From noreply at bro.org Wed Jul 1 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 1 Jul 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507010700.t6170LeX010581@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter    Assignee      Updated     For Version    Priority    Summary
------------  -----------  ----------  ------------  ----------  -------------  ----------  ------------------------------------------
BIT-1399 [1]  Bro          Seth Hall   Robin Sommer  2015-05-29  2.5            Normal      topic/seth/deflate-missing-headers-fix [2]

Open GitHub Pull Requests
=========================

Issue    Component    User             Updated     Title
-------  -----------  ---------------  ----------  ----------------------------------------------------------------
#33 [3]  bro          jswaro [4]       2015-06-27  Initial commit of the TCPRS analyzer [5]
#31 [6]  bro          yunzheng [7]     2015-06-19  Fix BIT-1314: Detect "quantum insert" type of attacks [8]
#30 [9]  bro          jsbarber [10]    2015-06-19  Use a common Packet format and preserve layer 2 information [11]
#1 [12]  bro-plugins  jsbarber [13]    2015-05-23  Use a common Packet format and preserve layer 2 information [14]
#1 [15]  btest        grigorescu [16]  2015-06-22  Allow testbase overriding in the config [17]

[1]  BIT-1399                     https://bro-tracker.atlassian.net/browse/BIT-1399
[2]  deflate-missing-headers-fix  https://github.com/bro/bro/tree/topic/seth/deflate-missing-headers-fix
[3]  Pull Request #33             https://github.com/bro/bro/pull/33
[4]  jswaro                       https://github.com/jswaro
[5]  Merge Pull Request #33 with  git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release
[6]  Pull Request #31             https://github.com/bro/bro/pull/31
[7]  yunzheng                     https://github.com/yunzheng
[8]  Merge Pull Request #31 with  git pull --no-ff --no-commit https://github.com/yunzheng/bro.git topic/bit-1314
[9]  Pull Request #30             https://github.com/bro/bro/pull/30
[10] jsbarber                     https://github.com/jsbarber
[11] Merge Pull Request #30 with  git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets
[12] Pull Request #1              https://github.com/bro/bro-plugins/pull/1
[13] jsbarber                     https://github.com/jsbarber
[14] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets
[15] Pull Request #1              https://github.com/bro/btest/pull/1
[16] grigorescu                   https://github.com/grigorescu
[17] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/grigorescu/btest.git topic/vladg/config_file_testbase

From noreply at bro.org Thu Jul 2 00:00:22 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 2 Jul 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507020700.t6270Mgv009831@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter    Assignee      Updated     For Version    Priority    Summary
------------  -----------  ----------  ------------  ----------  -------------  ----------  ------------------------------------------
BIT-1399 [1]  Bro          Seth Hall   Robin Sommer  2015-05-29  2.5            Normal      topic/seth/deflate-missing-headers-fix [2]

Open GitHub Pull Requests
=========================

Issue    Component    User             Updated     Title
-------  -----------  ---------------  ----------  ----------------------------------------------------------------
#33 [3]  bro          jswaro [4]       2015-06-27  Initial commit of the TCPRS analyzer [5]
#31 [6]  bro          yunzheng [7]     2015-06-19  Fix BIT-1314: Detect "quantum insert" type of attacks [8]
#30 [9]  bro          jsbarber [10]    2015-06-19  Use a common Packet format and preserve layer 2 information [11]
#1 [12]  bro-plugins  jsbarber [13]    2015-05-23  Use a common Packet format and preserve layer 2 information [14]
#1 [15]  btest        grigorescu [16]  2015-06-22  Allow testbase overriding in the config [17]

[1]  BIT-1399                     https://bro-tracker.atlassian.net/browse/BIT-1399
[2]  deflate-missing-headers-fix  https://github.com/bro/bro/tree/topic/seth/deflate-missing-headers-fix
[3]  Pull Request #33             https://github.com/bro/bro/pull/33
[4]  jswaro                       https://github.com/jswaro
[5]  Merge Pull Request #33 with  git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release
[6]  Pull Request #31             https://github.com/bro/bro/pull/31
[7]  yunzheng                     https://github.com/yunzheng
[8]  Merge Pull Request #31 with  git pull --no-ff --no-commit https://github.com/yunzheng/bro.git topic/bit-1314
[9]  Pull Request #30             https://github.com/bro/bro/pull/30
[10] jsbarber                     https://github.com/jsbarber
[11] Merge Pull Request #30 with  git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets
[12] Pull Request #1              https://github.com/bro/bro-plugins/pull/1
[13] jsbarber                     https://github.com/jsbarber
[14] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets
[15] Pull Request #1              https://github.com/bro/btest/pull/1
[16] grigorescu                   https://github.com/grigorescu
[17] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/grigorescu/btest.git topic/vladg/config_file_testbase

From james.swaro at gmail.com Thu Jul 2 10:18:45 2015
From: james.swaro at gmail.com (James Swaro)
Date: Thu, 2 Jul 2015 12:18:45 -0500
Subject: [Bro-Dev] Adding child analyzer to TCP using a non-built-in plugin
Message-ID:

I'm having some difficulties with this as I'm not entirely sure how to go
about it. Usually, adding a child analyzer requires passing the object
directly to the function. However, since the plugin isn't built-in,
something more abstract needs to happen. I'm at a loss and curious to know
if this has been done in the past. If so, who might know how to do this?

I'll be tinkering with this on my own over the weekend, but I wouldn't mind
some information for the process if I can get it.

James Swaro

From noreply at bro.org Fri Jul 3 00:00:19 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 3 Jul 2015 00:00:19 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507030700.t6370Jsq014216@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter    Assignee      Updated     For Version    Priority    Summary
------------  -----------  ----------  ------------  ----------  -------------  ----------  ------------------------------------------
BIT-1399 [1]  Bro          Seth Hall   Robin Sommer  2015-05-29  2.5            Normal      topic/seth/deflate-missing-headers-fix [2]

Open GitHub Pull Requests
=========================

Issue    Component    User             Updated     Title
-------  -----------  ---------------  ----------  ----------------------------------------------------------------
#33 [3]  bro          jswaro [4]       2015-06-27  Initial commit of the TCPRS analyzer [5]
#31 [6]  bro          yunzheng [7]     2015-06-19  Fix BIT-1314: Detect "quantum insert" type of attacks [8]
#30 [9]  bro          jsbarber [10]    2015-06-19  Use a common Packet format and preserve layer 2 information [11]
#1 [12]  bro-plugins  jsbarber [13]    2015-05-23  Use a common Packet format and preserve layer 2 information [14]
#1 [15]  btest        grigorescu [16]  2015-06-22  Allow testbase overriding in the config [17]

[1]  BIT-1399                     https://bro-tracker.atlassian.net/browse/BIT-1399
[2]  deflate-missing-headers-fix  https://github.com/bro/bro/tree/topic/seth/deflate-missing-headers-fix
[3]  Pull Request #33             https://github.com/bro/bro/pull/33
[4]  jswaro                       https://github.com/jswaro
[5]  Merge Pull Request #33 with  git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release
[6]  Pull Request #31             https://github.com/bro/bro/pull/31
[7]  yunzheng                     https://github.com/yunzheng
[8]  Merge Pull Request #31 with  git pull --no-ff --no-commit https://github.com/yunzheng/bro.git topic/bit-1314
[9]  Pull Request #30             https://github.com/bro/bro/pull/30
[10] jsbarber                     https://github.com/jsbarber
[11] Merge Pull Request #30 with  git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets
[12] Pull Request #1              https://github.com/bro/bro-plugins/pull/1
[13] jsbarber                     https://github.com/jsbarber
[14] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets
[15] Pull Request #1              https://github.com/bro/btest/pull/1
[16] grigorescu                   https://github.com/grigorescu
[17] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/grigorescu/btest.git topic/vladg/config_file_testbase

From robin at icir.org Fri Jul 3 09:26:18 2015
From: robin at icir.org (Robin Sommer)
Date: Fri, 3 Jul 2015 09:26:18 -0700
Subject: [Bro-Dev] Adding child analyzer to TCP using a non-built-in plugin
In-Reply-To:
References:
Message-ID: <20150703162618.GE92195@icir.org>

On Thu, Jul 02, 2015 at 12:18 -0500, you wrote:

> something more abstract needs to happen. I'm at a loss and curious to know
> if this has been done in the past. If so, who might know how to do this?

Do I see it right that the main challenge is the code in
analyzer/Manager.cc that adds TCPRS as a child analyzer? That's
currently hardcoded but needs to become dynamic with a plugin.

Here's an idea for that: we could add a new plugin hook that executes
at the end of BuildInitialAnalyzerTree(), giving plugins an
opportunity to augment the tree further at that point, for example by
adding another child analyzer like TCPRS. See plugin/Plugin.h for the
API for existing hooks; we'd add another one of those Hook*() methods
to the Plugin class.

Would that work for you?

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From jira at bro-tracker.atlassian.net Fri Jul 3 11:28:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 3 Jul 2015 13:28:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1399) topic/seth/deflate-missing-headers-fix
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1399?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1399:
------------------------------
    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> topic/seth/deflate-missing-headers-fix
> --------------------------------------
>
>                 Key: BIT-1399
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1399
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Seth Hall
>            Assignee: Robin Sommer
>             Fix For: 2.5
>
>
> Merge request for the topic/seth/deflate-missing-headers-fix branch.
> It fixes an issue that is occasionally but regularly seen where servers don't include the headers correctly for deflated content. Browsers cope with this situation just fine and this change makes Bro also deal with the situation.

--
This message was sent by Atlassian JIRA (v6.5-OD-07-005#65007)

From noreply at bro.org Sat Jul 4 00:00:18 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 4 Jul 2015 00:00:18 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507040700.t6470IQP019084@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component    User             Updated     Title
-------  -----------  ---------------  ----------  ---------------------------------------------------------------
#33 [1]  bro          jswaro [2]       2015-06-27  Initial commit of the TCPRS analyzer [3]
#30 [4]  bro          jsbarber [5]     2015-06-19  Use a common Packet format and preserve layer 2 information [6]
#1 [7]   bro-plugins  jsbarber [8]     2015-05-23  Use a common Packet format and preserve layer 2 information [9]
#1 [10]  btest        grigorescu [11]  2015-06-22  Allow testbase overriding in the config [12]

[1]  Pull Request #33             https://github.com/bro/bro/pull/33
[2]  jswaro                       https://github.com/jswaro
[3]  Merge Pull Request #33 with  git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release
[4]  Pull Request #30             https://github.com/bro/bro/pull/30
[5]  jsbarber                     https://github.com/jsbarber
[6]  Merge Pull Request #30 with  git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets
[7]  Pull Request #1              https://github.com/bro/bro-plugins/pull/1
[8]  jsbarber                     https://github.com/jsbarber
[9]  Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets
[10] Pull Request #1              https://github.com/bro/btest/pull/1
[11] grigorescu                   https://github.com/grigorescu
[12] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/grigorescu/btest.git topic/vladg/config_file_testbase

From noreply at bro.org Sun Jul 5 00:00:18 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 5 Jul 2015 00:00:18 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507050700.t6570IBk002213@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component    User             Updated     Title
-------  -----------  ---------------  ----------  ---------------------------------------------------------------
#33 [1]  bro          jswaro [2]       2015-06-27  Initial commit of the TCPRS analyzer [3]
#30 [4]  bro          jsbarber [5]     2015-06-19  Use a common Packet format and preserve layer 2 information [6]
#1 [7]   bro-plugins  jsbarber [8]     2015-05-23  Use a common Packet format and preserve layer 2 information [9]
#1 [10]  btest        grigorescu [11]  2015-06-22  Allow testbase overriding in the config [12]

[1]  Pull Request #33             https://github.com/bro/bro/pull/33
[2]  jswaro                       https://github.com/jswaro
[3]  Merge Pull Request #33 with  git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release
[4]  Pull Request #30             https://github.com/bro/bro/pull/30
[5]  jsbarber                     https://github.com/jsbarber
[6]  Merge Pull Request #30 with  git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets
[7]  Pull Request #1              https://github.com/bro/bro-plugins/pull/1
[8]  jsbarber                     https://github.com/jsbarber
[9]  Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets
[10] Pull Request #1              https://github.com/bro/btest/pull/1
[11] grigorescu                   https://github.com/grigorescu
[12] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/grigorescu/btest.git topic/vladg/config_file_testbase

From noreply at bro.org Mon Jul 6 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 6 Jul 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507060700.t6670Lgt019405@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component    User             Updated     Title
-------  -----------  ---------------  ----------  ---------------------------------------------------------------
#33 [1]  bro          jswaro [2]       2015-06-27  Initial commit of the TCPRS analyzer [3]
#30 [4]  bro          jsbarber [5]     2015-06-19  Use a common Packet format and preserve layer 2 information [6]
#1 [7]   bro-plugins  jsbarber [8]     2015-05-23  Use a common Packet format and preserve layer 2 information [9]
#1 [10]  btest        grigorescu [11]  2015-06-22  Allow testbase overriding in the config [12]

[1]  Pull Request #33             https://github.com/bro/bro/pull/33
[2]  jswaro                       https://github.com/jswaro
[3]  Merge Pull Request #33 with  git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release
[4]  Pull Request #30             https://github.com/bro/bro/pull/30
[5]  jsbarber                     https://github.com/jsbarber
[6]  Merge Pull Request #30 with  git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets
[7]  Pull Request #1              https://github.com/bro/bro-plugins/pull/1
[8]  jsbarber                     https://github.com/jsbarber
[9]  Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets
[10] Pull Request #1              https://github.com/bro/btest/pull/1
[11] grigorescu                   https://github.com/grigorescu
[12] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/grigorescu/btest.git topic/vladg/config_file_testbase

From jira at bro-tracker.atlassian.net Mon Jul 6 13:46:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Mon, 6 Jul 2015 15:46:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1431) Loss of information due to analyzer capitalization changes
In-Reply-To:
References:
Message-ID:

Seth Hall created BIT-1431:
------------------------------

             Summary: Loss of information due to analyzer capitalization changes
                 Key: BIT-1431
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1431
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.5
            Reporter: Seth Hall


Currently some of Bro's analyzers are changing the case of data before passing it along to events which is fairly dramatic loss of information in some cases.
The two known examples right now are the query in DNS (lowercased) and the header field name in HTTP (uppercased). The question is if we should brute force change these to stop modifying the original values and have people fix any scripts that it breaks (watching for header value names is the biggie here) or if we should use some alternate mechanism to allow the existing behavior to have a sundown time period.
I say we should just break it since the quantity of existing scripts in the world is still fairly small and the number of scripts that it affects is even less (many scripts won't be affected at all).

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From noreply at bro.org Tue Jul 7 00:00:19 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 7 Jul 2015 00:00:19 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507070700.t6770JhZ021051@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component    User             Updated     Title
-------  -----------  ---------------  ----------  ----------------------------------------------------------------
#33 [1]  bro          jswaro [2]       2015-06-27  Initial commit of the TCPRS analyzer [3]
#30 [4]  bro          jsbarber [5]     2015-06-19  Use a common Packet format and preserve layer 2 information [6]
#2 [7]   bro-plugins  cardigliano [8]  2015-07-06  Native pf ring support [9]
#1 [10]  bro-plugins  jsbarber [11]    2015-05-23  Use a common Packet format and preserve layer 2 information [12]

[1]  Pull Request #33             https://github.com/bro/bro/pull/33
[2]  jswaro                       https://github.com/jswaro
[3]  Merge Pull Request #33 with  git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release
[4]  Pull Request #30             https://github.com/bro/bro/pull/30
[5]  jsbarber                     https://github.com/jsbarber
[6]  Merge Pull Request #30 with  git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets
[7]  Pull Request #2              https://github.com/bro/bro-plugins/pull/2
[8]  cardigliano                  https://github.com/cardigliano
[9]  Merge Pull Request #2 with   git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support
[10] Pull Request #1              https://github.com/bro/bro-plugins/pull/1
[11] jsbarber                     https://github.com/jsbarber
[12] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets

From jira at bro-tracker.atlassian.net Tue Jul 7 15:44:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 7 Jul 2015 17:44:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1432) BroControl config reloading
In-Reply-To:
References:
Message-ID:

Daniel Thayer created BIT-1432:
----------------------------------

             Summary: BroControl config reloading
                 Key: BIT-1432
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1432
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BroControl
            Reporter: Daniel Thayer
             Fix For: 2.5


Currently, if the BroControl config (node.cfg or broctl.cfg) changes while
the interactive broctl shell is running, then a user must exit broctl
and re-run broctl in order for broctl to notice the new config.
BroControl should check if the config has changed each time a
broctl command runs, and issue a warning if it detects a change.
In addition, the "deploy" command should be smart enough to
notice this and automatically reload the configuration.

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From noreply at bro.org Wed Jul 8 00:00:20 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 8 Jul 2015 00:00:20 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507080700.t6870KaW009697@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component    User             Updated     Title
-------  -----------  ---------------  ----------  ----------------------------------------------------------------
#33 [1]  bro          jswaro [2]       2015-06-27  Initial commit of the TCPRS analyzer [3]
#30 [4]  bro          jsbarber [5]     2015-06-19  Use a common Packet format and preserve layer 2 information [6]
#2 [7]   bro-plugins  cardigliano [8]  2015-07-06  Native pf ring support [9]
#1 [10]  bro-plugins  jsbarber [11]    2015-05-23  Use a common Packet format and preserve layer 2 information [12]

[1]  Pull Request #33             https://github.com/bro/bro/pull/33
[2]  jswaro                       https://github.com/jswaro
[3]  Merge Pull Request #33 with  git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release
[4]  Pull Request #30             https://github.com/bro/bro/pull/30
[5]  jsbarber                     https://github.com/jsbarber
[6]  Merge Pull Request #30 with  git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets
[7]  Pull Request #2              https://github.com/bro/bro-plugins/pull/2
[8]  cardigliano                  https://github.com/cardigliano
[9]  Merge Pull Request #2 with   git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support
[10] Pull Request #1              https://github.com/bro/bro-plugins/pull/1
[11] jsbarber                     https://github.com/jsbarber
[12] Merge Pull Request #1 with   git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets

From jira at bro-tracker.atlassian.net Wed Jul 8 10:42:00 2015
From: jira at bro-tracker.atlassian.net (Vern Paxson (JIRA))
Date: Wed, 8 Jul 2015 12:42:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1431) Loss of information due to analyzer capitalization changes
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21200#comment-21200 ]

Vern Paxson commented on BIT-1431:
----------------------------------

This can break in a nasty way. The original reason for making the casing
uniform was (1) semantically, it shouldn't matter, but (2) without doing so,
it's easy to have analysis holes like *if ( domain == "badguy.com" ) ... *
then an attacker can just send "badGuy.com" and the test will fail. The same
holds for grep'ing through log files and missing stuff just due to casing
mismatches.

What's the scenario where you're concerned about the lost casing information?
If it's compelling, then I'd want to consider an interface that provides both
the "name" (which in fact is downcased) and the "raw_name" (say) which has
the original casing.

> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>
>                 Key: BIT-1431
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1431
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.5
>            Reporter: Seth Hall
>
> Currently some of Bro's analyzers are changing the case of data before passing it along to events which is fairly dramatic loss of information in some cases.
> The two known examples right now are the query in DNS (lowercased) and the header field name in HTTP (uppercased). The question is if we should brute force change these to stop modifying the original values and have people fix any scripts that it breaks (watching for header value names is the biggie here) or if we should use some alternate mechanism to allow the existing behavior to have a sundown time period.
> I say we should just break it since the quantity of existing scripts in the world is still fairly small and the number of scripts that it affects is even less (many scripts won't be affected at all).

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Wed Jul 8 10:43:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 8 Jul 2015 12:43:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1432) BroControl config reloading
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21201#comment-21201 ]

Daniel Thayer commented on BIT-1432:
------------------------------------

Branch topic/dnthayer/cfg-reload in the broctl repo contains changes to
allow broctl to reload its config. In addition, improvements were made to
some error checking regarding local IP addresses, improved checks for
dangling Bro nodes when the config is reloaded, and better validation of
config option values.

> BroControl config reloading
> ---------------------------
>
>                 Key: BIT-1432
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1432
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> Currently, if the BroControl config (node.cfg or broctl.cfg) changes while
> the interactive broctl shell is running, then a user must exit broctl
> and re-run broctl in order for broctl to notice the new config.
> BroControl should check if the config has changed each time a
> broctl command runs, and issue a warning if it detects a change.
> In addition, the "deploy" command should be smart enough to
> notice this and automatically reload the configuration.

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Wed Jul 8 10:44:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 8 Jul 2015 12:44:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1432) BroControl config reloading
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1432:
-------------------------------
      Status: Merge Request  (was: Open)
    Assignee:   (was: Justin Azoff)

> BroControl config reloading
> ---------------------------
>
>                 Key: BIT-1432
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1432
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> Currently, if the BroControl config (node.cfg or broctl.cfg) changes while
> the interactive broctl shell is running, then a user must exit broctl
> and re-run broctl in order for broctl to notice the new config.
> BroControl should check if the config has changed each time a
> broctl command runs, and issue a warning if it detects a change.
> In addition, the "deploy" command should be smart enough to
> notice this and automatically reload the configuration.

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Wed Jul 8 10:44:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 8 Jul 2015 12:44:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1432) BroControl config reloading
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1432:
----------------------------------

    Assignee: Justin Azoff  (was: Daniel Thayer)

> BroControl config reloading
> ---------------------------
>
>                 Key: BIT-1432
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1432
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>            Assignee: Justin Azoff
>             Fix For: 2.5
>
>
> Currently, if the BroControl config (node.cfg or broctl.cfg) changes while
> the interactive broctl shell is running, then a user must exit broctl
> and re-run broctl in order for broctl to notice the new config.
> BroControl should check if the config has changed each time a
> broctl command runs, and issue a warning if it detects a change.
> In addition, the "deploy" command should be smart enough to
> notice this and automatically reload the configuration.

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Wed Jul 8 10:44:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 8 Jul 2015 12:44:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1432) BroControl config reloading
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1432:
----------------------------------

    Assignee: Justin Azoff

> BroControl config reloading
> ---------------------------
>
>                 Key: BIT-1432
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1432
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>            Assignee: Justin Azoff
>             Fix For: 2.5
>
>
> Currently, if the BroControl config (node.cfg or broctl.cfg) changes while
> the interactive broctl shell is running, then a user must exit broctl
> and re-run broctl in order for broctl to notice the new config.
> BroControl should check if the config has changed each time a
> broctl command runs, and issue a warning if it detects a change.
> In addition, the "deploy" command should be smart enough to
> notice this and automatically reload the configuration.

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Wed Jul 8 10:44:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 8 Jul 2015 12:44:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1432) BroControl config reloading
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1432:
----------------------------------

    Assignee: Daniel Thayer

> BroControl config reloading
> ---------------------------
>
>                 Key: BIT-1432
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1432
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>            Assignee: Daniel Thayer
>             Fix For: 2.5
>
>
> Currently, if the BroControl config (node.cfg or broctl.cfg) changes while
> the interactive broctl shell is running, then a user must exit broctl
> and re-run broctl in order for broctl to notice the new config.
> BroControl should check if the config has changed each time a
> broctl command runs, and issue a warning if it detects a change.
> In addition, the "deploy" command should be smart enough to
> notice this and automatically reload the configuration.

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Wed Jul 8 10:52:00 2015
From: jira at bro-tracker.atlassian.net (Vern Paxson (JIRA))
Date: Wed, 8 Jul 2015 12:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1431) Loss of information due to analyzer capitalization changes
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21202#comment-21202 ]

Vern Paxson commented on BIT-1431:
----------------------------------

Okay, I see the use-case in my email backlog now, base64 exfiltration. I
agree it's a reasonable analysis target; but per the above, I think just
getting rid of the downcased version will introduce more trouble than
enabling stuff like this offsets. So that argues for providing both, similar
to some of the other interfaces that provide both escaped and unescaped
versions.

> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>
>                 Key: BIT-1431
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1431
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.5
>            Reporter: Seth Hall
>
> Currently some of Bro's analyzers are changing the case of data before passing it along to events which is fairly dramatic loss of information in some cases.
> The two known examples right now are the query in DNS (lowercased) and the header field name in HTTP (uppercased). The question is if we should brute force change these to stop modifying the original values and have people fix any scripts that it breaks (watching for header value names is the biggie here) or if we should use some alternate mechanism to allow the existing behavior to have a sundown time period.
> I say we should just break it since the quantity of existing scripts in the world is still fairly small and the number of scripts that it affects is even less (many scripts won't be affected at all).
-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Wed Jul 8 14:53:00 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Wed, 8 Jul 2015 16:53:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1433) Broctl check gives errors after install In-Reply-To: References: Message-ID: Johanna Amann created BIT-1433: ---------------------------------- Summary: Broctl check gives errors after install Key: BIT-1433 URL: https://bro-tracker.atlassian.net/browse/BIT-1433 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Affects Versions: 2.5 Reporter: Johanna Amann Fix For: 2.5 running a broctl check after a fresh installation before the first install is issued leads to ugly error messages: {quote} [johanna ~/install-master/etc]$ broctl Hint: Run the broctl "deploy" command to get started. Welcome to BroControl 1.4 Type "help" for help. [BroControl] > check manager scripts failed. /home/johanna/install-master/share/broctl/scripts/check-config: line 18: /home/johanna/install-master/share/broctl/scripts/broctl-config.sh: No such file or directory /home/johanna/install-master/share/broctl/scripts/check-config: line 25: /set-bro-path: No such file or directory proxy-1 scripts failed. /home/johanna/install-master/share/broctl/scripts/check-config: line 18: /home/johanna/install-master/share/broctl/scripts/broctl-config.sh: No such file or directory ... 
{quote} -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Wed Jul 8 15:03:00 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Wed, 8 Jul 2015 17:03:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1434) Broctl top output broken In-Reply-To: References: Message-ID: Johanna Amann created BIT-1434: ---------------------------------- Summary: Broctl top output broken Key: BIT-1434 URL: https://bro-tracker.atlassian.net/browse/BIT-1434 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Affects Versions: 2.4 Reporter: Johanna Amann Fix For: 2.5 BroControl top output is broken on one host for me. Output looks like (note the cmd column) {quote} [johanna ~/install-master/share/bro/site]$ broctl top Name Type Host Pid Proc VSize Rss Cpu Cmd manager manager localhost 57267 parent 252M 112M 4% bro manager manager localhost 57269 child 136M 48M 0% bro proxy-1 proxy localhost 57304 parent 80M 45M 0% bro proxy-1 proxy localhost 57306 child 136M 45M 0% bro worker-1-1 worker localhost 57397 parent 489M 455M 19% bro worker-1-1 worker localhost 57967 child 409M 44M 0% bro worker-1-10 worker localhost 57412 parent 489M 454M 0% 15.38% worker-1-10 worker localhost 57826 child 409M 44M 0% bro worker-1-11 worker localhost 57417 parent 485M 453M 0% 10.60% worker-1-11 worker localhost 57868 child 409M 44M 0% bro worker-1-12 worker localhost 57426 parent 489M 457M 10% bro worker-1-12 worker localhost 57968 child 409M 44M 0% bro worker-1-13 worker localhost 57432 parent 489M 456M 0% 9.08% worker-1-13 worker localhost 57971 child 409M 44M 0% bro worker-1-14 worker localhost 57442 parent 485M 453M 0% 11.67% worker-1-14 worker localhost 57969 child 409M 44M 0% bro worker-1-15 worker localhost 57461 parent 489M 457M 0% 11.57% {quote} The operating system is FreeBSD 9.3. 
Node.cfg is: {quote} [manager] type=manager host=localhost [worker-1] type=worker host=localhost interface=myri0 lb_method=myricom lb_procs=20 [proxy-1] type=proxy host=localhost {quote} -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From noreply at bro.org Thu Jul 9 00:00:24 2015 From: noreply at bro.org (Merge Tracker) Date: Thu, 9 Jul 2015 00:00:24 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507090700.t6970OFo023640@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------- ---------- ---------------------------------- c8b7574 [2] bro-aux Daniel Thayer 2015-07-08 Add some documentation for bro-cut Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- ---------------- ---------- ---------------------------------------------------------------- #33 [3] bro jswaro [4] 2015-06-27 Initial commit of the TCPRS analyzer [5] #30 [6] bro jsbarber [7] 2015-06-19 Use a common Packet format and preserve layer 2 information [8] #2 [9] bro-plugins cardigliano [10] 2015-07-06 Native pf ring support [11] #1 [12] bro-plugins jsbarber [13] 2015-05-23 Use a common Packet format and preserve layer 2 information [14] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] c8b7574 https://github.com/bro/bro-aux/commit/c8b7574703b95a1fab1310197b40395c410c9e72 [3] Pull Request #33 https://github.com/bro/bro/pull/33 [4] jswaro https://github.com/jswaro [5] Merge Pull Request #33 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release [6] 
Pull Request #30 https://github.com/bro/bro/pull/30 [7] jsbarber https://github.com/jsbarber [8] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets [9] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [10] cardigliano https://github.com/cardigliano [11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support [12] Pull Request #1 https://github.com/bro/bro-plugins/pull/1 [13] jsbarber https://github.com/jsbarber [14] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets From jira at bro-tracker.atlassian.net Thu Jul 9 14:53:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 9 Jul 2015 16:53:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1434) Broctl top output broken In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21203#comment-21203 ] Daniel Thayer commented on BIT-1434: ------------------------------------ This problem is caused by broctl assuming that every line in the output of "top -u -b all" has the same number of fields. 
However, in this case the output looks something like this (notice the "STATE" column contains the text "mx cv", which could be caused by the myricom drivers): PID UID THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND 57267 20206 31 20 0 324M 166M uwait 21 990:19 101.61% bro 57269 20206 1 52 5 136M 72608K select 18 711:37 66.80% bro 57471 20206 1 44 0 1089M 1060M mx cv 13 293:10 31.30% bro > Broctl top output broken > ------------------------ > > Key: BIT-1434 > URL: https://bro-tracker.atlassian.net/browse/BIT-1434 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: 2.4 > Reporter: Johanna Amann > Fix For: 2.5 > > > BroControl top output is broken on one host for me. > Output looks like (note the cmd column) > {quote} > [johanna ~/install-master/share/bro/site]$ broctl top > Name Type Host Pid Proc VSize Rss Cpu Cmd > manager manager localhost 57267 parent 252M 112M 4% bro > manager manager localhost 57269 child 136M 48M 0% bro > proxy-1 proxy localhost 57304 parent 80M 45M 0% bro > proxy-1 proxy localhost 57306 child 136M 45M 0% bro > worker-1-1 worker localhost 57397 parent 489M 455M 19% bro > worker-1-1 worker localhost 57967 child 409M 44M 0% bro > worker-1-10 worker localhost 57412 parent 489M 454M 0% 15.38% > worker-1-10 worker localhost 57826 child 409M 44M 0% bro > worker-1-11 worker localhost 57417 parent 485M 453M 0% 10.60% > worker-1-11 worker localhost 57868 child 409M 44M 0% bro > worker-1-12 worker localhost 57426 parent 489M 457M 10% bro > worker-1-12 worker localhost 57968 child 409M 44M 0% bro > worker-1-13 worker localhost 57432 parent 489M 456M 0% 9.08% > worker-1-13 worker localhost 57971 child 409M 44M 0% bro > worker-1-14 worker localhost 57442 parent 485M 453M 0% 11.67% > worker-1-14 worker localhost 57969 child 409M 44M 0% bro > worker-1-15 worker localhost 57461 parent 489M 457M 0% 11.57% > {quote} > The operating system is FreeBSD 9.3. 
Node.cfg is: > {quote} > [manager] > type=manager > host=localhost > [worker-1] > type=worker > host=localhost > interface=myri0 > lb_method=myricom > lb_procs=20 > [proxy-1] > type=proxy > host=localhost > {quote} -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Thu Jul 9 15:01:00 2015 From: jira at bro-tracker.atlassian.net (Liang Zhu (JIRA)) Date: Thu, 9 Jul 2015 17:01:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1435) &read_expire does not work for embedded table In-Reply-To: References: Message-ID: Liang Zhu created BIT-1435: ------------------------------ Summary: &read_expire does not work for embedded table Key: BIT-1435 URL: https://bro-tracker.atlassian.net/browse/BIT-1435 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Reporter: Liang Zhu I have a script read_expire_test.bro containing: {noformat} type embedded_table: table[string] of string &read_expire=1sec; global level2_table: table[string] of embedded_table; global level1_table: table[string] of string &read_expire=1sec; event bro_init() { level2_table["t1"] = table(); level2_table["t1"]["t2"] = "t2"; level1_table["t"] = "t"; print "level2_table:"; print level2_table; print "level1_table:"; print level1_table; } event bro_done() { print "----------------"; print "level2_table:"; print level2_table; print "level1_table:"; print level1_table; } {noformat} If I run this script through some trace (just to delay some time and let timeout work), for example, {noformat} bro --pseudo-realtime -C -r test.pcap read_expire_test.bro {noformat} the level1_table is cleaned up as expected. However, the embedded table in level2_table is not cleaned up. By running the script, bro does not give any error message or warning, so I assume &read_expire in the following statement {noformat} type embedded_table: table[string] of string &read_expire=1sec; {noformat} is supposed to work? 
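The field-count problem Daniel Thayer describes for BIT-1434 earlier in this archive, as an added example that is not part of any message here and is not BroControl's code: a positional split shifts every column after STATE when the state is "mx cv", while anchoring the fixed columns from both ends keeps them aligned. The rows are the three from the ticket comment with constructed spacing, and the parser assumes COMMAND is a single token.

```python
from typing import Dict, List, Optional

# Column layout from the header line quoted in the ticket comment.
HEADER = "PID UID THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND".split()
STATE_IDX = HEADER.index("STATE")
LEFT = HEADER[:STATE_IDX]        # fixed columns before STATE
RIGHT = HEADER[STATE_IDX + 1:]   # fixed columns after STATE

# Rows from the ticket comment; column spacing is constructed.
SAMPLE = """\
  PID   UID THR PRI NICE  SIZE    RES STATE   C   TIME    WCPU COMMAND
57267 20206  31  20    0  324M   166M uwait  21 990:19 101.61% bro
57269 20206   1  52    5  136M 72608K select 18 711:37  66.80% bro
57471 20206   1  44    0 1089M  1060M mx cv  13 293:10  31.30% bro
"""


def parse_naive(line: str) -> Dict[str, str]:
    """Positional split that assumes every row has the same field count."""
    return dict(zip(HEADER, line.split()))


def parse_row(line: str) -> Optional[Dict[str, str]]:
    """Parse one process row, tolerating whitespace inside STATE.

    The columns before STATE are taken from the left and the columns
    after it from the right; whatever remains in the middle is STATE.
    Returns None for the header and for any line that is not a process row.
    """
    fields = line.split()
    if len(fields) < len(HEADER):
        return None
    left = fields[:len(LEFT)]
    right = fields[len(fields) - len(RIGHT):]
    middle = fields[len(LEFT):len(fields) - len(RIGHT)]
    row = dict(zip(LEFT, left))
    row["STATE"] = " ".join(middle)
    row.update(zip(RIGHT, right))
    # Sanity checks so a shifted or unrelated line is rejected, not misread.
    if not (row["PID"].isdigit() and row["UID"].isdigit()):
        return None
    if not row["WCPU"].endswith("%"):
        return None
    return row


def parse_top(text: str) -> List[Dict[str, str]]:
    """Return all process rows found in batch-mode top output."""
    rows = []
    for line in text.splitlines():
        row = parse_row(line)
        if row is not None:
            rows.append(row)
    return rows


if __name__ == "__main__":
    last = SAMPLE.splitlines()[-1]
    print("naive :", parse_naive(last)["WCPU"], parse_naive(last)["COMMAND"])
    for row in parse_top(SAMPLE):
        print("robust:", row["PID"], repr(row["STATE"]), row["WCPU"], row["COMMAND"])
```
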
-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Thu Jul 9 17:59:01 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 9 Jul 2015 19:59:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1435) &read_expire does not work for embedded table In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1435: ------------------------------- Affects Version/s: git/master > &read_expire does not work for embedded table > --------------------------------------------- > > Key: BIT-1435 > URL: https://bro-tracker.atlassian.net/browse/BIT-1435 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Liang Zhu > Fix For: 2.5 > > > I have a script read_expire_test.bro containing: > {noformat} > type embedded_table: table[string] of string &read_expire=1sec; > global level2_table: table[string] of embedded_table; > global level1_table: table[string] of string &read_expire=1sec; > event bro_init() > { > level2_table["t1"] = table(); > level2_table["t1"]["t2"] = "t2"; > level1_table["t"] = "t"; > print "level2_table:"; > print level2_table; > print "level1_table:"; > print level1_table; > } > event bro_done() > { > print "----------------"; > print "level2_table:"; > print level2_table; > print "level1_table:"; > print level1_table; > } > {noformat} > If I run this script through some trace (just to delay some time and let timeout work), > for example, > {noformat} > bro --pseudo-realtime -C -r test.pcap read_expire_test.bro > {noformat} > the level1_table is cleaned up as expected. However, the embedded table in level2_table is not cleaned up. 
By running the script, bro does not give any error message or warning, so I assume &read_expire in the following statement > {noformat} > type embedded_table: table[string] of string &read_expire=1sec; > {noformat} > is supposed to work? -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Thu Jul 9 17:59:02 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 9 Jul 2015 19:59:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1435) &read_expire does not work for embedded table In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1435: ------------------------------- Fix Version/s: 2.5 > &read_expire does not work for embedded table > --------------------------------------------- > > Key: BIT-1435 > URL: https://bro-tracker.atlassian.net/browse/BIT-1435 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Liang Zhu > Fix For: 2.5 > > > I have a script read_expire_test.bro containing: > {noformat} > type embedded_table: table[string] of string &read_expire=1sec; > global level2_table: table[string] of embedded_table; > global level1_table: table[string] of string &read_expire=1sec; > event bro_init() > { > level2_table["t1"] = table(); > level2_table["t1"]["t2"] = "t2"; > level1_table["t"] = "t"; > print "level2_table:"; > print level2_table; > print "level1_table:"; > print level1_table; > } > event bro_done() > { > print "----------------"; > print "level2_table:"; > print level2_table; > print "level1_table:"; > print level1_table; > } > {noformat} > If I run this script through some trace (just to delay some time and let timeout work), > for example, > {noformat} > bro --pseudo-realtime -C -r test.pcap read_expire_test.bro > {noformat} > the level1_table is cleaned up as expected. 
However, the embedded table in level2_table is not cleaned up. By running the script, bro does not give any error message or warning, so I assume &read_expire in the following statement > {noformat} > type embedded_table: table[string] of string &read_expire=1sec; > {noformat} > is supposed to work? -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Thu Jul 9 20:57:00 2015 From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA)) Date: Thu, 9 Jul 2015 22:57:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1431) Loss of information due to analyzer capitalization changes In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21204#comment-21204 ] Seth Hall commented on BIT-1431: -------------------------------- Seems reasonable. Let's do that. > Loss of information due to analyzer capitalization changes > ---------------------------------------------------------- > > Key: BIT-1431 > URL: https://bro-tracker.atlassian.net/browse/BIT-1431 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.5 > Reporter: Seth Hall > > Currently some of Bro's analyzers are changing the case of data before passing it along to events which is fairly dramatic loss of information in some cases. > The two known examples right now are the query in DNS (lowercased) and the header field name in HTTP (uppercased). The question is if we should brute force change these to stop modifying the original values and have people fix any scripts that it breaks (watching for header value names is the biggie here) or if we should use some alternate mechanism to allow the existing behavior to have a sundown time period. 
> I say we should just break it since the quantity of existing scripts in the world is still fairly small and the number of scripts that it affects is even less (many scripts won't be affected at all). -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From noreply at bro.org Fri Jul 10 00:00:28 2015 From: noreply at bro.org (Merge Tracker) Date: Fri, 10 Jul 2015 00:00:28 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507100700.t6A70S2I002115@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------- ---------- ---------------------------------- c8b7574 [2] bro-aux Daniel Thayer 2015-07-08 Add some documentation for bro-cut Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- ---------------- ---------- ---------------------------------------------------------------- #33 [3] bro jswaro [4] 2015-06-27 Initial commit of the TCPRS analyzer [5] #30 [6] bro jsbarber [7] 2015-06-19 Use a common Packet format and preserve layer 2 information [8] #2 [9] bro-plugins cardigliano [10] 2015-07-06 Native pf ring support [11] #1 [12] bro-plugins jsbarber [13] 2015-05-23 Use a common Packet format and preserve layer 2 information [14] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] c8b7574 https://github.com/bro/bro-aux/commit/c8b7574703b95a1fab1310197b40395c410c9e72 [3] Pull Request #33 https://github.com/bro/bro/pull/33 [4] jswaro https://github.com/jswaro [5] Merge Pull Request #33 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git 
topic/jswaro/feature/initial-tcprs-release [6] Pull Request #30 https://github.com/bro/bro/pull/30 [7] jsbarber https://github.com/jsbarber [8] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets [9] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [10] cardigliano https://github.com/cardigliano [11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support [12] Pull Request #1 https://github.com/bro/bro-plugins/pull/1 [13] jsbarber https://github.com/jsbarber [14] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets From robin at icir.org Fri Jul 10 08:02:33 2015 From: robin at icir.org (Robin Sommer) Date: Fri, 10 Jul 2015 08:02:33 -0700 Subject: [Bro-Dev] [JIRA] (BIT-1435) &read_expire does not work for embedded table In-Reply-To: References: Message-ID: <20150710150233.GB60136@icir.org> > type embedded_table: table[string] of string &read_expire=1sec; > global level2_table: table[string] of embedded_table; > global level1_table: table[string] of string &read_expire=1sec; If I remember right, there's a problem with the expire attribute not transferring over in such cases. See if something like this works: event bro_init() { local t: table[string] of string &read_expire=1sec; level2_table["t1"] = t; [...] 
} From jira at bro-tracker.atlassian.net Fri Jul 10 08:04:01 2015 From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Fri, 10 Jul 2015 10:04:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1435) &read_expire does not work for embedded table In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21205#comment-21205 ] Robin Sommer commented on BIT-1435: ----------------------------------- If I remember right, there's a problem with the expire attribute not transferring over in such cases. See if something like this works: event bro_init() { local t: table[string] of string &read_expire=1sec; level2_table["t1"] = t; [...] } > &read_expire does not work for embedded table > --------------------------------------------- > > Key: BIT-1435 > URL: https://bro-tracker.atlassian.net/browse/BIT-1435 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Liang Zhu > Fix For: 2.5 > > > I have a script read_expire_test.bro containing: > {noformat} > type embedded_table: table[string] of string &read_expire=1sec; > global level2_table: table[string] of embedded_table; > global level1_table: table[string] of string &read_expire=1sec; > event bro_init() > { > level2_table["t1"] = table(); > level2_table["t1"]["t2"] = "t2"; > level1_table["t"] = "t"; > print "level2_table:"; > print level2_table; > print "level1_table:"; > print level1_table; > } > event bro_done() > { > print "----------------"; > print "level2_table:"; > print level2_table; > print "level1_table:"; > print level1_table; > } > {noformat} > If I run this script through some trace (just to delay some time and let timeout work), > for example, > {noformat} > bro --pseudo-realtime -C -r test.pcap read_expire_test.bro > {noformat} > the level1_table is cleaned up as expected. 
However, the embedded table in level2_table is not cleaned up. By running the script, bro does not give any error message or warning, so I assume &read_expire in the following statement > {noformat} > type embedded_table: table[string] of string &read_expire=1sec; > {noformat} > is supposed to work? -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From noreply at bro.org Sat Jul 11 00:00:17 2015 From: noreply at bro.org (Merge Tracker) Date: Sat, 11 Jul 2015 00:00:17 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507110700.t6B70HuA008509@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------ ---------- ------------------------------------ 8d8dc89 [2] bro Justin Azoff 2015-07-10 Correct perl package name on freebsd Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- ---------------- ---------- ---------------------------------------------------------------- #33 [3] bro jswaro [4] 2015-06-27 Initial commit of the TCPRS analyzer [5] #30 [6] bro jsbarber [7] 2015-06-19 Use a common Packet format and preserve layer 2 information [8] #2 [9] bro-plugins cardigliano [10] 2015-07-06 Native pf ring support [11] #1 [12] bro-plugins jsbarber [13] 2015-05-23 Use a common Packet format and preserve layer 2 information [14] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] 8d8dc89 https://github.com/bro/bro/commit/8d8dc890ddd550942cc3ebb3336d96a5a6337e0b [3] Pull Request #33 https://github.com/bro/bro/pull/33 [4] jswaro https://github.com/jswaro [5] Merge Pull Request #33 with 
git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release [6] Pull Request #30 https://github.com/bro/bro/pull/30 [7] jsbarber https://github.com/jsbarber [8] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets [9] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [10] cardigliano https://github.com/cardigliano [11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support [12] Pull Request #1 https://github.com/bro/bro-plugins/pull/1 [13] jsbarber https://github.com/jsbarber [14] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets From noreply at bro.org Sun Jul 12 00:00:17 2015 From: noreply at bro.org (Merge Tracker) Date: Sun, 12 Jul 2015 00:00:17 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507120700.t6C70HjS024431@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------ ---------- ------------------------------------ 8d8dc89 [2] bro Justin Azoff 2015-07-10 Correct perl package name on freebsd Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- ---------------- ---------- ---------------------------------------------------------------- #33 [3] bro jswaro [4] 2015-06-27 Initial commit of the TCPRS analyzer [5] #30 [6] bro jsbarber [7] 2015-06-19 Use a common Packet format and preserve layer 2 information [8] #2 [9] bro-plugins cardigliano [10] 
2015-07-06 Native pf ring support [11] #1 [12] bro-plugins jsbarber [13] 2015-05-23 Use a common Packet format and preserve layer 2 information [14] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] 8d8dc89 https://github.com/bro/bro/commit/8d8dc890ddd550942cc3ebb3336d96a5a6337e0b [3] Pull Request #33 https://github.com/bro/bro/pull/33 [4] jswaro https://github.com/jswaro [5] Merge Pull Request #33 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release [6] Pull Request #30 https://github.com/bro/bro/pull/30 [7] jsbarber https://github.com/jsbarber [8] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets [9] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [10] cardigliano https://github.com/cardigliano [11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support [12] Pull Request #1 https://github.com/bro/bro-plugins/pull/1 [13] jsbarber https://github.com/jsbarber [14] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets From noreply at bro.org Mon Jul 13 00:00:23 2015 From: noreply at bro.org (Merge Tracker) Date: Mon, 13 Jul 2015 00:00:23 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507130700.t6D70NF9024019@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------ ---------- ------------------------------------ 8d8dc89 [2] bro Justin Azoff 2015-07-10 Correct perl package 
name on freebsd Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- ---------------- ---------- ---------------------------------------------------------------- #33 [3] bro jswaro [4] 2015-06-27 Initial commit of the TCPRS analyzer [5] #30 [6] bro jsbarber [7] 2015-06-19 Use a common Packet format and preserve layer 2 information [8] #2 [9] bro-plugins cardigliano [10] 2015-07-06 Native pf ring support [11] #1 [12] bro-plugins jsbarber [13] 2015-05-23 Use a common Packet format and preserve layer 2 information [14] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] 8d8dc89 https://github.com/bro/bro/commit/8d8dc890ddd550942cc3ebb3336d96a5a6337e0b [3] Pull Request #33 https://github.com/bro/bro/pull/33 [4] jswaro https://github.com/jswaro [5] Merge Pull Request #33 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release [6] Pull Request #30 https://github.com/bro/bro/pull/30 [7] jsbarber https://github.com/jsbarber [8] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets [9] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [10] cardigliano https://github.com/cardigliano [11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support [12] Pull Request #1 https://github.com/bro/bro-plugins/pull/1 [13] jsbarber https://github.com/jsbarber [14] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets From jira at bro-tracker.atlassian.net Mon Jul 13 08:58:02 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 13 Jul 2015 10:58:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1435) &read_expire does not work for embedded table In-Reply-To: References: Message-ID: [ 
https://bro-tracker.atlassian.net/browse/BIT-1435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21300#comment-21300 ] Jon Siwek commented on BIT-1435: -------------------------------- Yeah, probably the same basic issue as BIT-248 (there's also other tickets about attribute quirks). I'd also suggest trying to go through an intermediate local value and apply the attribute that way. > &read_expire does not work for embedded table > --------------------------------------------- > > Key: BIT-1435 > URL: https://bro-tracker.atlassian.net/browse/BIT-1435 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Liang Zhu > Fix For: 2.5 > > > I have a script read_expire_test.bro containing: > {noformat} > type embedded_table: table[string] of string &read_expire=1sec; > global level2_table: table[string] of embedded_table; > global level1_table: table[string] of string &read_expire=1sec; > event bro_init() > { > level2_table["t1"] = table(); > level2_table["t1"]["t2"] = "t2"; > level1_table["t"] = "t"; > print "level2_table:"; > print level2_table; > print "level1_table:"; > print level1_table; > } > event bro_done() > { > print "----------------"; > print "level2_table:"; > print level2_table; > print "level1_table:"; > print level1_table; > } > {noformat} > If I run this script through some trace (just to delay some time and let timeout work), > for example, > {noformat} > bro --pseudo-realtime -C -r test.pcap read_expire_test.bro > {noformat} > the level1_table is cleaned up as expected. However, the embedded table in level2_table is not cleaned up. By running the script, bro does not give any error message or warning, so I assume &read_expire in the following statement > {noformat} > type embedded_table: table[string] of string &read_expire=1sec; > {noformat} > is supposed to work? 
-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From noreply at bro.org Tue Jul 14 00:00:34 2015 From: noreply at bro.org (Merge Tracker) Date: Tue, 14 Jul 2015 00:00:34 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507140700.t6E70YeN024446@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open Fastpath Commits ====================== Commit Component Author Date Summary ----------- ----------- ------------ ---------- ------------------------------------ 8d8dc89 [2] bro Justin Azoff 2015-07-10 Correct perl package name on freebsd Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- ---------------- ---------- ---------------------------------------------------------------- #33 [3] bro jswaro [4] 2015-06-27 Initial commit of the TCPRS analyzer [5] #30 [6] bro jsbarber [7] 2015-06-19 Use a common Packet format and preserve layer 2 information [8] #2 [9] bro-plugins cardigliano [10] 2015-07-06 Native pf ring support [11] #1 [12] bro-plugins jsbarber [13] 2015-05-23 Use a common Packet format and preserve layer 2 information [14] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] 8d8dc89 https://github.com/bro/bro/commit/8d8dc890ddd550942cc3ebb3336d96a5a6337e0b [3] Pull Request #33 https://github.com/bro/bro/pull/33 [4] jswaro https://github.com/jswaro [5] Merge Pull Request #33 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release [6] Pull Request #30 https://github.com/bro/bro/pull/30 [7] jsbarber https://github.com/jsbarber [8] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git 
topic/rework-packets [9] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [10] cardigliano https://github.com/cardigliano [11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support [12] Pull Request #1 https://github.com/bro/bro-plugins/pull/1 [13] jsbarber https://github.com/jsbarber [14] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets From noreply at bro.org Wed Jul 15 00:00:22 2015 From: noreply at bro.org (Merge Tracker) Date: Wed, 15 Jul 2015 00:00:22 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507150700.t6F70Md8032101@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- --------------- ---------- ---------------------------------------------------------------- #33 [2] bro jswaro [3] 2015-06-27 Initial commit of the TCPRS analyzer [4] #30 [5] bro jsbarber [6] 2015-06-19 Use a common Packet format and preserve layer 2 information [7] #2 [8] bro-plugins cardigliano [9] 2015-07-06 Native pf ring support [10] #1 [11] bro-plugins jsbarber [12] 2015-05-23 Use a common Packet format and preserve layer 2 information [13] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] Pull Request #33 https://github.com/bro/bro/pull/33 [3] jswaro https://github.com/jswaro [4] Merge Pull Request #33 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release [5] Pull Request #30 https://github.com/bro/bro/pull/30 [6] jsbarber https://github.com/jsbarber [7] 
Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets
[8] Pull Request #2 https://github.com/bro/bro-plugins/pull/2
[9] cardigliano https://github.com/cardigliano
[10] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support
[11] Pull Request #1 https://github.com/bro/bro-plugins/pull/1
[12] jsbarber https://github.com/jsbarber
[13] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets

From robin at icir.org Wed Jul 15 08:14:53 2015
From: robin at icir.org (Robin Sommer)
Date: Wed, 15 Jul 2015 08:14:53 -0700
Subject: [Bro-Dev] Broker test failures Re: [Bro-Commits-Internal] UnitTests - Build # 6444 - Failure!
In-Reply-To: <919212310.43.1436947747163.JavaMail.jenkins@brotestbed.ncsa.illinois.edu>
References: <919212310.43.1436947747163.JavaMail.jenkins@brotestbed.ncsa.illinois.edu>
Message-ID: <20150715151453.GW61080@icir.org>

We keep getting Jenkins errors with Broker tests like the one below.
Does anybody have an idea how to make these work more reliably?

Robin

On Wed, Jul 15, 2015 at 03:09 -0500, jenkins at brotestbed.ncsa.illinois.edu wrote:

> broker.master_store ... failed
> ### NOTE: This file has been sorted with diff-sort.
> +'lookup' query timeout > +'lookup' query timeout > +'lookup' query timeout > +'lookup' query timeout > +'lookup' query timeout > exists(four): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]] > exists(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]] > exists(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{1}]] > exists(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]] > keys: [status=BrokerStore::SUCCESS, result=[d=broker::data{[myvec, myset, one]}]] > -lookup(four): [status=BrokerStore::SUCCESS, result=[d=]] > -lookup(myset): [status=BrokerStore::SUCCESS, result=[d=broker::data{{a, c, d}}]] > -lookup(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{[delta, alpha, beta, gamma, omega]}]] > -lookup(one): [status=BrokerStore::SUCCESS, result=[d=broker::data{111}]] > -lookup(two): [status=BrokerStore::SUCCESS, result=[d=broker::data{222}]] > pop_left(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{delta}]] > pop_right(myvec): [status=BrokerStore::SUCCESS, result=[d=broker::data{omega}]] > size (after clear): [status=BrokerStore::SUCCESS, result=[d=broker::data{0}]] > ======================================= -- Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin From robin at icir.org Wed Jul 15 08:20:18 2015 From: robin at icir.org (Robin Sommer) Date: Wed, 15 Jul 2015 08:20:18 -0700 Subject: [Bro-Dev] More test failures (Re: [Bro-Commits-Internal] UnitTests - Build # 6455 - Failure!) In-Reply-To: <590102297.51.1436950515039.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> References: <590102297.51.1436950515039.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> Message-ID: <20150715152018.GX61080@icir.org> Unclear to me why these are failing? Robin On Wed, Jul 15, 2015 at 03:55 -0500, jenkins at brotestbed.ncsa.illinois.edu wrote: > scripts.base.frameworks.logging.sqlite.wikipedia ... 
failed > % 'bro -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_SQLITE' failed unexpectedly (exit code -10) > % cat .stderr > 1300475173.475401 , line 1: packet_filter/Log::WRITER_SQLITE: tablename configuration option not found. Defaulting to path packet_filter > 1300475173.475401 , line 1: weird/Log::WRITER_SQLITE: tablename configuration option not found. Defaulting to path weird > 1300475173.475401 , line 1: http/Log::WRITER_SQLITE: tablename configuration option not found. Defaulting to path http > 1300475173.475401 , line 1: dns/Log::WRITER_SQLITE: tablename configuration option not found. Defaulting to path dns > 1300475173.475401 , line 1: conn/Log::WRITER_SQLITE: tablename configuration option not found. Defaulting to path conn (The messages about Log::WRITER_SQLITE are ok, I'm getting these here locally as well even with the test passing.) > scripts.policy.frameworks.intel.seen.certs ... failed > % 'cat intel.log > intel-all.log' failed unexpectedly (exit code 1) > % cat .stderr > 1416942647.041795 warning in /home/jenkins/workspace/CompileDefault/bro/scripts/base/misc/find-checksum-offloading.bro, line 54: Your trace file likely has invalid IP checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Bro unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Bro analyzes the actual checksums that are transmitted. > cat: intel.log: No such file or directory -- Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin From johanna at icir.org Wed Jul 15 09:04:16 2015 From: johanna at icir.org (Johanna Amann) Date: Wed, 15 Jul 2015 09:04:16 -0700 Subject: [Bro-Dev] More test failures (Re: [Bro-Commits-Internal] UnitTests - Build # 6455 - Failure!) 
In-Reply-To: <20150715152018.GX61080@icir.org> References: <590102297.51.1436950515039.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20150715152018.GX61080@icir.org> Message-ID: <20150715160416.GC31920@Beezling.dhcp.lbnl.us> On Wed, Jul 15, 2015 at 08:20:18AM -0700, Robin Sommer wrote: > Unclear to me why these are failing? I think the .seen.certs one is a race condition between loading of the intel file and running the trace. Let me take a look at that, I might be able to fix it. Not sure about the other one. Johanna > > Robin > > On Wed, Jul 15, 2015 at 03:55 -0500, jenkins at brotestbed.ncsa.illinois.edu wrote: > > > scripts.base.frameworks.logging.sqlite.wikipedia ... failed > > % 'bro -r $TRACES/wikipedia.trace Log::default_writer=Log::WRITER_SQLITE' failed unexpectedly (exit code -10) > > % cat .stderr > > 1300475173.475401 , line 1: packet_filter/Log::WRITER_SQLITE: tablename configuration option not found. Defaulting to path packet_filter > > 1300475173.475401 , line 1: weird/Log::WRITER_SQLITE: tablename configuration option not found. Defaulting to path weird > > 1300475173.475401 , line 1: http/Log::WRITER_SQLITE: tablename configuration option not found. Defaulting to path http > > 1300475173.475401 , line 1: dns/Log::WRITER_SQLITE: tablename configuration option not found. Defaulting to path dns > > 1300475173.475401 , line 1: conn/Log::WRITER_SQLITE: tablename configuration option not found. Defaulting to path conn > > (The messages about Log::WRITER_SQLITE are ok, I'm getting these here > locally as well even with the test passing.) > > > scripts.policy.frameworks.intel.seen.certs ... failed > > % 'cat intel.log > intel-all.log' failed unexpectedly (exit code 1) > > % cat .stderr > > 1416942647.041795 warning in /home/jenkins/workspace/CompileDefault/bro/scripts/base/misc/find-checksum-offloading.bro, line 54: Your trace file likely has invalid IP checksums, most likely from NIC checksum offloading. 
By default, packets with invalid checksums are discarded by Bro unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Bro analyzes the actual checksums that are transmitted. > > cat: intel.log: No such file or directory > > > > -- > Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin > _______________________________________________ > bro-dev mailing list > bro-dev at bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev > > From johanna at icir.org Wed Jul 15 09:16:05 2015 From: johanna at icir.org (Johanna Amann) Date: Wed, 15 Jul 2015 09:16:05 -0700 Subject: [Bro-Dev] More test failures (Re: [Bro-Commits-Internal] UnitTests - Build # 6455 - Failure!)y In-Reply-To: <20150715160416.GC31920@Beezling.dhcp.lbnl.us> References: <590102297.51.1436950515039.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20150715152018.GX61080@icir.org> <20150715160416.GC31920@Beezling.dhcp.lbnl.us> Message-ID: <20150715161605.GA44571@Beezling.dhcp.lbnl.us> On Wed, Jul 15, 2015 at 09:04:16AM -0700, Johanna Amann wrote: > On Wed, Jul 15, 2015 at 08:20:18AM -0700, Robin Sommer wrote: > > Unclear to me why these are failing? > > I think the .seen.certs one is a race condition between loading of the > intel file and running the trace. Let me take a look at that, I might be > able to fix it. This should be fixed in 0d9869a2aae66a907db11bc4890be98a13da78ce. 
Johanna From noreply at bro.org Thu Jul 16 00:00:18 2015 From: noreply at bro.org (Merge Tracker) Date: Thu, 16 Jul 2015 00:00:18 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507160700.t6G70I6A008052@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- --------------- ---------- ---------------------------------------------------------------- #33 [2] bro jswaro [3] 2015-06-27 Initial commit of the TCPRS analyzer [4] #30 [5] bro jsbarber [6] 2015-06-19 Use a common Packet format and preserve layer 2 information [7] #2 [8] bro-plugins cardigliano [9] 2015-07-06 Native pf ring support [10] #1 [11] bro-plugins jsbarber [12] 2015-05-23 Use a common Packet format and preserve layer 2 information [13] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] Pull Request #33 https://github.com/bro/bro/pull/33 [3] jswaro https://github.com/jswaro [4] Merge Pull Request #33 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/initial-tcprs-release [5] Pull Request #30 https://github.com/bro/bro/pull/30 [6] jsbarber https://github.com/jsbarber [7] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets [8] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [9] cardigliano https://github.com/cardigliano [10] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support [11] Pull Request #1 https://github.com/bro/bro-plugins/pull/1 [12] jsbarber https://github.com/jsbarber [13] Merge Pull Request #1 
with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets

From jsiwek at illinois.edu Thu Jul 16 07:42:15 2015
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Thu, 16 Jul 2015 14:42:15 +0000
Subject: [Bro-Dev] Broker test failures Re: [Bro-Commits-Internal] UnitTests - Build # 6444 - Failure!
In-Reply-To: <20150715151453.GW61080@icir.org>
References: <919212310.43.1436947747163.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20150715151453.GW61080@icir.org>
Message-ID:

> On Jul 15, 2015, at 10:14 AM, Robin Sommer wrote:
>
> We keep getting Jenkins errors with Broker tests like the one below.
> Does anybody have an idea how to make these work more reliably?
>
> Robin
>
> On Wed, Jul 15, 2015 at 03:09 -0500, jenkins at brotestbed.ncsa.illinois.edu wrote:
>
>> broker.master_store ... failed
>
>> ### NOTE: This file has been sorted with diff-sort.
>> +'lookup' query timeout

Do you recall when pending triggers get evaluated? I think they were tied to event processing and if that fully drains and stalls out, then the "when" statements in the test are maybe waiting until the timeout timer happens?

If that's the situation, maybe adding a recurring/scheduled event is enough of a trick to make the test more reliable. Or running on a longer pcap (I think that was the trick I initially went with because there's no real reason it needs to use wikipedia.trace like it currently does).
Or maybe an overhaul of the main event and I/O loop would help :)

- Jon

From jira at bro-tracker.atlassian.net Thu Jul 16 10:06:00 2015
From: jira at bro-tracker.atlassian.net (Doris Schioberg (JIRA))
Date: Thu, 16 Jul 2015 12:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1436) Put back the --help option to bro-cut
In-Reply-To:
References:
Message-ID:

Doris Schioberg created BIT-1436:
------------------------------------

             Summary: Put back the --help option to bro-cut
                 Key: BIT-1436
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1436
             Project: Bro Issue Tracker
          Issue Type: Task
          Components: Bro
    Affects Versions: git/master
            Reporter: Doris Schioberg
            Assignee: Justin Azoff

bro-cut --help gives the error message:
bro-cut: illegal option -- -

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Thu Jul 16 10:38:01 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 16 Jul 2015 12:38:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1436) Put back the --help option to bro-cut
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21301#comment-21301 ]

Justin Azoff commented on BIT-1436:
-----------------------------------

bro-cut needs to use getopt_long to add support for --help back in.

I see that bro ships with src/bsd-getopt-long.c for platforms that do not have it.. does anyone know the history behind this? I'm not sure if this should be imported into the bro-cut repository as well, or just assume that it is already present on all supported platforms.

In the meantime I will at least get the underlying issue fixed.
> Put back the --help option to bro-cut > ------------------------------------- > > Key: BIT-1436 > URL: https://bro-tracker.atlassian.net/browse/BIT-1436 > Project: Bro Issue Tracker > Issue Type: Task > Components: Bro > Affects Versions: git/master > Reporter: Doris Schioberg > Assignee: Justin Azoff > > bro-cut --help gives the error message: > bro-cut: illegal option -- - -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Thu Jul 16 10:56:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Thu, 16 Jul 2015 12:56:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1436) Put back the --help option to bro-cut In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21302#comment-21302 ] Justin Azoff commented on BIT-1436: ----------------------------------- I pushed an initial fix for this to topic/jazoff/ticket1436 https://github.com/bro/bro-aux/commit/94dcc3723e677b62ff8706a8f40c28ddd7308638 Other than the bsd-getopt inclusion issue that should be all there is to it. 
> Put back the --help option to bro-cut > ------------------------------------- > > Key: BIT-1436 > URL: https://bro-tracker.atlassian.net/browse/BIT-1436 > Project: Bro Issue Tracker > Issue Type: Task > Components: Bro > Affects Versions: git/master > Reporter: Doris Schioberg > Assignee: Justin Azoff > > bro-cut --help gives the error message: > bro-cut: illegal option -- - -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From noreply at bro.org Fri Jul 17 00:00:17 2015 From: noreply at bro.org (Merge Tracker) Date: Fri, 17 Jul 2015 00:00:17 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507170700.t6H70Ht6015274@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- --------------- ---------- ---------------------------------------------------------------- #30 [2] bro jsbarber [3] 2015-07-17 Use a common Packet format and preserve layer 2 information [4] #2 [5] bro-plugins cardigliano [6] 2015-07-06 Native pf ring support [7] #1 [8] bro-plugins jsbarber [9] 2015-05-23 Use a common Packet format and preserve layer 2 information [10] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] Pull Request #30 https://github.com/bro/bro/pull/30 [3] jsbarber https://github.com/jsbarber [4] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets [5] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [6] cardigliano https://github.com/cardigliano [7] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support [8] 
Pull Request #1 https://github.com/bro/bro-plugins/pull/1
[9] jsbarber https://github.com/jsbarber
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets

From robin at icir.org Fri Jul 17 08:33:21 2015
From: robin at icir.org (Robin Sommer)
Date: Fri, 17 Jul 2015 08:33:21 -0700
Subject: [Bro-Dev] Broker test failures Re: [Bro-Commits-Internal] UnitTests - Build # 6444 - Failure!
In-Reply-To:
References: <919212310.43.1436947747163.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20150715151453.GW61080@icir.org>
Message-ID: <20150717153321.GG47537@icir.org>

On Thu, Jul 16, 2015 at 14:42 +0000, you wrote:

> Do you recall when pending triggers get evaluated? I think they were
> tied to event processing and if that fully drains and stalls out, then
> the "when" statements in the test are maybe waiting until the timeout
> timer happens?

Yes, it does take place at the time of event draining, but that should keep happening even without new events being queued, as the draining executes regularly in any case.

> Or maybe an overhaul of the main event and I/O loop would help :)

:-)

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From vern at icir.org Fri Jul 17 15:20:18 2015
From: vern at icir.org (Vern Paxson)
Date: Fri, 17 Jul 2015 15:20:18 -0700
Subject: [Bro-Dev] NTOP DPD
Message-ID: <20150717222012.72AA62C4044@rock.ICSI.Berkeley.EDU>

http://www.ntop.org/products/deep-packet-inspection/ndpi/ just came on my radar. Do folks already know about it? Has anyone assessed what they've put together and whether any of it is leverageable for Bro in a useful way?
Vern From noreply at bro.org Sat Jul 18 00:00:23 2015 From: noreply at bro.org (Merge Tracker) Date: Sat, 18 Jul 2015 00:00:23 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507180700.t6I70NHQ018370@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ---------------------------------------------------------------- #30 [2] bro jsbarber [3] 2015-07-18 Use a common Packet format and preserve layer 2 information [4] #3 [5] bro-plugins albertzaharovits [6] 2015-07-17 Redis Log Writer [7] #2 [8] bro-plugins cardigliano [9] 2015-07-06 Native pf ring support [10] #1 [11] bro-plugins jsbarber [12] 2015-05-23 Use a common Packet format and preserve layer 2 information [13] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] Pull Request #30 https://github.com/bro/bro/pull/30 [3] jsbarber https://github.com/jsbarber [4] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets [5] Pull Request #3 https://github.com/bro/bro-plugins/pull/3 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master [8] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [9] cardigliano https://github.com/cardigliano [10] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support [11] Pull Request #1 https://github.com/bro/bro-plugins/pull/1 [12] jsbarber https://github.com/jsbarber [13] Merge Pull 
Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets From noreply at bro.org Sun Jul 19 00:00:17 2015 From: noreply at bro.org (Merge Tracker) Date: Sun, 19 Jul 2015 00:00:17 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507190700.t6J70HXx004747@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ---------------------------------------------------------------- #30 [2] bro jsbarber [3] 2015-07-18 Use a common Packet format and preserve layer 2 information [4] #3 [5] bro-plugins albertzaharovits [6] 2015-07-17 Redis Log Writer [7] #2 [8] bro-plugins cardigliano [9] 2015-07-06 Native pf ring support [10] #1 [11] bro-plugins jsbarber [12] 2015-05-23 Use a common Packet format and preserve layer 2 information [13] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] Pull Request #30 https://github.com/bro/bro/pull/30 [3] jsbarber https://github.com/jsbarber [4] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets [5] Pull Request #3 https://github.com/bro/bro-plugins/pull/3 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master [8] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [9] cardigliano https://github.com/cardigliano [10] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support [11] Pull Request #1 
https://github.com/bro/bro-plugins/pull/1 [12] jsbarber https://github.com/jsbarber [13] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets From noreply at bro.org Mon Jul 20 00:00:20 2015 From: noreply at bro.org (Merge Tracker) Date: Mon, 20 Jul 2015 00:00:20 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507200700.t6K70KZf023705@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- --------------------------- BIT-1432 [1] BroControl Daniel Thayer Justin Azoff 2015-07-08 2.5 Normal BroControl config reloading Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ---------------------------------------------------------------- #30 [2] bro jsbarber [3] 2015-07-18 Use a common Packet format and preserve layer 2 information [4] #3 [5] bro-plugins albertzaharovits [6] 2015-07-17 Redis Log Writer [7] #2 [8] bro-plugins cardigliano [9] 2015-07-06 Native pf ring support [10] #1 [11] bro-plugins jsbarber [12] 2015-05-23 Use a common Packet format and preserve layer 2 information [13] [1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [2] Pull Request #30 https://github.com/bro/bro/pull/30 [3] jsbarber https://github.com/jsbarber [4] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets [5] Pull Request #3 https://github.com/bro/bro-plugins/pull/3 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master [8] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [9] cardigliano https://github.com/cardigliano [10] Merge Pull Request #2 with git pull --no-ff 
--no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support
[11] Pull Request #1 https://github.com/bro/bro-plugins/pull/1
[12] jsbarber https://github.com/jsbarber
[13] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets

From slagell at illinois.edu Mon Jul 20 06:54:29 2015
From: slagell at illinois.edu (Slagell, Adam J)
Date: Mon, 20 Jul 2015 13:54:29 +0000
Subject: [Bro-Dev] Bro Project and the Software Freedom Conservancy
Message-ID:

Some of you know that we have been talking with the Software Freedom Conservancy (SFC) about joining their non-profit foundation. In fact, current and past contributors have probably been directly contacted by the SFC already.

We have been looking at joining a foundation or starting one for some time for several reasons: to signify longevity for the project, clarify and manage intellectual property rights and licensing, accept donations for the project with low overhead, build community transparency and trust, and provide legal protection for contributors. The SFC provides all of these. They also leave the technical and artistic control of the project to the contributors and community.

As we negotiate a membership contract with the SFC, we would like to open this conversation up to the broader community of developers, users and other stakeholders. This includes not only thoughts on joining with SFC, but also on the contract (draft attached) with them and our plans to further open up the documentation, which we would like to license as Creative Commons Share-alike or Attribution. So please let us know your thoughts.

If possible, I'd like to wrap this discussion up by the end of this week as I'd like to have something to announce at BroCon.

Thanks,

Adam Slagell

------
Adam J.
Slagell
Chief Information Security Officer
Assistant Director, Cybersecurity Directorate
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20150720/6d5067bc/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Bro-sponsorship-agreement-draft.odt
Type: application/vnd.oasis.opendocument.text
Size: 7675 bytes
Desc: Bro-sponsorship-agreement-draft.odt
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20150720/6d5067bc/attachment.bin

From jira at bro-tracker.atlassian.net Mon Jul 20 14:10:01 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Mon, 20 Jul 2015 16:10:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1437) broctl doesn't handle a missing broctl-config.sh well
In-Reply-To:
References:
Message-ID:

Justin Azoff created BIT-1437:
---------------------------------

             Summary: broctl doesn't handle a missing broctl-config.sh well
                 Key: BIT-1437
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1437
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BroControl
    Affects Versions: git/master
            Reporter: Justin Azoff

On a few install from homebrew, this happens:

{code}
[BroControl] > install
removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/site ...
removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating standalone-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
Error: failed to resolve symlink '/usr/local/Cellar/bro/2.4/share/broctl/scripts/broctl-config.sh': No such file or directory
{code}

Broctl assumes that broctl-config.sh will always exist. Apparently the other binary bro packages have workarounds to ship an initially broken symlink for this file. We could probably work around this for homebrew, but I think I have a fix that will just ignore a missing file initially.

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Jul 20 14:12:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Mon, 20 Jul 2015 16:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1437) broctl doesn't handle a missing broctl-config.sh well
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff reassigned BIT-1437:
---------------------------------

    Assignee: Daniel Thayer

I think I fixed this in topic/jazoff/ticket1437, can you take a look?

> broctl doesn't handle a missing broctl-config.sh well
> -----------------------------------------------------
>
>                 Key: BIT-1437
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1437
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Assignee: Daniel Thayer
>
> On a few install from homebrew, this happens:
> {code}
> [BroControl] > install
> removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/site ...
> removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/auto ...
> creating policy directories ...
> installing site policies ...
> generating standalone-layout.bro ...
> generating local-networks.bro ...
> generating broctl-config.bro ...
> generating broctl-config.sh ...
> Error: failed to resolve symlink '/usr/local/Cellar/bro/2.4/share/broctl/scripts/broctl-config.sh': No such file or directory
> {code}
> Broctl assumes that broctl-config.sh will always exist. Apparently the other binary bro packages have workarounds to ship an initially broken symlink for this file. We could probably work around this for homebrew, but I think I have a fix that will just ignore a missing file initially.

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Jul 20 14:16:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 20 Jul 2015 16:16:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1437) broctl doesn't handle a missing broctl-config.sh well
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21401#comment-21401 ]

Johanna Amann commented on BIT-1437:
------------------------------------

Actually - you might have misunderstood me there -- the broken symlink is by default present after a bro make install. Packaging utilities often refuse to ship broken symlinks -- which requires the manual fix to make it appear in a system exactly as it does after a bro "make install". I assume the same thing happens with homebrew. In any case, needing a broken symlink is kind of awkward in any case.

Johanna

> broctl doesn't handle a missing broctl-config.sh well
> -----------------------------------------------------
>
> Key: BIT-1437
> URL: https://bro-tracker.atlassian.net/browse/BIT-1437
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Justin Azoff
> Assignee: Daniel Thayer
>
> On a few install from homebrew, this happens:
> {code}
> [BroControl] > install
> removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/site ...
> removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/auto ...
> creating policy directories ...
> installing site policies ...
> generating standalone-layout.bro ...
> generating local-networks.bro ...
> generating broctl-config.bro ...
> generating broctl-config.sh ...
> Error: failed to resolve symlink '/usr/local/Cellar/bro/2.4/share/broctl/scripts/broctl-config.sh': No such file or directory
> {code}
> Broctl assumes that broctl-config.sh will always exist. Apparently the other binary bro packages have workarounds to ship an initially broken symlink for this file. We could probably work around this for homebrew, but I think I have a fix that will just ignore a missing file initially.

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Jul 20 14:19:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Mon, 20 Jul 2015 16:19:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1436) Put back the --help option to bro-cut
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff updated BIT-1436:
------------------------------

Status: Merge Request (was: Open)
Assignee: (was: Justin Azoff)

> Put back the --help option to bro-cut
> -------------------------------------
>
> Key: BIT-1436
> URL: https://bro-tracker.atlassian.net/browse/BIT-1436
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master
> Reporter: Doris Schioberg
>
> bro-cut --help gives the error message:
> bro-cut: illegal option -- -

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Jul 20 14:20:01 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Mon, 20 Jul 2015 16:20:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1436) Put back the --help option to bro-cut
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff reassigned BIT-1436:
---------------------------------

Assignee: Daniel Thayer

> Put back the --help option to bro-cut
> -------------------------------------
>
> Key: BIT-1436
> URL: https://bro-tracker.atlassian.net/browse/BIT-1436
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master
> Reporter: Doris Schioberg
> Assignee: Daniel Thayer
>
> bro-cut --help gives the error message:
> bro-cut: illegal option -- -

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From noreply at bro.org Tue Jul 21 00:00:18 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 21 Jul 2015 00:00:18 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507210700.t6L70InD018670@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee       Updated     For Version  Priority  Summary
------------  ----------  ---------------  -------------  ----------  -----------  --------  -------------------------------------
BIT-1436 [1]  Bro         Doris Schioberg  Daniel Thayer  2015-07-20  -            Normal    Put back the --help option to bro-cut
BIT-1432 [2]  BroControl  Daniel Thayer    Justin Azoff   2015-07-08  2.5          Normal    BroControl config reloading

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ----------------------------------------------------------------
#30 [3]  bro          jsbarber [4]          2015-07-20  Use a common Packet format and preserve layer 2 information [5]
#3 [6]   bro-plugins  albertzaharovits [7]  2015-07-17  Redis Log Writer [8]
#2 [9]   bro-plugins  cardigliano [10]      2015-07-06  Native pf ring support [11]
#1 [12]  bro-plugins  jsbarber [13]         2015-05-23  Use a common Packet format and preserve layer 2 information [14]

[1] BIT-1436 https://bro-tracker.atlassian.net/browse/BIT-1436
[2] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432
[3] Pull Request #30 https://github.com/bro/bro/pull/30
[4] jsbarber https://github.com/jsbarber
[5] Merge Pull Request #30 with git pull --no-ff --no-commit https://github.com/jsbarber/bro.git topic/rework-packets
[6] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[7] albertzaharovits https://github.com/albertzaharovits
[8] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master
[9] Pull Request #2 https://github.com/bro/bro-plugins/pull/2
[10] cardigliano https://github.com/cardigliano
[11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support
[12] Pull Request #1 https://github.com/bro/bro-plugins/pull/1
[13] jsbarber https://github.com/jsbarber
[14] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/jsbarber/bro-plugins.git topic/rework-packets

From jira at bro-tracker.atlassian.net Tue Jul 21 09:39:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 21 Jul 2015 11:39:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1436) Put back the --help option to bro-cut
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21402#comment-21402 ]

Robin Sommer commented on BIT-1436:
-----------------------------------

Using getopt_long shouldn't be a problem I'm guessing. I'll merge as is, and if no problems show up, I'll remove the custom code from Bro as well.
> Put back the --help option to bro-cut
> -------------------------------------
>
> Key: BIT-1436
> URL: https://bro-tracker.atlassian.net/browse/BIT-1436
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master
> Reporter: Doris Schioberg
> Assignee: Daniel Thayer
>
> bro-cut --help gives the error message:
> bro-cut: illegal option -- -

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Tue Jul 21 09:41:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 21 Jul 2015 11:41:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1436) Put back the --help option to bro-cut
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1436:
------------------------------

Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

> Put back the --help option to bro-cut
> -------------------------------------
>
> Key: BIT-1436
> URL: https://bro-tracker.atlassian.net/browse/BIT-1436
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master
> Reporter: Doris Schioberg
> Assignee: Daniel Thayer
>
> bro-cut --help gives the error message:
> bro-cut: illegal option -- -

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Tue Jul 21 10:55:01 2015
From: jira at bro-tracker.atlassian.net (earl eiland (JIRA))
Date: Tue, 21 Jul 2015 12:55:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1438) Code example from the documentation fails with "unknown identifier" error
In-Reply-To:
References:
Message-ID:

earl eiland created BIT-1438:
--------------------------------

Summary: Code example from the documentation fails with "unknown identifier" error
Key: BIT-1438
URL: https://bro-tracker.atlassian.net/browse/BIT-1438
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro, Documentation
Affects Versions: 2.3
Environment: ArchLinux
Reporter: earl eiland

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
{
    local service_id = split_string_all("a-b--cd", /(\-)+/);
}
Executing this script fails with "unknown identifier split_string_all, at or near "split_string_all"".
The split_string_all command is taken directly from the documentation: https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html#id-split_string_all

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From noreply at bro.org Wed Jul 22 00:00:17 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 22 Jul 2015 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507220700.t6M70HVD003111@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  ---------------------------
BIT-1432 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-07-08  2.5          Normal    BroControl config reloading

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  --------------------------
#3 [2]   bro-plugins  albertzaharovits [3]  2015-07-17  Redis Log Writer [4]
#2 [5]   bro-plugins  cardigliano [6]       2015-07-21  Native pf ring support [7]

[1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432
[2] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[3] albertzaharovits https://github.com/albertzaharovits
[4] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master
[5] Pull Request #2 https://github.com/bro/bro-plugins/pull/2
[6] cardigliano https://github.com/cardigliano
[7] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support

From robin at icir.org Wed Jul 22 07:11:20 2015
From: robin at icir.org (Robin Sommer)
Date: Wed, 22 Jul 2015 07:11:20 -0700
Subject: [Bro-Dev] [JIRA] (BIT-1438) Code example from the documentation fails with "unknown identifier" error
In-Reply-To:
References:
Message-ID: <20150722141120.GE14091@icir.org>

split_string_all() was introduced with 2.4, 2.3 doesn't have it.

From jira at bro-tracker.atlassian.net Wed Jul 22 07:12:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 22 Jul 2015 09:12:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1438) Code example from the documentation fails with "unknown identifier" error
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21403#comment-21403 ]

Robin Sommer commented on BIT-1438:
-----------------------------------

split_string_all() was introduced with 2.4, 2.3 doesn't have it.

> Code example from the documentation fails with "unknown identifier" error
> -------------------------------------------------------------------------
>
> Key: BIT-1438
> URL: https://bro-tracker.atlassian.net/browse/BIT-1438
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro, Documentation
> Affects Versions: 2.3
> Environment: ArchLinux
> Reporter: earl eiland
> Labels: event, script
>
> event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
> {
>     local service_id = split_string_all("a-b--cd", /(\-)+/);
> }
> Executing this script fails with "unknown identifier split_string_all, at or near "split_string_all"".
> The split_string_all command is taken directly from the documentation: https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html#id-split_string_all

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Wed Jul 22 07:57:01 2015
From: jira at bro-tracker.atlassian.net (earl eiland (JIRA))
Date: Wed, 22 Jul 2015 09:57:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1438) Code example from the documentation fails with "unknown identifier" error
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21404#comment-21404 ]

earl eiland commented on BIT-1438:
----------------------------------

That would indeed cause an error! I installed from the git repository last week using the instructions in the document, and thought I was getting the latest and greatest release. Do I need to go elsewhere for 2.4?

> Code example from the documentation fails with "unknown identifier" error
> -------------------------------------------------------------------------
>
> Key: BIT-1438
> URL: https://bro-tracker.atlassian.net/browse/BIT-1438
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro, Documentation
> Affects Versions: 2.3
> Environment: ArchLinux
> Reporter: earl eiland
> Labels: event, script
>
> event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
> {
>     local service_id = split_string_all("a-b--cd", /(\-)+/);
> }
> Executing this script fails with "unknown identifier split_string_all, at or near "split_string_all"".
> The split_string_all command is taken directly from the documentation: https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html#id-split_string_all

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From robin at icir.org Wed Jul 22 08:07:24 2015
From: robin at icir.org (Robin Sommer)
Date: Wed, 22 Jul 2015 08:07:24 -0700
Subject: [Bro-Dev] [JIRA] (BIT-1438) Code example from the documentation fails with "unknown identifier" error
In-Reply-To:
References:
Message-ID: <20150722150724.GM14091@icir.org>

That should indeed get you the latest version, although you selected 2.3 as the version with the ticket? What does "bro -v" say?

From jira at bro-tracker.atlassian.net Wed Jul 22 08:08:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 22 Jul 2015 10:08:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1438) Code example from the documentation fails with "unknown identifier" error
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21405#comment-21405 ]

Robin Sommer commented on BIT-1438:
-----------------------------------

That should indeed get you the latest version, although you selected 2.3 as the version with the ticket? What does "bro -v" say?
> Code example from the documentation fails with "unknown identifier" error
> -------------------------------------------------------------------------
>
> Key: BIT-1438
> URL: https://bro-tracker.atlassian.net/browse/BIT-1438
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro, Documentation
> Affects Versions: 2.3
> Environment: ArchLinux
> Reporter: earl eiland
> Labels: event, script
>
> event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
> {
>     local service_id = split_string_all("a-b--cd", /(\-)+/);
> }
> Executing this script fails with "unknown identifier split_string_all, at or near "split_string_all"".
> The split_string_all command is taken directly from the documentation: https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html#id-split_string_all

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Wed Jul 22 10:51:01 2015
From: jira at bro-tracker.atlassian.net (earl eiland (JIRA))
Date: Wed, 22 Jul 2015 12:51:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1438) Code example from the documentation fails with "unknown identifier" error
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21406#comment-21406 ]

earl eiland commented on BIT-1438:
----------------------------------

2.3-392

> Code example from the documentation fails with "unknown identifier" error
> -------------------------------------------------------------------------
>
> Key: BIT-1438
> URL: https://bro-tracker.atlassian.net/browse/BIT-1438
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro, Documentation
> Affects Versions: 2.3
> Environment: ArchLinux
> Reporter: earl eiland
> Labels: event, script
>
> event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
> {
>     local service_id = split_string_all("a-b--cd", /(\-)+/);
> }
> Executing this script fails with "unknown identifier split_string_all, at or near "split_string_all"".
> The split_string_all command is taken directly from the documentation: https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html#id-split_string_all

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Wed Jul 22 12:58:01 2015
From: jira at bro-tracker.atlassian.net (earl eiland (JIRA))
Date: Wed, 22 Jul 2015 14:58:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1438) Code example from the documentation fails with "unknown identifier" error
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21407#comment-21407 ]

earl eiland commented on BIT-1438:
----------------------------------

I checked on the install. It turns out that the previous version had not been removed, and I was still using it -- the classic PICNIC error :) Tomorrow, I'll try the correct executable.

> Code example from the documentation fails with "unknown identifier" error
> -------------------------------------------------------------------------
>
> Key: BIT-1438
> URL: https://bro-tracker.atlassian.net/browse/BIT-1438
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro, Documentation
> Affects Versions: 2.3
> Environment: ArchLinux
> Reporter: earl eiland
> Labels: event, script
>
> event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
> {
>     local service_id = split_string_all("a-b--cd", /(\-)+/);
> }
> Executing this script fails with "unknown identifier split_string_all, at or near "split_string_all"".
> The split_string_all command is taken directly from the documentation: https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html#id-split_string_all

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From noreply at bro.org Thu Jul 23 00:00:17 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 23 Jul 2015 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507230700.t6N70HNK029662@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  ---------------------------
BIT-1432 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-07-08  2.5          Normal    BroControl config reloading

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  -------------------------------------------------------
#34 [2]  bro          aaronmbr [3]          2015-07-22  Allow for logging VLAN information with Connections [4]
#3 [5]   bro-plugins  albertzaharovits [6]  2015-07-17  Redis Log Writer [7]
#2 [8]   bro-plugins  cardigliano [9]       2015-07-21  Native pf ring support [10]

[1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432
[2] Pull Request #34 https://github.com/bro/bro/pull/34
[3] aaronmbr https://github.com/aaronmbr
[4] Merge Pull Request #34 with git pull --no-ff --no-commit https://github.com/aaronmbr/bro.git master
[5] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[6] albertzaharovits https://github.com/albertzaharovits
[7] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master
[8] Pull Request #2 https://github.com/bro/bro-plugins/pull/2
[9] cardigliano https://github.com/cardigliano
[10] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support

From noreply at bro.org Fri Jul 24 00:00:17 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 24 Jul 2015 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507240700.t6O70Hxm002007@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  ---------------------------
BIT-1432 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-07-08  2.5          Normal    BroControl config reloading

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  -------------------------------------------------------
#34 [2]  bro          aaronmbr [3]          2015-07-23  Allow for logging VLAN information with Connections [4]
#3 [5]   bro-plugins  albertzaharovits [6]  2015-07-17  Redis Log Writer [7]
#2 [8]   bro-plugins  cardigliano [9]       2015-07-21  Native pf ring support [10]

[1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432
[2] Pull Request #34 https://github.com/bro/bro/pull/34
[3] aaronmbr https://github.com/aaronmbr
[4] Merge Pull Request #34 with git pull --no-ff --no-commit https://github.com/aaronmbr/bro.git master
[5] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[6] albertzaharovits https://github.com/albertzaharovits
[7] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master
[8] Pull Request #2 https://github.com/bro/bro-plugins/pull/2
[9] cardigliano https://github.com/cardigliano
[10] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support

From noreply at bro.org Sat Jul 25 00:00:18 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 25 Jul 2015 00:00:18 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507250700.t6P70Ito000958@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  ---------------------------
BIT-1432 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-07-08  2.5          Normal    BroControl config reloading

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  --------------------------------------------
#35 [2]  bro          J-Gras [3]            2015-07-24  Updated detection of Flash and AdobeAIR. [4]
#3 [5]   bro-plugins  albertzaharovits [6]  2015-07-17  Redis Log Writer [7]
#2 [8]   bro-plugins  cardigliano [9]       2015-07-21  Native pf ring support [10]

[1] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432
[2] Pull Request #35 https://github.com/bro/bro/pull/35
[3] J-Gras https://github.com/J-Gras
[4] Merge Pull Request #35 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/flash-detection
[5] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[6] albertzaharovits https://github.com/albertzaharovits
[7] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master
[8] Pull Request #2 https://github.com/bro/bro-plugins/pull/2
[9] cardigliano https://github.com/cardigliano
[10] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support

From jira at bro-tracker.atlassian.net Sat Jul 25 14:25:01 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Sat, 25 Jul 2015 16:25:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1434) Broctl top output broken
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21408#comment-21408 ]

Daniel Thayer commented on BIT-1434:
------------------------------------

Branch topic/dnthayer/ticket1434 in the broctl repo has a fix for this.
I changed the awk script contained in the "top" helper script to account for a varying number of fields in the output of the "top" command on FreeBSD.

> Broctl top output broken
> ------------------------
>
> Key: BIT-1434
> URL: https://bro-tracker.atlassian.net/browse/BIT-1434
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 2.4
> Reporter: Johanna Amann
> Fix For: 2.5
>
>
> BroControl top output is broken on one host for me.
> Output looks like (note the cmd column)
> {quote}
> [johanna ~/install-master/share/bro/site]$ broctl top
> Name         Type    Host      Pid   Proc   VSize Rss  Cpu Cmd
> manager      manager localhost 57267 parent 252M  112M 4%  bro
> manager      manager localhost 57269 child  136M  48M  0%  bro
> proxy-1      proxy   localhost 57304 parent 80M   45M  0%  bro
> proxy-1      proxy   localhost 57306 child  136M  45M  0%  bro
> worker-1-1   worker  localhost 57397 parent 489M  455M 19% bro
> worker-1-1   worker  localhost 57967 child  409M  44M  0%  bro
> worker-1-10  worker  localhost 57412 parent 489M  454M 0%  15.38%
> worker-1-10  worker  localhost 57826 child  409M  44M  0%  bro
> worker-1-11  worker  localhost 57417 parent 485M  453M 0%  10.60%
> worker-1-11  worker  localhost 57868 child  409M  44M  0%  bro
> worker-1-12  worker  localhost 57426 parent 489M  457M 10% bro
> worker-1-12  worker  localhost 57968 child  409M  44M  0%  bro
> worker-1-13  worker  localhost 57432 parent 489M  456M 0%  9.08%
> worker-1-13  worker  localhost 57971 child  409M  44M  0%  bro
> worker-1-14  worker  localhost 57442 parent 485M  453M 0%  11.67%
> worker-1-14  worker  localhost 57969 child  409M  44M  0%  bro
> worker-1-15  worker  localhost 57461 parent 489M  457M 0%  11.57%
> {quote}
> The operating system is FreeBSD 9.3. Node.cfg is:
> {quote}
> [manager]
> type=manager
> host=localhost
> [worker-1]
> type=worker
> host=localhost
> interface=myri0
> lb_method=myricom
> lb_procs=20
> [proxy-1]
> type=proxy
> host=localhost
> {quote}

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Sat Jul 25 14:26:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Sat, 25 Jul 2015 16:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1434) Broctl top output broken
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1434:
----------------------------------

Assignee: Justin Azoff

> Broctl top output broken
> ------------------------
>
> Key: BIT-1434
> URL: https://bro-tracker.atlassian.net/browse/BIT-1434
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 2.4
> Reporter: Johanna Amann
> Assignee: Justin Azoff
> Fix For: 2.5
>
>
> BroControl top output is broken on one host for me.
> Output looks like (note the cmd column)
> {quote}
> [johanna ~/install-master/share/bro/site]$ broctl top
> Name         Type    Host      Pid   Proc   VSize Rss  Cpu Cmd
> manager      manager localhost 57267 parent 252M  112M 4%  bro
> manager      manager localhost 57269 child  136M  48M  0%  bro
> proxy-1      proxy   localhost 57304 parent 80M   45M  0%  bro
> proxy-1      proxy   localhost 57306 child  136M  45M  0%  bro
> worker-1-1   worker  localhost 57397 parent 489M  455M 19% bro
> worker-1-1   worker  localhost 57967 child  409M  44M  0%  bro
> worker-1-10  worker  localhost 57412 parent 489M  454M 0%  15.38%
> worker-1-10  worker  localhost 57826 child  409M  44M  0%  bro
> worker-1-11  worker  localhost 57417 parent 485M  453M 0%  10.60%
> worker-1-11  worker  localhost 57868 child  409M  44M  0%  bro
> worker-1-12  worker  localhost 57426 parent 489M  457M 10% bro
> worker-1-12  worker  localhost 57968 child  409M  44M  0%  bro
> worker-1-13  worker  localhost 57432 parent 489M  456M 0%  9.08%
> worker-1-13  worker  localhost 57971 child  409M  44M  0%  bro
> worker-1-14  worker  localhost 57442 parent 485M  453M 0%  11.67%
> worker-1-14  worker  localhost 57969 child  409M  44M  0%  bro
> worker-1-15  worker  localhost 57461 parent 489M  457M 0%  11.57%
> {quote}
> The operating system is FreeBSD 9.3. Node.cfg is:
> {quote}
> [manager]
> type=manager
> host=localhost
> [worker-1]
> type=worker
> host=localhost
> interface=myri0
> lb_method=myricom
> lb_procs=20
> [proxy-1]
> type=proxy
> host=localhost
> {quote}

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Sat Jul 25 14:26:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Sat, 25 Jul 2015 16:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1434) Broctl top output broken
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1434:
-------------------------------

Status: Merge Request (was: Open)

> Broctl top output broken
> ------------------------
>
> Key: BIT-1434
> URL: https://bro-tracker.atlassian.net/browse/BIT-1434
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 2.4
> Reporter: Johanna Amann
> Fix For: 2.5
>
>
> BroControl top output is broken on one host for me.
> Output looks like (note the cmd column)
> {quote}
> [johanna ~/install-master/share/bro/site]$ broctl top
> Name         Type    Host      Pid   Proc   VSize Rss  Cpu Cmd
> manager      manager localhost 57267 parent 252M  112M 4%  bro
> manager      manager localhost 57269 child  136M  48M  0%  bro
> proxy-1      proxy   localhost 57304 parent 80M   45M  0%  bro
> proxy-1      proxy   localhost 57306 child  136M  45M  0%  bro
> worker-1-1   worker  localhost 57397 parent 489M  455M 19% bro
> worker-1-1   worker  localhost 57967 child  409M  44M  0%  bro
> worker-1-10  worker  localhost 57412 parent 489M  454M 0%  15.38%
> worker-1-10  worker  localhost 57826 child  409M  44M  0%  bro
> worker-1-11  worker  localhost 57417 parent 485M  453M 0%  10.60%
> worker-1-11  worker  localhost 57868 child  409M  44M  0%  bro
> worker-1-12  worker  localhost 57426 parent 489M  457M 10% bro
> worker-1-12  worker  localhost 57968 child  409M  44M  0%  bro
> worker-1-13  worker  localhost 57432 parent 489M  456M 0%  9.08%
> worker-1-13  worker  localhost 57971 child  409M  44M  0%  bro
> worker-1-14  worker  localhost 57442 parent 485M  453M 0%  11.67%
> worker-1-14  worker  localhost 57969 child  409M  44M  0%  bro
> worker-1-15  worker  localhost 57461 parent 489M  457M 0%  11.57%
> {quote}
> The operating system is FreeBSD 9.3. Node.cfg is:
> {quote}
> [manager]
> type=manager
> host=localhost
> [worker-1]
> type=worker
> host=localhost
> interface=myri0
> lb_method=myricom
> lb_procs=20
> [proxy-1]
> type=proxy
> host=localhost
> {quote}

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From noreply at bro.org Sun Jul 26 00:00:14 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 26 Jul 2015 00:00:14 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507260700.t6Q70EZ9018948@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  ---------------------------
BIT-1434 [1]  BroControl  Johanna Amann  Justin Azoff  2015-07-25  2.5          Normal    Broctl top output broken
BIT-1432 [2]  BroControl  Daniel Thayer  Justin Azoff  2015-07-08  2.5          Normal    BroControl config reloading

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  --------------------------------------------
#35 [3]  bro          J-Gras [4]            2015-07-24  Updated detection of Flash and AdobeAIR. [5]
#3 [6]   bro-plugins  albertzaharovits [7]  2015-07-17  Redis Log Writer [8]
#2 [9]   bro-plugins  cardigliano [10]      2015-07-21  Native pf ring support [11]

[1] BIT-1434 https://bro-tracker.atlassian.net/browse/BIT-1434
[2] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432
[3] Pull Request #35 https://github.com/bro/bro/pull/35
[4] J-Gras https://github.com/J-Gras
[5] Merge Pull Request #35 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/flash-detection
[6] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[7] albertzaharovits https://github.com/albertzaharovits
[8] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master
[9] Pull Request #2 https://github.com/bro/bro-plugins/pull/2
[10] cardigliano https://github.com/cardigliano
[11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support

From noreply at bro.org Mon Jul 27 00:00:22 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 27 Jul 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507270700.t6R70MuC010061@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  ---------------------------
BIT-1434 [1]  BroControl  Johanna Amann  Justin Azoff  2015-07-25  2.5          Normal    Broctl top output broken
BIT-1432 [2]  BroControl  Daniel Thayer  Justin Azoff  2015-07-08  2.5          Normal    BroControl config reloading

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ----------------------------------------------------------------------------------
#37 [3]  bro          albertzaharovits [4]  2015-07-26  [BIT-1429] The SMTP logs should include CC: addresses as well as To: addresses [5]
#36 [6]  bro          jswaro [7]
2015-07-26 Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [8] #35 [9] bro J-Gras [10] 2015-07-24 Updated detection of Flash and AdobeAIR. [11] #5 [12] bro-plugins jswaro [13] 2015-07-26 Adding initial conversion of TCPRS to a plugin [14] #3 [15] bro-plugins albertzaharovits [16] 2015-07-17 Redis Log Writer [17] #2 [18] bro-plugins cardigliano [19] 2015-07-21 Native pf ring support [20] [1] BIT-1434 https://bro-tracker.atlassian.net/browse/BIT-1434 [2] BIT-1432 https://bro-tracker.atlassian.net/browse/BIT-1432 [3] Pull Request #37 https://github.com/bro/bro/pull/37 [4] albertzaharovits https://github.com/albertzaharovits [5] Merge Pull Request #37 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [6] Pull Request #36 https://github.com/bro/bro/pull/36 [7] jswaro https://github.com/jswaro [8] Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support [9] Pull Request #35 https://github.com/bro/bro/pull/35 [10] J-Gras https://github.com/J-Gras [11] Merge Pull Request #35 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/flash-detection [12] Pull Request #5 https://github.com/bro/bro-plugins/pull/5 [13] jswaro https://github.com/jswaro [14] Merge Pull Request #5 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin [15] Pull Request #3 https://github.com/bro/bro-plugins/pull/3 [16] albertzaharovits https://github.com/albertzaharovits [17] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master [18] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [19] cardigliano https://github.com/cardigliano [20] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support From jira at bro-tracker.atlassian.net Mon Jul 27 06:14:00 
2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Mon, 27 Jul 2015 08:14:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1432) BroControl config reloading In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Justin Azoff updated BIT-1432: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > BroControl config reloading > --------------------------- > > Key: BIT-1432 > URL: https://bro-tracker.atlassian.net/browse/BIT-1432 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Assignee: Justin Azoff > Fix For: 2.5 > > > Currently, if the BroControl config (node.cfg or broctl.cfg) changes while > the interactive broctl shell is running, then a user must exit broctl > and re-run broctl in order for broctl to notice the new config. > BroControl should check if the config has changed each time a > broctl command runs, and issue a warning if it detects a change. > In addition, the "deploy" command should be smart enough to > notice this and automatically reload the configuration. 
-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Mon Jul 27 06:14:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Mon, 27 Jul 2015 08:14:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1434) Broctl top output broken In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1434?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Justin Azoff updated BIT-1434: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > Broctl top output broken > ------------------------ > > Key: BIT-1434 > URL: https://bro-tracker.atlassian.net/browse/BIT-1434 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: 2.4 > Reporter: Johanna Amann > Assignee: Justin Azoff > Fix For: 2.5 > > > BroControl top output is broken on one host for me. > Output looks like (note the cmd column) > {quote} > [johanna ~/install-master/share/bro/site]$ broctl top > Name Type Host Pid Proc VSize Rss Cpu Cmd > manager manager localhost 57267 parent 252M 112M 4% bro > manager manager localhost 57269 child 136M 48M 0% bro > proxy-1 proxy localhost 57304 parent 80M 45M 0% bro > proxy-1 proxy localhost 57306 child 136M 45M 0% bro > worker-1-1 worker localhost 57397 parent 489M 455M 19% bro > worker-1-1 worker localhost 57967 child 409M 44M 0% bro > worker-1-10 worker localhost 57412 parent 489M 454M 0% 15.38% > worker-1-10 worker localhost 57826 child 409M 44M 0% bro > worker-1-11 worker localhost 57417 parent 485M 453M 0% 10.60% > worker-1-11 worker localhost 57868 child 409M 44M 0% bro > worker-1-12 worker localhost 57426 parent 489M 457M 10% bro > worker-1-12 worker localhost 57968 child 409M 44M 0% bro > worker-1-13 worker localhost 57432 parent 489M 456M 0% 9.08% > worker-1-13 worker localhost 57971 child 409M 44M 0% bro > worker-1-14 worker localhost 57442 parent 485M 453M 0% 11.67% > worker-1-14 
worker localhost 57969 child 409M 44M 0% bro
> worker-1-15 worker localhost 57461 parent 489M 457M 0% 11.57%
> {quote}
> The operating system is FreeBSD 9.3. Node.cfg is:
> {quote}
> [manager]
> type=manager
> host=localhost
> [worker-1]
> type=worker
> host=localhost
> interface=myri0
> lb_method=myricom
> lb_procs=20
> [proxy-1]
> type=proxy
> host=localhost
> {quote}

--
This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Mon Jul 27 07:18:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Mon, 27 Jul 2015 09:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1431) Loss of information due to analyzer capitalization changes
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21409#comment-21409 ]

Justin Azoff commented on BIT-1431:
-----------------------------------

Here's another simple use-case (that I remember from an IRC discussion). Someone runs an HTTP service and is trying to identify certain clients. A bad actor is spoofing a valid user agent, but a capture shows they are sending "user-Agent:" vs. "User-Agent:" in the HTTP header. Since Bro normalizes the header, it is not possible to identify this client.

> Loss of information due to analyzer capitalization changes
> ----------------------------------------------------------
>
> Key: BIT-1431
> URL: https://bro-tracker.atlassian.net/browse/BIT-1431
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.5
> Reporter: Seth Hall
>
> Currently some of Bro's analyzers are changing the case of data before passing it along to events, which is a fairly dramatic loss of information in some cases.
> The two known examples right now are the query in DNS (lowercased) and the header field name in HTTP (uppercased).
The question is if we should brute force change these to stop modifying the original values and have people fix any scripts that it breaks (watching for header value names is the biggie here) or if we should use some alternate mechanism to allow the existing behavior to have a sundown time period. > I say we should just break it since the quantity of existing scripts in the world is still fairly small and the number of scripts that it affects is even less (many scripts won't be affected at all). -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Mon Jul 27 11:30:01 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Mon, 27 Jul 2015 13:30:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1437) broctl doesn't handle a missing broctl-config.sh well In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21410#comment-21410 ] Daniel Thayer commented on BIT-1437: ------------------------------------ Justin, I looked at your fix and it looks good. It allows broctl to create the symlink in case it ever gets deleted, which makes sense because broctl already had the ability to modify the target of the symlink (if a config change caused the target to be in a new location). If you're done with this branch, please do a merge request and I'll merge it. > broctl doesn't handle a missing broctl-config.sh well > ----------------------------------------------------- > > Key: BIT-1437 > URL: https://bro-tracker.atlassian.net/browse/BIT-1437 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: git/master > Reporter: Justin Azoff > Assignee: Daniel Thayer > > On a few install from homebrew, this happens: > {code} > [BroControl] > install > removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/site ... 
> removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/auto ... > creating policy directories ... > installing site policies ... > generating standalone-layout.bro ... > generating local-networks.bro ... > generating broctl-config.bro ... > generating broctl-config.sh ... > Error: failed to resolve symlink '/usr/local/Cellar/bro/2.4/share/broctl/scripts/broctl-config.sh': No such file or directory > {code} > Broctl assumes that broctl-config.sh will always exist. Apparently the other binary bro packages have workarounds to ship an initially broken symlink for this file. We could probably work around this for homebrew, but I think I have a fix that will just ignore a missing file initially. -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From noreply at bro.org Tue Jul 28 00:00:24 2015 From: noreply at bro.org (Merge Tracker) Date: Tue, 28 Jul 2015 00:00:24 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507280700.t6S70OFv022732@bro-ids.icir.org> Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- --------------------- ---------- ---------------------------------------------------------------------------------- #37 [1] bro albertzaharovits [2] 2015-07-26 [BIT-1429] The SMTP logs should include CC: addresses as well as To: addresses [3] #36 [4] bro jswaro [5] 2015-07-27 Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [6] #35 [7] bro J-Gras [8] 2015-07-27 Updated detection of Flash and AdobeAIR. 
[9] #5 [10] bro-plugins jswaro [11] 2015-07-26 Adding initial conversion of TCPRS to a plugin [12] #3 [13] bro-plugins albertzaharovits [14] 2015-07-17 Redis Log Writer [15] #2 [16] bro-plugins cardigliano [17] 2015-07-27 Native pf ring support [18] [1] Pull Request #37 https://github.com/bro/bro/pull/37 [2] albertzaharovits https://github.com/albertzaharovits [3] Merge Pull Request #37 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [4] Pull Request #36 https://github.com/bro/bro/pull/36 [5] jswaro https://github.com/jswaro [6] Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support [7] Pull Request #35 https://github.com/bro/bro/pull/35 [8] J-Gras https://github.com/J-Gras [9] Merge Pull Request #35 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/flash-detection [10] Pull Request #5 https://github.com/bro/bro-plugins/pull/5 [11] jswaro https://github.com/jswaro [12] Merge Pull Request #5 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin [13] Pull Request #3 https://github.com/bro/bro-plugins/pull/3 [14] albertzaharovits https://github.com/albertzaharovits [15] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master [16] Pull Request #2 https://github.com/bro/bro-plugins/pull/2 [17] cardigliano https://github.com/cardigliano [18] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/cardigliano/bro-plugins.git native-pf_ring-support From noreply at bro.org Wed Jul 29 00:00:25 2015 From: noreply at bro.org (Merge Tracker) Date: Wed, 29 Jul 2015 00:00:25 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507290700.t6T70PS5010901@bro-ids.icir.org> Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- 
--------------------- ---------- ---------------------------------------------------------------------------------- #37 [1] bro albertzaharovits [2] 2015-07-28 [BIT-1429] The SMTP logs should include CC: addresses as well as To: addresses [3] #36 [4] bro jswaro [5] 2015-07-27 Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [6] #35 [7] bro J-Gras [8] 2015-07-28 Updated detection of Flash and AdobeAIR. [9] #5 [10] bro-plugins jswaro [11] 2015-07-26 Adding initial conversion of TCPRS to a plugin [12] #3 [13] bro-plugins albertzaharovits [14] 2015-07-17 Redis Log Writer [15] [1] Pull Request #37 https://github.com/bro/bro/pull/37 [2] albertzaharovits https://github.com/albertzaharovits [3] Merge Pull Request #37 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [4] Pull Request #36 https://github.com/bro/bro/pull/36 [5] jswaro https://github.com/jswaro [6] Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support [7] Pull Request #35 https://github.com/bro/bro/pull/35 [8] J-Gras https://github.com/J-Gras [9] Merge Pull Request #35 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/flash-detection [10] Pull Request #5 https://github.com/bro/bro-plugins/pull/5 [11] jswaro https://github.com/jswaro [12] Merge Pull Request #5 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin [13] Pull Request #3 https://github.com/bro/bro-plugins/pull/3 [14] albertzaharovits https://github.com/albertzaharovits [15] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master From jira at bro-tracker.atlassian.net Wed Jul 29 12:17:00 2015 From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Wed, 29 Jul 2015 14:17:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1437) broctl doesn't handle a missing 
broctl-config.sh well In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Justin Azoff updated BIT-1437: ------------------------------ Status: Merge Request (was: Open) Assignee: (was: Daniel Thayer) > broctl doesn't handle a missing broctl-config.sh well > ----------------------------------------------------- > > Key: BIT-1437 > URL: https://bro-tracker.atlassian.net/browse/BIT-1437 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: git/master > Reporter: Justin Azoff > > On a few install from homebrew, this happens: > {code} > [BroControl] > install > removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/site ... > removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/auto ... > creating policy directories ... > installing site policies ... > generating standalone-layout.bro ... > generating local-networks.bro ... > generating broctl-config.bro ... > generating broctl-config.sh ... > Error: failed to resolve symlink '/usr/local/Cellar/bro/2.4/share/broctl/scripts/broctl-config.sh': No such file or directory > {code} > Broctl assumes that broctl-config.sh will always exist. Apparently the other binary bro packages have workarounds to ship an initially broken symlink for this file. We could probably work around this for homebrew, but I think I have a fix that will just ignore a missing file initially. 
-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Wed Jul 29 13:49:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Wed, 29 Jul 2015 15:49:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1437) broctl doesn't handle a missing broctl-config.sh well In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1437: ------------------------------- Assignee: Daniel Thayer Fix Version/s: 2.5 Status: Closed (was: Merge Request) > broctl doesn't handle a missing broctl-config.sh well > ----------------------------------------------------- > > Key: BIT-1437 > URL: https://bro-tracker.atlassian.net/browse/BIT-1437 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: git/master > Reporter: Justin Azoff > Assignee: Daniel Thayer > Fix For: 2.5 > > > On a few install from homebrew, this happens: > {code} > [BroControl] > install > removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/site ... > removing old policies in /usr/local/Cellar/bro/2.4/spool/installed-scripts-do-not-touch/auto ... > creating policy directories ... > installing site policies ... > generating standalone-layout.bro ... > generating local-networks.bro ... > generating broctl-config.bro ... > generating broctl-config.sh ... > Error: failed to resolve symlink '/usr/local/Cellar/bro/2.4/share/broctl/scripts/broctl-config.sh': No such file or directory > {code} > Broctl assumes that broctl-config.sh will always exist. Apparently the other binary bro packages have workarounds to ship an initially broken symlink for this file. We could probably work around this for homebrew, but I think I have a fix that will just ignore a missing file initially. 
-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Wed Jul 29 13:59:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Wed, 29 Jul 2015 15:59:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1433) Broctl check gives errors after install In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21411#comment-21411 ] Daniel Thayer commented on BIT-1433: ------------------------------------ In addition to the "check" command, there were a number of other commands that produced similar error messages. This issue has been fixed as part of the changes in BIT-1432 (BroControl config reloading). > Broctl check gives errors after install > --------------------------------------- > > Key: BIT-1433 > URL: https://bro-tracker.atlassian.net/browse/BIT-1433 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: 2.5 > Reporter: Johanna Amann > Fix For: 2.5 > > > running a broctl check after a fresh installation before the first install is issued leads to ugly error messages: > {quote} > [johanna ~/install-master/etc]$ broctl > Hint: Run the broctl "deploy" command to get started. > Welcome to BroControl 1.4 > Type "help" for help. > [BroControl] > check > manager scripts failed. > /home/johanna/install-master/share/broctl/scripts/check-config: line 18: /home/johanna/install-master/share/broctl/scripts/broctl-config.sh: No such file or directory > /home/johanna/install-master/share/broctl/scripts/check-config: line 25: /set-bro-path: No such file or directory > proxy-1 scripts failed. > /home/johanna/install-master/share/broctl/scripts/check-config: line 18: /home/johanna/install-master/share/broctl/scripts/broctl-config.sh: No such file or directory > ... 
> {quote} -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Wed Jul 29 14:00:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Wed, 29 Jul 2015 16:00:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1433) Broctl check gives errors after install In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1433: ------------------------------- Resolution: Fixed Status: Closed (was: Open) > Broctl check gives errors after install > --------------------------------------- > > Key: BIT-1433 > URL: https://bro-tracker.atlassian.net/browse/BIT-1433 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: 2.5 > Reporter: Johanna Amann > Fix For: 2.5 > > > running a broctl check after a fresh installation before the first install is issued leads to ugly error messages: > {quote} > [johanna ~/install-master/etc]$ broctl > Hint: Run the broctl "deploy" command to get started. > Welcome to BroControl 1.4 > Type "help" for help. > [BroControl] > check > manager scripts failed. > /home/johanna/install-master/share/broctl/scripts/check-config: line 18: /home/johanna/install-master/share/broctl/scripts/broctl-config.sh: No such file or directory > /home/johanna/install-master/share/broctl/scripts/check-config: line 25: /set-bro-path: No such file or directory > proxy-1 scripts failed. > /home/johanna/install-master/share/broctl/scripts/check-config: line 18: /home/johanna/install-master/share/broctl/scripts/broctl-config.sh: No such file or directory > ... 
> {quote} -- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From noreply at bro.org Thu Jul 30 00:00:20 2015 From: noreply at bro.org (Merge Tracker) Date: Thu, 30 Jul 2015 00:00:20 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201507300700.t6U70KUc025422@bro-ids.icir.org> Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- --------------------- ---------- ---------------------------------------------------------------------------------- #37 [1] bro albertzaharovits [2] 2015-07-28 [BIT-1429] The SMTP logs should include CC: addresses as well as To: addresses [3] #36 [4] bro jswaro [5] 2015-07-27 Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [6] #35 [7] bro J-Gras [8] 2015-07-29 Updated detection of Flash and AdobeAIR. [9] #5 [10] bro-plugins jswaro [11] 2015-07-26 Adding initial conversion of TCPRS to a plugin [12] #3 [13] bro-plugins albertzaharovits [14] 2015-07-17 Redis Log Writer [15] [1] Pull Request #37 https://github.com/bro/bro/pull/37 [2] albertzaharovits https://github.com/albertzaharovits [3] Merge Pull Request #37 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [4] Pull Request #36 https://github.com/bro/bro/pull/36 [5] jswaro https://github.com/jswaro [6] Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support [7] Pull Request #35 https://github.com/bro/bro/pull/35 [8] J-Gras https://github.com/J-Gras [9] Merge Pull Request #35 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/flash-detection [10] Pull Request #5 https://github.com/bro/bro-plugins/pull/5 [11] jswaro https://github.com/jswaro [12] Merge Pull Request #5 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin [13] Pull Request #3 https://github.com/bro/bro-plugins/pull/3 [14] 
albertzaharovits https://github.com/albertzaharovits
[15] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master

From ray321478965 at gmail.com Thu Jul 30 08:49:36 2015
From: ray321478965 at gmail.com (Fun Ray)
Date: Thu, 30 Jul 2015 23:49:36 +0800
Subject: [Bro-Dev] Developing a simplified Bro IDS
Message-ID:

Hi!

I'm trying to develop a simplified Bro IDS on ClickOS. Can anyone help me to identify some of the core source code that is about the event engine and script interpreter?

Thanks!
Ray

From jira at bro-tracker.atlassian.net Thu Jul 30 11:14:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 30 Jul 2015 13:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1439) bro-cut segfaults for some invalid logs
In-Reply-To:
References:
Message-ID:

Daniel Thayer created BIT-1439:
----------------------------------

Summary: bro-cut segfaults for some invalid logs
Key: BIT-1439
URL: https://bro-tracker.atlassian.net/browse/BIT-1439
Project: Bro Issue Tracker
Issue Type: Problem
Components: bro-aux
Reporter: Daniel Thayer
Fix For: 2.5

Justin was testing bro-cut and found a few cases where an invalid log file could trigger a segfault.
-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007) From jira at bro-tracker.atlassian.net Thu Jul 30 11:16:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 30 Jul 2015 13:16:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1439) bro-cut segfaults for some invalid logs In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1439?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21412#comment-21412 ] Daniel Thayer commented on BIT-1439: ------------------------------------ Branch topic/jazoff/bro-cut-crash-fixes in the bro-aux git repo contains fixes and also some new test cases. I also added a few more fixes for a few obscure bugs. > bro-cut segfaults for some invalid logs > --------------------------------------- > > Key: BIT-1439 > URL: https://bro-tracker.atlassian.net/browse/BIT-1439 > Project: Bro Issue Tracker > Issue Type: Problem > Components: bro-aux > Reporter: Daniel Thayer > Fix For: 2.5 > > > Justin was testing bro-cut and found a few cases where an invalid log file > could trigger a segfault. 
-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Thu Jul 30 11:16:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 30 Jul 2015 13:16:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1439) bro-cut segfaults for some invalid logs
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1439:
-------------------------------
Status: Merge Request (was: Open)

> bro-cut segfaults for some invalid logs
> ---------------------------------------
>
> Key: BIT-1439
> URL: https://bro-tracker.atlassian.net/browse/BIT-1439
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: bro-aux
> Reporter: Daniel Thayer
> Fix For: 2.5
>
>
> Justin was testing bro-cut and found a few cases where an invalid log file
> could trigger a segfault.

-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From noreply at bro.org Fri Jul 31 00:00:19 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 31 Jul 2015 00:00:19 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201507310700.t6V70Jxx024896@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee    Updated     For Version    Priority    Summary
------------  -----------  -------------  ----------  ----------  -------------  ----------  ---------------------------------------
BIT-1439 [1]  bro-aux      Daniel Thayer  -           2015-07-30  2.5            Normal      bro-cut segfaults for some invalid logs

Open GitHub Pull Requests
=========================

Issue    Component    User                   Updated     Title
-------  -----------  ---------------------  ----------  ----------------------------------------------------------------------------------
#37 [2]  bro          albertzaharovits [3]   2015-07-28  [BIT-1429] The SMTP logs should include CC: addresses as well as To: addresses [4]
#36 [5]  bro          jswaro [6]             2015-07-27  Add hook 'HookAddToAnalyzerTree' to support TCPRS plugin [7]
#5 [8]   bro-plugins  jswaro [9]             2015-07-26  Adding initial conversion of TCPRS to a plugin [10]
#3 [11]  bro-plugins  albertzaharovits [12]  2015-07-17  Redis Log Writer [13]

[1] BIT-1439 https://bro-tracker.atlassian.net/browse/BIT-1439
[2] Pull Request #37 https://github.com/bro/bro/pull/37
[3] albertzaharovits https://github.com/albertzaharovits
[4] Merge Pull Request #37 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[5] Pull Request #36 https://github.com/bro/bro/pull/36
[6] jswaro https://github.com/jswaro
[7] Merge Pull Request #36 with git pull --no-ff --no-commit https://github.com/jswaro/bro.git topic/jswaro/feature/HookAddToAnalyzer-tcprs-support
[8] Pull Request #5 https://github.com/bro/bro-plugins/pull/5
[9] jswaro https://github.com/jswaro
[10] Merge Pull Request #5 with git pull --no-ff --no-commit https://github.com/jswaro/bro-plugins.git topic/jswaro/feature/initial-tcprs-plugin
[11] Pull Request #3 https://github.com/bro/bro-plugins/pull/3
[12] albertzaharovits https://github.com/albertzaharovits
[13] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro-plugins.git master

From jira at bro-tracker.atlassian.net Fri Jul 31 12:47:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 31 Jul 2015 14:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1440) Remove perl from list of Bro build dependencies
In-Reply-To:
References:
Message-ID:

Daniel Thayer created BIT-1440:
----------------------------------
Summary: Remove perl from list of Bro build dependencies
Key: BIT-1440
URL: https://bro-tracker.atlassian.net/browse/BIT-1440
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Daniel Thayer
Fix For: 2.5

Currently, perl is required to build Bro due to one small perl script. Since that script doesn't rely on any special features of perl, it can easily be rewritten to avoid the dependency on perl. This is mostly relevant for FreeBSD, where perl is not installed by default.

-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Fri Jul 31 13:06:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 31 Jul 2015 15:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1440) Remove perl from list of Bro build dependencies
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1440?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1440:
-------------------------------
Status: Merge Request (was: Open)

> Remove perl from list of Bro build dependencies
> -----------------------------------------------
>
> Key: BIT-1440
> URL: https://bro-tracker.atlassian.net/browse/BIT-1440
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Daniel Thayer
> Fix For: 2.5
>
>
> Currently, perl is required to build Bro due to one small perl script.
> Since that script doesn't rely on any special features of perl, it can
> easily be rewritten to avoid the dependency on perl. This is mostly
> relevant for FreeBSD, where perl is not installed by default.

-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)

From jira at bro-tracker.atlassian.net Fri Jul 31 13:06:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 31 Jul 2015 15:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1440) Remove perl from list of Bro build dependencies
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21413#comment-21413 ]

Daniel Thayer commented on BIT-1440:
------------------------------------
Branch topic/dnthayer/ticket1440 in the bro git repo contains the necessary changes.

> Remove perl from list of Bro build dependencies
> -----------------------------------------------
>
> Key: BIT-1440
> URL: https://bro-tracker.atlassian.net/browse/BIT-1440
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Daniel Thayer
> Fix For: 2.5
>
>
> Currently, perl is required to build Bro due to one small perl script.
> Since that script doesn't rely on any special features of perl, it can
> easily be rewritten to avoid the dependency on perl. This is mostly
> relevant for FreeBSD, where perl is not installed by default.

-- This message was sent by Atlassian JIRA (v6.5-OD-08-001#65007)