Request #22 with
    git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From jira at bro-tracker.atlassian.net  Sun Feb 15 11:13:01 2015
From: jira at bro-tracker.atlassian.net (Vern Paxson (JIRA))
Date: Sun, 15 Feb 2015 13:13:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

    [ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19608#comment-19608 ]

Vern Paxson commented on BIT-1315:
----------------------------------

I'm okay with this addition, too.
If we want to think about more elegant forms for down the road, I'd suggest studying the use of "generators" in the (now-long-out-of-use) "Icon" programming language. These enable expressing all sorts of iterative computation in concise-but-readable ways.

> Teach Bro how to 'while'
> ------------------------
>
> Key: BIT-1315
> URL: https://bro-tracker.atlassian.net/browse/BIT-1315
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
>
> topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.
> An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net  Sun Feb 15 20:14:01 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Sun, 15 Feb 2015 22:14:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

    [ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1315:
---------------------------

Let's go ahead and merge it then. :)

> Teach Bro how to 'while'
> ------------------------
>
> Key: BIT-1315
> URL: https://bro-tracker.atlassian.net/browse/BIT-1315
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
>
> topic/jsiwek/while has an implementation of a general purpose 'while' loop.
> If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.
> An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From noreply at bro.org  Mon Feb 16 00:00:30 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 16 Feb 2015 00:00:30 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502160800.t1G80UGf027587@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------  ---------  ---------  ----------  ------------  ---------  ------------------------
BIT-1315 [1]  Bro         Jon Siwek  -          2015-02-15  2.4           Low        Teach Bro how to 'while'

Open Fastpath Commits
=====================

Commit       Component   Author     Date        Summary
-----------  ----------  ---------  ----------  ------------------------------------------------------------
b00bd77 [2]  bro         Seth Hall  2015-02-13  Add the ability to remove surrounding braces from the JSON f

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------  -----------  ----------  ----------------------------------------------------------
#22 [3]  bro         msmiley [4]  2015-02-10  add local_resp (to complement local_orig) to Conn Info [5]

[1] BIT-1315           https://bro-tracker.atlassian.net/browse/BIT-1315
[2] b00bd77            https://github.com/bro/bro/commit/b00bd7702f8962bcf8507adb0abe967c4c02426c
[3] Pull Request #22   https://github.com/bro/bro/pull/22
[4] msmiley            https://github.com/msmiley
[5] Merge Pull Request #22 with
    git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From jira at bro-tracker.atlassian.net  Mon Feb 16 13:00:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 16 Feb 2015 15:00:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1316) New plugin component: threads

Robin Sommer created BIT-1316:
---------------------------------

    Summary: New plugin component: threads
    Key: BIT-1316
    URL: https://bro-tracker.atlassian.net/browse/BIT-1316
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Reporter: Robin Sommer

It would be nice to add another type of plugin components: threads. A plugin could then define functionality that runs inside its own thread (e.g., talking to the rest of the world via sockets). We can provide it with an API to send events to Bro; and maybe we can make bifs work transparently so that if a user calls one of the plugin's functions in script-land, the arguments will be serialized and sent over to the plugin thread.

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net  Mon Feb 16 13:07:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 16 Feb 2015 15:07:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1317) Integrate standard plugin into Bro's build and install process

Robin Sommer created BIT-1317:
---------------------------------

    Summary: Integrate standard plugin into Bro's build and install process
    Key: BIT-1317
    URL: https://bro-tracker.atlassian.net/browse/BIT-1317
    Project: Bro Issue Tracker
    Issue Type: New Feature
    Components: Bro
    Reporter: Robin Sommer
    Fix For: 2.4

Right now, plugins in aux/plugins/* need to be built and installed manually. That's fine for those currently there (netmap, elastic search, data series), as they are quite specific.
However, once we start moving more standard functionality over into plugins (say, GeoIP support), that will get more cumbersome, as now everybody wanting that stuff will need to do the additional step, which is easy to miss.

However, it's not clear to me right now what a good way of integrating the plugins more tightly would be. We could turn a few (or all?) on by default and build them along with Bro if their dependencies are satisfied. But that's tough to implement, as the plugin build process is really completely separate from Bro's. So we would need to pass configure parameters over, run their builds, run their installs, run their tests, and catch any errors along the way.

I'm setting this to 2.4 in case we can still come up with a good strategy here. But more likely this is something to punt on right now, as we don't have a pressing use case anyways.

There's also the related topic of a broader notion of modules that a future CPAN might manage, and how we combine all that.

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From noreply at bro.org  Tue Feb 17 00:00:26 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 17 Feb 2015 00:00:26 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502170800.t1H80QfD001752@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------  ---------  ---------  ----------  ------------  ---------  ------------------------
BIT-1315 [1]  Bro         Jon Siwek  -          2015-02-15  2.4           Low        Teach Bro how to 'while'

Open Fastpath Commits
=====================

Commit       Component   Author     Date        Summary
-----------  ----------  ---------  ----------  ------------------------------------------------------------
b00bd77 [2]  bro         Seth Hall  2015-02-13  Add the ability to remove surrounding braces from the JSON f

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------  -----------  ----------  ----------------------------------------------------------
#22 [3]  bro         msmiley [4]  2015-02-10  add local_resp (to complement local_orig) to Conn Info [5]

[1] BIT-1315           https://bro-tracker.atlassian.net/browse/BIT-1315
[2] b00bd77            https://github.com/bro/bro/commit/b00bd7702f8962bcf8507adb0abe967c4c02426c
[3] Pull Request #22   https://github.com/bro/bro/pull/22
[4] msmiley            https://github.com/msmiley
[5] Merge Pull Request #22 with
    git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From robin at icir.org  Tue Feb 17 08:19:54 2015
From: robin at icir.org (Robin Sommer)
Date: Tue, 17 Feb 2015 08:19:54 -0800
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'
Message-ID: <20150217161954.GK93377@icir.org>

For the record: I'm for it, too. :) Will merge.

On Sun, Feb 15, 2015 at 22:14 -0600, you wrote:

>
>     [ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> Seth Hall updated BIT-1315:
> ---------------------------
>
>
> Let's go ahead and merge it then. :)
>
>
> > Teach Bro how to 'while'
> > ------------------------
> >
> > Key: BIT-1315
> > URL: https://bro-tracker.atlassian.net/browse/BIT-1315
> > Project: Bro Issue Tracker
> > Issue Type: New Feature
> > Components: Bro
> > Reporter: Jon Siwek
> > Priority: Low
> > Fix For: 2.4
> >
> >
> > topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.
> > An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.
> >
> >
> --
> This message was sent by Atlassian JIRA
> (v6.4-OD-14-082#64012)
>
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>

From jira at bro-tracker.atlassian.net  Tue Feb 17 08:20:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 17 Feb 2015 10:20:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

    [ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1315:
------------------------------

For the record: I'm for it, too. :) Will merge.

> Teach Bro how to 'while'
> ------------------------
>
> Key: BIT-1315
> URL: https://bro-tracker.atlassian.net/browse/BIT-1315
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
>
> topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.
> An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.
--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net  Tue Feb 17 08:21:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 17 Feb 2015 10:21:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'

    [ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1315:
---------------------------------

    Assignee: Robin Sommer

> Teach Bro how to 'while'
> ------------------------
>
> Key: BIT-1315
> URL: https://bro-tracker.atlassian.net/browse/BIT-1315
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Assignee: Robin Sommer
> Priority: Low
> Fix For: 2.4
>
>
> topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.
> An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From johanna at icir.org  Tue Feb 17 12:48:57 2015
From: johanna at icir.org (Johanna Amann)
Date: Tue, 17 Feb 2015 12:48:57 -0800
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
Message-ID: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>

Hi,

currently it is not possible to build Bro on RedHat / CentOs 6 or earlier because the cmake version available on those systems is too low.

Is there any important reason why we need 2.8? CentOs 6 only has 2.6.4 by default.
Johanna

From dnthayer at illinois.edu Tue Feb 17 13:30:12 2015
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Tue, 17 Feb 2015 15:30:12 -0600
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
In-Reply-To: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
References: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
Message-ID: <54E3B2E4.9060105@illinois.edu>

It looks like RH/CentOS 6.6 has cmake 2.8.12, and RH/CentOS 6.5 and
earlier have cmake 2.6.4.

On 02/17/2015 02:48 PM, Johanna Amann wrote:
> Hi,
>
> currently it is not possible to build Bro on RedHat / CentOs 6 or earlier
> because the cmake version available on those systems is too low.
>
> Is there any important reason why we need 2.8? CentOs 6 only has 2.6.4 by
> default.
>
> Johanna

From jsiwek at illinois.edu Tue Feb 17 13:53:23 2015
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Tue, 17 Feb 2015 21:53:23 +0000
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
In-Reply-To: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
References: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
Message-ID: <6E709765-844A-4C93-819E-8395BA71391A@illinois.edu>

> On Feb 17, 2015, at 2:48 PM, Johanna Amann wrote:
>
> currently it is not possible to build Bro on RedHat / CentOs 6 or earlier
> because the cmake version available on those systems is too low.

I think 6.6 has CMake 2.8.12.2 now.

But yeah, before they were at 2.6.4.

> Is there any important reason why we need 2.8?

Not especially important, but newer versions of CMake were emitting some
CMake policy warnings at bro-aux configure-time that I didn't see a way
to fix without using generator expressions, which became available in
CMake 2.8.

If you can't upgrade to 6.6, is it at least an option for you to compile
a newer CMake from source?
- Jon

From johanna at icir.org Tue Feb 17 14:58:14 2015
From: johanna at icir.org (Johanna Amann)
Date: Tue, 17 Feb 2015 14:58:14 -0800
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
In-Reply-To: <6E709765-844A-4C93-819E-8395BA71391A@illinois.edu>
References: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
	<6E709765-844A-4C93-819E-8395BA71391A@illinois.edu>
Message-ID: <20150217225814.GA16845@wifi86.sys.ICSI.Berkeley.EDU>

On Tue, Feb 17, 2015 at 09:53:23PM +0000, Siwek, Jon wrote:
> > currently it is not possible to build Bro on RedHat / CentOs 6 or earlier
> > because the cmake version available on those systems is too low.
>
> I think 6.6 has CMake 2.8.12.2 now.
>
> But yeah, before they were at 2.6.4.

Ah, ok. I am trying to build a bro version using the opensuse build
service - and they apparently use only the old packages of those
distributions when you create your packages.

> > Is there any important reason why we need 2.8?
>
> Not especially important, but newer versions of CMake were emitting some
> CMake policy warnings at bro-aux configure-time that I didn't see a way
> to fix without using generator expressions, which became available in
> CMake 2.8.
>
> If you can't upgrade to 6.6, is it at least an option for you to compile a newer CMake from source?

I will try, it actually might be possible to make it a compile-time-only
requirement.

Just to check - is removing the dependency for 2.8 as easy as changing the
minimal cmake version and removing a few lines from one of the cmake
scripts? Because in that case I would be tempted to just automatically
patch it out when building for those distributions (I have a few
distribution specific actions in the build files in any case).
Johanna

From noreply at bro.org Wed Feb 18 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 18 Feb 2015 00:00:24 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502180800.t1I80OaJ016732@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated      For Version   Priority   Summary
------------  ----------- ---------- ------------  ----------   ------------- ---------- ------------------------
BIT-1315 [1]  Bro         Jon Siwek  Robin Sommer  2015-02-17   2.4           Low        Teach Bro how to 'while'

Open Fastpath Commits
======================

Commit       Component   Author     Date         Summary
-----------  ----------- ---------  ----------   ------------------------------------------------------------
b00bd77 [2]  bro         Seth Hall  2015-02-13   Add the ability to remove surrounding braces from the JSON f

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated      Title
-------  ----------- -----------  ----------   ----------------------------------------------------------
#22 [3]  bro         msmiley [4]  2015-02-10   add local_resp (to complement local_orig) to Conn Info [5]

[1] BIT-1315                      https://bro-tracker.atlassian.net/browse/BIT-1315
[2] b00bd77                       https://github.com/bro/bro/commit/b00bd7702f8962bcf8507adb0abe967c4c02426c
[3] Pull Request #22              https://github.com/bro/bro/pull/22
[4] msmiley                       https://github.com/msmiley
[5] Merge Pull Request #22 with   git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From jsiwek at illinois.edu Wed Feb 18 07:27:20 2015
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Wed, 18 Feb 2015 15:27:20 +0000
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
In-Reply-To: <20150217225814.GA16845@wifi86.sys.ICSI.Berkeley.EDU>
References: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
	<6E709765-844A-4C93-819E-8395BA71391A@illinois.edu>
	<20150217225814.GA16845@wifi86.sys.ICSI.Berkeley.EDU>
Message-ID: <7AB4A9F9-25ED-4AC9-ACDD-E1CFF9E078F6@illinois.edu>

> On Feb 17, 2015, at 4:58 PM, Johanna Amann wrote:
>
> Just to check - is removing the dependency for 2.8 as easy as changing the
> minimal cmake version and removing a few lines from one of the cmake
> scripts? Because in that case I would be tempted to just automatically
> patch it out when building for those distributions (I have a few
> distribution specific actions in the build files in any case).

Yeah, patching it out should be easy for the moment.

Here's the relevant change from the bro repo:

https://github.com/bro/bro/commit/d8890ea009fdb94ecffcf826bbfd23577396365e

And the one from bro-aux:

https://github.com/bro/bro-aux/commit/0b713c027d3efaaca50e5df995c02656175573cd

I think that one place in bro-aux is the only place that's using CMake 2.8
features right now, but let me know if you find otherwise and need any help.

- Jon

From johanna at icir.org Wed Feb 18 11:17:04 2015
From: johanna at icir.org (Johanna Amann)
Date: Wed, 18 Feb 2015 11:17:04 -0800
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
In-Reply-To: <7AB4A9F9-25ED-4AC9-ACDD-E1CFF9E078F6@illinois.edu>
References: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
	<6E709765-844A-4C93-819E-8395BA71391A@illinois.edu>
	<20150217225814.GA16845@wifi86.sys.ICSI.Berkeley.EDU>
	<7AB4A9F9-25ED-4AC9-ACDD-E1CFF9E078F6@illinois.edu>
Message-ID: <20150218191002.GA61208@Beezling.local>

On Wed, Feb 18, 2015 at 03:27:20PM +0000, Siwek, Jon wrote:
>
> Yeah, patching it out should be easy for the moment. [...]

Thank you, that worked. One more question - currently Bro does not compile
on systems that use libpcap < 1.1.1, because PCAP_NETMASK_UNKNOWN is not
defined (example compile error:
https://build.opensuse.org/package/live_build_log/home:0xxon:bro/bro-nightly/xUbuntu_10.04/i586)

Could we perhaps test for the definition of that macro and either define
it to something ourselves in that case, or just use another code-path?
On a first glance, it does not look especially critical that we use it,
but I am not really familiar with that case.

Johanna

From jsiwek at illinois.edu Wed Feb 18 15:10:14 2015
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Wed, 18 Feb 2015 23:10:14 +0000
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
In-Reply-To: <20150218191002.GA61208@Beezling.local>
References: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
	<6E709765-844A-4C93-819E-8395BA71391A@illinois.edu>
	<20150217225814.GA16845@wifi86.sys.ICSI.Berkeley.EDU>
	<7AB4A9F9-25ED-4AC9-ACDD-E1CFF9E078F6@illinois.edu>
	<20150218191002.GA61208@Beezling.local>
Message-ID: <47AD611E-2268-4B98-BA67-37C9D0DBF35F@illinois.edu>

> On Feb 18, 2015, at 1:17 PM, Johanna Amann wrote:
>
> Thank you, that worked. One more question - currently Bro does not compile
> on systems that use libpcap < 1.1.1, because PCAP_NETMASK_UNKNOWN is not
> defined (example compile error:
> https://build.opensuse.org/package/live_build_log/home:0xxon:bro/bro-nightly/xUbuntu_10.04/i586)
>
> Could we perhaps test for the definition of that macro and either define
> it to something ourselves in that case, or just use another code-path? On
> a first glance, it does not look especially critical that we use it, but I
> am not really familiar with that case.

I'm not that familiar either, but think it may be fine to provide our own
preprocessor definition if it doesn't exist.

Robin, what do you think? Was there any other functionality of recent
libpcaps that's used now? Do we know what minimum version of libpcap
should be required and checked at configure time?
- Jon

From noreply at bro.org Thu Feb 19 00:00:29 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 19 Feb 2015 00:00:29 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502190800.t1J80TWa023409@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated      For Version   Priority   Summary
------------  ----------- ---------- ------------  ----------   ------------- ---------- ------------------------
BIT-1315 [1]  Bro         Jon Siwek  Robin Sommer  2015-02-17   2.4           Low        Teach Bro how to 'while'

Open Fastpath Commits
======================

Commit       Component   Author     Date         Summary
-----------  ----------- ---------  ----------   ------------------------------------------------------------
b00bd77 [2]  bro         Seth Hall  2015-02-13   Add the ability to remove surrounding braces from the JSON f

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated      Title
-------  ----------- -----------  ----------   -------------------------------
#23 [3]  bro         msmiley [4]  2015-02-19   add local_resp to Conn Info [5]

[1] BIT-1315                      https://bro-tracker.atlassian.net/browse/BIT-1315
[2] b00bd77                       https://github.com/bro/bro/commit/b00bd7702f8962bcf8507adb0abe967c4c02426c
[3] Pull Request #23              https://github.com/bro/bro/pull/23
[4] msmiley                       https://github.com/msmiley
[5] Merge Pull Request #23 with   git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From noreply at bro.org Fri Feb 20 00:00:32 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 20 Feb 2015 00:00:32 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502200800.t1K80Whe018066@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated      For Version   Priority   Summary
------------  ----------- ---------- ------------  ----------   ------------- ---------- ------------------------
BIT-1315 [1]  Bro         Jon Siwek  Robin Sommer  2015-02-17   2.4           Low        Teach Bro how to 'while'

Open Fastpath Commits
======================

Commit       Component   Author     Date         Summary
-----------  ----------- ---------  ----------   ------------------------------------------------------------
b00bd77 [2]  bro         Seth Hall  2015-02-13   Add the ability to remove surrounding braces from the JSON f

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated      Title
-------  ----------- -----------  ----------   -------------------------------
#23 [3]  bro         msmiley [4]  2015-02-19   add local_resp to Conn Info [5]

[1] BIT-1315                      https://bro-tracker.atlassian.net/browse/BIT-1315
[2] b00bd77                       https://github.com/bro/bro/commit/b00bd7702f8962bcf8507adb0abe967c4c02426c
[3] Pull Request #23              https://github.com/bro/bro/pull/23
[4] msmiley                       https://github.com/msmiley
[5] Merge Pull Request #23 with   git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From jira at bro-tracker.atlassian.net Fri Feb 20 13:05:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 20 Feb 2015 15:05:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1315) Teach Bro how to 'while'
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1315:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Teach Bro how to 'while'
> ------------------------
>
>                 Key: BIT-1315
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1315
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>            Reporter: Jon Siwek
>            Assignee: Robin Sommer
>            Priority: Low
>             Fix For: 2.4
>
>
> topic/jsiwek/while has an implementation of a general purpose 'while' loop. If one wants to hack around the current limitation of only looping over collections, they're going to do it (e.g. recursion), so why not just provide a more convenient way instead? The mess you have to write to work around the limitation may be more error-prone than just providing a simple while loop.
> An alternative to adding 'while' to the language might be to allow "for ()" to be an unbounded loop and force the author to put the necessary break/return conditions in the body.

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net Fri Feb 20 13:22:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 20 Feb 2015 15:22:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1318) topic/robin/plugin-updates
In-Reply-To:
References:
Message-ID:

Robin Sommer created BIT-1318:
---------------------------------

             Summary: topic/robin/plugin-updates
                 Key: BIT-1318
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1318
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
            Reporter: Robin Sommer

A set of improvements to Bro's support for dynamic plugins. Branch
topic/robin/plugin-updates in bro, bro-aux, cmake, and bro-plugins.

This includes primarily updates to the init-plugin helper script:

- the script now sets up the skeleton plugin so that the *build/*
  directory becomes the place where the final plugin lives (rather than
  the top-level source directory). BRO_PLUGIN_PATH needs to point there
  now. "make distclean" simply deletes the build directory.

- the skeleton builds a binary plugin distribution in build/dist, and
  "make install" uses that to put the plugin in place. The Makefile
  targets "bdist" and "sdist" are gone.

- CMakeList.txt supports a new macro "bro_plugin_dist_files" to specify
  additional files to include into the binary plugin distribution.

- init-plugin now takes an additional parameter with a directory where
  to create the plugin.

- the "configure" script now sources a local "configure.plugin" for
  adding custom options without touching the main script.

- Makefile reloads cached CMake variables when Bro has been
  reconfigured. Addresses #1302.

The changes further include:

- Bro's "make install" now always creates the plugin installation
  directory.
- Removed setting BRO_PLUGIN_PATH from bro-path-dev.sh. Addresses #1312.

- Adapting plugin documentation to the changes.

- Adapting the three plugins in aux/plugins to the changes.

- Bro's "make install" removes some old scripts that have moved into
  plugins, but might still exist from a previous installation.

- Plugin manager treats plugin names as case-insensitive for some
  internal lookups to be a bit more tolerant in cases that could be hard
  to catch otherwise.

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From jira at bro-tracker.atlassian.net Fri Feb 20 13:22:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 20 Feb 2015 15:22:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1318) topic/robin/plugin-updates
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1318:
------------------------------

    Status: Merge Request  (was: Open)

> topic/robin/plugin-updates
> --------------------------
>
>                 Key: BIT-1318
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1318
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Robin Sommer
>
> A set of improvements to Bro's support for dynamic plugins.
> Branch topic/robin/plugin-updates in bro, bro-aux, cmake, and bro-plugins.
> This includes primarily updates to the init-plugin helper script:
> - the script now sets up the skeleton plugin so that the *build/* directory becomes the place where the final plugin lives (rather than the top-level source directory). BRO_PLUGIN_PATH needs to point there now. "make distclean" simply deletes the build directory.
> - the skeleton builds a binary plugin distribution in build/dist, and "make install" uses that to put the plugin in place. The Makefile targets "bdist" and "sdist" are gone.
> - CMakeList.txt supports a new macro "bro_plugin_dist_files" to specify additional files to include into the binary plugin distribution.
> - init-plugin now takes an additional parameter with a directory where to create the plugin.
> - the "configure" script now sources a local "configure.plugin" for adding custom options without touching the main script.
> - Makefile reloads cached CMake variables when Bro has been reconfigured. Addresses #1302.
>
> The changes further include:
> - Bro's "make install" now always creates the plugin installation directory.
> - Removed setting BRO_PLUGIN_PATH from bro-path-dev.sh. Addresses #1312.
> - Adapting plugin documentation to the changes.
> - Adapting the three plugins in aux/plugins to the changes.
> - Bro's "make install" removes some old scripts that have moved into plugins, but might still exist from a previous installation.
> - Plugin manager treats plugin names as case-insensitive for some internal lookups to be a bit more tolerant in cases that could be hard to catch otherwise.
>

--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)

From robin at icir.org Fri Feb 20 13:48:30 2015
From: robin at icir.org (Robin Sommer)
Date: Fri, 20 Feb 2015 13:48:30 -0800
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
In-Reply-To: <47AD611E-2268-4B98-BA67-37C9D0DBF35F@illinois.edu>
References: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
	<6E709765-844A-4C93-819E-8395BA71391A@illinois.edu>
	<20150217225814.GA16845@wifi86.sys.ICSI.Berkeley.EDU>
	<7AB4A9F9-25ED-4AC9-ACDD-E1CFF9E078F6@illinois.edu>
	<20150218191002.GA61208@Beezling.local>
	<47AD611E-2268-4B98-BA67-37C9D0DBF35F@illinois.edu>
Message-ID: <20150220214830.GK48843@icir.org>

On Wed, Feb 18, 2015 at 23:10 +0000, you wrote:

> I'm not that familiar either, but think it may be fine to provide our
> own preprocessor definition if it doesn't exist.
I'll remove the dependency on the macro, it's used mainly as a
placeholder value, and we can use our own for that.

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From johanna at icir.org Fri Feb 20 15:08:48 2015
From: johanna at icir.org (Johanna Amann)
Date: Fri, 20 Feb 2015 15:08:48 -0800
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
In-Reply-To: <20150220214830.GK48843@icir.org>
References: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
	<6E709765-844A-4C93-819E-8395BA71391A@illinois.edu>
	<20150217225814.GA16845@wifi86.sys.ICSI.Berkeley.EDU>
	<7AB4A9F9-25ED-4AC9-ACDD-E1CFF9E078F6@illinois.edu>
	<20150218191002.GA61208@Beezling.local>
	<47AD611E-2268-4B98-BA67-37C9D0DBF35F@illinois.edu>
	<20150220214830.GK48843@icir.org>
Message-ID: <20150220230848.GA26054@wifi86.sys.ICSI.Berkeley.EDU>

On Fri, Feb 20, 2015 at 01:48:30PM -0800, Robin Sommer wrote:
> > I'm not that familiar either, but think it may be fine to provide our
> > own preprocessor definition if it doesn't exist.
>
> I'll remove the dependency on the macro, it's used mainly as
> placeholder value, and we can use our own for that.

Thank you.
However it looks like we actually require more parts of the newer libpcap
version - now the build fails because of pcap_offline_filter:
https://build.opensuse.org/package/live_build_log/home:0xxon:bro/bro-nightly/RedHat_RHEL-5/i586

Johanna

From noreply at bro.org Sat Feb 21 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 21 Feb 2015 00:00:24 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502210800.t1L80OGu003059@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter      Assignee   Updated      For Version   Priority   Summary
------------  ----------- ------------  ---------- ----------   ------------- ---------- ------------------------------
BIT-1318 [1]  Bro         Robin Sommer  -          2015-02-20   -             Normal     topic/robin/plugin-updates [2]

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated      Title
-------  ----------- -----------  ----------   -------------------------------
#23 [3]  bro         msmiley [4]  2015-02-19   add local_resp to Conn Info [5]

[1] BIT-1318                      https://bro-tracker.atlassian.net/browse/BIT-1318
[2] plugin-updates                https://github.com/bro/bro/tree/topic/robin/plugin-updates
[3] Pull Request #23              https://github.com/bro/bro/pull/23
[4] msmiley                       https://github.com/msmiley
[5] Merge Pull Request #23 with   git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From robin at icir.org Sat Feb 21 08:06:56 2015
From: robin at icir.org (Robin Sommer)
Date: Sat, 21 Feb 2015 08:06:56 -0800
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
In-Reply-To: <20150220230848.GA26054@wifi86.sys.ICSI.Berkeley.EDU>
References: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU>
	<6E709765-844A-4C93-819E-8395BA71391A@illinois.edu>
	<20150217225814.GA16845@wifi86.sys.ICSI.Berkeley.EDU>
	<7AB4A9F9-25ED-4AC9-ACDD-E1CFF9E078F6@illinois.edu>
	<20150218191002.GA61208@Beezling.local>
	<47AD611E-2268-4B98-BA67-37C9D0DBF35F@illinois.edu>
	<20150220214830.GK48843@icir.org>
	<20150220230848.GA26054@wifi86.sys.ICSI.Berkeley.EDU>
Message-ID: <20150221160656.GR48843@icir.org>

On Fri, Feb 20, 2015 at 15:08 -0800, you wrote:

> newer libpcap version - now the build fails because of
> pcap_offline_filter:

Oh, I thought that's a function which had been around for a while. That's
not easy to get rid of, it provides BPF filtering for packet source
plugins that can't do that natively (like netmap). Do you happen to know
if there's another way to do that with older pcaps?

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From noreply at bro.org Sun Feb 22 00:00:22 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 22 Feb 2015 00:00:22 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502220800.t1M80MeB001940@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter      Assignee   Updated      For Version   Priority   Summary
------------  ----------- ------------  ---------- ----------   ------------- ---------- ------------------------------
BIT-1318 [1]  Bro         Robin Sommer  -          2015-02-20   -             Normal     topic/robin/plugin-updates [2]

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated      Title
-------  ----------- -----------  ----------   -------------------------------
#23 [3]  bro         msmiley [4]  2015-02-19   add local_resp to Conn Info [5]

[1] BIT-1318                      https://bro-tracker.atlassian.net/browse/BIT-1318
[2] plugin-updates                https://github.com/bro/bro/tree/topic/robin/plugin-updates
[3] Pull Request #23              https://github.com/bro/bro/pull/23
[4] msmiley                       https://github.com/msmiley
[5] Merge Pull Request #23 with   git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From jira at bro-tracker.atlassian.net Sun Feb 22 21:35:00 2015
From: jira at bro-tracker.atlassian.net (gclark (JIRA))
Date: Sun, 22 Feb 2015 23:35:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1270) topic/gilbert/plugin-api-tweak
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

gclark updated BIT-1270:
------------------------

    Status: Merge Request  (was: Open)

> topic/gilbert/plugin-api-tweak
> ------------------------------
>
>                 Key: BIT-1270
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1270
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: gclark
>            Assignee: gclark
>
> This branch makes a few changes to the API:
> * Wraps values in a simple class (ValWrapper) that includes an explicit processed / not processed flag (to avoid confusion with delayed / opaque invocations).
> * Adds a Frame argument to HookCallFunction
> * Adds support for Frame argument types to HookArgument
> * Adds support for ValWrapper argument types to HookArgument
> * Tweaks the plugin.hooks tests a bit to include new output (from additional argument)
> * Tweaks the plugin.api-version-mismatch to remove explicit home directory path via simple regex

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Sun Feb 22 21:38:00 2015
From: jira at bro-tracker.atlassian.net (gclark (JIRA))
Date: Sun, 22 Feb 2015 23:38:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1270) topic/gilbert/plugin-api-tweak
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19800#comment-19800 ]

gclark commented on BIT-1270:
-----------------------------

Merged master into my branch. This includes changes to modify hook return
into std::pair<> as described above. I think I've also de-cluttered the
changes a bit, but let me know if that's still bad and will fix again.
Ticket updated to merge request status again.
> topic/gilbert/plugin-api-tweak
> ------------------------------
>
>                 Key: BIT-1270
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1270
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: gclark
>            Assignee: gclark
>
> This branch makes a few changes to the API:
> * Wraps values in a simple class (ValWrapper) that includes an explicit processed / not processed flag (to avoid confusion with delayed / opaque invocations).
> * Adds a Frame argument to HookCallFunction
> * Adds support for Frame argument types to HookArgument
> * Adds support for ValWrapper argument types to HookArgument
> * Tweaks the plugin.hooks tests a bit to include new output (from additional argument)
> * Tweaks the plugin.api-version-mismatch to remove explicit home directory path via simple regex

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Sun Feb 22 21:39:00 2015
From: jira at bro-tracker.atlassian.net (gclark (JIRA))
Date: Sun, 22 Feb 2015 23:39:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1270) topic/gilbert/plugin-api-tweak
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19800#comment-19800 ]

gclark edited comment on BIT-1270 at 2/22/15 11:38 PM:
-------------------------------------------------------

Merged master into my branch. This change set modifies hook return into
std::pair<> as described above. I think I've also de-cluttered the changes
a bit, but let me know if that's still bad and will fix again. Ticket
updated to merge request status again.

was (Author: gclark):
Merged master into my branch. This includes changes to modify hook return
into std::pair<> as described above. I think I've also de-cluttered the
changes a bit, but let me know if that's still bad and will fix again.
Ticket updated to merge request status again.
> topic/gilbert/plugin-api-tweak
> ------------------------------
>
>                 Key: BIT-1270
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1270
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: gclark
>            Assignee: gclark
>
> This branch makes a few changes to the API:
> * Wraps values in a simple class (ValWrapper) that includes an explicit processed / not processed flag (to avoid confusion with delayed / opaque invocations).
> * Adds a Frame argument to HookCallFunction
> * Adds support for Frame argument types to HookArgument
> * Adds support for ValWrapper argument types to HookArgument
> * Tweaks the plugin.hooks tests a bit to include new output (from additional argument)
> * Tweaks the plugin.api-version-mismatch to remove explicit home directory path via simple regex

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From noreply at bro.org Mon Feb 23 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 23 Feb 2015 00:00:24 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502230800.t1N80OQ9023331@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter      Assignee   Updated      For Version   Priority   Summary
------------  ----------- ------------  ---------- ----------   ------------- ---------- ----------------------------------
BIT-1318 [1]  Bro         Robin Sommer  -          2015-02-20   -             Normal     topic/robin/plugin-updates [2]
BIT-1270 [3]  Bro         gclark        gclark     2015-02-22   -             Normal     topic/gilbert/plugin-api-tweak [4]

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated      Title
-------  ----------- -----------  ----------   -------------------------------
#23 [5]  bro         msmiley [6]  2015-02-19   add local_resp to Conn Info [7]

[1] BIT-1318                      https://bro-tracker.atlassian.net/browse/BIT-1318
[2] plugin-updates                https://github.com/bro/bro/tree/topic/robin/plugin-updates
[3] BIT-1270                      https://bro-tracker.atlassian.net/browse/BIT-1270
[4] plugin-api-tweak              https://github.com/bro/bro/tree/topic/gilbert/plugin-api-tweak
[5] Pull Request #23              https://github.com/bro/bro/pull/23
[6] msmiley                       https://github.com/msmiley
[7] Merge Pull Request #23 with   git pull --no-ff --no-commit https://github.com/msmiley/bro.git master

From jira at bro-tracker.atlassian.net Mon Feb 23 08:46:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 23 Feb 2015 10:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker
In-Reply-To:
References:
Message-ID:

Jon Siwek created BIT-1319:
------------------------------

             Summary: topic/jsiwek/broker
                 Key: BIT-1319
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1319
             Project: Bro Issue Tracker
          Issue Type: New Feature
          Components: Bro
            Reporter: Jon Siwek
             Fix For: 2.4

The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the
initial support for Broker.

Notes/Disclaimers/Caveats:

- Bro has a --enable-broker configure flag.

- requires actor-framework "develop" branch. When version 0.13 is out, I
  will put that as a requirement in the README and have CMake check for
  that.

- no C bindings yet

- no Python bindings yet

- other than checking compilation and that the new unit tests pass on
  Linux/FreeBSD/Mac, I've not done much extensive testing, profiling,
  optimization etc.

- the serialization format for persistent data stores is currently
  unversioned, so backwards compatibility is pretty sketchy for most data
  types if they're ever changed in the future. Should be easy to add a
  version tag for each C++ class/struct that needs to be persisted. Do we
  also need to assume persistent data may be transferred to different
  hosts (i.e. be mindful of endianness)? I guess that could even be an
  option left to the user to select if they're certain they'd rather have
  a bit better performance than portability.
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Mon Feb 23 08:46:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 23 Feb 2015 10:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1319:
---------------------------

    Status: Merge Request  (was: Open)

> topic/jsiwek/broker
> -------------------
>
>                 Key: BIT-1319
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1319
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>            Reporter: Jon Siwek
>             Fix For: 2.4
>
>
> The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker.
> Notes/Disclaimers/Caveats:
> - Bro has a --enable-broker configure flag.
> - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet
> - no Python bindings yet
> - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.
> - the serialization format for persistent data stores is currently unversioned, so backwards compatibility is pretty sketchy for most data types if they're ever changed in the future. Should be easy to add a version tag for each C++ class/struct that needs to be persisted. Do we also need to assume persistent data may be transferred to different hosts (i.e. be mindful of endianness)? I guess that could even be an option left to the user to select if they're certain they'd rather have a bit better performance than portability.
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Feb 23 08:55:02 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 23 Feb 2015 10:55:02 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1318) topic/robin/plugin-updates In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek reassigned BIT-1318: ------------------------------ Assignee: Jon Siwek > topic/robin/plugin-updates > -------------------------- > > Key: BIT-1318 > URL: https://bro-tracker.atlassian.net/browse/BIT-1318 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: git/master > Reporter: Robin Sommer > Assignee: Jon Siwek > > A set of improvements to Bro's support for dynamic plugins. > Branch topic/robin/plugin-updates in bro, bro-aux, cmake, and bro-plugins. > This includes primarily updates to the init-plugin helper script: > - the script now sets up the skeleton plugin so that the *build/* directory becomes the place where the final plugin lives (rather than the top-level source directory). BRO_PLUGIN_PATH needs to point there now. "make distclean" simply deletes the build directory. > - the skeleton builds a binary plugin distribution in build/dist, and "make install" uses that to put the plugin in place. The Makefile targets "bdist" and "sdist" are gone. > - CMakeList.txt supports a new macro "bro_plugin_dist_files" to specify additional files to include into the binary plugin distribution. > - init-plugin now takes an additional parameter with a directory where to create the plugin. > - the "configure" script now sources a local "configure.plugin" for adding custom options without touch the main script. > - Makefile reloads cached CMake variables when Bro has been reconfigured. Addresses #1302. 
> > The changes further include: > - Bro's "make install" now always creates the plugin installation directory. > - Removed setting BRO_PLUGIN_PATH from bro-path-dev.sh. Addresses #1312. > - Adapting plugin documentation to the changes. > - Adapting the three plugins aux/plugins to changes. > - Bro's "make install" removes some old scripts that have moved into plugins, but might still exist from a previous installation. > - Plugin managers treats plugin names as case-insenstive for some internal lookups to be a bit more tolerant in cases that could be hard to catch otherwise. > -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Feb 23 10:22:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 23 Feb 2015 12:22:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1318) topic/robin/plugin-updates In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1318: --------------------------- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > topic/robin/plugin-updates > -------------------------- > > Key: BIT-1318 > URL: https://bro-tracker.atlassian.net/browse/BIT-1318 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: git/master > Reporter: Robin Sommer > Assignee: Jon Siwek > > A set of improvements to Bro's support for dynamic plugins. > Branch topic/robin/plugin-updates in bro, bro-aux, cmake, and bro-plugins. > This includes primarily updates to the init-plugin helper script: > - the script now sets up the skeleton plugin so that the *build/* directory becomes the place where the final plugin lives (rather than the top-level source directory). BRO_PLUGIN_PATH needs to point there now. "make distclean" simply deletes the build directory. 
> - the skeleton builds a binary plugin distribution in build/dist, and "make install" uses that to put the plugin in place. The Makefile targets "bdist" and "sdist" are gone. > - CMakeList.txt supports a new macro "bro_plugin_dist_files" to specify additional files to include into the binary plugin distribution. > - init-plugin now takes an additional parameter with a directory where to create the plugin. > - the "configure" script now sources a local "configure.plugin" for adding custom options without touch the main script. > - Makefile reloads cached CMake variables when Bro has been reconfigured. Addresses #1302. > > The changes further include: > - Bro's "make install" now always creates the plugin installation directory. > - Removed setting BRO_PLUGIN_PATH from bro-path-dev.sh. Addresses #1312. > - Adapting plugin documentation to the changes. > - Adapting the three plugins aux/plugins to changes. > - Bro's "make install" removes some old scripts that have moved into plugins, but might still exist from a previous installation. > - Plugin managers treats plugin names as case-insenstive for some internal lookups to be a bit more tolerant in cases that could be hard to catch otherwise. 
> -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Feb 23 10:23:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 23 Feb 2015 12:23:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1312) Plugin path loaded from bro-path-dev.sh In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1312?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1312: --------------------------- Resolution: Fixed Fix Version/s: 2.4 Status: Closed (was: Open) > Plugin path loaded from bro-path-dev.sh > --------------------------------------- > > Key: BIT-1312 > URL: https://bro-tracker.atlassian.net/browse/BIT-1312 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Seth Hall > Assignee: Robin Sommer > Fix For: 2.4 > > > Currently the bro-path-dev.sh script is adding your installation directory to the BRO_PLUGIN_PATH which is causing crashes that are really confusing -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Feb 23 10:23:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 23 Feb 2015 12:23:01 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1318) topic/robin/plugin-updates In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1318: --------------------------- Fix Version/s: 2.4 > topic/robin/plugin-updates > -------------------------- > > Key: BIT-1318 > URL: https://bro-tracker.atlassian.net/browse/BIT-1318 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: git/master > Reporter: Robin Sommer > Assignee: Jon Siwek > Fix For: 2.4 > > > A set of improvements to Bro's support for dynamic plugins. 
> Branch topic/robin/plugin-updates in bro, bro-aux, cmake, and bro-plugins. > This includes primarily updates to the init-plugin helper script: > - the script now sets up the skeleton plugin so that the *build/* directory becomes the place where the final plugin lives (rather than the top-level source directory). BRO_PLUGIN_PATH needs to point there now. "make distclean" simply deletes the build directory. > - the skeleton builds a binary plugin distribution in build/dist, and "make install" uses that to put the plugin in place. The Makefile targets "bdist" and "sdist" are gone. > - CMakeList.txt supports a new macro "bro_plugin_dist_files" to specify additional files to include into the binary plugin distribution. > - init-plugin now takes an additional parameter with a directory where to create the plugin. > - the "configure" script now sources a local "configure.plugin" for adding custom options without touch the main script. > - Makefile reloads cached CMake variables when Bro has been reconfigured. Addresses #1302. > > The changes further include: > - Bro's "make install" now always creates the plugin installation directory. > - Removed setting BRO_PLUGIN_PATH from bro-path-dev.sh. Addresses #1312. > - Adapting plugin documentation to the changes. > - Adapting the three plugins aux/plugins to changes. > - Bro's "make install" removes some old scripts that have moved into plugins, but might still exist from a previous installation. > - Plugin managers treats plugin names as case-insenstive for some internal lookups to be a bit more tolerant in cases that could be hard to catch otherwise. 
> -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Feb 23 10:23:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 23 Feb 2015 12:23:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1302) configuration of dynamic Bro plugin easily desynchronizes with Bro's configuration In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1302?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1302: --------------------------- Resolution: Fixed Fix Version/s: 2.4 Status: Closed (was: Open) > configuration of dynamic Bro plugin easily desynchronizes with Bro's configuration > ---------------------------------------------------------------------------------- > > Key: BIT-1302 > URL: https://bro-tracker.atlassian.net/browse/BIT-1302 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro, bro-aux > Reporter: Jon Siwek > Assignee: Robin Sommer > Priority: Low > Fix For: 2.4 > > > Any way for a dynamic plugin to automatically detect Bro's CMakeCache.txt has been changed since the last time it did a "load_cache" so that it can re-run the CMake configuration process? > Maybe a hacky way would be to force the top-level/skeleton Makefile of the plugin to always do a `./configure` or a `touch build/CMakeCache.txt`. > The specific problem I ran in to was > 1) do a plain `./configure` of Bro > 2) configure/build a plugin (e.g. I was using btest/plugins/file-plugin) > 3) change my mind and do a `./configure --enable-debug` of Bro. > 4) (re)building the plugin still uses the original compiler flags inherited from Bro's CMakeCache, but it's really important that it be using the same debug flags. In this case not too bad to realize that ABI of the Val class depends on -DDEBUG, but was still pretty unique/subtle to trace the resulting crashes back to the difference in compile flags between Bro and the plugin. 
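The four-step scenario in BIT-1302 comes down to one check: is the cache the plugin loaded still the cache Bro is built from? The following is an added example, not the init-plugin skeleton's Makefile logic that eventually addressed the ticket. It parses `CMakeCache.txt` entries (`KEY:TYPE=VALUE`), flags the plugin as needing a reconfigure when its copy of the cache is missing, older than Bro's, or disagrees on an inherited variable, and replays the ticket's steps on constructed cache files in a temporary directory. The variable list and the cache contents are assumptions made for the example, not Bro's real cache.

```python
"""Detect when a plugin's cached CMake configuration no longer matches Bro's.

Added example (not the init-plugin skeleton's own Makefile logic). It implements
the check BIT-1302 asks for: compare the cache the plugin loaded against Bro's
current CMakeCache.txt by timestamp and by the values of inherited variables.
The cache contents below are constructed samples.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Variables a plugin inherits from Bro's cache; any difference means the plugin
# was configured against a different Bro build (assumed list for the example).
INHERITED = ("CMAKE_BUILD_TYPE", "CMAKE_CXX_FLAGS", "ENABLE_DEBUG")

# Constructed cache contents: a plain configure and a --enable-debug configure.
BRO_PLAIN = """# This is the CMakeCache file.
//Choose the type of build.
CMAKE_BUILD_TYPE:STRING=RelWithDebInfo
CMAKE_CXX_FLAGS:STRING=
ENABLE_DEBUG:BOOL=false
"""
BRO_DEBUG = """# This is the CMakeCache file.
//Choose the type of build.
CMAKE_BUILD_TYPE:STRING=Debug
CMAKE_CXX_FLAGS:STRING=-DDEBUG
ENABLE_DEBUG:BOOL=true
"""


def parse_cmake_cache(text: str) -> Dict[str, str]:
    """Parse CMakeCache.txt lines of the form KEY:TYPE=VALUE, skipping comments."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "//")) or "=" not in line:
            continue
        lhs, value = line.split("=", 1)
        key = lhs.split(":", 1)[0]        # drop the :TYPE suffix
        values[key] = value
    return values


def stale_variables(bro_cache: str, plugin_cache: str) -> List[Tuple[str, str, str]]:
    """Return (name, bro_value, plugin_value) for inherited variables that differ."""
    bro = parse_cmake_cache(bro_cache)
    plugin = parse_cmake_cache(plugin_cache)
    return [(name, bro.get(name, ""), plugin.get(name, ""))
            for name in INHERITED if bro.get(name, "") != plugin.get(name, "")]


def needs_reconfigure(bro_cache_path: str, plugin_cache_path: str) -> bool:
    """True if the plugin must re-run CMake: its cache is missing, older than
    Bro's cache, or disagrees with it on an inherited variable."""
    if not os.path.exists(plugin_cache_path):
        return True
    if os.stat(bro_cache_path).st_mtime > os.stat(plugin_cache_path).st_mtime:
        return True
    with open(bro_cache_path) as f, open(plugin_cache_path) as g:
        return bool(stale_variables(f.read(), g.read()))


def _write(path: str, text: str, mtime: int) -> None:
    """Write a constructed cache file and pin its mtime so the demo is deterministic."""
    with open(path, "w") as f:
        f.write(text)
    os.utime(path, (mtime, mtime))


def demo() -> Tuple[bool, bool]:
    """Replay the ticket's steps on constructed caches.

    Returns (stale after step 2, stale after step 3): the plugin is fine right
    after it loads Bro's cache, and must reconfigure once Bro is rebuilt with
    --enable-debug.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bro = os.path.join(tmp, "bro-CMakeCache.txt")
        plugin = os.path.join(tmp, "plugin-build-CMakeCache.txt")
        _write(bro, BRO_PLAIN, mtime=1000)       # 1) plain ./configure of Bro
        _write(plugin, BRO_PLAIN, mtime=1001)    # 2) plugin load_cache copies it
        after_step2 = needs_reconfigure(bro, plugin)
        _write(bro, BRO_DEBUG, mtime=1002)       # 3) ./configure --enable-debug of Bro
        after_step3 = needs_reconfigure(bro, plugin)   # 4) old flags must not be reused
        return after_step2, after_step3
```

The timestamp test alone catches the ticket's case; the variable comparison is what tells the developer *why* (here `CMAKE_CXX_FLAGS` gained `-DDEBUG`, the flag the ticket says changes the ABI of `Val`), which is the part that was "unique/subtle to trace" from a crash.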
From jira at bro-tracker.atlassian.net Mon Feb 23 10:28:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 23 Feb 2015 12:28:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1318) topic/robin/plugin-updates

    [ https://bro-tracker.atlassian.net/browse/BIT-1318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19801#comment-19801 ]

Jon Siwek commented on BIT-1318:
--------------------------------

One note about the merge: I didn't update CHANGES in the bro-plugins repo; not sure how you want to track those.

> topic/robin/plugin-updates
> --------------------------
>
>                 Key: BIT-1318
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1318
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> A set of improvements to Bro's support for dynamic plugins.
> Branch topic/robin/plugin-updates in bro, bro-aux, cmake, and bro-plugins.
> This includes primarily updates to the init-plugin helper script:
> - the script now sets up the skeleton plugin so that the *build/* directory becomes the place where the final plugin lives (rather than the top-level source directory). BRO_PLUGIN_PATH needs to point there now. "make distclean" simply deletes the build directory.
> - the skeleton builds a binary plugin distribution in build/dist, and "make install" uses that to put the plugin in place. The Makefile targets "bdist" and "sdist" are gone.
> - CMakeList.txt supports a new macro "bro_plugin_dist_files" to specify additional files to include into the binary plugin distribution.
> - init-plugin now takes an additional parameter with a directory in which to create the plugin.
> - the "configure" script now sources a local "configure.plugin" for adding custom options without touching the main script.
> - Makefile reloads cached CMake variables when Bro has been reconfigured. Addresses #1302.
>
> The changes further include:
> - Bro's "make install" now always creates the plugin installation directory.
> - Removed setting BRO_PLUGIN_PATH from bro-path-dev.sh. Addresses #1312.
> - Adapting plugin documentation to the changes.
> - Adapting the three plugins in aux/plugins to the changes.
> - Bro's "make install" removes some old scripts that have moved into plugins, but might still exist from a previous installation.
> - Plugin manager treats plugin names as case-insensitive for some internal lookups to be a bit more tolerant in cases that could be hard to catch otherwise.

From johanna at icir.org Mon Feb 23 10:47:46 2015
From: johanna at icir.org (Johanna Amann)
Date: Mon, 23 Feb 2015 10:47:46 -0800
Subject: [Bro-Dev] Compiling Bro on RedHat, CentOs 6 and earlier (cmake)
In-Reply-To: <20150221160656.GR48843@icir.org>
References: <20150217204857.GA14869@wifi86.sys.ICSI.Berkeley.EDU> <6E709765-844A-4C93-819E-8395BA71391A@illinois.edu> <20150217225814.GA16845@wifi86.sys.ICSI.Berkeley.EDU> <7AB4A9F9-25ED-4AC9-ACDD-E1CFF9E078F6@illinois.edu> <20150218191002.GA61208@Beezling.local> <47AD611E-2268-4B98-BA67-37C9D0DBF35F@illinois.edu> <20150220214830.GK48843@icir.org> <20150220230848.GA26054@wifi86.sys.ICSI.Berkeley.EDU> <20150221160656.GR48843@icir.org>
Message-ID: <20150223184746.GA55723@wifi86.sys.ICSI.Berkeley.EDU>

> > newer libpcap version - now the build fails because of
> > pcap_offline_filter:
>
> Oh, I thought that's a function which had been around for a while.
> That's not easy to get rid of, it provides BPF filtering for packet
> source plugins that can't do that natively (like netmap). Do you
> happen to know if there's another way to do that with older pcaps?

No, I don't. But that is fine I guess - in that case we just do not have packages for RH5 anymore.

Your fix made it compile on a few other distributions (like older Ubuntus), so it was not in vain :)

Johanna

From noreply at bro.org Tue Feb 24 00:00:29 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 24 Feb 2015 00:00:29 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502240800.t1O80Tbi003043@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter    Assignee   Updated     For Version   Priority   Summary
------------  ----------  ----------  ---------  ----------  ------------  ---------  ----------------------------------
BIT-1319 [1]  Bro         Jon Siwek   -          2015-02-23  2.4           Normal     topic/jsiwek/broker [2]
BIT-1270 [3]  Bro         gclark      gclark     2015-02-22  -             Normal     topic/gilbert/plugin-api-tweak [4]

Open GitHub Pull Requests
=========================

Issue    Component   User           Updated     Title
-------  ----------  -------------  ----------  ---------------------------------------------------------
#25 [5]  bro         eunsilhan [6]  2015-02-24  Topic/jshlbrd/rdp [7]
#24 [8]  bro         msmiley [9]    2015-02-24  add bytes_recvd to Stats and stats.bro for reporting [10]

[1] BIT-1319 https://bro-tracker.atlassian.net/browse/BIT-1319
[2] broker https://github.com/bro/bro/tree/topic/jsiwek/broker
[3] BIT-1270 https://bro-tracker.atlassian.net/browse/BIT-1270
[4] plugin-api-tweak https://github.com/bro/bro/tree/topic/gilbert/plugin-api-tweak
[5] Pull Request #25 https://github.com/bro/bro/pull/25
[6] eunsilhan https://github.com/eunsilhan
[7] Merge Pull Request #25 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp
[8] Pull Request #24 https://github.com/bro/bro/pull/24
[9] msmiley https://github.com/msmiley
[10] Merge Pull Request #24 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git stats-bytes-recvd

From noreply at bro.org Wed Feb 25 00:00:25 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 25 Feb 2015 00:00:25 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502250800.t1P80P6h026430@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter    Assignee   Updated     For Version   Priority   Summary
------------  ----------  ----------  ---------  ----------  ------------  ---------  ----------------------------------
BIT-1319 [1]  Bro         Jon Siwek   -          2015-02-23  2.4           Normal     topic/jsiwek/broker [2]
BIT-1270 [3]  Bro         gclark      gclark     2015-02-22  -             Normal     topic/gilbert/plugin-api-tweak [4]

Open GitHub Pull Requests
=========================

Issue    Component   User           Updated     Title
-------  ----------  -------------  ----------  ---------------------------------------------------------
#25 [5]  bro         eunsilhan [6]  2015-02-24  Topic/jshlbrd/rdp [7]
#24 [8]  bro         msmiley [9]    2015-02-24  add bytes_recvd to Stats and stats.bro for reporting [10]

[1] BIT-1319 https://bro-tracker.atlassian.net/browse/BIT-1319
[2] broker https://github.com/bro/bro/tree/topic/jsiwek/broker
[3] BIT-1270 https://bro-tracker.atlassian.net/browse/BIT-1270
[4] plugin-api-tweak https://github.com/bro/bro/tree/topic/gilbert/plugin-api-tweak
[5] Pull Request #25 https://github.com/bro/bro/pull/25
[6] eunsilhan https://github.com/eunsilhan
[7] Merge Pull Request #25 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp
[8] Pull Request #24 https://github.com/bro/bro/pull/24
[9] msmiley https://github.com/msmiley
[10] Merge Pull Request #24 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git stats-bytes-recvd

From jira at bro-tracker.atlassian.net Wed Feb 25 09:32:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 25 Feb 2015 11:32:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld

Daniel Thayer created BIT-1320:
----------------------------------

             Summary: topic/jazoff/broctld
                 Key: BIT-1320
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1320
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BroControl
            Reporter: Daniel Thayer
             Fix For: 2.4

Branch topic/jazoff/broctld in the broctl repo contains significant code reorganization for the upcoming broctld. Here is a high-level list of changes:

1) Refactor broctl to make it usable as a library (reduce global state, module-level setup code, and functions return results instead of printing),
2) Integrate ssh_runner code into broctl to fix current problems (use only one connection per host instead of one per Bro node, broctl shouldn't hang when a host goes down or if we forgot to run "broctl install"),
3) Write state info using SQLite state storage instead of writing to a plain text file (broctl.dat),
4) When the node config changes, we now do additional checks for any Bro nodes running that are no longer in our node config, and warn the user if any are detected,
5) Keep track of the expected state (running or stopped) of each Bro node, and have broctl cron start or stop nodes as needed,
6) Improved broctl cron by adding two new options (MailHostUpDown and StatsLogEnable) to give users the option to turn off unwanted functionality to speed up broctl cron and reduce the chance of errors,
7) When broctl cron tries to send email but fails, it now outputs a message that includes the text it was trying to mail,
8) Silence warning messages (that are intended for interactive use of broctl) when broctl cron runs, to reduce unwanted emails from cron,
9) Added new broctl option StatusCmdShowAll to enable users to speed up "broctl status" significantly,
10) Fixed the stats-to-csv script to not create files that can never include any data,
11) Fixed archive-log script to detect the exit status of the gzip or cp command, so that we don't delete the log file when the archival fails,
12) Improved post-terminate script to process log files more consistently,
13) Made all broctl command output go to stdout (previously, some output would go to stderr, which made grepping or redirecting the output more difficult),
14) Improved the default broctl.cfg file to show more of the useful options,
15) Added more error checks to help catch errors earlier,
16) Some error message output is more specific and helpful now

From jira at bro-tracker.atlassian.net Wed Feb 25 11:27:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 25 Feb 2015 13:27:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld

    [ https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1320:
-------------------------------
    Status: Merge Request  (was: Open)

> topic/jazoff/broctld
> --------------------
>
>                 Key: BIT-1320
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1320
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>             Fix For: 2.4
>
>
> Branch topic/jazoff/broctld in the broctl repo contains significant code reorganization
> for the upcoming broctld. Here is a high-level list of changes:
> 1) Refactor broctl to make it usable as a library (reduce global state, module-level setup code, and functions return results instead of printing),
> 2) Integrate ssh_runner code into broctl to fix current problems (use only one connection per host instead of one per Bro node, broctl shouldn't hang when a host goes down or if we forgot to run "broctl install"),
> 3) Write state info using SQLite state storage instead of writing to a plain text file (broctl.dat),
> 4) When the node config changes, we now do additional checks for any Bro nodes running that are no longer in our node config, and warn the user if any are detected,
> 5) Keep track of the expected state (running or stopped) of each Bro node, and have broctl cron start or stop nodes as needed,
> 6) Improved broctl cron by adding two new options (MailHostUpDown and StatsLogEnable) to give users the option to turn off unwanted functionality to speed up broctl cron and reduce the chance of errors,
> 7) When broctl cron tries to send email but fails, it now outputs a message that includes the text it was trying to mail,
> 8) Silence warning messages (that are intended for interactive use of broctl) when broctl cron runs, to reduce unwanted emails from cron,
> 9) Added new broctl option StatusCmdShowAll to enable users to speed up "broctl status" significantly,
> 10) Fixed the stats-to-csv script to not create files that can never include any data,
> 11) Fixed archive-log script to detect the exit status of the gzip or cp command, so that we don't delete the log file when the archival fails,
> 12) Improved post-terminate script to process log files more consistently,
> 13) Made all broctl command output go to stdout (previously, some output would go to stderr, which made grepping or redirecting the output more difficult),
> 14) Improved the default broctl.cfg file to show more of the useful options,
> 15) Added more error checks to help catch errors earlier,
> 16) Some error message output is more specific and helpful now

From jira at bro-tracker.atlassian.net Wed Feb 25 14:04:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 25 Feb 2015 16:04:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1321) Merge topic/johanna/ssl-policy

Johanna Amann created BIT-1321:
----------------------------------

             Summary: Merge topic/johanna/ssl-policy
                 Key: BIT-1321
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1321
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
            Reporter: Johanna Amann
             Fix For: 2.4

Please merge topic/johanna/ssl-policy. It changes the TLS policy files and mainly adds the ability to alert when encountering old SSL versions & cipher suites that should no longer be used.

From jira at bro-tracker.atlassian.net Wed Feb 25 14:04:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 25 Feb 2015 16:04:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1321) Merge topic/johanna/ssl-policy

    [ https://bro-tracker.atlassian.net/browse/BIT-1321?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1321:
-------------------------------
    Status: Merge Request  (was: Open)

> Merge topic/johanna/ssl-policy
> ------------------------------
>
>                 Key: BIT-1321
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1321
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>              Labels: ssl
>             Fix For: 2.4
>
>
> Please merge topic/johanna/ssl-policy. It changes the TLS policy files and mainly adds the ability to alert when encountering old SSL versions & cipher suites that should no longer be used.
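BIT-1321 describes the new policy at the level of intent only (alert on old SSL versions and on cipher suites that should no longer be used). The block below is an added example, not the topic/johanna/ssl-policy scripts themselves, which are Bro policy scripts that run inside Bro: it applies the same rule offline to ssl.log-style records, so an analyst can run it over an existing log to see what the policy would flag. The sample log lines are constructed, they carry only a subset of ssl.log's columns, and the sets of "old" versions and weak-cipher name markers are assumptions made for the example rather than the branch's actual lists.

```python
"""Flag ssl.log records whose SSL/TLS version or cipher suite should no longer be used.

Added example (not the topic/johanna/ssl-policy scripts): an offline check over
Bro ssl.log-style, tab-separated records. The sample log, the column subset,
and the old-version / weak-cipher lists are assumptions for illustration.
"""
from typing import Dict, List

# Protocol versions treated as obsolete (assumed for the example).
OLD_VERSIONS = {"SSLv2", "SSLv3"}

# Name fragments that mark a cipher suite as weak (assumed list): no encryption,
# export-grade keys, RC4, single DES, anonymous key exchange, MD5 MAC.
WEAK_CIPHER_MARKERS = ("_NULL_", "_EXPORT", "_RC4_", "_DES_", "_ANON_", "_MD5")

# Column subset used here; a real ssl.log carries more fields.
FIELDS = ("ts", "id.orig_h", "id.resp_h", "version", "cipher")

# Constructed sample log (not real traffic).
SAMPLE_SSL_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tversion\tcipher
1424908800.10\t10.0.0.5\t192.0.2.10\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
1424908801.22\t10.0.0.6\t192.0.2.11\tSSLv3\tTLS_RSA_WITH_RC4_128_SHA
1424908802.50\t10.0.0.7\t192.0.2.12\tTLSv10\tTLS_RSA_EXPORT_WITH_RC4_40_MD5
1424908803.01\t10.0.0.8\t192.0.2.13\tTLSv12\tTLS_RSA_WITH_NULL_SHA256
"""


def parse_ssl_log(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated records, taking column names from the #fields line."""
    columns = list(FIELDS)
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            columns = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue                      # #separator, #types, #close and similar
        records.append(dict(zip(columns, line.split("\t"))))
    return records


def weak_cipher(cipher: str) -> bool:
    """True if the suite name carries one of the weak-cipher markers."""
    return any(marker in cipher for marker in WEAK_CIPHER_MARKERS)


def policy_reasons(record: Dict[str, str]) -> List[str]:
    """Reasons a single record violates the policy; empty if it is acceptable."""
    reasons = []
    version = record.get("version", "")
    cipher = record.get("cipher", "")
    if version in OLD_VERSIONS:
        reasons.append(f"obsolete protocol version {version}")
    if weak_cipher(cipher):
        reasons.append(f"weak cipher suite {cipher}")
    return reasons


def find_policy_violations(text: str) -> List[Dict[str, object]]:
    """Run the policy over a log and return one finding per violating record."""
    findings = []
    for rec in parse_ssl_log(text):
        reasons = policy_reasons(rec)
        if reasons:
            findings.append({"orig_h": rec["id.orig_h"],
                             "resp_h": rec["id.resp_h"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_policy_violations(SAMPLE_SSL_LOG):
        print(f"{f['orig_h']} -> {f['resp_h']}: " + "; ".join(f["reasons"]))
```

Version and cipher are checked independently so that a modern TLS version negotiated with a weak suite (the last sample record) is still reported; inside Bro the same split lets the two notices be tuned or suppressed separately.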
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From noreply at bro.org Thu Feb 26 00:00:16 2015 From: noreply at bro.org (Merge Tracker) Date: Thu, 26 Feb 2015 00:00:16 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201502260800.t1Q80GV7021096@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ---------- ---------- ------------- ---------- ---------------------------------- BIT-1321 [1] Bro Johanna Amann - 2015-02-25 2.4 Normal Merge topic/johanna/ssl-policy BIT-1320 [2] BroControl Daniel Thayer - 2015-02-25 2.4 Normal topic/jazoff/broctld [3] BIT-1319 [4] Bro Jon Siwek - 2015-02-23 2.4 Normal topic/jsiwek/broker [5] BIT-1270 [6] Bro gclark gclark 2015-02-22 - Normal topic/gilbert/plugin-api-tweak [7] Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- ------------- ---------- --------------------------------------------------------- #25 [8] bro eunsilhan [9] 2015-02-24 Topic/jshlbrd/rdp [10] #24 [11] bro msmiley [12] 2015-02-24 add bytes_recvd to Stats and stats.bro for reporting [13] [1] BIT-1321 https://bro-tracker.atlassian.net/browse/BIT-1321 [2] BIT-1320 https://bro-tracker.atlassian.net/browse/BIT-1320 [3] broctld https://github.com/bro/brocontrol/tree/topic/jazoff/broctld [4] BIT-1319 https://bro-tracker.atlassian.net/browse/BIT-1319 [5] broker https://github.com/bro/bro/tree/topic/jsiwek/broker [6] BIT-1270 https://bro-tracker.atlassian.net/browse/BIT-1270 [7] plugin-api-tweak https://github.com/bro/bro/tree/topic/gilbert/plugin-api-tweak [8] Pull Request #25 https://github.com/bro/bro/pull/25 [9] eunsilhan https://github.com/eunsilhan [10] Merge Pull Request #25 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp [11] Pull Request #24 https://github.com/bro/bro/pull/24 [12] msmiley https://github.com/msmiley [13] Merge Pull 
Request #24 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git stats-bytes-recvd From jira at bro-tracker.atlassian.net Thu Feb 26 08:14:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Thu, 26 Feb 2015 10:14:01 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1319: --------------------------- Description: The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker. Notes/Disclaimers/Caveats: - Bro has a --enable-broker configure flag. - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that. - no C bindings yet - no Python bindings yet - other than checking compilation that the new unit tests pass on Linux/FreeBSD/Mac, I've not done must extensive of testing, profiling, optimization etc. was: The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker. Notes/Disclaimers/Caveats: - Bro has a --enable-broker configure flag. - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that. - no C bindings yet - no Python bindings yet - other than checking compilation that the new unit tests pass on Linux/FreeBSD/Mac, I've not done must extensive of testing, profiling, optimization etc. - the serialization format for persistent data stores is currently unversioned, so backwards compatibility is pretty sketchy for most data types if they're ever changed in the future. Should be easy to add a version tag for each C++ class/struct that needs to be persisted. Do we also need to assume persistent data may be transferred to different hosts (i.e. be mindful of endianness) ? 
I guess that could even be an option left to user to select if they're certain they'd rather have a bit better performance than portability. > topic/jsiwek/broker > ------------------- > > Key: BIT-1319 > URL: https://bro-tracker.atlassian.net/browse/BIT-1319 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Reporter: Jon Siwek > Fix For: 2.4 > > > The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker. > Notes/Disclaimers/Caveats: > - Bro has a --enable-broker configure flag. > - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that. > - no C bindings yet > - no Python bindings yet > - other than checking compilation that the new unit tests pass on Linux/FreeBSD/Mac, I've not done must extensive of testing, profiling, optimization etc. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Thu Feb 26 11:43:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 26 Feb 2015 13:43:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1322) btest should warn when using -T option but cannot create timing baseline In-Reply-To: References: Message-ID: Daniel Thayer created BIT-1322: ---------------------------------- Summary: btest should warn when using -T option but cannot create timing baseline Key: BIT-1322 URL: https://bro-tracker.atlassian.net/browse/BIT-1322 Project: Bro Issue Tracker Issue Type: Problem Components: BTest Reporter: Daniel Thayer Fix For: 2.4 When using "btest -T" on a system that cannot perform timing measurements there is no warning message to notify the user that the requested operation (create a timing baseline) cannot be performed. This is especially confusing on a Linux machine that has the "perf" command installed, but not other required components. 
From jira at bro-tracker.atlassian.net  Thu Feb 26 14:52:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 26 Feb 2015 16:52:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1322) btest should warn when using -T option but cannot create timing baseline
In-Reply-To:
References:
Message-ID:


    [ https://bro-tracker.atlassian.net/browse/BIT-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19802#comment-19802 ]

Daniel Thayer commented on BIT-1322:
------------------------------------

Branch topic/dnthayer/ticket1322 in the btest repo contains the fix, and also improved documentation about the timing functionality.

> btest should warn when using -T option but cannot create timing baseline
> ------------------------------------------------------------------------
>
>                 Key: BIT-1322
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1322
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BTest
>            Reporter: Daniel Thayer
>             Fix For: 2.4
>
>
> When using "btest -T" on a system that cannot perform timing measurements there
> is no warning message to notify the user that the requested operation (create a timing
> baseline) cannot be performed. This is especially confusing on a Linux machine
> that has the "perf" command installed, but not other required components.

From jira at bro-tracker.atlassian.net  Thu Feb 26 14:52:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 26 Feb 2015 16:52:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1322) btest should warn when using -T option but cannot create timing baseline
In-Reply-To:
References:
Message-ID:


     [ https://bro-tracker.atlassian.net/browse/BIT-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1322:
-------------------------------

    Status: Merge Request  (was: Open)

> btest should warn when using -T option but cannot create timing baseline
> ------------------------------------------------------------------------
>
>                 Key: BIT-1322
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1322
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BTest
>            Reporter: Daniel Thayer
>             Fix For: 2.4
>
>
> When using "btest -T" on a system that cannot perform timing measurements there
> is no warning message to notify the user that the requested operation (create a timing
> baseline) cannot be performed. This is especially confusing on a Linux machine
> that has the "perf" command installed, but not other required components.
From noreply at bro.org  Fri Feb 27 00:00:25 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 27 Feb 2015 00:00:25 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502270800.t1R80PmS029939@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component    Reporter        Assignee    Updated     For Version   Priority   Summary
  ------------  -----------  --------------  ----------  ----------  ------------  ---------  ------------------------------------------------------------------------
  BIT-1322 [1]  BTest        Daniel Thayer   -           2015-02-26  2.4           Normal     btest should warn when using -T option but cannot create timing baseline
  BIT-1321 [2]  Bro          Johanna Amann   -           2015-02-25  2.4           Normal     Merge topic/johanna/ssl-policy
  BIT-1320 [3]  BroControl   Daniel Thayer   -           2015-02-25  2.4           Normal     topic/jazoff/broctld [4]
  BIT-1319 [5]  Bro          Jon Siwek       -           2015-02-26  2.4           Normal     topic/jsiwek/broker [6]
  BIT-1270 [7]  Bro          gclark          gclark      2015-02-22  -             Normal     topic/gilbert/plugin-api-tweak [8]


Open GitHub Pull Requests
=========================

  Issue     Component    User             Updated     Title
  --------  -----------  ---------------  ----------  ---------------------------------------------------------
  #25 [9]   bro          eunsilhan [10]   2015-02-24  Topic/jshlbrd/rdp [11]
  #24 [12]  bro          msmiley [13]     2015-02-24  add bytes_recvd to Stats and stats.bro for reporting [14]


[1]  BIT-1322           https://bro-tracker.atlassian.net/browse/BIT-1322
[2]  BIT-1321           https://bro-tracker.atlassian.net/browse/BIT-1321
[3]  BIT-1320           https://bro-tracker.atlassian.net/browse/BIT-1320
[4]  broctld            https://github.com/bro/brocontrol/tree/topic/jazoff/broctld
[5]  BIT-1319           https://bro-tracker.atlassian.net/browse/BIT-1319
[6]  broker             https://github.com/bro/bro/tree/topic/jsiwek/broker
[7]  BIT-1270           https://bro-tracker.atlassian.net/browse/BIT-1270
[8]  plugin-api-tweak   https://github.com/bro/bro/tree/topic/gilbert/plugin-api-tweak
[9]  Pull Request #25   https://github.com/bro/bro/pull/25
[10] eunsilhan          https://github.com/eunsilhan
[11] Merge Pull Request #25 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp
[12] Pull Request #24   https://github.com/bro/bro/pull/24
[13] msmiley            https://github.com/msmiley
[14] Merge Pull Request #24 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git stats-bytes-recvd

From jira at bro-tracker.atlassian.net  Fri Feb 27 12:33:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 27 Feb 2015 14:33:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld
In-Reply-To:
References:
Message-ID:


    [ https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19803#comment-19803 ]

Daniel Thayer commented on BIT-1320:
------------------------------------

I just added another commit to this branch to address an issue reported on the bro mailing list involving PF_RING+DNA interface names.

> topic/jazoff/broctld
> --------------------
>
>                 Key: BIT-1320
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1320
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>             Fix For: 2.4
>
>
> Branch topic/jazoff/broctld in the broctl repo contains significant code reorganization
> for the upcoming broctld.
> Here is a high-level list of changes:
> 1) Refactor broctl to make it usable as a library (reduce global state, module-level setup code, and functions return results instead of printing),
> 2) Integrate ssh_runner code into broctl to fix current problems (use only one connection per host instead of one per Bro node, broctl shouldn't hang when a host goes down or if we forgot to run "broctl install"),
> 3) Write state info using SQLite state storage instead of writing to a plain text file (broctl.dat),
> 4) When the node config changes, we now do additional checks if there are any Bro nodes running that are no longer in our node config and warn the user if any are detected,
> 5) Keep track of the expected state (running or stopped) of each Bro node, and have broctl cron start or stop nodes as needed,
> 6) Improved broctl cron by adding two new options (MailHostUpDown and StatsLogEnable) to give users the option to turn off unwanted functionality to speed up broctl cron and reduce the chance of errors,
> 7) When broctl cron tries to send email but fails, now it will output a message that includes the text it was trying to mail,
> 8) Silence warning messages (that are intended for interactive use of broctl) when broctl cron runs to reduce unwanted emails from cron,
> 9) Added new broctl option StatusCmdShowAll to enable users to speed up "broctl status" significantly,
> 10) Fixed the stats-to-csv script to not create files that can never include any data,
> 11) Fixed archive-log script to detect exit status of gzip or cp command, so that we don't delete log file when the archival fails,
> 12) Improved post-terminate script to process log files more consistently,
> 13) Made all broctl command output go to stdout (previously, some output would go to stderr, which made grepping or redirecting the output more difficult),
> 14) Improved the default broctl.cfg file to show more of the useful options,
> 15) Added more error checks to help catch errors earlier,
> 16) Some error message output is more specific and helpful now
>

From jira at bro-tracker.atlassian.net  Fri Feb 27 12:38:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 27 Feb 2015 14:38:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker
In-Reply-To:
References:
Message-ID:


     [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1319:
---------------------------------

    Assignee: Robin Sommer

> topic/jsiwek/broker
> -------------------
>
>                 Key: BIT-1319
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1319
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>            Reporter: Jon Siwek
>            Assignee: Robin Sommer
>             Fix For: 2.4
>
>
> The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker.
> Notes/Disclaimers/Caveats:
> - Bro has a --enable-broker configure flag.
> - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet
> - no Python bindings yet
> - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.
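Item 11 of the broctl change list in the BIT-1320 description above (check the exit status of gzip or cp, and never delete the log when archival fails) is the kind of ordering rule that decides whether a log survives a full disk or a bad mount. The following Python sketch is an added illustration of that rule, not broctl's archive-log script and not code from this thread; the gzip-via-Python route, the size-based verification, the temp-file rename and the scratch-directory demo are my own assumptions for the example.

```python
"""Archive a log file and delete the original only once the archive is safe.

Added illustration of the rule behind change 11 in the BIT-1320 list; not
broctl's archive-log script.  Paths and the demo data are constructed.
"""
import gzip
import os
import shutil
import tempfile
from pathlib import Path
from typing import Tuple


def archive_log(src, dest_dir) -> Tuple[bool, str]:
    """Compress src into dest_dir/<name>.gz.

    The source is unlinked only after the archive has been written, synced,
    re-read and size-checked.  Any failure leaves the source untouched and
    removes the partial archive, so an error never costs the log itself.
    """
    src = Path(src)
    dest_dir = Path(dest_dir)
    if not src.is_file():
        return False, f"source is not a regular file: {src}"
    if not dest_dir.is_dir():
        return False, f"archive directory missing, kept {src}: {dest_dir}"

    dest = dest_dir / (src.name + ".gz")
    tmp = None
    try:
        # Write to a temp file inside the destination directory so the final
        # os.replace() is an atomic rename on the same filesystem.
        fd, tmp_name = tempfile.mkstemp(dir=dest_dir, prefix=f".{src.name}.", suffix=".part")
        tmp = Path(tmp_name)
        with os.fdopen(fd, "wb") as raw:
            with gzip.GzipFile(filename=src.name, fileobj=raw, mode="wb") as gz, src.open("rb") as fin:
                shutil.copyfileobj(fin, gz)
            raw.flush()
            os.fsync(raw.fileno())

        # Verify by decompressing the archive and comparing the byte count with
        # the source: the equivalent of checking the compressor's exit status.
        expected = src.stat().st_size
        restored = 0
        with gzip.open(tmp, "rb") as gz:
            for chunk in iter(lambda: gz.read(1 << 16), b""):
                restored += len(chunk)
        if restored != expected:
            raise OSError(f"archive holds {restored} bytes, source has {expected}")

        os.replace(tmp, dest)
        tmp = None
    except OSError as exc:
        if tmp is not None:
            tmp.unlink(missing_ok=True)
        return False, f"archival failed, kept {src}: {exc}"

    # Only now is it safe to drop the original.
    src.unlink()
    return True, str(dest)


def demo() -> dict:
    """Run the failure and the success path in a scratch directory."""
    work = Path(tempfile.mkdtemp(prefix="archive-demo-"))
    try:
        log = work / "conn.log"
        # Constructed sample content, not a real conn.log.
        log.write_bytes(b"1425000000.000000\tCXWv6p3arKYeMETxOg\t10.0.0.1\t52000\t10.0.0.2\t80\ttcp\n" * 200)
        size = log.stat().st_size

        # Failure: the "archive directory" turns out to be a plain file.
        target = work / "archive"
        target.write_text("")
        ok_bad, _ = archive_log(log, target)
        kept_after_failure = log.exists()

        # Success: a real directory.
        target.unlink()
        target.mkdir()
        ok_good, archived = archive_log(log, target)
        with gzip.open(archived, "rb") as gz:
            restored = len(gz.read())
        return {
            "failure_reported": not ok_bad,
            "source_kept_on_failure": kept_after_failure,
            "success": ok_good,
            "source_removed": not log.exists(),
            "roundtrip_ok": restored == size,
            "no_partial_left": not any(p.name.endswith(".part") for p in target.iterdir()),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24s} {value}")
```

The two things worth copying into any archive script are the order of operations (write, sync, verify, rename, and only then unlink) and the fact that every failure path returns with the source still in place; a shell version gets the same property from `gzip ... && mv ... && rm` with `set -e`, which is what the change list's "detect exit status" amounts to.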
From jira at bro-tracker.atlassian.net  Fri Feb 27 23:01:03 2015
From: jira at bro-tracker.atlassian.net (Vern Paxson (JIRA))
Date: Sat, 28 Feb 2015 01:01:03 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1255) TCP reassembly issue
In-Reply-To:
References:
Message-ID:


    [ https://bro-tracker.atlassian.net/browse/BIT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19804#comment-19804 ]

Vern Paxson commented on BIT-1255:
----------------------------------

That behavior is to not chew up tons of buffer when asymmetric routing leads to not seeing any acks. *However* I'm finding that modern traffic not infrequently is using much larger initial windows such that indeed there's routinely > 4KB of data at the beginning of a flow without any acknowledgments. I think this value needs to be cranked to at least 16KB lest a lot of routine traffic go unanalyzed.

> TCP reassembly issue
> --------------------
>
>                 Key: BIT-1255
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1255
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: out.pcap
>
>
> Been testing bro with some messy (but valid) TCP streams, using docker and netem (happy to upload a gist if people are interested).
> The attached file reassembles correctly in wireshark, but bro only gives the first 4069 bytes when extracted with the file analysis framework, and obviously the wrong hash (md5 is the URI).

From noreply at bro.org  Sat Feb 28 00:00:53 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 28 Feb 2015 00:00:53 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201502280800.t1S80rQr019590@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component    Reporter        Assignee      Updated     For Version   Priority   Summary
  ------------  -----------  --------------  ------------  ----------  ------------  ---------  ------------------------------------------------------------------------
  BIT-1322 [1]  BTest        Daniel Thayer   -             2015-02-26  2.4           Normal     btest should warn when using -T option but cannot create timing baseline
  BIT-1321 [2]  Bro          Johanna Amann   -             2015-02-25  2.4           Normal     Merge topic/johanna/ssl-policy
  BIT-1320 [3]  BroControl   Daniel Thayer   -             2015-02-27  2.4           Normal     topic/jazoff/broctld [4]
  BIT-1319 [5]  Bro          Jon Siwek       Robin Sommer  2015-02-27  2.4           Normal     topic/jsiwek/broker [6]
  BIT-1270 [7]  Bro          gclark          gclark        2015-02-22  -             Normal     topic/gilbert/plugin-api-tweak [8]


Open GitHub Pull Requests
=========================

  Issue     Component    User             Updated     Title
  --------  -----------  ---------------  ----------  ---------------------------------------------------------
  #25 [9]   bro          eunsilhan [10]   2015-02-24  Topic/jshlbrd/rdp [11]
  #24 [12]  bro          msmiley [13]     2015-02-24  add bytes_recvd to Stats and stats.bro for reporting [14]


[1]  BIT-1322           https://bro-tracker.atlassian.net/browse/BIT-1322
[2]  BIT-1321           https://bro-tracker.atlassian.net/browse/BIT-1321
[3]  BIT-1320           https://bro-tracker.atlassian.net/browse/BIT-1320
[4]  broctld            https://github.com/bro/brocontrol/tree/topic/jazoff/broctld
[5]  BIT-1319           https://bro-tracker.atlassian.net/browse/BIT-1319
[6]  broker             https://github.com/bro/bro/tree/topic/jsiwek/broker
[7]  BIT-1270           https://bro-tracker.atlassian.net/browse/BIT-1270
[8]  plugin-api-tweak   https://github.com/bro/bro/tree/topic/gilbert/plugin-api-tweak
[9]  Pull Request #25   https://github.com/bro/bro/pull/25
[10] eunsilhan          https://github.com/eunsilhan
[11] Merge Pull Request #25 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp
[12] Pull Request #24   https://github.com/bro/bro/pull/24
[13] msmiley            https://github.com/msmiley
[14] Merge Pull Request #24 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git stats-bytes-recvd
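Vern Paxson's comment on BIT-1255 above describes a cap on unacknowledged data in the TCP reassembler: it bounds buffer use when asymmetric routing hides the ACK direction, but a modern initial window can put more than 4KB in flight before the first ACK, so everything past the cap in such a flow goes unanalyzed (and any file hash computed from it is wrong, as the original report notes). The Python model below is an added illustration of that trade-off, not Bro's reassembler and not code from this thread. The 1460-byte MSS, the 10-segment initial window, the 4096 and 16384 byte caps, the ACK cadence and the refuse-the-segment rule are assumptions made for the example; it also shows the out-of-order case the cap does not affect.

```python
"""Toy model of a TCP reassembler with a cap on unacknowledged data.

Added illustration; not Bro's reassembler.  Segment sizes, caps and ACK
cadence are constructed assumptions for the example.
"""
from typing import Dict, List, Tuple

MSS = 1460          # assumed payload bytes per segment
IW_SEGMENTS = 10    # assumed initial window (IW10): 14600 bytes before any ACK
ISN = 1000          # arbitrary initial sequence number

# An event is ("data", seq, payload) or ("ack", acknum), in capture order.
Event = tuple


def build_initial_window(n_segments: int = IW_SEGMENTS, mss: int = MSS,
                         isn: int = ISN) -> List[Tuple[int, bytes]]:
    """Constructed sample: n in-order segments, each filled with a distinct byte."""
    return [(isn + i * mss, bytes([0x41 + i]) * mss) for i in range(n_segments)]


def reassemble(events: List[Event], isn: int = ISN,
               max_unacked: int = 4096) -> Tuple[bytes, bool, int]:
    """Reassemble one direction of a flow from a capture-ordered event list.

    A data segment whose end would lie more than max_unacked bytes past the
    highest ACK seen so far is refused.  That bounds memory when the ACK
    direction is never observed, but it also truncates any flow whose initial
    window exceeds the cap.  Returns (delivered_payload, truncated, refused).
    """
    next_seq = isn                      # next byte to hand to the analyzer
    highest_ack = isn                   # highest ACK seen from the receiver
    delivered = bytearray()
    pending: Dict[int, bytes] = {}      # seq -> payload for out-of-order arrivals
    refused = 0

    for ev in events:
        if ev[0] == "ack":
            highest_ack = max(highest_ack, ev[1])
            continue
        _, seq, payload = ev
        if seq + len(payload) - highest_ack > max_unacked:
            refused += 1                # beyond the cap: dropped, never analyzed
            continue
        pending[seq] = payload
        while next_seq in pending:      # deliver everything now contiguous
            chunk = pending.pop(next_seq)
            delivered += chunk
            next_seq += len(chunk)

    return bytes(delivered), refused > 0, refused


def asymmetric_iw10(max_unacked: int) -> Tuple[int, bool, int]:
    """ACK direction never captured (asymmetric routing): no ack events at all."""
    events = [("data", seq, p) for seq, p in build_initial_window()]
    data, truncated, refused = reassemble(events, max_unacked=max_unacked)
    return len(data), truncated, refused


def symmetric_iw10(max_unacked: int) -> Tuple[int, bool, int]:
    """Both directions captured: an ACK arrives after every second segment."""
    events: List[Event] = []
    for i, (seq, p) in enumerate(build_initial_window()):
        events.append(("data", seq, p))
        if i % 2 == 1:
            events.append(("ack", seq + len(p)))
    data, truncated, refused = reassemble(events, max_unacked=max_unacked)
    return len(data), truncated, refused


def reordered_iw10(max_unacked: int) -> Tuple[int, bool]:
    """Segments 3 and 4 swapped in the capture; no ACKs seen.  Returns
    (delivered length, payload is in correct order)."""
    segs = build_initial_window()
    order = [0, 1, 3, 2] + list(range(4, len(segs)))
    events = [("data", segs[i][0], segs[i][1]) for i in order]
    data, _, _ = reassemble(events, max_unacked=max_unacked)
    return len(data), data == b"".join(p for _, p in segs)


if __name__ == "__main__":
    for cap in (4096, 16384):
        n, _, refused = asymmetric_iw10(cap)
        print(f"cap={cap:5d}  no ACKs seen  delivered={n:5d}  refused_segments={refused}")
    n, _, _ = symmetric_iw10(4096)
    print(f"cap= 4096  ACKs seen     delivered={n:5d}")
    n, ordered = reordered_iw10(16384)
    print(f"cap=16384  reordered     delivered={n:5d}  in_order={ordered}")
```

With the constructed window and no ACKs, a 4096-byte cap delivers only the first two segments (2920 bytes) and refuses the remaining eight, while a 16384-byte cap delivers all 14600 bytes; with ACKs visible the small cap never trips. That is the whole of the comment's argument in numbers: the cap is a memory bound, and the cost of setting it below a common initial window is silent analysis gaps on ordinary traffic.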