From noreply at bro.org Sun Mar 1 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 1 Mar 2015 00:00:21 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503010800.t2180LAZ001950@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version  Priority  Summary
------------  -----------  -------------  ------------  ----------  -----------  --------  ------------------------------------------------------------------------
BIT-1322 [1]  BTest        Daniel Thayer  -             2015-02-26  2.4          Normal    btest should warn when using -T option but cannot create timing baseline
BIT-1321 [2]  Bro          Johanna Amann  -             2015-02-25  2.4          Normal    Merge topic/johanna/ssl-policy
BIT-1320 [3]  BroControl   Daniel Thayer  -             2015-02-27  2.4          Normal    topic/jazoff/broctld [4]
BIT-1319 [5]  Bro          Jon Siwek      Robin Sommer  2015-02-27  2.4          Normal    topic/jsiwek/broker [6]
BIT-1270 [7]  Bro          gclark         gclark        2015-02-22  -            Normal    topic/gilbert/plugin-api-tweak [8]

Open GitHub Pull Requests
=========================

Issue     Component    User            Updated     Title
--------  -----------  --------------  ----------  ---------------------------------------------------------
#25 [9]   bro          eunsilhan [10]  2015-02-24  Topic/jshlbrd/rdp [11]
#24 [12]  bro          msmiley [13]    2015-02-24  add bytes_recvd to Stats and stats.bro for reporting [14]

[1]  BIT-1322          https://bro-tracker.atlassian.net/browse/BIT-1322
[2]  BIT-1321          https://bro-tracker.atlassian.net/browse/BIT-1321
[3]  BIT-1320          https://bro-tracker.atlassian.net/browse/BIT-1320
[4]  broctld           https://github.com/bro/brocontrol/tree/topic/jazoff/broctld
[5]  BIT-1319          https://bro-tracker.atlassian.net/browse/BIT-1319
[6]  broker            https://github.com/bro/bro/tree/topic/jsiwek/broker
[7]  BIT-1270          https://bro-tracker.atlassian.net/browse/BIT-1270
[8]  plugin-api-tweak  https://github.com/bro/bro/tree/topic/gilbert/plugin-api-tweak
[9]  Pull Request #25  https://github.com/bro/bro/pull/25
[10] eunsilhan         https://github.com/eunsilhan
[11] Merge Pull Request #25 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp
[12] Pull Request #24  https://github.com/bro/bro/pull/24
[13] msmiley           https://github.com/msmiley
[14] Merge Pull Request #24 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git stats-bytes-recvd

From noreply at bro.org Mon Mar 2 00:00:27 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 2 Mar 2015 00:00:27 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503020800.t2280RE2001449@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version  Priority  Summary
------------  -----------  -------------  ------------  ----------  -----------  --------  ------------------------------------------------------------------------
BIT-1322 [1]  BTest        Daniel Thayer  -             2015-02-26  2.4          Normal    btest should warn when using -T option but cannot create timing baseline
BIT-1321 [2]  Bro          Johanna Amann  -             2015-02-25  2.4          Normal    Merge topic/johanna/ssl-policy
BIT-1320 [3]  BroControl   Daniel Thayer  -             2015-02-27  2.4          Normal    topic/jazoff/broctld [4]
BIT-1319 [5]  Bro          Jon Siwek      Robin Sommer  2015-02-27  2.4          Normal    topic/jsiwek/broker [6]
BIT-1270 [7]  Bro          gclark         gclark        2015-02-22  -            Normal    topic/gilbert/plugin-api-tweak [8]

Open GitHub Pull Requests
=========================

Issue     Component    User            Updated     Title
--------  -----------  --------------  ----------  ---------------------------------------------------------
#25 [9]   bro          eunsilhan [10]  2015-02-24  Topic/jshlbrd/rdp [11]
#24 [12]  bro          msmiley [13]    2015-02-24  add bytes_recvd to Stats and stats.bro for reporting [14]

[1]  BIT-1322          https://bro-tracker.atlassian.net/browse/BIT-1322
[2]  BIT-1321          https://bro-tracker.atlassian.net/browse/BIT-1321
[3]  BIT-1320          https://bro-tracker.atlassian.net/browse/BIT-1320
[4]  broctld           https://github.com/bro/brocontrol/tree/topic/jazoff/broctld
[5]  BIT-1319          https://bro-tracker.atlassian.net/browse/BIT-1319
[6]  broker            https://github.com/bro/bro/tree/topic/jsiwek/broker
[7]  BIT-1270          https://bro-tracker.atlassian.net/browse/BIT-1270
[8]  plugin-api-tweak  https://github.com/bro/bro/tree/topic/gilbert/plugin-api-tweak
[9]  Pull Request #25  https://github.com/bro/bro/pull/25
[10] eunsilhan         https://github.com/eunsilhan
[11] Merge Pull Request #25 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp
[12] Pull Request #24  https://github.com/bro/bro/pull/24
[13] msmiley           https://github.com/msmiley
[14] Merge Pull Request #24 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git stats-bytes-recvd

From jira at bro-tracker.atlassian.net Mon Mar 2 11:27:01 2015
From: jira at bro-tracker.atlassian.net (Aashish Sharma (JIRA))
Date: Mon, 2 Mar 2015 13:27:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19900#comment-19900 ]

Aashish Sharma commented on BIT-1306:
-------------------------------------

Yes, we spent a good deal of time with myricom on this issue. The problem wasn't myricom but bro master (at least specifically 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f). The same drivers run fine with bro-2.2 and bro-2.3.2.

Aashish

> bro process would get stuck/freeze with myricom drivers
> -------------------------------------------------------
>
> Key: BIT-1306
> URL: https://bro-tracker.atlassian.net/browse/BIT-1306
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Environment: OS: FreeBSD 9.3-RELEASE-p5 OS
> bro version 2.3-328
> git log -1 --format="%H"
> 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
> Reporter: Aashish Sharma
> Labels: bro-git, myricom
>
> When I stop bro (in cluster mode), one of the bro worker processes (random) would get stuck and wouldn't shutdown, stop or even be killed using kill -s 9.
> The system has to be ultimately rebooted to remove the stuck bro process.
> On running myri_start_stop I see:
> # /usr/local/opt/snf/sbin/myri_start_stop stop
> Removing myri_snf.ko
> kldunload: can't unload file: Device busy
> It appears that the myri_snf.ko driver cannot be unloaded because of the stuck bro process. That process still has an open descriptor on the Sniffer device/driver and the bro process freezes.
> More details:
> The bro process is stuck in RNE state
> R Marks a runnable process.
> N The process has reduced CPU scheduling priority (see setpriority(2)).
> E The process is trying to exit.
> Here is an example:
> ### stuck process:
> [bro at 01 ~]$ ps auxwww | fgrep 1616
> bro 1616 100.0 0.0 758040 60480 ?? RNE 2:57PM 53:50.04 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
> #### when checking for the process in proc:
> [bro at c ~]$ ls -l /proc/1616
> ls: /proc/1616: No such file or directory

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Mon Mar 2 11:42:00 2015
From: jira at bro-tracker.atlassian.net (Aashish Sharma (JIRA))
Date: Mon, 2 Mar 2015 13:42:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1182) Input-framework thread spwan
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19901#comment-19901 ]

Aashish Sharma commented on BIT-1182:
-------------------------------------

(Mostly FYI) I encountered this issue again, while feeding a file with 30-40,000 IPs where about 10K or so change periodically.

In FreeBSD, bro would die because of the limit of 1500 on kern.threads.max_threads_per_proc.

After changing kern.threads.max_threads_per_proc=12000, bro runs and doesn't die, but won't log until the input-framework events are finished!

> Input-framework thread spwan
> ----------------------------
>
> Key: BIT-1182
> URL: https://bro-tracker.atlassian.net/browse/BIT-1182
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.2
> Reporter: Aashish Sharma
> Labels: input-framework
>
> Using the mode REREAD, I noticed that the input framework spawns a thread for every add/change/delete of the elements in the feed file.
> This is a VERY desired feature and powerful capability and works quite well in general settings.
> Since all the changes in a file spawn a thread to process EVENT_NEW, EVENT_CHANGED, EVENT_REMOVED, if there are, let's say, 5000 changes in the file, there would be 5000 threads spawned at the same time. This is still alright: the system can handle the load and processing is done in a few seconds.
> However, if I include a when statement along with exec framework usage to execute an action in Input::EVENT_NEW, Input::EVENT_CHANGED or Input::EVENT_REMOVED, all threads spawned together freeze bro from processing any packets at all.
> It would be nice if we could serialize this thread creation and spawn only a few at a time. This way we can spread out the increased load over the next N mins instead of freezing bro to a standstill.
> (As always, please let me know if you want code to be able to reproduce this issue.)

From jira at bro-tracker.atlassian.net Mon Mar 2 17:23:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 2 Mar 2015 19:23:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1320:
---------------------------------

Assignee: Robin Sommer

> topic/jazoff/broctld
> --------------------
>
> Key: BIT-1320
> URL: https://bro-tracker.atlassian.net/browse/BIT-1320
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Daniel Thayer
> Assignee: Robin Sommer
> Fix For: 2.4
>
>
> Branch topic/jazoff/broctld in the broctl repo contains significant code reorganization
> for the upcoming broctld. Here is a high-level list of changes:
> 1) Refactor broctl to make it usable as a library (reduce global state, module-level setup code, and functions return results instead of printing),
> 2) Integrate ssh_runner code into broctl to fix current problems (use only one connection per host instead of one per Bro node, broctl shouldn't hang when a host goes down or if we forgot to run "broctl install"),
> 3) Write state info using SQLite state storage instead of writing to a plain text file (broctl.dat),
> 4) When the node config changes, we now do additional checks if there are any Bro nodes running that are no longer in our node config and warn the user if any are detected,
> 5) Keep track of the expected state (running or stopped) of each Bro node, and have broctl cron start or stop nodes as needed,
> 6) Improved broctl cron by adding two new options (MailHostUpDown and StatsLogEnable) to give users the option to turn off unwanted functionality to speed up broctl cron and reduce the chance of errors,
> 7) When broctl cron tries to send email but fails, it will now output a message that includes the text it was trying to mail,
> 8) Silence warning messages (that are intended for interactive use of broctl) when broctl cron runs to reduce unwanted emails from cron,
> 9) Added new broctl option StatusCmdShowAll to enable users to speed up "broctl status" significantly,
> 10) Fixed the stats-to-csv script to not create files that can never include any data,
> 11) Fixed the archive-log script to detect the exit status of the gzip or cp command, so that we don't delete the log file when the archival fails,
> 12) Improved the post-terminate script to process log files more consistently,
> 13) Made all broctl command output go to stdout (previously, some output would go to stderr, which made grepping or redirecting the output more difficult),
> 14) Improved the default broctl.cfg file to show more of the useful options,
> 15) Added more error checks to help catch errors earlier,
> 16) Some error message output is more specific and helpful now

From jira at bro-tracker.atlassian.net Mon Mar 2 18:18:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 2 Mar 2015 20:18:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19902#comment-19902 ]

Robin Sommer commented on BIT-1319:
-----------------------------------

Merged. Looked primarily at the Bro parts; it's nice to see this all fitting in without too much surgery, seems the interface is right. I have a few smaller points and some broader thoughts/questions:

- cmake/RequireCXX11.cmake says: {{TODO: don't seem to be any great/easy ways to get a clang version string.}} Isn't that as easy as: {{clang --version | grep ^clang | cut -d ' ' -f 3}} ?

- in the Bro docs for the Broker interface, I think it would be helpful to revert the order of the consumer/producer examples to show producer/consumer instead. In particular for the Store example, it took me a bit to realize some missing context is really in the 2nd script.

- {{Store::create_clone("name")}}: I'm not quite sure how to interpret this in terms of which peer this goes out to: is it cloning any store of that name, independent of the peer? What if two peers both happen to have a store with that name? Should the function explicitly specify the peer instead?

- two tests don't terminate for me (the 2nd one I have to kill, presumably because it doesn't use btest-bg-wait)

{code}
[  0%] comm.clone_store ... failed
  % 'btest-bg-wait 20' failed unexpectedly (exit code 1)
  % cat .stderr
  The following processes did not terminate:
    bro -b ../clone.bro broker_port=9999/tcp >clone.out
    bro -b ../master.bro broker_port=9999/tcp >master.out
  -----------
  <<< [906] bro -b ../clone.bro broker_port=9999/tcp >clone.out
  , line 1: received termination signal
  >>>
  <<< [985] bro -b ../master.bro broker_port=9999/tcp >master.out
  , line 1: received termination signal
  >>>
[ 33%] comm.master_store ...^C
{code}

- I was wondering about namespaces for the broker parts, both script-land and C++. I'm kind of inclined to just call it {{Broker}}, and maybe {{BrokerComm}} and {{BrokerStore}} in script-land. That way it's clear what it's about. The script framework would then also become {{broker}}.

- The script API for the Store looks a bit cumbersome to use, because of the async interface through when. Could we add sync versions of the various functions that just go to the local cache? Or does that not work architecturally with how the communication between Bro/Broker/CAF is structured?

- I also wondered about this: {{Comm::refine_to_string(Comm::vector_lookup(res$result, 0)));}} That also looks somewhat cumbersome, but I haven't further traced down yet what exactly is happening there.
> topic/jsiwek/broker
> -------------------
>
> Key: BIT-1319
> URL: https://bro-tracker.atlassian.net/browse/BIT-1319
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Assignee: Robin Sommer
> Fix For: 2.4
>
>
> The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker.
> Notes/Disclaimers/Caveats:
> - Bro has a --enable-broker configure flag.
> - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet
> - no Python bindings yet
> - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.

From jira at bro-tracker.atlassian.net Mon Mar 2 18:23:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 2 Mar 2015 20:23:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1319:
---------------------------------

Assignee: Jon Siwek (was: Robin Sommer)

> topic/jsiwek/broker
> -------------------
>
> Key: BIT-1319
> URL: https://bro-tracker.atlassian.net/browse/BIT-1319
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Assignee: Jon Siwek
> Fix For: 2.4
>
>
> The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker.
> Notes/Disclaimers/Caveats:
> - Bro has a --enable-broker configure flag.
> - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet
> - no Python bindings yet
> - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.

From jira at bro-tracker.atlassian.net Mon Mar 2 18:24:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 2 Mar 2015 20:24:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1270) topic/gilbert/plugin-api-tweak
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1270?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1270:
------------------------------

Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

> topic/gilbert/plugin-api-tweak
> ------------------------------
>
> Key: BIT-1270
> URL: https://bro-tracker.atlassian.net/browse/BIT-1270
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: gclark
> Assignee: gclark
>
> This branch makes a few changes to the API:
> * Wraps values in a simple class (ValWrapper) that includes an explicit processed / not processed flag (to avoid confusion with delayed / opaque invocations).
> * Adds a Frame argument to HookCallFunction
> * Adds support for Frame argument types to HookArgument
> * Adds support for ValWrapper argument types to HookArgument
> * Tweaks the plugin.hooks tests a bit to include new output (from the additional argument)
> * Tweaks the plugin.api-version-mismatch test to remove the explicit home directory path via a simple regex

From jira at bro-tracker.atlassian.net Mon Mar 2 18:24:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 2 Mar 2015 20:24:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1321) Merge topic/johanna/ssl-policy
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1321?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1321:
------------------------------

Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

> Merge topic/johanna/ssl-policy
> ------------------------------
>
> Key: BIT-1321
> URL: https://bro-tracker.atlassian.net/browse/BIT-1321
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Labels: ssl
> Fix For: 2.4
>
>
> Please merge topic/johanna/ssl-policy. It changes the TLS policy files and mainly adds the ability to alert when encountering old SSL versions & cipher suites that should no longer be used.

From jira at bro-tracker.atlassian.net Mon Mar 2 18:24:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 2 Mar 2015 20:24:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1322) btest should warn when using -T option but cannot create timing baseline
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1322?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1322:
------------------------------

Resolution: Merged (was: Fixed)
Status: Closed (was: Merge Request)

> btest should warn when using -T option but cannot create timing baseline
> ------------------------------------------------------------------------
>
> Key: BIT-1322
> URL: https://bro-tracker.atlassian.net/browse/BIT-1322
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Reporter: Daniel Thayer
> Fix For: 2.4
>
>
> When using "btest -T" on a system that cannot perform timing measurements there
> is no warning message to notify the user that the requested operation (create a timing
> baseline) cannot be performed. This is especially confusing on a Linux machine
> that has the "perf" command installed, but not other required components.
From noreply at bro.org Tue Mar 3 00:00:21 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 3 Mar 2015 00:00:21 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503030800.t2380L4l032053@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version  Priority  Summary
------------  -----------  -------------  ------------  ----------  -----------  --------  ------------------------
BIT-1320 [1]  BroControl   Daniel Thayer  Robin Sommer  2015-03-02  2.4          Normal    topic/jazoff/broctld [2]
BIT-1319 [3]  Bro          Jon Siwek      Jon Siwek     2015-03-02  2.4          Normal    topic/jsiwek/broker [4]

Open GitHub Pull Requests
=========================

Issue    Component    User           Updated     Title
-------  -----------  -------------  ----------  ---------------------------------------------------------
#25 [5]  bro          eunsilhan [6]  2015-02-24  Topic/jshlbrd/rdp [7]
#24 [8]  bro          msmiley [9]    2015-02-24  add bytes_recvd to Stats and stats.bro for reporting [10]

[1]  BIT-1320          https://bro-tracker.atlassian.net/browse/BIT-1320
[2]  broctld           https://github.com/bro/brocontrol/tree/topic/jazoff/broctld
[3]  BIT-1319          https://bro-tracker.atlassian.net/browse/BIT-1319
[4]  broker            https://github.com/bro/bro/tree/topic/jsiwek/broker
[5]  Pull Request #25  https://github.com/bro/bro/pull/25
[6]  eunsilhan         https://github.com/eunsilhan
[7]  Merge Pull Request #25 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp
[8]  Pull Request #24  https://github.com/bro/bro/pull/24
[9]  msmiley           https://github.com/msmiley
[10] Merge Pull Request #24 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git stats-bytes-recvd

From jira at bro-tracker.atlassian.net Tue Mar 3 11:06:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 3 Mar 2015 13:06:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19906#comment-19906 ]

Jon Siwek commented on BIT-1319:
--------------------------------

{quote}
cmake/RequireCXX11.cmake says: TODO: don't seem to be any great/easy ways to get a clang version string. Isn't that as easy as: clang --version | grep ^clang | cut -d ' ' -f 3 ?
{quote}

On mac:

$ clang --version
Apple LLVM version 6.0 (clang-600.0.56) (based on LLVM 3.5svn)

The suggested grep/cut doesn't work on that. I'm not that excited about parsing a version string whose format differs across platforms or maybe even across time just to give a nicer error message than a compilation failure. It's also not the common case: new versions of CMake will be able to directly supply compiler version information and I used that instead if it's available. I just want to avoid telling someone with a valid compiler that it won't work when it actually will.

{quote}
in the Bro docs for the Broker interface, I think it would be helpful to revert the order of the consumer/producer examples to show producer/consumer instead. In particular for the Store example, it took me a bit to realize some missing context is really in the 2nd script.
{quote}

Ok, I'll take a look. I organized it so the listen() side comes before the connect() side just to avoid adding the little extra complexity to the doc (or tests) to explain that the connect() side will do automatic reconnect attempts and emit warnings when it fails, but I wasn't thinking in terms of producer/consumer.

{quote}
Store::create_clone("name"): I'm not quite sure how to interpret this in terms of which peer this goes out to: is it cloning any store of that name, independent of the peer? What if two peers both happen to have a store with that name? Should the function explicitly specify the peer instead?
{quote}

Master data store names are meant to be unique, so the first peer who told us it has a store by that name wins. Any subsequent peers that try to register a store with the same name will fail and the error will show up in reporter.log. Maybe it's a bit clumsy to handle those types of error programmatically; it is technically possible, but I figure most of the time that will be the type of programmer error you debug and fix once, the first time you run new code. Don't think it would be hard to change it to Store::create_clone("name", peer) in order to require the master counterpart be located on the given peer, but maybe that just gives another chance for programmer error to slip in by specifying the wrong peer/endpoint?

{quote}
two tests don't terminate for me (the 2nd one I have to kill, presumably because it doesn't use btest-bg-wait)
[  0%] comm.clone_store ... failed
[ 33%] comm.master_store ...^C
{quote}

Thanks, I'll take a look.

{quote}
I was wondering about namespaces for the broker parts, both script-land and C++. I'm kind of inclined to just call it Broker, and maybe BrokerComm and BrokerStore in script-land. That way it's clear what it's about. The script framework would then also become broker.
{quote}

I don't have much preference. I went with the generic "comm" in case it ended up that the interface was good but the implementation was bad; then you could come up with yet another library to silently replace broker as if it never happened :). But maybe it's just clearer to have "broker" in the namespaces for users to make the right associations at the moment. So I'll switch to your naming suggestion unless there are other ideas.

{quote}
The script API for the Store looks a bit cumbersome to use, because of the async interface through when. Could we add sync versions of the various functions that just go to the local cache? Or does that not work architecturally with how the communication between Bro/Broker/CAF is structured?
{quote}

Blocking versions can be added, but some caution is still probably needed when using them because even though it goes to the local cache, queries are still processed via a queue of all other data store operations and I don't think there's a good way to tell what the current load is. So I think you could unknowingly block for longer than you'd want if the store is severely overloaded. I also think the "when" interface is a bit cumbersome, but maybe also "good habit". Let me know if you want the blocking version of the data store queries.

{quote}
I also wondered about this: Comm::refine_to_string(Comm::vector_lookup(res$result, 0))); That also looks somewhat cumbersome, but I haven't further traced down yet what exactly is happening there.
{quote}

Looks like a data store query returned a vector of strings and this is retrieving the first element of that, i.e. it's translating broker data types to bro data types. The two aren't similar enough to simply "cast" res$result to a ``vector of string`` (if we had a way to cast, or made one), e.g. broker vectors don't necessarily contain homogeneous data types.

> topic/jsiwek/broker
> -------------------
>
> Key: BIT-1319
> URL: https://bro-tracker.atlassian.net/browse/BIT-1319
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jon Siwek
> Assignee: Jon Siwek
> Fix For: 2.4
>
>
> The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker.
> Notes/Disclaimers/Caveats:
> - Bro has a --enable-broker configure flag.
> - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet
> - no Python bindings yet
> - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 3 16:29:01 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 3 Mar 2015 18:29:01 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1182) Input-framework thread spwan In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19907#comment-19907 ] Johanna Amann commented on BIT-1182: ------------------------------------ I am actually not sure if this is an input framework issue. The input framework does not spawn a new thread for each change in an input file. Instead, all the changes are serialized into events by a single input reader, which is responsible for the file. For 5,000 changed lines, this should be rather fast - it probably processes all changes in less then a second. If I understood everything correctly, things work as long as you do not use the exec framework. The problem here is actually that the exec framework spawns a thread for each execution that you want to perform (...because one input reader is spawned per execution...). As you get all change events near-simultaneously, all of them are spawned near-simultaneously - and I can see that leading to all kinds of problems. I am not quite sure what the best way to handle that is though. Throttling the number of events that the input framework sends should be possible -- however, I am not sure if it is desirable since it should usually work without too much troubles. You would run into the same problem if you try to spawn a lot of exec framework tasks because of some other event (e.g. a lot of network packets that trigger it at the same time). 
> Input-framework thread spawn
> ----------------------------
>
>                 Key: BIT-1182
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1182
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.2
>            Reporter: Aashish Sharma
>              Labels: input-framework
>
> Using the mode REREAD, I noticed that input-framework spawns a thread for every add/change/delete for the elements in the feed file. This is a VERY desired feature and powerful capability and works quite well in general settings.
>
> Since all the changes in a file spawn a thread to process EVENT_NEW, EVENT_CHANGED or EVENT_REMOVED, if there are, let's say, 5000 changes in the file, there would be 5000 threads spawned at the same time. This is still alright, the system can handle the load and processing is done in a few seconds.
>
> However, if I include a when statement along with exec framework usage to execute an action in Input::EVENT_NEW, Input::EVENT_CHANGED or Input::EVENT_REMOVED - all threads spawned together freeze bro from processing any packets at all.
>
> It would be nice if we can serialize this thread creation and spawn only a few at a time. This way we can spread out the increased load over the next N mins instead of freezing bro to a standstill.
>
> (As always, please let me know if you want code to be able to reproduce this issue.)

From jira at bro-tracker.atlassian.net  Tue Mar  3 16:35:00 2015
From: jira at bro-tracker.atlassian.net (Aashish Sharma (JIRA))
Date: Tue, 3 Mar 2015 18:35:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1182) Input-framework thread spawn

    [ https://bro-tracker.atlassian.net/browse/BIT-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19908#comment-19908 ]

Aashish Sharma commented on BIT-1182:
-------------------------------------

Ah! That makes sense now. You are correct.

I was inadvertently calling the exec framework after an entry gets removed. In fact, that's what I was working on to fix, and I see this comment. I will report back once I eliminate the exec framework spawn for removals and make that a batch job (only 1 exec call for all removals).

Thanks,
Aashish
From jira at bro-tracker.atlassian.net  Tue Mar  3 17:26:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 3 Mar 2015 19:26:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1323) Merge topic/johanna/x509-cn

Johanna Amann created BIT-1323:
----------------------------------

             Summary: Merge topic/johanna/x509-cn
                 Key: BIT-1323
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1323
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
            Reporter: Johanna Amann
             Fix For: 2.4

Please merge topic/johanna/x509-cn. It makes the most specific common name of a certificate available to scriptland, without having to parse the certificate subject by hand (which is difficult and slow). This should allow easier validation to check if a certificate belongs to a specific domain.

The branch also changes the intel framework policy scripts to send domains contained in the common name and subject alternative name fields of certificates to the intel framework.

From jira at bro-tracker.atlassian.net  Tue Mar  3 17:26:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 3 Mar 2015 19:26:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1323) Merge topic/johanna/x509-cn

    [ https://bro-tracker.atlassian.net/browse/BIT-1323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1323:
-------------------------------

    Status: Merge Request  (was: Open)

From gc355804 at ohio.edu  Tue Mar  3 20:40:36 2015
From: gc355804 at ohio.edu (Gilbert Clark)
Date: Tue, 3 Mar 2015 23:40:36 -0500
Subject: [Bro-Dev] WIP: Instrumentation plugin
Message-ID: <54F68CC4.2070608@ohio.edu>

Hi all:

Just a brief note that https://github.com/cubic1271/bro-plugin-instrumentation exists as a work in progress, and should now be supported by the current bro master.

It knows four tricks at the moment:

* Per-packet statistics - memory, file I/O, and CPU information either every X seconds or every Y packets. This differs from existing functionality only in the way data is gathered: it uses RDTSC to grab CPU cycles, hooks the malloc family of functions to gather memory data, and also hooks I/O methods to gather information about what is generating input / output in the application.

* Per-function statistics - memory information and aggregate cycle counts for the time spent in each bro function.

* Function call-graphs - output graphviz formatted call graphs that can be rendered via e.g. dot.

* Export of arbitrary data via HTTP - populate arbitrary JSON objects in bro script and serve them directly from a HTTP server embedded in the plugin.

Overhead is pretty high at the moment, and there are things that need to be researched on different platforms (e.g. mechanics of RDTSC, reduce error associated with cost of collecting data, etc). I haven't crashed it with the data I've thrown at it as of yet, but I'm sure it's only a matter of time...
It's a work in progress, so feedback / comments / concerns are welcome. Hope something in there is interesting to someone :)

--Gilbert

From noreply at bro.org  Wed Mar  4 00:00:19 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 4 Mar 2015 00:00:19 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503040800.t2480J1f024186@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee      Updated     For Version  Priority  Summary
------------  -----------  --------------  ------------  ----------  -----------  --------  ---------------------------
BIT-1323 [1]  Bro          Johanna Amann   -             2015-03-03  2.4          Normal    Merge topic/johanna/x509-cn
BIT-1320 [2]  BroControl   Daniel Thayer   Robin Sommer  2015-03-02  2.4          Normal    topic/jazoff/broctld [3]
BIT-1319 [4]  Bro          Jon Siwek       Jon Siwek     2015-03-03  2.4          Normal    topic/jsiwek/broker [5]

Open GitHub Pull Requests
=========================

Issue    Component  User           Updated     Title
-------  ---------  -------------  ----------  ---------------------------------------------------------
#25 [6]  bro        eunsilhan [7]  2015-02-24  Topic/jshlbrd/rdp [8]
#24 [9]  bro        msmiley [10]   2015-02-24  add bytes_recvd to Stats and stats.bro for reporting [11]

[1]  BIT-1323            https://bro-tracker.atlassian.net/browse/BIT-1323
[2]  BIT-1320            https://bro-tracker.atlassian.net/browse/BIT-1320
[3]  broctld             https://github.com/bro/brocontrol/tree/topic/jazoff/broctld
[4]  BIT-1319            https://bro-tracker.atlassian.net/browse/BIT-1319
[5]  broker              https://github.com/bro/bro/tree/topic/jsiwek/broker
[6]  Pull Request #25    https://github.com/bro/bro/pull/25
[7]  eunsilhan           https://github.com/eunsilhan
[8]  Merge Pull Request #25 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp
[9]  Pull Request #24    https://github.com/bro/bro/pull/24
[10] msmiley             https://github.com/msmiley
[11] Merge Pull Request #24 with git pull --no-ff --no-commit https://github.com/msmiley/bro.git stats-bytes-recvd

From seth at icir.org  Wed Mar  4 06:05:30 2015
From: seth at icir.org (Seth Hall)
Date: Wed, 4 Mar 2015 09:05:30 -0500
Subject: [Bro-Dev] WIP: Instrumentation plugin
In-Reply-To: <54F68CC4.2070608@ohio.edu>
References: <54F68CC4.2070608@ohio.edu>
Message-ID: <81225777-9F95-4CCC-9B6D-719B97B78EE8@icir.org>

> On Mar 3, 2015, at 11:40 PM, Gilbert Clark wrote:
>
> https://github.com/cubic1271/bro-plugin-instrumentation exists as a work
> in progress, and should now be supported by the current bro master.

That's pretty neat. I've enjoyed watching the evolution of your approaches over time. :)

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jira at bro-tracker.atlassian.net  Wed Mar  4 07:22:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Wed, 4 Mar 2015 09:22:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker

    [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1319:
---------------------------

    Status: Open  (was: Merge Request)

> topic/jsiwek/broker
> -------------------
>
>                 Key: BIT-1319
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1319
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>            Reporter: Jon Siwek
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker.
>
> Notes/Disclaimers/Caveats:
>
> - Bro has a --enable-broker configure flag.
> - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet
> - no Python bindings yet
> - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.
From jira at bro-tracker.atlassian.net  Wed Mar  4 08:28:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Wed, 4 Mar 2015 10:28:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

Justin Azoff created BIT-1324:
---------------------------------

             Summary: default_path_func does weird things to underscores
                 Key: BIT-1324
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1324
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
            Reporter: Justin Azoff
            Priority: Low

The following script creates a
{noformat}
foo__b_ar.log
{noformat}
instead of the expected {noformat}foo_bar{noformat}

{code}
module FOO_BAR;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:  time   &log;
        msg: string &log;
    };
}

event bro_init() {
    Log::create_stream(LOG, [$columns=Info]);
    local l = [$ts = network_time(), $msg="hello"];
    Log::write(LOG, l);
    print "Logged";
}
{code}

The problem is in script land in default_path_func:

{code}
local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
print module_parts;
{code}

outputs

{code}
[FOO, _B, AR]
{code}

From jira at bro-tracker.atlassian.net  Wed Mar  4 10:17:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 4 Mar 2015 12:17:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker

    [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19909#comment-19909 ]

Robin Sommer commented on BIT-1319:
-----------------------------------

{quote}
$ clang --version
Apple LLVM version 6.0 (clang-600.0.56) (based on LLVM 3.5svn)
{quote}

Doh, Apple! I didn't expect them to change the format of the version string. I take it back.
{quote}
Don't think it would be hard to change it to Store::create_clone("name", peer) in order to require the master counterpart be located on the given peer, but maybe that just gives another chance for programmer-error to slip in by specifying the wrong peer/endpoint?
{quote}

Don't have a good handle on the programming/usage aspects of this yet (obviously). That said, my gut feeling would be that identifying a store by peer/name tuple is less confusing/error-prone than just a name. But whatever you prefer, might be something to see over time.

{quote}
Blocking versions can be added, but some caution is still probably needed when using them because even though it goes to the local cache, queries are still processed via a queue of all other data store operations and I don't think there's a good way to tell what the current load is. So I think you could unknowingly block for longer than you'd want if the store is severely overloaded.
{quote}

Yeah, I was afraid that that's the answer. :-)

I'm torn. On the one hand, "when" is the right answer here. On the other hand, I see Broker being used for lots of smaller tasks as well, including, say, just keeping some local state persistently. Forcing the async interface on usages where performance is unlikely to matter much at all looks a bit painful from a usability perspective.

Question: could we skip the queue of operations for sync operations? We'd tell people: "look, you can use this, but you might get inconsistent results in exchange for a less cumbersome interface". My guess is that often, it'll be good enough. So the sync store operations would always go directly to the local cache.

{quote}
e.g. broker vectors don't necessarily contain homogenous data types.
{quote}

Maybe eventually we can provide some convenience functions for turning common types into corresponding Bro values. But that's another thing to collect some experience with first.
From jira at bro-tracker.atlassian.net  Wed Mar  4 11:29:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Wed, 4 Mar 2015 13:29:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker

    [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19910#comment-19910 ]

Jon Siwek commented on BIT-1319:
--------------------------------

{quote}
Question: could we skip the queue of operations for sync operations? We'd tell people: "look, you can use this, but you might get inconsistent results in exchange for a less cumbersome interface". My guess is that often, it'll be good enough. So the sync store operations would always go directly to the local cache.
{quote}

Yes, should be possible to give these operations high priority when talking to a data store clone.

Another problem at the moment is that queries against a clone store will wait to be processed until the clone has performed an initial synchronization with the master store.
Without doing that wait, it seems prone to a lot of bad results at startup. But it also means if you do a synchronous query and a corresponding master store just doesn't exist yet, you can still end up blocking for an indeterminate amount of time, possibly indefinitely.

What should be the behavior/solution here?

* don't distinguish high priority queries from low-priority queries, but change blocking query API to require timeout parameters
* distinguish high-priority queries and they are still held up by the wait-for-initial-sync, but all methods in the blocking query API require a timeout parameter (this may make synchronous queries less affected by overload, but then maybe it opens up some starvation possibilities if one sends high-priority queries too often)
* high-priority (synchronous) queries bypass the wait-for-initial-sync, but low-priority (asynchronous) queries do not
* all queries bypass the wait-for-initial-sync, but updates/modifications wait for master to become available instead of just dropping them
* get rid of wait-for-initial-sync behavior entirely

The first option seems to have fewest drawbacks and may be least complex to implement. And you'd get a less cumbersome API in Bro for synchronous queries: you don't have to use a when statement, but do need to specify the maximum time you want to allow the call to block.
From jira at bro-tracker.atlassian.net  Wed Mar  4 12:26:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 4 Mar 2015 14:26:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld

    [ https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19911#comment-19911 ]

Robin Sommer commented on BIT-1320:
-----------------------------------

Merging. This is such a large change set across the whole code base that I can't really review it. But I trust you guys. :-)

> topic/jazoff/broctld
> --------------------
>
>                 Key: BIT-1320
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1320
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>             Fix For: 2.4
>
>
> Branch topic/jazoff/broctld in the broctl repo contains significant code reorganization for the upcoming broctld. Here is a high-level list of changes:
>
> 1) Refactor broctl to make it usable as a library (reduce global state, module-level setup code, and functions return results instead of printing),
> 2) Integrate ssh_runner code into broctl to fix current problems (use only one connection per host instead of one per Bro node; broctl shouldn't hang when a host goes down or if we forgot to run "broctl install"),
> 3) Write state info using SQLite state storage instead of writing to a plain text file (broctl.dat),
> 4) When the node config changes, we now do additional checks if there are any Bro nodes running that are no longer in our node config and warn the user if any are detected,
> 5) Keep track of the expected state (running or stopped) of each Bro node, and have broctl cron start or stop nodes as needed,
> 6) Improved broctl cron by adding two new options (MailHostUpDown and StatsLogEnable) to give users the option to turn off unwanted functionality to speed up broctl cron and reduce the chance of errors,
> 7) When broctl cron tries to send email but fails, now it will output a message that includes the text it was trying to mail,
> 8) Silence warning messages (that are intended for interactive use of broctl) when broctl cron runs to reduce unwanted emails from cron,
> 9) Added new broctl option StatusCmdShowAll to enable users to speed up "broctl status" significantly,
> 10) Fixed the stats-to-csv script to not create files that can never include any data,
> 11) Fixed archive-log script to detect exit status of gzip or cp command, so that we don't delete the log file when the archival fails,
> 12) Improved post-terminate script to process log files more consistently,
> 13) Made all broctl command output go to stdout (previously, some output would go to stderr, which made grepping or redirecting the output more difficult),
> 14) Improved the default broctl.cfg file to show more of the useful options,
> 15) Added more error checks to help catch errors earlier,
> 16) Some error message output is more specific and helpful now.

From jira at bro-tracker.atlassian.net  Wed Mar  4 12:28:01 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 4 Mar 2015 14:28:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

    [ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19912#comment-19912 ]

Daniel Thayer commented on BIT-1324:
------------------------------------

I'm not aware of any module names that have an underscore currently. If you rename your module to "FooBar", then you'll get the expected log filename "foo_bar.log".

Alternatively, you always have the option to rename a log file by replacing the "default" filter, like this:

{code}
Log::create_stream(LOG, [$columns=Info]);
local filter: Log::Filter = [$name="default", $path="foo_bar"];
Log::add_filter(LOG, filter);
{code}
From jira at bro-tracker.atlassian.net  Wed Mar  4 12:40:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Wed, 4 Mar 2015 14:40:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

    [ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19913#comment-19913 ]

Justin Azoff commented on BIT-1324:
-----------------------------------

Ran into the issue using https://github.com/set-element/misc-scripts/blob/master/wordpress.bro which ends up creating a wp__p_arse.log. It should probably be module Wordpress, but it is still odd behaviour.

From jira at bro-tracker.atlassian.net  Wed Mar  4 13:02:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 4 Mar 2015 15:02:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1323) Merge topic/johanna/x509-cn

    [ https://bro-tracker.atlassian.net/browse/BIT-1323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1323:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)
From jira at bro-tracker.atlassian.net  Wed Mar  4 13:02:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 4 Mar 2015 15:02:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1320) topic/jazoff/broctld

    [ https://bro-tracker.atlassian.net/browse/BIT-1320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1320:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

From jira at bro-tracker.atlassian.net  Wed Mar  4 14:37:00 2015
From: jira at bro-tracker.atlassian.net (Tony Cebzanov (JIRA))
Date: Wed, 4 Mar 2015 16:37:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1325) multiple sqlite writers to same db file yields "database is locked" error

Tony Cebzanov created BIT-1325:
----------------------------------

             Summary: multiple sqlite writers to same db file yields "database is locked" error
                 Key: BIT-1325
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1325
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.2
            Reporter: Tony Cebzanov

I want to have multiple log streams logged to the same sqlite database, but when trying to log to sqlite using the following configuration:

{code}
local filter: Log::Filter =
    [
    $name="sqlite_conn",
    $path="analysis",
    $config=table(["tablename"] = "conn"),
    $writer=Log::WRITER_SQLITE
    ];
Log::add_filter(Conn::LOG, filter);

local http_filter: Log::Filter =
    [
    $name="sqlite_http",
    $path="analysis",
    $config=table(["tablename"] = "http"),
    $writer=Log::WRITER_SQLITE
    ];
Log::add_filter(HTTP::LOG, http_filter);
{code}

I get the following error:

{code}
error: analysis/Log::WRITER_SQLITE: Error executing table creation statement: database is locked
{code}

From jira at bro-tracker.atlassian.net  Wed Mar  4 15:00:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 4 Mar 2015 17:00:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1325) multiple sqlite writers to same db file yields "database is locked" error

    [ https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19914#comment-19914 ]

Johanna Amann commented on BIT-1325:
------------------------------------

I just took a look at the source - the reason this happens at the moment is the way that we write to the SQLite database. We currently create a prepared statement when opening the database for logging; this statement is then re-used for each logging line inserted into the database. The database (apparently) remains locked as long as that statement is active.

In theory, we could walk away from this approach; however, that would mean not using a prepared statement anymore and having to re-execute the insert sql statement for each line that we get sent from the main thread. Which will mean slower executions. It also means that we will have to deal with locking issues -- the current approach sidesteps that because the database is locked for writing from the moment it opens.

After looking at this, I am not sure if we even want to or should support multiple simultaneous writers to sqlite. It seems to come with a whole can of worms and potential problems.
Reading from databases while a thread writes to them should still be possible at the moment. But - I am open for other opinions on this... > multiple sqlite writers to same db file yields "database is locked" error > ------------------------------------------------------------------------- > > Key: BIT-1325 > URL: https://bro-tracker.atlassian.net/browse/BIT-1325 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.2 > Reporter: Tony Cebzanov > Labels: logging, sqlite > > I want to have multiple log streams logged to the same sqlite database, but when trying to log to sqlite using the following configuration: > {code} > local filter: Log::Filter = > [ > $name="sqlite_conn", > $path="analysis", > $config=table(["tablename"] = "conn"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(Conn::LOG, filter); > local http_filter: Log::Filter = > [ > $name="sqlite_http", > $path="analysis", > $config=table(["tablename"] = "http"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(HTTP::LOG, http_filter); > {code} > I get the following error: > {code} > error: analysis/Log::WRITER_SQLITE: Error executing table creation statement: database is locked > {code} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Wed Mar 4 15:01:00 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Wed, 4 Mar 2015 17:01:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1325) multiple sqlite writers to same db file yields "database is locked" error In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1325: ------------------------------- Affects Version/s: (was: 2.2) 2.3 > multiple sqlite writers to same db file yields "database is locked" error > ------------------------------------------------------------------------- > > Key: BIT-1325 > URL: 
https://bro-tracker.atlassian.net/browse/BIT-1325 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.3 > Reporter: Tony Cebzanov > Labels: logging, sqlite > > I want to have multiple log streams logged to the same sqlite database, but when trying to log to sqlite using the following configuration: > {code} > local filter: Log::Filter = > [ > $name="sqlite_conn", > $path="analysis", > $config=table(["tablename"] = "conn"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(Conn::LOG, filter); > local http_filter: Log::Filter = > [ > $name="sqlite_http", > $path="analysis", > $config=table(["tablename"] = "http"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(HTTP::LOG, http_filter); > {code} > I get the following error: > {code} > error: analysis/Log::WRITER_SQLITE: Error executing table creation statement: database is locked > {code} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Wed Mar 4 15:28:02 2015 From: jira at bro-tracker.atlassian.net (Tony Cebzanov (JIRA)) Date: Wed, 4 Mar 2015 17:28:02 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1325) multiple sqlite writers to same db file yields "database is locked" error In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19915#comment-19915 ] Tony Cebzanov commented on BIT-1325: ------------------------------------ What in particular is giving you the impression that it's the prepared statement that's locking the entire database for as long as the prepared statement is active? Obviously not using prepared statements would be a non-starter performance-wise, but I feel like when the current code isn't even trying to catch the SQLITE_BUSY and SQLITE_LOCKED return codes, it's hard for me to accept the notion that it's a case of prepared statements being the problem.
Maybe catching SQLITE_BUSY and then retrying after some time would take care of things once the other writer is finished? > multiple sqlite writers to same db file yields "database is locked" error > ------------------------------------------------------------------------- > > Key: BIT-1325 > URL: https://bro-tracker.atlassian.net/browse/BIT-1325 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.3 > Reporter: Tony Cebzanov > Labels: logging, sqlite > > I want to have multiple log streams logged to the same sqlite database, but when trying to log to sqlite using the following configuration: > {code} > local filter: Log::Filter = > [ > $name="sqlite_conn", > $path="analysis", > $config=table(["tablename"] = "conn"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(Conn::LOG, filter); > local http_filter: Log::Filter = > [ > $name="sqlite_http", > $path="analysis", > $config=table(["tablename"] = "http"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(HTTP::LOG, http_filter); > {code} > I get the following error: > {code} > error: analysis/Log::WRITER_SQLITE: Error executing table creation statement: database is locked > {code} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Wed Mar 4 16:30:01 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Wed, 4 Mar 2015 18:30:01 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1325) multiple sqlite writers to same db file yields "database is locked" error In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19916#comment-19916 ] Johanna Amann commented on BIT-1325: ------------------------------------ Sorry, I misunderstood some documentation - you are actually right, the lock should end after each statement, once sqlite3_reset is called on it. Hence we should fix it... 
> multiple sqlite writers to same db file yields "database is locked" error > ------------------------------------------------------------------------- > > Key: BIT-1325 > URL: https://bro-tracker.atlassian.net/browse/BIT-1325 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.3 > Reporter: Tony Cebzanov > Labels: logging, sqlite > > I want to have multiple log streams logged to the same sqlite database, but when trying to log to sqlite using the following configuration: > {code} > local filter: Log::Filter = > [ > $name="sqlite_conn", > $path="analysis", > $config=table(["tablename"] = "conn"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(Conn::LOG, filter); > local http_filter: Log::Filter = > [ > $name="sqlite_http", > $path="analysis", > $config=table(["tablename"] = "http"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(HTTP::LOG, http_filter); > {code} > I get the following error: > {code} > error: analysis/Log::WRITER_SQLITE: Error executing table creation statement: database is locked > {code} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From noreply at bro.org Thu Mar 5 00:00:25 2015 From: noreply at bro.org (Merge Tracker) Date: Thu, 5 Mar 2015 00:00:25 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201503050800.t2580P3h012070@bro-ids.icir.org> Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- ------------- ---------- --------------------- #25 [1] bro eunsilhan [2] 2015-02-24 Topic/jshlbrd/rdp [3] [1] Pull Request #25 https://github.com/bro/bro/pull/25 [2] eunsilhan https://github.com/eunsilhan [3] Merge Pull Request #25 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git topic/jshlbrd/rdp From jira at bro-tracker.atlassian.net Thu Mar 5 11:41:00 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 5 Mar 2015 13:41:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1326) Broctl 
installation requires sqlite but does not check for its presence In-Reply-To: References: Message-ID: Johanna Amann created BIT-1326: ---------------------------------- Summary: Broctl installation requires sqlite but does not check for its presence Key: BIT-1326 URL: https://bro-tracker.atlassian.net/browse/BIT-1326 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Affects Versions: git/master Reporter: Johanna Amann Fix For: 2.4 Trying to start broctl on a new installation of FreeBSD with a standard python installation results in the following error message upon first start: {code} [bro at marge ~/master]$ broctl Traceback (most recent call last): File "/xa/bro/master/bin/broctl", line 29, in from BroControl.broctl import BroCtl File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 8, in from BroControl import util File "/xa/bro/master/lib/broctl/BroControl/util.py", line 6, in from BroControl import config File "/xa/bro/master/lib/broctl/BroControl/config.py", line 10, in from .state import SqliteState File "/xa/bro/master/lib/broctl/BroControl/state.py", line 2, in import sqlite3 File "/usr/local/lib/python2.7/sqlite3/__init__.py", line 24, in from dbapi2 import * File "/usr/local/lib/python2.7/sqlite3/dbapi2.py", line 28, in from _sqlite3 import * ImportError: No module named _sqlite3 {code} We should probably check for the module in cmake and refuse installation if it is not present. 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Thu Mar 5 13:16:00 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 5 Mar 2015 15:16:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1327) broctl status output is not sorted correctly In-Reply-To: References: Message-ID: Johanna Amann created BIT-1327: ---------------------------------- Summary: broctl status output is not sorted correctly Key: BIT-1327 URL: https://bro-tracker.atlassian.net/browse/BIT-1327 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Affects Versions: git/master Reporter: Johanna Amann Fix For: 2.4 With the current version of BroControl, broctl status is no longer sorted in the traditional order that we had in old versions (master, proxy, workers). Instead, the order seems to be more or less random, but static (it does not change in between runs). I think we should revert this to the old behavior - having sorted output is nice and makes it more convenient to see what is going on. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Thu Mar 5 13:22:00 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 5 Mar 2015 15:22:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1328) BroControl displays backtrace for all failed / mistyped commands In-Reply-To: References: Message-ID: Johanna Amann created BIT-1328: ---------------------------------- Summary: BroControl displays backtrace for all failed / mistyped commands Key: BIT-1328 URL: https://bro-tracker.atlassian.net/browse/BIT-1328 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Affects Versions: git/master Reporter: Johanna Amann Fix For: 2.4 BroControl shows a backtrace for failing commands, instead of just an error message.
Example: {code} [BroControl] > status sdd Traceback (most recent call last): File "/xa/bro/master/lib/broctl/BroControl/brocmd.py", line 49, in cmdloop success = self.onecmd(line) File "/usr/local/lib/python2.7/cmd.py", line 221, in onecmd return func(arg) File "/xa/bro/master/bin/broctl", line 190, in do_status results = self.broctl.status(node_list=args) File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 36, in wrapper return func(self, *args, **kwargs) File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 231, in status nodes = self.node_args(node_list) File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 98, in node_args raise InvalidNodeError("unknown node '%s'" % arg) InvalidNodeError: unknown node 'sdd' [BroControl] > {code} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Thu Mar 5 13:28:00 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Thu, 5 Mar 2015 15:28:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger In-Reply-To: References: Message-ID: Johanna Amann created BIT-1329: ---------------------------------- Summary: BroControl scripts displays meta-information from bro logger Key: BIT-1329 URL: https://bro-tracker.atlassian.net/browse/BIT-1329 Project: Bro Issue Tracker Issue Type: New Feature Components: BroControl Affects Versions: git/master Environment: When issuing a broctl status, the output contains meta bro-log-lines (like #fields, etc) that we probably do not want to display in this case. Example: {code} [BroControl] > scripts manager manager scripts are ok. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path loaded_scripts #open 2015-03-05-13-24-34 #fields name #types string /xa/bro/master/share/bro/base/init-bare.bro /xa/bro/master/share/bro/base/bif/const.bif.bro ... 
/xa/bro/master/share/bro/broctl/check.bro #close 2015-03-05-13-24-34 {code} Reporter: Johanna Amann Fix For: 2.4 -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Thu Mar 5 13:48:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 5 Mar 2015 15:48:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1304) trace-summary should be updated to support newer versions of Python In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1304: ------------------------------- Status: Merge Request (was: Open) > trace-summary should be updated to support newer versions of Python > ------------------------------------------------------------------- > > Key: BIT-1304 > URL: https://bro-tracker.atlassian.net/browse/BIT-1304 > Project: Bro Issue Tracker > Issue Type: Problem > Components: trace-summary > Reporter: Daniel Thayer > Fix For: 2.4 > > > Some of the code in trace-summary is not valid syntax on > Python version >= 3. It should be updated to work on > any Python version >= 2.6. 
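The lines starting with "#" in the scripts output quoted in BIT-1329 above are the header and footer of Bro's ASCII log format: #separator names the column separator (hex-escaped), #fields and #types name and type the columns, #unset_field and #empty_field mark missing and empty values, and #open/#close bracket the data. The following is an added example, the editor's and not BroControl's code, that reads that header, hands back only the data records (which is all broctl would want to print), and goes beyond the single-column loaded_scripts case by converting typed columns and set values. The conn-style sample log is constructed for the example.

```python
def _unescape(text):
    """'#separator \\x09' spells the separator with hex escapes; decode them."""
    return text.encode("ascii").decode("unicode_escape")


def _convert(value, typ, meta):
    """Map one field to a Python value using the header's unset/empty markers
    and the declared Bro type (count, time, bool, set[string], ...)."""
    if value == meta["unset_field"]:
        return None
    if typ.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:
            return []
        inner = typ[typ.index("[") + 1:-1]
        return [_convert(v, inner, meta) for v in value.split(meta["set_separator"])]
    if value == meta["empty_field"]:
        return ""
    if typ in ("count", "int", "port"):
        return int(value)
    if typ in ("time", "interval", "double"):
        return float(value)
    if typ == "bool":
        return value == "T"
    return value  # string, addr, subnet, enum: keep the text


def parse_bro_log(text):
    """Split a Bro ASCII log into (meta, records): '#' lines fill the meta
    dict, every other line becomes a record keyed by the #fields names."""
    meta = {"separator": "\t", "set_separator": ",", "empty_field": "(empty)",
            "unset_field": "-", "fields": [], "types": []}
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                meta["separator"] = _unescape(line[len("#separator "):])
                continue
            key, _, value = line[1:].partition(meta["separator"])
            meta[key] = value.split(meta["separator"]) if key in ("fields", "types") else value
            continue
        values = line.split(meta["separator"])
        if len(values) != len(meta["fields"]):
            raise ValueError("field count mismatch: %r" % line)
        records.append({name: _convert(val, typ, meta)
                        for name, val, typ in zip(meta["fields"], values, meta["types"])})
    return meta, records


def data_lines(text):
    """What broctl should show: the log without its '#' header and footer."""
    return [l for l in text.splitlines() if l and not l.startswith("#")]


# Constructed sample in the same format as the loaded_scripts output in the
# ticket, with several typed columns so the conversions are visible.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2015-03-05-13-24-34\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_p\tservice\tduration\tlocal_orig\n"
    "#types\ttime\tstring\taddr\tport\tset[string]\tinterval\tbool\n"
    "1425590674.123456\tCAbcDe1\t10.0.0.5\t443\tssl\t0.51\tT\n"
    "1425590675.000000\tCFghIj2\t10.0.0.9\t53\t-\t0.002\tF\n"
    "1425590676.250000\tCKlmNo3\t10.0.0.7\t80\thttp,ssl\t-\t-\n"
    "#close\t2015-03-05-13-25-00\n"
)

if __name__ == "__main__":
    meta, records = parse_bro_log(SAMPLE_LOG)
    print("path:", meta["path"], "fields:", meta["fields"])
    for rec in records:
        print(rec)
    print("\n".join(data_lines(SAMPLE_LOG)))
```

The separator line is special: it is the only header line whose value is not itself separated by the separator, which is why it is handled before the generic key/value split. A strict field-count check is kept on purpose; a line with the wrong number of columns is more often a truncated or tampered log than a legitimate record.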
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From noreply at bro.org Fri Mar 6 00:00:27 2015 From: noreply at bro.org (Merge Tracker) Date: Fri, 6 Mar 2015 00:00:27 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201503060800.t2680RrK006442@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ------------- ------------- ---------- ---------- ------------- ---------- ------------------------------------------------------------------- BIT-1304 [1] trace-summary Daniel Thayer - 2015-03-05 2.4 Normal trace-summary should be updated to support newer versions of Python [1] BIT-1304 https://bro-tracker.atlassian.net/browse/BIT-1304 From jira at bro-tracker.atlassian.net Fri Mar 6 07:44:00 2015 From: jira at bro-tracker.atlassian.net (Tony Cebzanov (JIRA)) Date: Fri, 6 Mar 2015 09:44:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1325) multiple sqlite writers to same db file yields "database is locked" error In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Tony Cebzanov updated BIT-1325: ------------------------------- Attachment: bro_sqlite_busy_wait.patch I threw together a pretty naive patch to try to work around this problem for now -- it simply checks the sqlite error code, and if it comes back as SQLITE_BUSY it does a short usleep (repeating as necessary) until the call succeeds. I've only tested it lightly, and in theory with a lot of log writers and locks being held for a long time this could cause the log writer threads to fall behind as they all wait to acquire the lock, but it meets my needs for what I'm doing now. 
A better solution would probably involve the log writers waiting until they have X number of records then inserting them as part of a single transaction (flushed on some kind of idle timeout) but I don't really know enough about the bro architecture to make that happen right now. > multiple sqlite writers to same db file yields "database is locked" error > ------------------------------------------------------------------------- > > Key: BIT-1325 > URL: https://bro-tracker.atlassian.net/browse/BIT-1325 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.3 > Reporter: Tony Cebzanov > Labels: logging, sqlite > Attachments: bro_sqlite_busy_wait.patch > > > I want to have multiple log streams logged to the same sqlite database, but when trying to log to sqlite using the following configuration: > {code} > local filter: Log::Filter = > [ > $name="sqlite_conn", > $path="analysis", > $config=table(["tablename"] = "conn"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(Conn::LOG, filter); > local http_filter: Log::Filter = > [ > $name="sqlite_http", > $path="analysis", > $config=table(["tablename"] = "http"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(HTTP::LOG, http_filter); > {code} > I get the following error: > {code} > error: analysis/Log::WRITER_SQLITE: Error executing table creation statement: database is locked > {code} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 07:45:02 2015 From: jira at bro-tracker.atlassian.net (Tony Cebzanov (JIRA)) Date: Fri, 6 Mar 2015 09:45:02 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1325) multiple sqlite writers to same db file yields "database is locked" error In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19917#comment-19917 ] Tony Cebzanov edited comment on BIT-1325 at 3/6/15 9:44 AM:
------------------------------------------------------------ I threw together a pretty naive patch ([^bro_sqlite_busy_wait.patch]) to try to work around this problem for now -- it simply checks the sqlite error code, and if it comes back as SQLITE_BUSY it does a short usleep (repeating as necessary) until the call succeeds. I've only tested it lightly, and in theory with a lot of log writers and locks being held for a long time this could cause the log writer threads to fall behind as they all wait to acquire the lock, but it meets my needs for what I'm doing now. A better solution would probably involve the log writers waiting until they have X number of records then inserting them as part of a single transaction (flushed on some kind of idle timeout) but I don't really know enough about the bro architecture to make that happen right now. was (Author: tonycpsu): I threw together a pretty naive patch to try to work around this problem for now -- it simply checks the sqlite error code, and if it comes back as SQLITE_BUSY it does a short usleep (repeating as necessary) until the call succeeds. I've only tested it lightly, and in theory with a lot of log writers and locks being held for a long time this could cause the log writer threads to fall behind as they all wait to acquire the lock, but it meets my needs for what I'm doing now. A better solution would probably involve the log writers waiting until they have X number of records then inserting them as part of a single transaction (flushed on some kind of idle timeout) but I don't really know enough about the bro architecture to make that happen right now.
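To make the locking behaviour discussed in BIT-1325 concrete, here is an added example: the editor's, written against Python's built-in sqlite3 module rather than Bro's C++ SQLite writer, and not part of the ticket or of the attached patch. It reproduces the "database is locked" failure with two connections to one file, then shows the two mitigations the thread discusses: the busy-wait retry that bro_sqlite_busy_wait.patch is described as doing, and batching rows into one transaction per writer. The file path, the two-column table layout and the sample rows are constructed for the example.

```python
import os
import re
import sqlite3
import tempfile
import threading
import time

# Constructed two-column layout; Bro's real conn/http tables carry many more fields.
SCHEMA = "(ts REAL, uid TEXT)"

def safe_table(name):
    """Table names come from script config ($config["tablename"]); accept only a
    plain identifier instead of interpolating whatever the config says."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError("bad table name: %r" % name)
    return name

def make_db_path():
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    return path

def reproduce_lock(path):
    """Writer A opens a write transaction and does not commit; writer B's CREATE
    TABLE then fails at once with 'database is locked'. timeout=0 disables
    SQLite's busy handler for B, so it does not sit in the default 5 s wait.
    Returns B's error text."""
    a = sqlite3.connect(path)
    b = sqlite3.connect(path, timeout=0)
    a.execute("CREATE TABLE IF NOT EXISTS conn %s" % SCHEMA)
    a.commit()
    a.execute("INSERT INTO conn VALUES (?, ?)", (1.0, "CAbc"))  # implicit BEGIN: RESERVED lock
    try:
        b.execute("CREATE TABLE IF NOT EXISTS http %s" % SCHEMA)
        err = None
    except sqlite3.OperationalError as e:
        err = str(e)
    a.commit()  # the lock is released only here
    a.close()
    b.close()
    return err

def execute_with_retry(conn, sql, params=(), max_wait=2.0, pause=0.01):
    """The busy-wait approach of the attached patch: on SQLITE_BUSY ('database
    is locked') sleep briefly and retry until max_wait elapses. Every waiting
    writer spins, which is the fall-behind concern raised in the ticket."""
    deadline = time.monotonic() + max_wait
    while True:
        try:
            return conn.execute(sql, params)
        except sqlite3.OperationalError as e:
            if "locked" not in str(e) or time.monotonic() >= deadline:
                raise
            time.sleep(pause)

def retry_demo(path):
    """Writer A holds the lock for about 200 ms; writer B, in its own thread
    with its own connection, retries until A commits. Returns True on success."""
    a = sqlite3.connect(path)
    a.execute("CREATE TABLE IF NOT EXISTS conn %s" % SCHEMA)
    a.commit()
    a.execute("INSERT INTO conn VALUES (?, ?)", (2.0, "CDef"))  # lock held until commit
    outcome = {}

    def writer_b():
        b = sqlite3.connect(path, timeout=0)
        try:
            execute_with_retry(b, "CREATE TABLE IF NOT EXISTS http %s" % SCHEMA)
            b.commit()
            outcome["ok"] = True
        except sqlite3.OperationalError:
            outcome["ok"] = False
        finally:
            b.close()

    t = threading.Thread(target=writer_b)
    t.start()
    time.sleep(0.2)
    a.commit()  # releases the lock; B's next retry goes through
    t.join()
    a.close()
    return outcome["ok"]

def batched_insert(path, table, rows, batch_size=100):
    """The alternative suggested above: buffer rows and write each batch in one
    transaction, so the write lock is taken once per batch rather than once per
    row. The default 5 s busy timeout lets SQLite wait for other writers."""
    table = safe_table(table)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS %s %s" % (table, SCHEMA))
    conn.commit()
    written = 0
    for i in range(0, len(rows), batch_size):
        chunk = rows[i:i + batch_size]
        with conn:  # BEGIN ... COMMIT around the whole chunk
            conn.executemany("INSERT INTO %s VALUES (?, ?)" % table, chunk)
        written += len(chunk)
    conn.close()
    return written

def count_rows(path, table):
    conn = sqlite3.connect(path)
    n = conn.execute("SELECT COUNT(*) FROM %s" % safe_table(table)).fetchone()[0]
    conn.close()
    return n

if __name__ == "__main__":
    db = make_db_path()
    print("B without retry:", reproduce_lock(db))
    print("B with retry succeeded:", retry_demo(db))
    sample = [(float(i), "C%d" % i) for i in range(250)]  # constructed rows
    print("rows written in batches:", batched_insert(db, "http", sample))
    print("rows in http:", count_rows(db, "http"))
    os.unlink(db)
```

Two caveats for anyone reusing this against real logs. SQLite allows one writer at a time regardless of journal mode; WAL mode lets readers proceed alongside that writer, which matches the point above that reading while a thread writes should still work, but a second log writer must still wait for, or batch around, the lock. And since the table name is interpolated into the SQL (SQLite does not accept identifiers as bound parameters), it is validated first; a Bro script's $config values are trusted input, but a validator is cheaper than an audit.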
> multiple sqlite writers to same db file yields "database is locked" error > ------------------------------------------------------------------------- > > Key: BIT-1325 > URL: https://bro-tracker.atlassian.net/browse/BIT-1325 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.3 > Reporter: Tony Cebzanov > Labels: logging, sqlite > Attachments: bro_sqlite_busy_wait.patch > > > I want to have multiple log streams logged to the same sqlite database, but when trying to log to sqlite using the following configuration: > {code} > local filter: Log::Filter = > [ > $name="sqlite_conn", > $path="analysis", > $config=table(["tablename"] = "conn"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(Conn::LOG, filter); > local http_filter: Log::Filter = > [ > $name="sqlite_http", > $path="analysis", > $config=table(["tablename"] = "http"), > $writer=Log::WRITER_SQLITE > ]; > Log::add_filter(HTTP::LOG, http_filter); > {code} > I get the following error: > {code} > error: analysis/Log::WRITER_SQLITE: Error executing table creation statement: database is locked > {code} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 09:25:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 6 Mar 2015 11:25:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1319: --------------------------- Status: Merge Request (was: Open) > topic/jsiwek/broker > ------------------- > > Key: BIT-1319 > URL: https://bro-tracker.atlassian.net/browse/BIT-1319 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Reporter: Jon Siwek > Assignee: Jon Siwek > Fix For: 2.4 > > > The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for 
Broker. > Notes/Disclaimers/Caveats: > - Bro has a --enable-broker configure flag. > - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that. > - no C bindings yet > - no Python bindings yet > - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 09:33:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 6 Mar 2015 11:33:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19918#comment-19918 ] Jon Siwek commented on BIT-1319: -------------------------------- topic/jsiwek/broker in the bro repo addresses some feedback: * rename namespaces, c++ "comm" to "bro_broker", module "Comm" to "BrokerComm" and module "Store" to "BrokerStore" * reorganize directories by renaming comm/ to broker/ * tried to improve the data store unit tests, if they still fail for you, please send me the associated output directory from the .tmp/ * some fixes for problems I found with remote logging * updated broker submodule to a version that now supports python bindings Didn't do anything about adding synchronous data store query API, maybe that's an improvement we can think about for later? So not much here is probably that critical to review; let me know if you just want me to merge it (but I'd still like it if you could let me know about the unit tests that failed before).
> topic/jsiwek/broker > ------------------- > > Key: BIT-1319 > URL: https://bro-tracker.atlassian.net/browse/BIT-1319 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Reporter: Jon Siwek > Assignee: Jon Siwek > Fix For: 2.4 > > > The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker. > Notes/Disclaimers/Caveats: > - Bro has a --enable-broker configure flag. > - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that. > - no C bindings yet > - no Python bindings yet > - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 09:33:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 6 Mar 2015 11:33:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek reassigned BIT-1319: ------------------------------ Assignee: Robin Sommer (was: Jon Siwek) > topic/jsiwek/broker > ------------------- > > Key: BIT-1319 > URL: https://bro-tracker.atlassian.net/browse/BIT-1319 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Reporter: Jon Siwek > Assignee: Robin Sommer > Fix For: 2.4 > > > The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker. > Notes/Disclaimers/Caveats: > - Bro has a --enable-broker configure flag. > - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet > - no Python bindings yet > - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From robin at icir.org Fri Mar 6 09:45:42 2015 From: robin at icir.org (Robin Sommer) Date: Fri, 6 Mar 2015 09:45:42 -0800 Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker In-Reply-To: References: Message-ID: <20150306174542.GX52253@icir.org> > Didn't do anything about adding synchronous data store query API, > maybe that's an improvement we can think about for later? Yeah, I'm still mulling over that. Let's chat a bit about that next week, it's certainly not a must-have right now. > So not much here is probably that critical to review; let me know if > you just want me to merge it (but I'd still like it if you could let me > know about the unit tests that failed before). Just go ahead and merge, I'll try the tests later. Thanks for the renaming. Great to see we have Python bindings! From jira at bro-tracker.atlassian.net Fri Mar 6 09:47:01 2015 From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Fri, 6 Mar 2015 11:47:01 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1319: ------------------------------ Yeah, I'm still mulling over that. Let's chat a bit about that next week, it's certainly not a must-have right now. Just go ahead and merge, I'll try the tests later. Thanks for the renaming. Great to see we have Python bindings!
> topic/jsiwek/broker > ------------------- > > Key: BIT-1319 > URL: https://bro-tracker.atlassian.net/browse/BIT-1319 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Reporter: Jon Siwek > Assignee: Robin Sommer > Fix For: 2.4 > > > The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker. > Notes/Disclaimers/Caveats: > - Bro has a --enable-broker configure flag. > - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that. > - no C bindings yet > - no Python bindings yet > - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 11:33:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 6 Mar 2015 13:33:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1319: --------------------------- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > topic/jsiwek/broker > ------------------- > > Key: BIT-1319 > URL: https://bro-tracker.atlassian.net/browse/BIT-1319 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Reporter: Jon Siwek > Assignee: Robin Sommer > Fix For: 2.4 > > > The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker. > Notes/Disclaimers/Caveats: > - Bro has a --enable-broker configure flag. > - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that.
> - no C bindings yet > - no Python bindings yet > - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 11:34:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 6 Mar 2015 13:34:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1319) topic/jsiwek/broker In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1319?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19920#comment-19920 ] Jon Siwek commented on BIT-1319: -------------------------------- Merged; feel free to re-open the ticket if you want as a reminder to check the unit tests or for the synchronous data store query API. > topic/jsiwek/broker > ------------------- > > Key: BIT-1319 > URL: https://bro-tracker.atlassian.net/browse/BIT-1319 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Reporter: Jon Siwek > Assignee: Robin Sommer > Fix For: 2.4 > > > The "topic/jsiwek/broker" branch is in the bro and cmake repos to add the initial support for Broker. > Notes/Disclaimers/Caveats: > - Bro has a --enable-broker configure flag. > - requires actor-framework "develop" branch. When version 0.13 is out, I will put that as a requirement in the README and have CMake check for that. > - no C bindings yet > - no Python bindings yet > - other than checking compilation and that the new unit tests pass on Linux/FreeBSD/Mac, I've not done much extensive testing, profiling, optimization etc.
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 14:53:01 2015 From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Fri, 6 Mar 2015 16:53:01 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1304) trace-summary should be updated to support newer versions of Python In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1304: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > trace-summary should be updated to support newer versions of Python > ------------------------------------------------------------------- > > Key: BIT-1304 > URL: https://bro-tracker.atlassian.net/browse/BIT-1304 > Project: Bro Issue Tracker > Issue Type: Problem > Components: trace-summary > Reporter: Daniel Thayer > Fix For: 2.4 > > > Some of the code in trace-summary is not valid syntax on > Python version >= 3. It should be updated to work on > any Python version >= 2.6. 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 20:53:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Fri, 6 Mar 2015 22:53:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1227) netstats should compute statistics In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1227: ------------------------------- Fix Version/s: 2.4 Component/s: Bro > netstats should compute statistics > ---------------------------------- > > Key: BIT-1227 > URL: https://bro-tracker.atlassian.net/browse/BIT-1227 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro, BroControl > Reporter: Justin Azoff > Assignee: Justin Azoff > Priority: Trivial > Fix For: 2.4 > > Attachments: signature.asc > > > Someone on irc had shared a really hackish script that parsed the output of broctl netstats to add drop percentages and totals. This is trivial to do inside of broctl. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 21:06:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Fri, 6 Mar 2015 23:06:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1219) broctl should have options to turn off cron emails In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1219?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1219: ------------------------------- Resolution: Fixed Status: Closed (was: Open) This has been addressed and the branch has been merged already. 
> broctl should have options to turn off cron emails > -------------------------------------------------- > > Key: BIT-1219 > URL: https://bro-tracker.atlassian.net/browse/BIT-1219 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Fix For: 2.4 > > > Several users have requested an easy way to turn off some emails > that broctl cron sends (such as host up/down, "...not seeing any packets on interface...", etc.). -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 21:12:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Fri, 6 Mar 2015 23:12:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1228) broctl needs to keep track of desired state In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1228?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1228: ------------------------------- Fix Version/s: 2.4 > broctl needs to keep track of desired state > ------------------------------------------- > > Key: BIT-1228 > URL: https://bro-tracker.atlassian.net/browse/BIT-1228 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Justin Azoff > Assignee: Justin Azoff > Priority: Low > Fix For: 2.4 > > > On a multi-node cluster the following sequence of events can happen: > * A cluster node (node-2) has a power problem and is shut down > * broctl stop is run on the manager > * broctl then fails to stop bro on node-2 > * node-2 reboots > * broctl cron restarts bro on node-2 because the last known state is up > The problem can happen in reverse as well, where broctl will not restart bro on a node that was down. > The problem arises because broctl stores the actual state of the nodes, but not the desired state. Commands like stop and start need to set the desired state first, and then attempt to sync reality with that state information.
broctl cron then just needs to attempt the similar sync. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 6 21:13:00 2015 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Fri, 6 Mar 2015 23:13:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1194) broctl deploy command In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1194: ------------------------------- Fix Version/s: 2.4 > broctl deploy command > --------------------- > > Key: BIT-1194 > URL: https://bro-tracker.atlassian.net/browse/BIT-1194 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: BroControl > Affects Versions: git/master > Reporter: Justin Azoff > Fix For: 2.4 > > > (mostly notes for me right now) > Currently broctl makes it too easy for an end user to do the wrong thing when changing the bro config. > restart --clean is close, however, it does things in this order: > stop -> clean -> check -> install -> start > This is bad because in the event of a 'check' failure bro will not restart. > So, I think what needs to be done is 'restart --clean' should only do: > stop -> clean -> start > and a new command 'broctl deploy' should do > check -> install -> restart > 'broctl deploy --clean' can do > check -> stop -> clean -> install -> start > Also, I think the 'install' operation should always run 'check', is there any reason it shouldn't? Would someone every want to force install a broken config? 
From jira at bro-tracker.atlassian.net Fri Mar 6 21:14:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 6 Mar 2015 23:14:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1165) [Bro] cron: error running update-stats

[ https://bro-tracker.atlassian.net/browse/BIT-1165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1165:
-------------------------------
Resolution: Fixed
Status: Closed (was: Open)

The update-stats script hasn't been part of broctl since the Bro 2.2 release.

> [Bro] cron: error running update-stats
> --------------------------------------
>
> Key: BIT-1165
> URL: https://bro-tracker.atlassian.net/browse/BIT-1165
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 2.2
> Environment: Linux Fedora 19 on x86_64
> Reporter: Paolo Galtieri
> Labels: logging
> Attachments: broctl.cfg
>
>
> I have configured bro so that all log files and spool files are saved to an external hard drive. I have modified the broctl.cfg file to point to the new locations. However, I continue to get lots of email about the following problem:
> error running update-stats
> ['cat: /usr/local/bro/spool/stats.log: No such file or directory']
> How do I stop this email?
> The stats.log file is located in
> /media/NSM/NSM-SENSOR-2/logs/bro/logs/stats
> ls -l /media/NSM/NSM-SENSOR-2/logs/bro/logs/stats
> total 13456
> -rw-r--r--. 1 root root 238 Mar 20 17:35 meta.dat
> -rw-r--r--. 1 root root 13762847 Mar 18 22:50 stats.log
> drwxr-xr-x. 2 root root 4096 Dec 5 13:25 www
> Paolo

From jira at bro-tracker.atlassian.net Fri Mar 6 21:17:01 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 6 Mar 2015 23:17:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1029) support printing arbitrary expressions

[ https://bro-tracker.atlassian.net/browse/BIT-1029?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1029:
-------------------------------
Fix Version/s: (was: 2.4)

> support printing arbitrary expressions
> --------------------------------------
>
> Key: BIT-1029
> URL: https://bro-tracker.atlassian.net/browse/BIT-1029
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: git/master
> Reporter: dmandelb
> Priority: Low
>
> {{broctl}}'s print command can be very verbose for large tables. It would be nice if it could support at least the below two styles of commands, but ideally it could support any Bro Scripting Language expression.
> {noformat}
> [BroControl] > print BBNHostPeering::host_peers[127.0.0.1]
> [BroControl] > print |BBNHostPeering::host_peers|
> {noformat}

From jira at bro-tracker.atlassian.net Mon Mar 9 07:40:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 9 Mar 2015 09:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1330) topic/python3-compat

Jon Siwek created BIT-1330:
------------------------------
Summary: topic/python3-compat
Key: BIT-1330
URL: https://bro-tracker.atlassian.net/browse/BIT-1330
Project: Bro Issue Tracker
Issue Type: Improvement
Components: pysubnettree
Reporter: Jon Siwek
Fix For: 2.4

Updates to pysubnettree for Python 3 compatibility: have to now consider that bytes are a distinct type from strings and allow the API to accept either.

From jira at bro-tracker.atlassian.net Mon Mar 9 07:41:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 9 Mar 2015 09:41:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1330) topic/python3-compat

[ https://bro-tracker.atlassian.net/browse/BIT-1330?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1330:
---------------------------
Status: Merge Request (was: Open)

> topic/python3-compat
> --------------------
>
> Key: BIT-1330
> URL: https://bro-tracker.atlassian.net/browse/BIT-1330
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: pysubnettree
> Reporter: Jon Siwek
> Fix For: 2.4
>
>
> Updates to pysubnettree for Python 3 compatibility: have to now consider that bytes are a distinct type from strings and allow the API to accept either.
From jira at bro-tracker.atlassian.net Mon Mar 9 12:23:00 2015
From: jira at bro-tracker.atlassian.net (Josh Liburdi (JIRA))
Date: Mon, 9 Mar 2015 14:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1331) BroControl manager crashes when logs rotate

Josh Liburdi created BIT-1331:
---------------------------------
Summary: BroControl manager crashes when logs rotate
Key: BIT-1331
URL: https://bro-tracker.atlassian.net/browse/BIT-1331
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Affects Versions: git/master, 2.4
Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
Reporter: Josh Liburdi
Priority: High

The BroControl manager crashes when the logs rotate. Workers run fine through this process.

stderr.log output:
internal error: finish missing
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup "$mybro" "$@"
send-mail: SENDMAIL-NOTFOUND not found

From jira at bro-tracker.atlassian.net Mon Mar 9 13:04:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 9 Mar 2015 15:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation

Johanna Amann created BIT-1332:
----------------------------------
Summary: Please merge topic/johanna/cert-validation
Key: BIT-1332
URL: https://bro-tracker.atlassian.net/browse/BIT-1332
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Fix For: 2.4

Please merge topic/johanna/cert-validation. This is an update to the script used to validate certificates in SSL/TLS connections.
Description from main commit:

{quote}
Update certificate validation script - new version will cache valid intermediate chains that it encounters on the wire and use those to try to validate chains that might be missing intermediate certificates. This vastly improves the number of certificates that Bro can validate. The only drawback is that now validation behavior is not entirely predictable anymore - the certificate of a server can fail to validate when Bro just started up (due to the intermediate missing), and succeed later, when the intermediate can be found in the cache. Has been tested on big-ish clusters and should not introduce any performance problems.
{quote}

From jira at bro-tracker.atlassian.net Mon Mar 9 13:04:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 9 Mar 2015 15:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation

[ https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1332:
-------------------------------
Status: Merge Request (was: Open)

> Please merge topic/johanna/cert-validation
> ------------------------------------------
>
> Key: BIT-1332
> URL: https://bro-tracker.atlassian.net/browse/BIT-1332
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.4
>
>
> Please merge topic/johanna/cert-validation. This is an update to the script used to validate certificates in SSL/TLS connections. Description from main commit:
> {quote}
> Update certificate validation script - new version will cache valid
> intermediate chains that it encounters on the wire and use those to try
> to validate chains that might be missing intermediate certificates.
> This vastly improves the number of certificates that Bro can validate.
> The only drawback is that now validation behavior is not entirely
> predictable anymore - the certificate of a server can fail to validate
> when Bro just started up (due to the intermediate missing), and succeed
> later, when the intermediate can be found in the cache.
> Has been tested on big-ish clusters and should not introduce any
> performance problems.
> {quote}

From jira at bro-tracker.atlassian.net Mon Mar 9 15:25:00 2015
From: jira at bro-tracker.atlassian.net (Paul Pearce (JIRA))
Date: Mon, 9 Mar 2015 17:25:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

Paul Pearce created BIT-1333:
--------------------------------
Summary: Bro's ASCII logging facilities do not escape escape characters
Key: BIT-1333
URL: https://bro-tracker.atlassian.net/browse/BIT-1333
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.3
Reporter: Paul Pearce

* Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html).
* Bro does not however escape \ or ^.
* This behavior makes recovering the original string impossible as you can not differentiate between an escaped sequence and a string containing those characters.

Examples:
$ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
foo \xc2\xae bar \xc2\xae baz
$ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
foo\0bar\0baz
$ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
foo ^N bar ^N baz

Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example).
This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality. I'm happy to file a separate feature request for this behavior, if that is preferred.

I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.

From noreply at bro.org Tue Mar 10 00:00:44 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 10 Mar 2015 00:00:44 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503100700.t2A70iRq003284@bro-ids.icir.org>

Open Merge Requests
===================

ID Component Reporter Assignee Updated For Version Priority Summary
------------ ------------ ------------- ---------- ---------- ------------- ---------- ------------------------------------------
BIT-1332 [1] Bro Johanna Amann - 2015-03-09 2.4 Normal Please merge topic/johanna/cert-validation
BIT-1330 [2] pysubnettree Jon Siwek - 2015-03-09 2.4 Normal topic/python3-compat [3]

[1] BIT-1332 https://bro-tracker.atlassian.net/browse/BIT-1332
[2] BIT-1330 https://bro-tracker.atlassian.net/browse/BIT-1330
[3] python3-compat https://github.com/bro/pysubnettree/tree/topic/python3-compat

From jira at bro-tracker.atlassian.net Tue Mar 10 05:49:01 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Tue, 10 Mar 2015 07:49:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall reassigned BIT-1333:
------------------------------
Assignee: Seth Hall

> Bro's ASCII logging facilities do not escape escape characters
> --------------------------------------------------------------
>
> Key: BIT-1333
> URL: https://bro-tracker.atlassian.net/browse/BIT-1333
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Paul Pearce
> Assignee: Seth Hall
>
> * Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html).
> * Bro does not however escape \ or ^.
> * This behavior makes recovering the original string impossible as you can not differentiate between an escaped sequence and a string containing those characters.
> Examples:
> $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
> foo \xc2\xae bar \xc2\xae baz
> $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
> foo\0bar\0baz
> $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
> foo ^N bar ^N baz
> Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example). This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality. I'm happy to file a separate feature request for this behavior, if that is preferred.
> I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.
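The ambiguity BIT-1333 describes, modelled in Python as an added example that is not Bro's code: the lossy escaper writes a literal backslash through unchanged (the 2.3 behaviour the ticket reports), the reversible variant escapes it as \x5c, and a strict decoder shows which of the two round-trips the ticket's first two sample strings. Bro's ^N notation for some control bytes is left out; the ambiguity is the same.

```python
# Added example (not Bro's code): models the escaping ambiguity reported
# in BIT-1333 and a reversible alternative. Bro's ^N notation for some
# control bytes is left out here; the ambiguity is the same.
import string
from typing import Callable

BACKSLASH = 0x5C


def _hex_escape(b: int) -> str:
    return "\\x%02x" % b


def escape_lossy(data: bytes) -> str:
    """Escape non-printable bytes as \\xNN but write '\\' through unchanged.

    This is the Bro 2.3 behaviour the ticket describes: a literal backslash
    and the start of an escape sequence look identical in the output.
    """
    return "".join(chr(b) if 0x20 <= b < 0x7F else _hex_escape(b) for b in data)


def escape_reversible(data: bytes) -> str:
    """Escape non-printables AND the backslash itself as \\xNN.

    Since '\\' never appears unescaped, every backslash in the output starts
    an escape sequence and the mapping can be inverted.
    """
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != BACKSLASH else _hex_escape(b)
        for b in data
    )


def unescape(text: str) -> bytes:
    """Invert the \\xNN scheme.

    Only \\xNN is accepted. Anything else after a backslash is rejected
    rather than guessed at, so a decode that succeeds is trustworthy.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ord(ch))  # raises ValueError for non-byte code points
            i += 1
            continue
        hexpair = text[i + 2:i + 4]
        if (text[i + 1:i + 2] != "x" or len(hexpair) != 2
                or any(c not in string.hexdigits for c in hexpair)):
            raise ValueError("malformed escape at offset %d" % i)
        out.append(int(hexpair, 16))
        i += 4
    return bytes(out)


def round_trips(data: bytes, escaper: Callable[[bytes], str]) -> bool:
    """True if unescape(escaper(data)) reproduces the original bytes."""
    try:
        return unescape(escaper(data)) == data
    except ValueError:
        return False


# Constructed inputs modelled on the ticket's first two examples. The first
# holds the bytes C2 AE followed by the literal text "\xc2\xae"; the second
# a NUL byte followed by the literal text "\0".
SAMPLES = [
    b"foo \xc2\xae bar \\xc2\\xae baz",
    b"foo\x00bar\\0baz",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for name, esc in (("lossy", escape_lossy), ("reversible", escape_reversible)):
            print("%-10s %-40s round-trips: %s"
                  % (name, esc(sample), round_trips(sample, esc)))
```

For the first sample the lossy form decodes to a string with the bytes C2 AE twice, which is not what was logged; the reversible form is the only one a log post-processor can trust.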
From jira at bro-tracker.atlassian.net Tue Mar 10 05:49:01 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Tue, 10 Mar 2015 07:49:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19923#comment-19923 ]

Seth Hall commented on BIT-1333:
--------------------------------

A first try at addressing this has been implemented in this branch: topic/seth/ascii-escape-normalization

Could you try that and let me know how it goes? I haven't updated the tests in that branch yet so it's not quite ready for merging and I'm not sure I hit all of the edge cases, I implemented it pretty quickly.

> Bro's ASCII logging facilities do not escape escape characters
> --------------------------------------------------------------
>
> Key: BIT-1333
> URL: https://bro-tracker.atlassian.net/browse/BIT-1333
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Paul Pearce
>
> * Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html).
> * Bro does not however escape \ or ^.
> * This behavior makes recovering the original string impossible as you can not differentiate between an escaped sequence and a string containing those characters.
> Examples:
> $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
> foo \xc2\xae bar \xc2\xae baz
> $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
> foo\0bar\0baz
> $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
> foo ^N bar ^N baz
> Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example). This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality. I'm happy to file a separate feature request for this behavior, if that is preferred.
> I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.

From jira at bro-tracker.atlassian.net Tue Mar 10 05:53:00 2015
From: jira at bro-tracker.atlassian.net (Robert Udd (JIRA))
Date: Tue, 10 Mar 2015 07:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1334) ARP packets tagged as unknown

Robert Udd created BIT-1334:
-------------------------------
Summary: ARP packets tagged as unknown
Key: BIT-1334
URL: https://bro-tracker.atlassian.net/browse/BIT-1334
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Robert Udd
Attachments: arp8.pcap

The ARP script fails to identify the supplied arp packets. Running the ARP script on the supplied pcap only gives unknown_packet_type in weird.log.

From jira at bro-tracker.atlassian.net Tue Mar 10 08:01:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Tue, 10 Mar 2015 10:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script

grigorescu created BIT-1335:
-------------------------------
Summary: Extract all files policy script
Key: BIT-1335
URL: https://bro-tracker.atlassian.net/browse/BIT-1335
Project: Bro Issue Tracker
Issue Type: New Feature
Components: Bro
Affects Versions: 2.4
Reporter: grigorescu
Priority: Trivial

We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4?
From jira at bro-tracker.atlassian.net Tue Mar 10 08:03:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Tue, 10 Mar 2015 10:03:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC

grigorescu created BIT-1336:
-------------------------------
Summary: ElasticSearch indices in UTC
Key: BIT-1336
URL: https://bro-tracker.atlassian.net/browse/BIT-1336
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: 2.4
Reporter: grigorescu
Priority: Trivial

For improved compatibility with Kibana and other ElasticSearch frontends, the timestamps on the Bro indices should be changed to UTC.

From jira at bro-tracker.atlassian.net Tue Mar 10 09:23:00 2015
From: jira at bro-tracker.atlassian.net (Josh Liburdi (JIRA))
Date: Tue, 10 Mar 2015 11:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'

Josh Liburdi created BIT-1337:
---------------------------------
Summary: Bro worker crash - terminate after 'std::length_error'
Key: BIT-1337
URL: https://bro-tracker.atlassian.net/browse/BIT-1337
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Josh Liburdi

Running Bro master with the Kerberos and RDP analyzer branches resulted in one crashed worker on a pf_ring cluster.
BroControl diag results below:
terminate called after throwing an instance of 'std::length_error'
what(): basic_string::_S_create
/usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted (core dumped) nohup $mybro "$@"

From jira at bro-tracker.atlassian.net Tue Mar 10 10:32:01 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Tue, 10 Mar 2015 12:32:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'

[ https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19924#comment-19924 ]

Seth Hall commented on BIT-1337:
--------------------------------

First of all, you win for getting the most LEET ticket so far. :)

Do you have a back trace for this? What you've provided doesn't point to any obvious culprits.

> Bro worker crash - terminate after 'std::length_error'
> ------------------------------------------------------
>
> Key: BIT-1337
> URL: https://bro-tracker.atlassian.net/browse/BIT-1337
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Josh Liburdi
>
> Running Bro master with the Kerberos and RDP analyzer branches resulted in one crashed worker on a pf_ring cluster.
> BroControl diag results below:
> terminate called after throwing an instance of 'std::length_error'
> what(): basic_string::_S_create
> /usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted (core dumped) nohup $mybro "$@"

From jira at bro-tracker.atlassian.net Tue Mar 10 10:59:01 2015
From: jira at bro-tracker.atlassian.net (Josh Liburdi (JIRA))
Date: Tue, 10 Mar 2015 12:59:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'

[ https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19925#comment-19925 ]

Josh Liburdi commented on BIT-1337:
-----------------------------------

Unfortunately, I don't have a back trace and I've already restarted BroControl. If the issue pops up again, I'll provide as much information as I can.

> Bro worker crash - terminate after 'std::length_error'
> ------------------------------------------------------
>
> Key: BIT-1337
> URL: https://bro-tracker.atlassian.net/browse/BIT-1337
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Josh Liburdi
>
> Running Bro master with the Kerberos and RDP analyzer branches resulted in one crashed worker on a pf_ring cluster.
> BroControl diag results below:
> terminate called after throwing an instance of 'std::length_error'
> what(): basic_string::_S_create
> /usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted (core dumped) nohup $mybro "$@"

From jira at bro-tracker.atlassian.net Tue Mar 10 18:21:01 2015
From: jira at bro-tracker.atlassian.net (Paul Pearce (JIRA))
Date: Tue, 10 Mar 2015 20:21:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19926#comment-19926 ]

Paul Pearce commented on BIT-1333:
----------------------------------

Thanks for taking this on. That branch behaves correctly on the toy above. Unfortunately I can't get my analysis pipeline working with this branch to test further.

connection$http$resp_mime_types is never initialized when inside a file_over_new_connection event. This breaks my pipeline. I see from the release notes (https://www.bro.org/sphinx-git/install/release-notes.html#changed-functionality) that some mime type behavior has changed. Is this new behavior correct but undocumented, or a bug?

> Bro's ASCII logging facilities do not escape escape characters
> --------------------------------------------------------------
>
> Key: BIT-1333
> URL: https://bro-tracker.atlassian.net/browse/BIT-1333
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Paul Pearce
> Assignee: Seth Hall
>
> * Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html).
> * Bro does not however escape \ or ^.
> * This behavior makes recovering the original string impossible as you can not differentiate between an escaped sequence and a string containing those characters.
> Examples:
> $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
> foo \xc2\xae bar \xc2\xae baz
> $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
> foo\0bar\0baz
> $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
> foo ^N bar ^N baz
> Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example). This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality. I'm happy to file a separate feature request for this behavior, if that is preferred.
> I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.

From jira at bro-tracker.atlassian.net Tue Mar 10 18:22:02 2015
From: jira at bro-tracker.atlassian.net (Paul Pearce (JIRA))
Date: Tue, 10 Mar 2015 20:22:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters

[ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19926#comment-19926 ]

Paul Pearce edited comment on BIT-1333 at 3/10/15 8:21 PM:
-----------------------------------------------------------

Thanks for taking this on. That branch behaves correctly on the toy examples above. Unfortunately I can't get my analysis pipeline working with this branch to test further.

connection$http$resp_mime_types is never initialized when inside a file_over_new_connection event. This breaks my pipeline.
I see from the release notes (https://www.bro.org/sphinx-git/install/release-notes.html#changed-functionality) that some mime type behavior has changed. Is this new behavior correct but undocumented, or a bug?

was (Author: pearce):
Thanks for taking this on. That branch behaves correctly on the toy above. Unfortunately I can't get my analysis pipeline working with this branch to test further.

connection$http$resp_mime_types is never initialized when inside a file_over_new_connection event. This breaks my pipeline. I see from the release notes (https://www.bro.org/sphinx-git/install/release-notes.html#changed-functionality) that some mime type behavior has changed. Is this new behavior correct but undocumented, or a bug?

> Bro's ASCII logging facilities do not escape escape characters
> --------------------------------------------------------------
>
> Key: BIT-1333
> URL: https://bro-tracker.atlassian.net/browse/BIT-1333
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Paul Pearce
> Assignee: Seth Hall
>
> * Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html).
> * Bro does not however escape \ or ^.
> * This behavior makes recovering the original string impossible as you can not differentiate between an escaped sequence and a string containing those characters.
> Examples:
> $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
> foo \xc2\xae bar \xc2\xae baz
> $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
> foo\0bar\0baz
> $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
> foo ^N bar ^N baz
> Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example). This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality.
> I'm happy to file a separate feature request for this behavior, if that is preferred.
> I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.

From jira at bro-tracker.atlassian.net Tue Mar 10 20:50:02 2015
From: jira at bro-tracker.atlassian.net (Paul Pearce (JIRA))
Date: Tue, 10 Mar 2015 22:50:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1338) http response mime types uninitialized in file_over_new_connection event

Paul Pearce created BIT-1338:
--------------------------------
Summary: http response mime types uninitialized in file_over_new_connection event
Key: BIT-1338
URL: https://bro-tracker.atlassian.net/browse/BIT-1338
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Paul Pearce

http resp_mime_types (accessed via: connection$http$resp_mime_types) are no longer initialized during the file_over_new_connection event. This is new behavior between Bro v2.3 and git/master.

The following snippet shows the new behavior on one of the included bro test traces.

{code:bash}
$ bro_v23 -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
T
$ bro_git -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
F
{code}

It's worth pointing out that ultimately the resp_mime_types field does get set for subsequent events.
{code:bash}
$ bro_v23 -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
T
$ bro_git -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
T
{code}

From noreply at bro.org Wed Mar 11 00:00:25 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 11 Mar 2015 00:00:25 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503110700.t2B70PVh002608@bro-ids.icir.org>

Open Merge Requests
===================

ID Component Reporter Assignee Updated For Version Priority Summary
------------ ------------ ------------- ---------- ---------- ------------- ---------- ------------------------------------------
BIT-1332 [1] Bro Johanna Amann - 2015-03-09 2.4 Normal Please merge topic/johanna/cert-validation
BIT-1330 [2] pysubnettree Jon Siwek - 2015-03-09 2.4 Normal topic/python3-compat [3]

Open Fastpath Commits
======================

Commit Component Author Date Summary
----------- ----------- ------------- ---------- -----------------------------------------------------------
31795e7 [4] bro Johanna Amann 2015-03-10 When setting the SSL analyzer to fail, also stop processing

[1] BIT-1332 https://bro-tracker.atlassian.net/browse/BIT-1332
[2] BIT-1330 https://bro-tracker.atlassian.net/browse/BIT-1330
[3] python3-compat https://github.com/bro/pysubnettree/tree/topic/python3-compat
[4] 31795e7 https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3

From jira at bro-tracker.atlassian.net Wed Mar 11 08:14:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Wed, 11 Mar 2015 10:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1338) http response mime types uninitialized in file_over_new_connection event

[ https://bro-tracker.atlassian.net/browse/BIT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19927#comment-19927 ]

Jon Siwek commented on BIT-1338:
--------------------------------

The earliest point that new mime type information is available is in the file_mime_type event which now comes after file_new/file_over_new_connection. Can you extract what you need at that time? E.g.:

{code}
event file_mime_type(f: fa_file, mime_type: string)
{
if ( f?$http )
print "file_mime_type", f$http;
}
{code}

> http response mime types uninitialized in file_over_new_connection event
> ------------------------------------------------------------------------
>
> Key: BIT-1338
> URL: https://bro-tracker.atlassian.net/browse/BIT-1338
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Paul Pearce
> Labels: mime
>
> http resp_mime_types (accessed via: connection$http$resp_mime_types) are no longer initialized during the file_over_new_connection event. This is new behavior between Bro v2.3 and git/master.
> The following snippet shows the new behavior on one of the included bro test traces.
> {code:bash}
> $ bro_v23 -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> F
> {code}
> It's worth pointing out that ultimately the resp_mime_types field does get set for subsequent events.
> {code:bash}
> $ bro_v23 -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Wed Mar 11 12:38:02 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 11 Mar 2015 14:38:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19928#comment-19928 ]

Seth Hall commented on BIT-1333:
--------------------------------

The new behavior is correct. We changed how the file framework handles files a bit in the core and part of this was breaking out the file type identification.

> Bro's ASCII logging facilities do not escape escape characters
> --------------------------------------------------------------
>
>                 Key: BIT-1333
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Paul Pearce
>            Assignee: Seth Hall
>
> * Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html).
> * Bro does not however escape \ or ^.
> * This behavior makes recovering the original string impossible as you can not differentiate between an escaped sequence and a string containing those characters.
> Examples:
> $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
> foo \xc2\xae bar \xc2\xae baz
> $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
> foo\0bar\0baz
> $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
> foo ^N bar ^N baz
> Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example). This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality. I'm happy to file a separate feature request for this behavior, if that is preferred.
> I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Wed Mar 11 18:48:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 11 Mar 2015 20:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
In-Reply-To:
References:
Message-ID:

Seth Hall created BIT-1339:
------------------------------

             Summary: Remove src and dst from notice
                 Key: BIT-1339
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
            Reporter: Seth Hall
            Assignee: Seth Hall

Email from Brian Kellog...

Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts.

{quote}
I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way. Couple questions:

Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base?
I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released. Here's what I changed/add to some of the built-in detection scripts (Lines with "+" are what I changed/added): /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro NOTICE([$note=Password_Guessing, $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num), $sub=sub_msg, + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro NOTICE([$note=FTP::Bruteforcing, + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], $msg=message, $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro NOTICE([$note=SQL_Injection_Attacker, $msg="An SQL injection attacker was discovered!", $email_body_sections=vector(format_sqli_samples(r$samples)), + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], + $sub=cat(format_sqli_samples(r$samples)), $identifier=cat(key$host)]); }]); ? NOTICE([$note=SQL_Injection_Victim, $msg="An SQL injection victim was discovered!", $email_body_sections=vector(format_sqli_samples(r$samples)), + #$src=key$host, + $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp], + $sub=cat(format_sqli_samples(r$samples)), $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/misc/scan.bro NOTICE([$note=Address_Scan, #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str], + #$p=to_port(key$str), $sub=side, $msg=message, $identifier=cat(key$host)]); }]); ? 
NOTICE([$note=Port_Scan, #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp], + #$dst=to_addr(key$str), $sub=side, $msg=message, $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro NOTICE([$note=Traceroute::Detected, $msg=fmt("%s seems to be running traceroute using %s", src, proto), + #$src=src, + $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp], $identifier=cat(src,proto)]); }]); {quote} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Wed Mar 11 18:53:00 2015 From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA)) Date: Wed, 11 Mar 2015 20:53:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1340) RDP analyzer (topic/seth/rdp) In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1340?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Seth Hall updated BIT-1340: --------------------------- Status: Merge Request (was: Open) > RDP analyzer (topic/seth/rdp) > ----------------------------- > > Key: BIT-1340 > URL: https://bro-tracker.atlassian.net/browse/BIT-1340 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: Seth Hall > > This is Josh Liburdi's RDP analyzer which was cleaned up some and extended by myself and it's now prepared for merging into master. It's includes a small change by Johanna Amann to make it work with some odd X509 certificates that are transferred over RDP. 
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Wed Mar 11 18:53:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 11 Mar 2015 20:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1340) RDP analyzer (topic/seth/rdp)
In-Reply-To:
References:
Message-ID:

Seth Hall created BIT-1340:
------------------------------

             Summary: RDP analyzer (topic/seth/rdp)
                 Key: BIT-1340
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1340
             Project: Bro Issue Tracker
          Issue Type: New Feature
          Components: Bro
    Affects Versions: git/master
            Reporter: Seth Hall

This is Josh Liburdi's RDP analyzer which was cleaned up some and extended by myself and it's now prepared for merging into master. It includes a small change by Johanna Amann to make it work with some odd X509 certificates that are transferred over RDP.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Wed Mar 11 19:57:00 2015
From: jira at bro-tracker.atlassian.net (Paul Pearce (JIRA))
Date: Wed, 11 Mar 2015 21:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1338) http response mime types uninitialized in file_over_new_connection event
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19929#comment-19929 ]

Paul Pearce commented on BIT-1338:
----------------------------------

Interesting. I can extract the information I need during the file_mime_type event but I can't store it where needed (directly). Based on mime-types I perform specific analysis and then annotate connections for use in later events. The connection object is not available directly from fa_file.

A workaround for this behavior is to add a connection field to the fa_file record, set the connection inside the file_over_new_connection event, then decorate the connection in the file_mime_type event. This works (tested) but seems oddly complex.

{code:none}
redef record fa_file += {
    conn: connection &optional;
};

event file_over_new_connection(f: fa_file, c:connection, is_orig:bool)
    {
    if ( c?$http && !is_orig )
        f$conn = c;
    }

event file_mime_type(f: fa_file, mime_type: string)
    {
    if ( f?$conn )
        {
        # Do work
        }
    }
{code}

I'll leave it to you folks to decide if that is a desired behavioral change.

One suggestion I'd make is 2.4 release notes do not adequately convey this event change (https://www.bro.org/sphinx-git/install/release-notes.html#changed-functionality), at least to me. A note about changes in when information is available in event progression would have helped me.

Thanks.

> http response mime types uninitialized in file_over_new_connection event
> ------------------------------------------------------------------------
>
>                 Key: BIT-1338
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1338
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Paul Pearce
>              Labels: mime
>
> http resp_mime_types (accessed via: connection$http$resp_mime_types) are no longer initialized during the file_over_new_connection event. This is new behavior between Bro v2.3 and git/master.
> The following snippet shows the new behavior on one of the included bro test traces.
> {code:bash}
> $ bro_v23 -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> F
> {code}
> It's worth pointing out that ultimately the resp_mime_types field does get set for subsequent events.
> {code:bash}
> $ bro_v23 -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Wed Mar 11 20:00:01 2015
From: jira at bro-tracker.atlassian.net (Paul Pearce (JIRA))
Date: Wed, 11 Mar 2015 22:00:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19930#comment-19930 ]

Paul Pearce commented on BIT-1333:
----------------------------------

I ported some code and was able to push my complete pipeline through the ascii-escape-normalization topic branch. It went well. It behaved as I hoped it would. Thanks!

> Bro's ASCII logging facilities do not escape escape characters
> --------------------------------------------------------------
>
>                 Key: BIT-1333
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Paul Pearce
>            Assignee: Seth Hall
>
> * Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html).
> * Bro does not however escape \ or ^.
> * This behavior makes recovering the original string impossible as you can not differentiate between an escaped sequence and a string containing those characters.
> Examples:
> $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
> foo \xc2\xae bar \xc2\xae baz
> $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
> foo\0bar\0baz
> $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
> foo ^N bar ^N baz
> Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example). This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality. I'm happy to file a separate feature request for this behavior, if that is preferred.
> I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From noreply at bro.org  Thu Mar 12 00:00:22 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 12 Mar 2015 00:00:22 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503120700.t2C70Mrn000525@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee    Updated     For Version    Priority    Summary
------------  ------------  -------------  ----------  ----------  -------------  ----------  ------------------------------------------
BIT-1340 [1]  Bro           Seth Hall      -           2015-03-11  -              Normal      RDP analyzer (topic/seth/rdp)
BIT-1332 [2]  Bro           Johanna Amann  -           2015-03-09  2.4            Normal      Please merge topic/johanna/cert-validation
BIT-1330 [3]  pysubnettree  Jon Siwek      -           2015-03-09  2.4            Normal      topic/python3-compat [4]

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  -----------------------------------------------------------
31795e7 [5]  bro          Johanna Amann  2015-03-10  When setting the SSL analyzer to fail, also stop processing

[1] BIT-1340        https://bro-tracker.atlassian.net/browse/BIT-1340
[2] BIT-1332        https://bro-tracker.atlassian.net/browse/BIT-1332
[3] BIT-1330        https://bro-tracker.atlassian.net/browse/BIT-1330
[4] python3-compat  https://github.com/bro/pysubnettree/tree/topic/python3-compat
[5] 31795e7         https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3

From jira at bro-tracker.atlassian.net  Thu Mar 12 05:53:01 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 12 Mar 2015 07:53:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19931#comment-19931 ]

Seth Hall commented on BIT-1333:
--------------------------------

Thanks for testing. I need to add a test and then I think I'll mark this branch for merging for 2.4.

> Bro's ASCII logging facilities do not escape escape characters
> --------------------------------------------------------------
>
>                 Key: BIT-1333
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1333
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: Paul Pearce
>            Assignee: Seth Hall
>
> * Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html).
> * Bro does not however escape \ or ^.
> * This behavior makes recovering the original string impossible as you can not differentiate between an escaped sequence and a string containing those characters.
> Examples:
> $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
> foo \xc2\xae bar \xc2\xae baz
> $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
> foo\0bar\0baz
> $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
> foo ^N bar ^N baz
> Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example). This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality. I'm happy to file a separate feature request for this behavior, if that is preferred.
> I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 12 07:54:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 12 Mar 2015 09:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1338) http response mime types uninitialized in file_over_new_connection event
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19932#comment-19932 ]

Jon Siwek commented on BIT-1338:
--------------------------------

{quote}
The connection object is not available directly from fa_file.
{quote}

The "conns" field of fa_file should hold all the connection records over which the file was transferred, if any. Does that help simplify your analysis? E.g.:

{code}
event file_mime_type(f: fa_file, mime_type: string)
    {
    if ( ! f?$conns )
        return;

    for ( cid in f$conns )
        {
        local c: connection = f$conns[cid];
        # Do stuff with 'c' ...
        }
    }
{code}

{quote}
One suggestion I'd make is 2.4 release notes do not adequately convey this event change (https://www.bro.org/sphinx-git/install/release-notes.html#changed-functionality), at least to me. A note about changes in when information is available in event progression would have helped me.
{quote}

Definitely, I'll add that note. Thanks.

> http response mime types uninitialized in file_over_new_connection event
> ------------------------------------------------------------------------
>
>                 Key: BIT-1338
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1338
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Paul Pearce
>              Labels: mime
>             Fix For: 2.4
>
>
> http resp_mime_types (accessed via: connection$http$resp_mime_types) are no longer initialized during the file_over_new_connection event. This is new behavior between Bro v2.3 and git/master.
> The following snippet shows the new behavior on one of the included bro test traces.
> {code:bash}
> $ bro_v23 -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> F
> {code}
> It's worth pointing out that ultimately the resp_mime_types field does get set for subsequent events.
> {code:bash}
> $ bro_v23 -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 12 07:54:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 12 Mar 2015 09:54:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1338) http response mime types uninitialized in file_over_new_connection event
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1338:
---------------------------

    Fix Version/s: 2.4

> http response mime types uninitialized in file_over_new_connection event
> ------------------------------------------------------------------------
>
>                 Key: BIT-1338
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1338
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Paul Pearce
>              Labels: mime
>             Fix For: 2.4
>
>
> http resp_mime_types (accessed via: connection$http$resp_mime_types) are no longer initialized during the file_over_new_connection event. This is new behavior between Bro v2.3 and git/master.
> The following snippet shows the new behavior on one of the included bro test traces.
> {code:bash}
> $ bro_v23 -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> F
> {code}
> It's worth pointing out that ultimately the resp_mime_types field does get set for subsequent events.
> {code:bash}
> $ bro_v23 -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 12 09:04:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 12 Mar 2015 11:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1338) http response mime types uninitialized in file_over_new_connection event
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1338:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> http response mime types uninitialized in file_over_new_connection event
> ------------------------------------------------------------------------
>
>                 Key: BIT-1338
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1338
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Paul Pearce
>              Labels: mime
>             Fix For: 2.4
>
>
> http resp_mime_types (accessed via: connection$http$resp_mime_types) are no longer initialized during the file_over_new_connection event. This is new behavior between Bro v2.3 and git/master.
> The following snippet shows the new behavior on one of the included bro test traces.
> {code:bash}
> $ bro_v23 -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> F
> {code}
> It's worth pointing out that ultimately the resp_mime_types field does get set for subsequent events.
> {code:bash}
> $ bro_v23 -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 12 13:18:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 12 Mar 2015 15:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1340) RDP analyzer (topic/seth/rdp)
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1340?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1340:
------------------------------

    Assignee: Jon Siwek

> RDP analyzer (topic/seth/rdp)
> -----------------------------
>
>                 Key: BIT-1340
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1340
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Jon Siwek
>
> This is Josh Liburdi's RDP analyzer which was cleaned up some and extended by myself and it's now prepared for merging into master.
> It includes a small change by Johanna Amann to make it work with some odd X509 certificates that are transferred over RDP.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From noreply at bro.org  Fri Mar 13 00:00:30 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 13 Mar 2015 00:00:30 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503130700.t2D70UpW019862@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee    Updated     For Version    Priority    Summary
------------  ------------  -------------  ----------  ----------  -------------  ----------  ------------------------------------------
BIT-1340 [1]  Bro           Seth Hall      Jon Siwek   2015-03-12  -              Normal      RDP analyzer (topic/seth/rdp)
BIT-1332 [2]  Bro           Johanna Amann  -           2015-03-09  2.4            Normal      Please merge topic/johanna/cert-validation
BIT-1330 [3]  pysubnettree  Jon Siwek      -           2015-03-09  2.4            Normal      topic/python3-compat [4]

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  -----------------------------------------------------------
31795e7 [5]  bro          Johanna Amann  2015-03-10  When setting the SSL analyzer to fail, also stop processing

[1] BIT-1340        https://bro-tracker.atlassian.net/browse/BIT-1340
[2] BIT-1332        https://bro-tracker.atlassian.net/browse/BIT-1332
[3] BIT-1330        https://bro-tracker.atlassian.net/browse/BIT-1330
[4] python3-compat  https://github.com/bro/pysubnettree/tree/topic/python3-compat
[5] 31795e7         https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3

From jira at bro-tracker.atlassian.net  Fri Mar 13 04:57:00 2015
From: jira at bro-tracker.atlassian.net (Robert Udd (JIRA))
Date: Fri, 13 Mar 2015 06:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1334) ARP packets tagged as unknown
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1334?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Udd updated BIT-1334:
----------------------------

    Resolution: Solved
        Status: Closed  (was: Open)

> ARP packets tagged as unknown
> -----------------------------
>
>                 Key: BIT-1334
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1334
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robert Udd
>              Labels: arp
>         Attachments: arp8.pcap
>
>
> The ARP script fails to identify the supplied arp packets. Running the ARP script on the supplied pcap only gives unknown_packet_type in weird.log.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 04:57:00 2015
From: jira at bro-tracker.atlassian.net (Robert Udd (JIRA))
Date: Fri, 13 Mar 2015 06:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1334) ARP packets tagged as unknown
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19933#comment-19933 ]

Robert Udd commented on BIT-1334:
---------------------------------

Caused by the VLAN header.

> ARP packets tagged as unknown
> -----------------------------
>
>                 Key: BIT-1334
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1334
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robert Udd
>              Labels: arp
>         Attachments: arp8.pcap
>
>
> The ARP script fails to identify the supplied arp packets. Running the ARP script on the supplied pcap only gives unknown_packet_type in weird.log.
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 07:50:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 09:50:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1340) RDP analyzer (topic/seth/rdp) In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1340?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1340: --------------------------- Fix Version/s: 2.4 > RDP analyzer (topic/seth/rdp) > ----------------------------- > > Key: BIT-1340 > URL: https://bro-tracker.atlassian.net/browse/BIT-1340 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: Seth Hall > Assignee: Jon Siwek > Fix For: 2.4 > > > This is Josh Liburdi's RDP analyzer which was cleaned up some and extended by myself and it's now prepared for merging into master. It's includes a small change by Johanna Amann to make it work with some odd X509 certificates that are transferred over RDP. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 07:55:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 09:55:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19934#comment-19934 ] Jon Siwek commented on BIT-1339: -------------------------------- Seth, do you plan to do this for 2.4 ? 
> Remove src and dst from notice
> ------------------------------
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Assignee: Seth Hall
>
> Email from Brian Kellog...
> Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts.
> {quote}
> I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way. Couple questions:
> Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released.
> Here's what I changed/added to some of the built-in detection scripts (Lines with "+" are what I changed/added):
>
> /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
>         NOTICE([$note=Password_Guessing,
>                 $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
>                 $sub=sub_msg,
> +               #$src=key$host,
> +               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
>                 $identifier=cat(key$host)]);
>         }]);
>
> /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
>         NOTICE([$note=FTP::Bruteforcing,
> +               #$src=key$host,
> +               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
>                 $msg=message,
>                 $identifier=cat(key$host)]);
>         }]);
>
> /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
>         NOTICE([$note=SQL_Injection_Attacker,
>                 $msg="An SQL injection attacker was discovered!",
>                 $email_body_sections=vector(format_sqli_samples(r$samples)),
> +               #$src=key$host,
> +               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
> +               $sub=cat(format_sqli_samples(r$samples)),
>                 $identifier=cat(key$host)]);
>         }]);
>
>         NOTICE([$note=SQL_Injection_Victim,
>                 $msg="An SQL injection victim was discovered!",
>                 $email_body_sections=vector(format_sqli_samples(r$samples)),
> +               #$src=key$host,
> +               $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
> +               $sub=cat(format_sqli_samples(r$samples)),
>                 $identifier=cat(key$host)]);
>         }]);
>
> /opt/bro/share/bro/policy/misc/scan.bro
>         NOTICE([$note=Address_Scan,
>                 #$src=key$host,
> +               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
> +               #$p=to_port(key$str),
>                 $sub=side,
>                 $msg=message,
>                 $identifier=cat(key$host)]);
>         }]);
>
>         NOTICE([$note=Port_Scan,
>                 #$src=key$host,
> +               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
> +               #$dst=to_addr(key$str),
>                 $sub=side,
>                 $msg=message,
>                 $identifier=cat(key$host)]);
>         }]);
>
> /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
>         NOTICE([$note=Traceroute::Detected,
>                 $msg=fmt("%s seems to be running traceroute using %s", src, proto),
> +               #$src=src,
> +               $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
>                 $identifier=cat(src,proto)]);
>         }]);
> {quote}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 07:56:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 09:56:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1337:
---------------------------

    Fix Version/s: 2.4

> Bro worker crash - terminate after 'std::length_error'
> ------------------------------------------------------
>
> Key: BIT-1337
> URL: https://bro-tracker.atlassian.net/browse/BIT-1337
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Josh Liburdi
> Fix For: 2.4
>
>
> Running Bro master with the Kerberos and RDP analyzer branches resulted in one crashed worker on a pf_ring cluster.
> BroControl diag results below:
> terminate called after throwing an instance of 'std::length_error'
>   what():  basic_string::_S_create
> /usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted (core dumped) nohup $mybro "$@"

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 07:56:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 09:56:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1339:
---------------------------

    Fix Version/s: 2.4

> Remove src and dst from notice
> ------------------------------
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Assignee: Seth Hall
> Fix For: 2.4
>
>
> Email from Brian Kellog...
> Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts.
> {quote}
> I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way. Couple questions:
> Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released.
> Here's what I changed/added to some of the built-in detection scripts (Lines with "+" are what I changed/added):
>
> /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
>         NOTICE([$note=Password_Guessing,
>                 $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
>                 $sub=sub_msg,
> +               #$src=key$host,
> +               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
>                 $identifier=cat(key$host)]);
>         }]);
>
> /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
>         NOTICE([$note=FTP::Bruteforcing,
> +               #$src=key$host,
> +               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
>                 $msg=message,
>                 $identifier=cat(key$host)]);
>         }]);
>
> /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
>         NOTICE([$note=SQL_Injection_Attacker,
>                 $msg="An SQL injection attacker was discovered!",
>                 $email_body_sections=vector(format_sqli_samples(r$samples)),
> +               #$src=key$host,
> +               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
> +               $sub=cat(format_sqli_samples(r$samples)),
>                 $identifier=cat(key$host)]);
>         }]);
>
>         NOTICE([$note=SQL_Injection_Victim,
>                 $msg="An SQL injection victim was discovered!",
>                 $email_body_sections=vector(format_sqli_samples(r$samples)),
> +               #$src=key$host,
> +               $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
> +               $sub=cat(format_sqli_samples(r$samples)),
>                 $identifier=cat(key$host)]);
>         }]);
>
> /opt/bro/share/bro/policy/misc/scan.bro
>         NOTICE([$note=Address_Scan,
>                 #$src=key$host,
> +               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
> +               #$p=to_port(key$str),
>                 $sub=side,
>                 $msg=message,
>                 $identifier=cat(key$host)]);
>         }]);
>
>         NOTICE([$note=Port_Scan,
>                 #$src=key$host,
> +               $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
> +               #$dst=to_addr(key$str),
>                 $sub=side,
>                 $msg=message,
>                 $identifier=cat(key$host)]);
>         }]);
>
> /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
>         NOTICE([$note=Traceroute::Detected,
>                 $msg=fmt("%s seems to be running traceroute using %s", src, proto),
> +               #$src=src,
> +               $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
>                 $identifier=cat(src,proto)]);
>         }]);
> {quote}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 07:57:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 09:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1336) ElasticSearch indices in UTC
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1336:
---------------------------

    Fix Version/s: 2.4

> ElasticSearch indices in UTC
> ----------------------------
>
> Key: BIT-1336
> URL: https://bro-tracker.atlassian.net/browse/BIT-1336
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: grigorescu
> Priority: Trivial
> Fix For: 2.4
>
>
> For improved compatibility with Kibana and other ElasticSearch frontends, the timestamps on the Bro indices should be changed to UTC.
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 07:59:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 09:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1335:
---------------------------

    Fix Version/s: 2.4

> Extract all files policy script
> -------------------------------
>
> Key: BIT-1335
> URL: https://bro-tracker.atlassian.net/browse/BIT-1335
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: 2.4
> Reporter: grigorescu
> Priority: Trivial
> Fix For: 2.4
>
>
> We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4?

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 07:59:03 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 09:59:03 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1335:
------------------------------

    Assignee: Jon Siwek

> Extract all files policy script
> -------------------------------
>
> Key: BIT-1335
> URL: https://bro-tracker.atlassian.net/browse/BIT-1335
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: 2.4
> Reporter: grigorescu
> Assignee: Jon Siwek
> Priority: Trivial
> Fix For: 2.4
>
>
> We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4?
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 08:01:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 10:01:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19935#comment-19935 ]

Jon Siwek commented on BIT-1335:
--------------------------------

Should be easy, how to name extracted files, though?  Just File ID + timestamp ?

> Extract all files policy script
> -------------------------------
>
> Key: BIT-1335
> URL: https://bro-tracker.atlassian.net/browse/BIT-1335
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: 2.4
> Reporter: grigorescu
> Assignee: Jon Siwek
> Priority: Trivial
> Fix For: 2.4
>
>
> We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4?
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 08:02:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 10:02:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1333) Bro's ASCII logging facilities do not escape escape characters
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1333:
---------------------------

    Fix Version/s: 2.4

> Bro's ASCII logging facilities do not escape escape characters
> --------------------------------------------------------------
>
> Key: BIT-1333
> URL: https://bro-tracker.atlassian.net/browse/BIT-1333
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Paul Pearce
> Assignee: Seth Hall
> Fix For: 2.4
>
>
> * Bro escapes non-printable ASCII characters with either \x?? or ^ depending on the character (https://www.bro.org/sphinx/scripts/base/bif/strings.bif.bro.html).
> * Bro does not however escape \ or ^.
> * This behavior makes recovering the original string impossible as you can not differentiate between an escaped sequence and a string containing those characters.
>
> Examples:
>
> $ bro -e 'event bro_init() { print "foo \xc2\xae bar \\xc2\\xae baz"; }'
> foo \xc2\xae bar \xc2\xae baz
>
> $ bro -e 'event bro_init() { print "foo\x00bar\\0baz"; }'
> foo\0bar\0baz
>
> $ bro -e 'event bro_init() { print "foo \16 bar ^N baz"; }'
> foo ^N bar ^N baz
>
> Additionally, it would be ideal if there was a way to standardize escaping to a single syntax (\x?? for all, for example). This would allow post-processing of the bro logs in languages like Python or Ruby trivially using existing decode/encode functionality. I'm happy to file a separate feature request for this behavior, if that is preferred.
> I brought this up on the mailing list (http://mailman.icsi.berkeley.edu/pipermail/bro/2015-February/008174.html). It was suggested (off list) that I file a ticket as well.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 08:05:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 10:05:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1331) BroControl manager crashes when logs rotate
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1331:
---------------------------

    Fix Version/s: 2.4

> BroControl manager crashes when logs rotate
> -------------------------------------------
>
> Key: BIT-1331
> URL: https://bro-tracker.atlassian.net/browse/BIT-1331
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master, 2.4
> Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
> Reporter: Josh Liburdi
> Priority: High
> Labels: broctl
> Fix For: 2.4
>
>
> The BroControl manager crashes when the logs rotate. Workers run fine through this process.
> stderr.log output:
> internal error: finish missing
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup "$mybro" "$@"
> send-mail: SENDMAIL-NOTFOUND not found

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 08:08:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 10:08:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1331) BroControl manager crashes when logs rotate
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19936#comment-19936 ]

Jon Siwek commented on BIT-1331:
--------------------------------

Have a stack trace for this?  How frequently does it occur?

> BroControl manager crashes when logs rotate
> -------------------------------------------
>
> Key: BIT-1331
> URL: https://bro-tracker.atlassian.net/browse/BIT-1331
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master, 2.4
> Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
> Reporter: Josh Liburdi
> Priority: High
> Labels: broctl
> Fix For: 2.4
>
>
> The BroControl manager crashes when the logs rotate. Workers run fine through this process.
> stderr.log output:
> internal error: finish missing
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup "$mybro" "$@"
> send-mail: SENDMAIL-NOTFOUND not found

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 08:14:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 10:14:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1325) multiple sqlite writers to same db file yields "database is locked" error
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1325:
------------------------------

    Assignee: Johanna Amann

> multiple sqlite writers to same db file yields "database is locked" error
> -------------------------------------------------------------------------
>
> Key: BIT-1325
> URL: https://bro-tracker.atlassian.net/browse/BIT-1325
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Tony Cebzanov
> Assignee: Johanna Amann
> Labels: logging, sqlite
> Fix For: 2.4
>
> Attachments: bro_sqlite_busy_wait.patch
>
>
> I want to have multiple log streams logged to the same sqlite database, but when trying to log to sqlite using the following configuration:
> {code}
> local filter: Log::Filter =
>     [
>         $name="sqlite_conn",
>         $path="analysis",
>         $config=table(["tablename"] = "conn"),
>         $writer=Log::WRITER_SQLITE
>     ];
> Log::add_filter(Conn::LOG, filter);
>
> local http_filter: Log::Filter =
>     [
>         $name="sqlite_http",
>         $path="analysis",
>         $config=table(["tablename"] = "http"),
>         $writer=Log::WRITER_SQLITE
>     ];
> Log::add_filter(HTTP::LOG, http_filter);
> {code}
> I get the following error:
> {code}
> error: analysis/Log::WRITER_SQLITE: Error executing table creation statement: database is locked
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 08:14:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 10:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1325) multiple sqlite writers to same db file yields "database is locked" error
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1325:
---------------------------

    Fix Version/s: 2.4

> multiple sqlite writers to same db file yields "database is locked" error
> -------------------------------------------------------------------------
>
> Key: BIT-1325
> URL: https://bro-tracker.atlassian.net/browse/BIT-1325
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Tony Cebzanov
> Labels: logging, sqlite
> Fix For: 2.4
>
> Attachments: bro_sqlite_busy_wait.patch
>
>
> I want to have multiple log streams logged to the same sqlite database, but when trying to log to sqlite using the following configuration:
> {code}
> local filter: Log::Filter =
>     [
>         $name="sqlite_conn",
>         $path="analysis",
>         $config=table(["tablename"] = "conn"),
>         $writer=Log::WRITER_SQLITE
>     ];
> Log::add_filter(Conn::LOG, filter);
>
> local http_filter: Log::Filter =
>     [
>         $name="sqlite_http",
>         $path="analysis",
>         $config=table(["tablename"] = "http"),
>         $writer=Log::WRITER_SQLITE
>     ];
> Log::add_filter(HTTP::LOG, http_filter);
> {code}
> I get the following error:
> {code}
> error: analysis/Log::WRITER_SQLITE: Error executing table creation statement: database is locked
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 08:20:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 10:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1325) multiple sqlite writers to same db file yields "database is locked" error
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19937#comment-19937 ]

Jon Siwek commented on BIT-1325:
--------------------------------

Johanna, if this isn't something trivial to fix for 2.4, I think it's fine to push back for 2.5 -- busy-waiting does seem like a simple way to get it working but maybe want to hold off for a better approach as suggested.

> multiple sqlite writers to same db file yields "database is locked" error
> -------------------------------------------------------------------------
>
> Key: BIT-1325
> URL: https://bro-tracker.atlassian.net/browse/BIT-1325
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Reporter: Tony Cebzanov
> Assignee: Johanna Amann
> Labels: logging, sqlite
> Fix For: 2.4
>
> Attachments: bro_sqlite_busy_wait.patch
>
>
> I want to have multiple log streams logged to the same sqlite database, but when trying to log to sqlite using the following configuration:
> {code}
> local filter: Log::Filter =
>     [
>         $name="sqlite_conn",
>         $path="analysis",
>         $config=table(["tablename"] = "conn"),
>         $writer=Log::WRITER_SQLITE
>     ];
> Log::add_filter(Conn::LOG, filter);
>
> local http_filter: Log::Filter =
>     [
>         $name="sqlite_http",
>         $path="analysis",
>         $config=table(["tablename"] = "http"),
>         $writer=Log::WRITER_SQLITE
>     ];
> Log::add_filter(HTTP::LOG, http_filter);
> {code}
> I get the following error:
> {code}
> error: analysis/Log::WRITER_SQLITE: Error executing table creation statement: database is locked
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 09:38:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 11:38:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1324:
---------------------------

    Fix Version/s: 2.4

> default_path_func does weird things to underscores
> --------------------------------------------------
>
> Key: BIT-1324
> URL: https://bro-tracker.atlassian.net/browse/BIT-1324
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Justin Azoff
> Priority: Low
> Labels: logging
> Fix For: 2.4
>
>
> The following script creates a
> {noformat}
> foo__b_ar.log
> {noformat}
>
> instead of the expected {noformat}foo_bar{noformat}
> {code}
> module FOO_BAR;
> export {
>     redef enum Log::ID += { LOG };
>     type Info: record {
>         ts: time &log;
>         msg: string &log;
>     };
> }
> event bro_init() {
>     Log::create_stream(LOG, [$columns=Info]);
>     local l = [$ts = network_time(), $msg="hello"];
>     Log::write(LOG, l);
>     print "Logged";
> }
> {code}
> The problem is in script land in default_path_func
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
> outputs
> {code}
> [FOO, _B, AR]
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 09:38:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 11:38:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1324:
------------------------------

    Assignee: Jon Siwek

> default_path_func does weird things to underscores
> --------------------------------------------------
>
> Key: BIT-1324
> URL: https://bro-tracker.atlassian.net/browse/BIT-1324
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Justin Azoff
> Assignee: Jon Siwek
> Priority: Low
> Labels: logging
> Fix For: 2.4
>
>
> The following script creates a
> {noformat}
> foo__b_ar.log
> {noformat}
>
> instead of the expected {noformat}foo_bar{noformat}
> {code}
> module FOO_BAR;
> export {
>     redef enum Log::ID += { LOG };
>     type Info: record {
>         ts: time &log;
>         msg: string &log;
>     };
> }
> event bro_init() {
>     Log::create_stream(LOG, [$columns=Info]);
>     local l = [$ts = network_time(), $msg="hello"];
>     Log::write(LOG, l);
>     print "Logged";
> }
> {code}
> The problem is in script land in default_path_func
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
> outputs
> {code}
> [FOO, _B, AR]
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 09:38:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 11:38:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19938#comment-19938 ]

Jon Siwek commented on BIT-1324:
--------------------------------

I also find it to be odd behavior; generally it may be hard for a user to understand how exactly the file name gets derived from their choice of module and {{Log::ID}} enum naming.

We should make the common case simpler.  E.g. provide a new function

{code}
global Log::create_stream_with_default_path: function(id: Log::ID, stream: Log::Stream, path: string) : bool;
{code}

Then just replace all current calls to {{Log::create_stream}} with that, which explicitly specifies the default path for each stream.

It should also not set the {{path_func}} to {{default_path_func}} at all for the sake of saving cycles -- each write operation for a filter currently calls out to {{default_path_func}}, but only the first one does something useful if {{path}} isn't set (but it would be now).

Wouldn't be hard to do for 2.4 if people like that idea.  Thoughts?

> default_path_func does weird things to underscores
> --------------------------------------------------
>
> Key: BIT-1324
> URL: https://bro-tracker.atlassian.net/browse/BIT-1324
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Justin Azoff
> Priority: Low
> Labels: logging
> Fix For: 2.4
>
>
> The following script creates a
> {noformat}
> foo__b_ar.log
> {noformat}
>
> instead of the expected {noformat}foo_bar{noformat}
> {code}
> module FOO_BAR;
> export {
>     redef enum Log::ID += { LOG };
>     type Info: record {
>         ts: time &log;
>         msg: string &log;
>     };
> }
> event bro_init() {
>     Log::create_stream(LOG, [$columns=Info]);
>     local l = [$ts = network_time(), $msg="hello"];
>     Log::write(LOG, l);
>     print "Logged";
> }
> {code}
> The problem is in script land in default_path_func
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
> outputs
> {code}
> [FOO, _B, AR]
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 09:42:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 11:42:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1316) New plugin component: threads
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1316:
---------------------------

    Fix Version/s: 2.5

> New plugin component: threads
> -----------------------------
>
> Key: BIT-1316
> URL: https://bro-tracker.atlassian.net/browse/BIT-1316
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Robin Sommer
> Fix For: 2.5
>
>
> It would be nice to add another type of plugin components: threads.
> A plugin could then define functionality that runs inside its own thread (e.g., talking to the rest of the world via sockets). We can provide it with an API to send events to Bro; and maybe we can make bifs work transparently so that if a user calls one of the plugin's functions in script-land, the arguments will be serialized and sent over to the plugin thread.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 09:46:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 11:46:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1313:
---------------------------

    Fix Version/s: 2.4

> Add help and all options to -B
> -------------------------------
>
> Key: BIT-1313
> URL: https://bro-tracker.atlassian.net/browse/BIT-1313
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Reporter: jdonnelly
> Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: log.diff
>
>
> Expand -B to include all, help, and list all the various debug trace points:
>
> # /usr/local/bro/bin/bro -B poo
> fatal error: unknown debug stream poo, try -B help.
>
> # /usr/local/bro/bin/bro -B help
> Options may be separated by ","
> all
> help
> serial
> rules
> comm
> state
> chunkedio
> compressor
> string
> notifiers
> main-loop
> dpd
> tm
> logging
> input
> threading
> file_analysis
> plugins
> broxygen
> pktio

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 10:45:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 12:45:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1311) GRE tunnels should be reported as Tunnel::GRE in tunnels.log
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1311?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1311:
---------------------------

    Fix Version/s: 2.4

> GRE tunnels should be reported as Tunnel::GRE in tunnels.log
> ------------------------------------------------------------
>
> Key: BIT-1311
> URL: https://bro-tracker.atlassian.net/browse/BIT-1311
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Fix For: 2.4
>
>
> They are reported as Tunnel::IP right now and that doesn't feel right.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 10:59:00 2015
From: jira at bro-tracker.atlassian.net (Aashish Sharma (JIRA))
Date: Fri, 13 Mar 2015 12:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1182) Input-framework thread spwan
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aashish Sharma updated BIT-1182:
--------------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

I tested out 30K+ adds/deletes with input framework. The problem was that I was inadvertently firing exec framework. Modified/fixed my script now.
Closing this ticket - Events created with input-framework has near negligible overheads! > Input-framework thread spwan > ---------------------------- > > Key: BIT-1182 > URL: https://bro-tracker.atlassian.net/browse/BIT-1182 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.2 > Reporter: Aashish Sharma > Labels: input-framework > > Using the mode REREAD, I noticed that input-framework spawns a thread for every add/change/delete for the elements in the feed file. > this is a VERY desired feature and powerful capability and works quite well in general settings. > Since, all the changes in a file spawns a thread to process for: EVENT_NEW, EVENT_CHANGED, EVENT_REMOVED, If there are lets say 5000 Changes in the file, there would be 5000 threads spawned at the same time. this is still alright and system can handle load and processing is done in a few seconds. > However, if I include a when statement along with exec framework usage to execute an action in Input::EVENT_NEW, Input::EVENT_CHANGED or Input::EVENT_REMOVED - all threads spawned together freezes bro from processing any packets at all. > It would be nice if we can serialize this thread creation and spawn only a few at a time. This way we can spread out the increased load over next N mins instead of freezing bro to a standstill. > (As always, please let me know if you want code to be able to re-produce this issue). 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 11:02:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 13:02:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1309) src/Conn.h : export orig_flow_label In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1309?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1309: --------------------------- Fix Version/s: 2.4 > src/Conn.h : export orig_flow_label > ----------------------------------- > > Key: BIT-1309 > URL: https://bro-tracker.atlassian.net/browse/BIT-1309 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: jdonnelly > Fix For: 2.4 > > Attachments: conn.patch > > > Return Conn()->GetOrigFlowLabel() -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 11:25:01 2015 From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA)) Date: Fri, 13 Mar 2015 13:25:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19941#comment-19941 ] Seth Hall commented on BIT-1335: -------------------------------- Actually, I wouldn't even be opposed to changing the built in file naming to get rid of the protocol and just move to the suggestion you just made of uid and timestamp. 
> Extract all files policy script
> -------------------------------
>
>                 Key: BIT-1335
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1335
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: grigorescu
>            Assignee: Jon Siwek
>            Priority: Trivial
>             Fix For: 2.4
>
>
> We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4?

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 11:25:01 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 13 Mar 2015 13:25:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19940#comment-19940 ]

Seth Hall commented on BIT-1335:
--------------------------------

We could always just do the single line script of...

event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); }

> Extract all files policy script
> -------------------------------
>
>                 Key: BIT-1335
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1335
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: grigorescu
>            Assignee: Jon Siwek
>            Priority: Trivial
>             Fix For: 2.4
>
>
> We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4?
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 11:34:00 2015 From: jira at bro-tracker.atlassian.net (Aashish Sharma (JIRA)) Date: Fri, 13 Mar 2015 13:34:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19942#comment-19942 ] Aashish Sharma commented on BIT-1335: ------------------------------------- I prefer keeping protocol + fid - Easy to sort extracted files in different buckets quickly when going through a big pcap. Generally there isn't big need to tie back a file with session since the extractions are "going forward" in workflow. However FID is sufficient to tie backwards with other logs. I am sure you have a better use case for uid+timestamp. I cannot quite think of one. (I take timestamp is for case where multiple files are part of same uid ?) > Extract all files policy script > ------------------------------- > > Key: BIT-1335 > URL: https://bro-tracker.atlassian.net/browse/BIT-1335 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: 2.4 > Reporter: grigorescu > Assignee: Jon Siwek > Priority: Trivial > Fix For: 2.4 > > > We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4? 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 12:02:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 14:02:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19943#comment-19943 ] Jon Siwek commented on BIT-1335: -------------------------------- I was mostly suggesting File ID + timestamp because I didn't remember that a default file name is provided, but I was also thinking it helps protect against File ID collisions over an extended period of time from clobbering each other. I'll change the default naming to timestamp-protocol-FID and add the one-liner extract-all script. > Extract all files policy script > ------------------------------- > > Key: BIT-1335 > URL: https://bro-tracker.atlassian.net/browse/BIT-1335 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: 2.4 > Reporter: grigorescu > Assignee: Jon Siwek > Priority: Trivial > Fix For: 2.4 > > > We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4? 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 12:27:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 14:27:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1335: --------------------------- Resolution: Fixed Status: Closed (was: Open) > Extract all files policy script > ------------------------------- > > Key: BIT-1335 > URL: https://bro-tracker.atlassian.net/browse/BIT-1335 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: 2.4 > Reporter: grigorescu > Assignee: Jon Siwek > Priority: Trivial > Fix For: 2.4 > > > We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4? 
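The BIT-1335 thread above settles on two things: an "extract all files" script that is essentially a one-line file_new handler, and a default on-disk name of timestamp-protocol-FID so that a File ID reused over a long capture cannot clobber an earlier extraction. The script below is an added example written for this page; it is not the extract-all script Jon committed for 2.4 and not code from any of the ticket participants. It applies the agreed naming scheme explicitly and adds an optional per-protocol allow list. The FileExtract::prefix path, the ExtractAll module name and the protocols set are assumptions for the example.

```bro
##! Added example for BIT-1335 (not Bro's own extract-all script): extract
##! every file Bro sees and name it <timestamp>-<protocol>-<fid>, so two
##! files that ever share a File ID land in distinct files on disk.

@load base/files/extract

module ExtractAll;

export {
	## Directory extracted files are written to. The path is an assumption
	## for this example; point it at storage you can afford to fill, since
	## "extract everything" on a busy link is a disk-exhaustion risk.
	redef FileExtract::prefix = "/var/bro/extracted/";

	## Optional allow list of source protocols (f$source values such as
	## "HTTP", "SMTP", "FTP_DATA"). Empty means extract from every source.
	const protocols: set[string] = set() &redef;
}

## Build the on-disk name. network_time() is the timestamp of the packet
## currently being processed, so the same pcap replayed twice yields the same
## names, while live traffic that reuses a File ID later gets a different
## timestamp and therefore a different file.
function extract_name(f: fa_file): string
	{
	local ts = strftime("%Y%m%d-%H%M%S", network_time());
	return fmt("%s-%s-%s", ts, f$source, f$id);
	}

event file_new(f: fa_file)
	{
	if ( |protocols| > 0 && f$source !in protocols )
		return;

	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=extract_name(f)]);
	}
```

Run it against a capture with `bro -r sample.pcap extract-all.bro` (the script name is arbitrary) and compare the names in the extraction directory with the fuid column of files.log; the FID suffix is what ties an extracted file back to files.log, conn.log and http.log, while the protocol segment keeps the bucketing Aashish asked for when triaging a large pcap.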
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 12:27:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 14:27:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1311) GRE tunnels should be reported as Tunnel::GRE in tunnels.log In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1311?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1311: --------------------------- Resolution: Fixed Status: Closed (was: Open) > GRE tunnels should be reported as Tunnel::GRE in tunnels.log > ------------------------------------------------------------ > > Key: BIT-1311 > URL: https://bro-tracker.atlassian.net/browse/BIT-1311 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Seth Hall > Fix For: 2.4 > > > They are reported as Tunnel::IP right now and that doesn't feel right. 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 12:27:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 14:27:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1309) src/Conn.h : export orig_flow_label In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1309?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1309: --------------------------- Resolution: Fixed Status: Closed (was: Open) > src/Conn.h : export orig_flow_label > ----------------------------------- > > Key: BIT-1309 > URL: https://bro-tracker.atlassian.net/browse/BIT-1309 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: jdonnelly > Fix For: 2.4 > > Attachments: conn.patch > > > Return Conn()->GetOrigFlowLabel() -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 13:01:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 15:01:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1305) Consider marking some attributes as deprecated In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19944#comment-19944 ] Jon Siwek commented on BIT-1305: -------------------------------- topic/jsiwek/bit-1305 deprecates everything except &persistent and &synchronized. We should wait at least one version to deprecate those, especially since scripts that ship w/ Bro still use &synchronized -- i.e. we shouldn't issue deprecation warnings for stuff that ships w/ Bro by default. 
> Consider marking some attributes as deprecated > ---------------------------------------------- > > Key: BIT-1305 > URL: https://bro-tracker.atlassian.net/browse/BIT-1305 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: Jon Siwek > Fix For: 2.4 > > > Likely candidates for deprecation: > &rotate_interval > &rotate_size > &encrypt > &mergeable > &synchronize > &persistent > &group > While the mechanism I added in BIT-757 can't be used to mark attributes as deprecated, I'm thinking it's not difficult to just hard code the scanner to emit a warning when encountering certain attributes. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 13:01:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 15:01:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1305) Consider marking some attributes as deprecated In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek reassigned BIT-1305: ------------------------------ Assignee: Robin Sommer > Consider marking some attributes as deprecated > ---------------------------------------------- > > Key: BIT-1305 > URL: https://bro-tracker.atlassian.net/browse/BIT-1305 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: Jon Siwek > Assignee: Robin Sommer > Fix For: 2.4 > > > Likely candidates for deprecation: > &rotate_interval > &rotate_size > &encrypt > &mergeable > &synchronize > &persistent > &group > While the mechanism I added in BIT-757 can't be used to mark attributes as deprecated, I'm thinking it's not difficult to just hard code the scanner to emit a warning when encountering certain attributes. 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 13:01:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 15:01:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1305) Consider marking some attributes as deprecated In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1305: --------------------------- Status: Merge Request (was: Open) > Consider marking some attributes as deprecated > ---------------------------------------------- > > Key: BIT-1305 > URL: https://bro-tracker.atlassian.net/browse/BIT-1305 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: Jon Siwek > Fix For: 2.4 > > > Likely candidates for deprecation: > &rotate_interval > &rotate_size > &encrypt > &mergeable > &synchronize > &persistent > &group > While the mechanism I added in BIT-757 can't be used to mark attributes as deprecated, I'm thinking it's not difficult to just hard code the scanner to emit a warning when encountering certain attributes. 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 13:16:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 15:16:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1303) pysubnettree tests should be changed to use btest In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1303: --------------------------- Fix Version/s: (was: 2.4) 2.5 > pysubnettree tests should be changed to use btest > ------------------------------------------------- > > Key: BIT-1303 > URL: https://bro-tracker.atlassian.net/browse/BIT-1303 > Project: Bro Issue Tracker > Issue Type: Problem > Components: pysubnettree > Reporter: Daniel Thayer > Fix For: 2.5 > > > The test cases in pysubnettree should be changed to use btest > so that the tests are easier to run and can be better organized > by splitting them into multiple test files. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 13:18:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 15:18:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1303) pysubnettree tests should be changed to use btest In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19945#comment-19945 ] Jon Siwek commented on BIT-1303: -------------------------------- Daniel, I thought maybe you had a branch for this? If it's ready, flip the ticket back to a 2.4 merge request. 
> pysubnettree tests should be changed to use btest
> -------------------------------------------------
>
>                 Key: BIT-1303
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1303
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: pysubnettree
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> The test cases in pysubnettree should be changed to use btest
> so that the tests are easier to run and can be better organized
> by splitting them into multiple test files.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 13:20:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 15:20:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1301) Log::add_filter should have a transform func
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1301:
---------------------------

    Fix Version/s: 2.5

> Log::add_filter should have a transform func
> --------------------------------------------
>
>                 Key: BIT-1301
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1301
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>            Reporter: Justin Azoff
>            Assignee: Justin Azoff
>              Labels: logging
>             Fix For: 2.5
>
>
> One should be able to do something like
> {code}
> Log::add_filter(HTTP::LOG, [
>     $transform=function(rec: HTTP::Info): HTTP::Info {
>         #modify rec somehow
>     }
> ]);
> {code}
> Not sure if it should modify the record in place, or return the modified version.
> This could allow the user to do similar things to include/exclude, but on a more granular level.
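BIT-1301 asks for a $transform hook that does not exist in the 2.x logging framework. For context on what a filter can already do without it, the script below is an added example written for this page, not code from the ticket or from Bro's own scripts: a filter can decide per record whether it is written ($pred), drop whole columns ($exclude or $include) and choose the output path ($path), but it cannot rewrite a field's value, which is exactly the gap the ticket describes. The module name, the set of methods and the choice to drop user_agent are assumptions for the example.

```bro
##! Added example for BIT-1301 (not code from the ticket or from Bro): what
##! Log::add_filter can do today. The filter writes a second HTTP log that
##! contains only state-changing requests and omits the user_agent column.
##! Note there is no way here to redact a value inside a record; a filter
##! either keeps a column or drops it.

@load base/protocols/http

module HTTPFilterExample;

export {
	## Methods that get their own trimmed log (assumed policy for the example).
	const interesting_methods: set[string] = { "POST", "PUT", "DELETE" } &redef;
}

## Per-record predicate: return T to write the record through this filter.
## $pred receives the stream's record type, HTTP::Info for HTTP::LOG.
function keep_record(rec: HTTP::Info): bool
	{
	return rec?$method && rec$method in interesting_methods;
	}

event bro_init()
	{
	# A second filter on the same stream leaves the default http.log intact
	# and adds http_writes.log alongside it.
	Log::add_filter(HTTP::LOG, [$name="http-writes",
	                            $path="http_writes",
	                            $pred=keep_record,
	                            # user_agent is high-cardinality and often
	                            # identifying; leave it out of this copy.
	                            $exclude=set("user_agent")]);
	}
```

With `bro -r http.pcap http-writes.bro` you get the normal http.log plus http_writes.log containing only the POST/PUT/DELETE records without the user_agent column; to change a value (for example to hash the uri field) you would still have to modify the record in the protocol's own event handlers before Log::write is called, which is the workaround the $transform proposal is meant to remove.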
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 13:28:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 15:28:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1300) add cscope to Makefile In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1300?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1300: --------------------------- Resolution: Rejected Status: Closed (was: Open) Seems like it may be better to just put an alias/function in your shell's rc file for this. > add cscope to Makefile > ---------------------- > > Key: BIT-1300 > URL: https://bro-tracker.atlassian.net/browse/BIT-1300 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro > Reporter: jdonnelly > -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 13:34:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 15:34:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1283) Bro crashes when using &encrypt In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1283?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1283: --------------------------- Status: Closed (was: Reopened) It's fixed, but deprecated now. > Bro crashes when using &encrypt > ------------------------------- > > Key: BIT-1283 > URL: https://bro-tracker.atlassian.net/browse/BIT-1283 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Environment: bro version 2.3-263-debug > Reporter: AK > Fix For: 2.4 > > > Bro crashes when applying the &encrypt attribute when opening a file. 
> bro -Ci eth0 -e 'global f1: file = open("f.out") &encrypt;'

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 13:38:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 15:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1276) DEB package(s) won't install on Ubuntu 14.04 - LTS
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1276?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1276:
---------------------------

    Fix Version/s: 2.4

> DEB package(s) won't install on Ubuntu 14.04 - LTS
> ---------------------------------------------------
>
>                 Key: BIT-1276
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1276
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: jdonnelly
>             Fix For: 2.4
>
>
> Starting with Ubuntu 14.01 x64 installed
> and using Bro-2.3.1-Linux-x86_64.deb
> dpkg --install Bro-2.3.1-Linux-x86_64.deb
> (Reading database ... 122099 files and directories currently installed.)
> Preparing to unpack Bro-2.3.1-Linux-x86_64.deb ...
> Unpacking bro (2.3.1) over (2.3.1) ...
> dpkg: dependency problems prevent configuration of bro:
>  bro depends on libc6 (<< 2.12); however:
>   Version of libc6:amd64 on system is 2.19-0ubuntu6.3.
>  bro depends on libpython2.6 (>= 2.6); however:
>   Package libpython2.6 is not installed.
> dpkg: error processing package bro (--install):
>  dependency problems - leaving unconfigured
> Errors were encountered while processing
> Method 2:
> root@dyn-x64-01:~# gdebi Bro-*.deb
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Building data structures... Done
> Building data structures... Done
> This package is uninstallable
> Dependency is not satisfiable: libc6 (< 2.12)
> root@dyn-x64-01:~#
> Is "git clone" from source the only reasonable way to install Bro?
> Thank you for Bro.
> Jd

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 13:40:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 15:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1276) DEB package(s) won't install on Ubuntu 14.04 - LTS
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1276?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1276:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

For future binary packages, the plan is to use the OpenSUSE Build Service to target a wider range of platforms more directly.

> DEB package(s) won't install on Ubuntu 14.04 - LTS
> ---------------------------------------------------
>
>                 Key: BIT-1276
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1276
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>            Reporter: jdonnelly
>             Fix For: 2.4
>
>
> Starting with Ubuntu 14.01 x64 installed
> and using Bro-2.3.1-Linux-x86_64.deb
> dpkg --install Bro-2.3.1-Linux-x86_64.deb
> (Reading database ... 122099 files and directories currently installed.)
> Preparing to unpack Bro-2.3.1-Linux-x86_64.deb ...
> Unpacking bro (2.3.1) over (2.3.1) ...
> dpkg: dependency problems prevent configuration of bro:
>  bro depends on libc6 (<< 2.12); however:
>   Version of libc6:amd64 on system is 2.19-0ubuntu6.3.
>  bro depends on libpython2.6 (>= 2.6); however:
>   Package libpython2.6 is not installed.
> dpkg: error processing package bro (--install):
>  dependency problems - leaving unconfigured
> Errors were encountered while processing
> Method 2:
> root@dyn-x64-01:~# gdebi Bro-*.deb
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Building data structures... Done
> Building data structures... Done
> This package is uninstallable
> Dependency is not satisfiable: libc6 (< 2.12)
> root@dyn-x64-01:~#
> Is "git clone" from source the only reasonable way to install Bro?
> Thank you for Bro.
> Jd

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 13:47:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 15:47:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1275) README (or install) need better build instructions
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1275:
---------------------------

    Fix Version/s: 2.4

> README (or install) need better build instructions
> ---------------------------------------------------
>
>                 Key: BIT-1275
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1275
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>         Environment: Ubuntu 14.04 LTS
>            Reporter: jdonnelly
>             Fix For: 2.4
>
>
> The build instructions (specifically the required packages) from
> https://www.bro.org/sphinx-git/install/install.html
> should be added to the README file so the product can be built from source without having to consult (or search for on the web) how to cure the
> ./configure errors.
> Thank you,

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 13:47:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 15:47:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1275) README (or install) need better build instructions
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1275:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> README (or install) need better build instructions
> ---------------------------------------------------
>
>                 Key: BIT-1275
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1275
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>         Environment: Ubuntu 14.04 LTS
>            Reporter: jdonnelly
>
> The build instructions (specifically the required packages) from
> https://www.bro.org/sphinx-git/install/install.html
> should be added to the README file so the product can be built from source without having to consult (or search for on the web) how to cure the
> ./configure errors.
> Thank you,

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Fri Mar 13 13:58:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 15:58:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1257) Same file id generated for potentially different files
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1257:
---------------------------

    Fix Version/s: 2.4

> Same file id generated for potentially different files
> ------------------------------------------------------
>
>                 Key: BIT-1257
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1257
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>            Assignee: Seth Hall
>             Fix For: 2.4
>
>         Attachments: fa.bro, sample-samefileid.pcap
>
>
> Attached sample contains two HTTP downloads of the same URL from the same client, but there are no guarantees that the file is actually the same (no Etags etc - in this case it actually is the same, but let's pretend they were different...). However the file analysis framework seems to give the same file ID in file_name and file_chunk for both downloads.
> Think this is something to do with Range requests as it doesn't happen if I do "normal" HTTP requests.
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Fri Mar 13 14:02:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 13 Mar 2015 16:02:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1255) TCP reassembly issue In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1255: --------------------------- Fix Version/s: 2.4 > TCP reassembly issue > -------------------- > > Key: BIT-1255 > URL: https://bro-tracker.atlassian.net/browse/BIT-1255 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master, 2.3 > Environment: CentOS 6 > Reporter: Jimmy Jones > Fix For: 2.4 > > Attachments: out.pcap > > > Been testing bro with some messy (but valid) TCP streams, using docker and netem (happy to upload a gist if people are interested). > The attached file reassembles correctly in wireshark, but bro only gives the first 4069 bytes when extracted with the file analysis framework, and obviously the wrong hash (md5 is the URI). 
-- 
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)


From jira at bro-tracker.atlassian.net  Fri Mar 13 14:04:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1255) TCP reassembly issue
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1255:
------------------------------

    Assignee: Jon Siwek

> TCP reassembly issue
> --------------------
>
>     Key: BIT-1255
>     URL: https://bro-tracker.atlassian.net/browse/BIT-1255
>     Project: Bro Issue Tracker
>     Issue Type: Problem
>     Components: Bro
>     Affects Versions: git/master, 2.3
>     Environment: CentOS 6
>     Reporter: Jimmy Jones
>     Assignee: Jon Siwek
>     Fix For: 2.4
>
>     Attachments: out.pcap
>
>
> Been testing bro with some messy (but valid) TCP streams, using docker and netem (happy to upload a gist if people are interested).
> The attached file reassembles correctly in wireshark, but bro only gives the first 4069 bytes when extracted with the file analysis framework, and obviously the wrong hash (md5 is the URI).


From jira at bro-tracker.atlassian.net  Fri Mar 13 14:20:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1239) Crash because StringVal ref_cnt greater than INT_MAX
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1239?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1239:
---------------------------

    Resolution: Fixed
    Status: Closed  (was: Open)

Don't recall any recent reports of ref counting problems, so think this was probably solved by the commit I mentioned. Re-open if not.

> Crash because StringVal ref_cnt greater than INT_MAX
> ----------------------------------------------------
>
>     Key: BIT-1239
>     URL: https://bro-tracker.atlassian.net/browse/BIT-1239
>     Project: Bro Issue Tracker
>     Issue Type: Problem
>     Components: Bro
>     Affects Versions: git/master, 2.3
>     Reporter: Johanna Amann
>     Fix For: 2.4
>
>
> Several of the workers of our cluster recently crashed because of the compare in line 212 of Obj.h (function Ref, where o->ref_cnt is compared to INT_MAX).
> Closer examination of the stack traces of a few systems reveals that it was the StringVal base_type which was ref'd more than INT_MAX times.
> In the last few times, a user in our network performed tests generating a massive amount of connections, including tests with just syn-packets. It is therefore probably a good guess that somewhere in the connection handling, a ref on a base_type is called without a corresponding unref.
> Relevant part of a backtrace:
> {code}
> #0  0x000000080194cfcc in kill () from /lib/libc.so.7
> #1  0x000000080194bdcb in abort () from /lib/libc.so.7
> #2  0x00000000004ca550 in Reporter::InternalError (this=)
>     at /home/robin/bro/master/src/Reporter.cc:137
> #3  0x00000000004d1d79 in bad_ref (type=)
>     at /home/robin/bro/master/src/Obj.cc:253
> #4  0x00000000005273cd in base_type (tag=) at Obj.h:208
> #5  0x0000000000538d8b in StringVal (this=0x87abca240, length=66,
>     s=0x85b5e3290 "[...]") at Val.h:369
> {code}
> stderr.log:
> {code}
> 1406688636.803846 processing suspended
> 1406688636.803849 processing continued
> 1406688642.801786 Failed to open GeoIP Cityv6 database: /usr/local/share/GeoIP/GeoIPCityv6.dat
> 1406688642.801786 Failed to open GeoIPv6 Country database: /usr/local/share/GeoIP/GeoIPv6.dat
> 1409680506.073977 internal error: bad reference count [1]
> /xa/bro/share/broctl/scripts/run-bro: line 85: 98029 Abort trap: 6 (core dumped) nohup $mybro "$@"
> {code}


From jira at bro-tracker.atlassian.net  Fri Mar 13 14:24:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:24:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1228) broctl needs to keep track of desired state
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1228?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19950#comment-19950 ]

Jon Siwek commented on BIT-1228:
--------------------------------

Seems like this is done now? If so, please close the ticket.

> broctl needs to keep track of desired state
> -------------------------------------------
>
>     Key: BIT-1228
>     URL: https://bro-tracker.atlassian.net/browse/BIT-1228
>     Project: Bro Issue Tracker
>     Issue Type: Problem
>     Components: BroControl
>     Reporter: Justin Azoff
>     Assignee: Justin Azoff
>     Priority: Low
>     Fix For: 2.4
>
>
> On a multi-node cluster the following sequence of events can happen:
> * A cluster node (node-2) has a power problem and is shut down
> * broctl stop is run on the manager
> * broctl then fails to stop bro on node-2
> * node-2 reboots
> * broctl cron restarts bro on node-2 because the last known state is up
> The problem can happen in reverse as well, where broctl will not restart bro on a node that was down.
> The problem arises because broctl stores the actual state of the nodes, but not the desired state. Commands like stop and start need to set the desired state first, and then attempt to sync reality with that state information. broctl cron then just needs to attempt a similar sync.
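The desired-state reconciliation described in BIT-1228, as an added example that is not broctl's own code: a toy in-memory controller replays the ticket's power-loss sequence (and the reverse case) once under the old "last known state" logic and once with desired-state syncing. Controller, Node, cron_legacy and cron are hypothetical names.

```python
"""Desired-state reconciliation for a broctl-like cluster controller.

Added example, not broctl's own code: replays the BIT-1228 sequence under
the old "last known state" logic and under desired-state syncing.
Controller, Node, cron_legacy and cron are hypothetical names.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Node:
    name: str
    reachable: bool = True   # can the manager reach the host right now?
    running: bool = False    # is the bro process actually up on it?


@dataclass
class Controller:
    nodes: Dict[str, Node]
    # What the operator asked for ("up"/"down"): the piece BIT-1228 says is missing.
    desired: Dict[str, str] = field(default_factory=dict)
    # What legacy broctl stored: the last state it actually observed.
    last_known: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _attempt(self, node: Node, action: str) -> bool:
        """Try to start/stop bro on a node; fails when the host is unreachable."""
        if not node.reachable:
            self.log.append(f"{node.name}: {action} failed (unreachable)")
            return False
        node.running = action == "start"
        self.last_known[node.name] = "up" if node.running else "down"
        self.log.append(f"{node.name}: {action} ok")
        return True

    def start(self) -> None:
        for node in self.nodes.values():
            self.desired[node.name] = "up"     # record intent first ...
            self._attempt(node, "start")       # ... then try to sync reality

    def stop(self) -> None:
        for node in self.nodes.values():
            self.desired[node.name] = "down"
            self._attempt(node, "stop")

    def cron_legacy(self) -> None:
        """Old behaviour: restart whatever was last seen up and is now down."""
        for node in self.nodes.values():
            if self.last_known.get(node.name) == "up" and not node.running:
                self._attempt(node, "start")

    def cron(self) -> None:
        """New behaviour: make reality match the desired state, in both directions."""
        for node in self.nodes.values():
            want_up = self.desired.get(node.name) == "up"
            if want_up and not node.running:
                self._attempt(node, "start")
            elif not want_up and node.running:
                self._attempt(node, "stop")


def _cluster() -> Controller:
    return Controller(nodes={"manager": Node("manager"), "node-2": Node("node-2")})


def power_loss_scenario(use_desired_state: bool) -> Dict[str, bool]:
    """The ticket's sequence: node-2 dies, 'broctl stop' fails on it, it reboots.
    Returns each node's running flag after the cron pass."""
    c = _cluster()
    c.start()                              # whole cluster comes up
    c.nodes["node-2"].reachable = False    # power problem ...
    c.nodes["node-2"].running = False      # ... bro is gone with the host
    c.stop()                               # manager stops; stop fails on node-2
    c.nodes["node-2"].reachable = True     # node-2 reboots, bro not running
    c.cron() if use_desired_state else c.cron_legacy()
    return {name: n.running for name, n in c.nodes.items()}


def reverse_scenario(use_desired_state: bool) -> Dict[str, bool]:
    """The reverse case from the ticket: 'broctl start' while node-2 is down."""
    c = _cluster()
    c.nodes["node-2"].reachable = False    # node-2 is down when start runs
    c.start()                              # manager starts; node-2 fails
    c.nodes["node-2"].reachable = True     # node-2 comes back, bro not running
    c.cron() if use_desired_state else c.cron_legacy()
    return {name: n.running for name, n in c.nodes.items()}


if __name__ == "__main__":
    # Legacy cron wrongly restarts node-2 after the operator said "stop" and
    # never starts it in the reverse case; desired-state cron gets both right.
    print("power loss, legacy :", power_loss_scenario(False))
    print("power loss, desired:", power_loss_scenario(True))
    print("reverse, legacy    :", reverse_scenario(False))
    print("reverse, desired   :", reverse_scenario(True))
```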
From jira at bro-tracker.atlassian.net  Fri Mar 13 14:26:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1227) netstats should compute statistics
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1227:
---------------------------

    Fix Version/s: 2.5  (was: 2.4)

> netstats should compute statistics
> ----------------------------------
>
>     Key: BIT-1227
>     URL: https://bro-tracker.atlassian.net/browse/BIT-1227
>     Project: Bro Issue Tracker
>     Issue Type: New Feature
>     Components: Bro, BroControl
>     Reporter: Justin Azoff
>     Assignee: Justin Azoff
>     Priority: Trivial
>     Fix For: 2.5
>
>     Attachments: signature.asc
>
>
> Someone on irc had shared a really hackish script that parsed the output of broctl netstats to add drop percentages and totals. This is trivial to do inside of broctl.


From jira at bro-tracker.atlassian.net  Fri Mar 13 14:27:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:27:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1226) bad example in quickstart guide
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1226:
------------------------------

    Assignee: Jon Siwek

> bad example in quickstart guide
> -------------------------------
>
>     Key: BIT-1226
>     URL: https://bro-tracker.atlassian.net/browse/BIT-1226
>     Project: Bro Issue Tracker
>     Issue Type: Problem
>     Components: Bro
>     Affects Versions: git/master, 2.3
>     Reporter: Jon Siwek
>     Assignee: Jon Siwek
>     Labels: documentation
>     Fix For: 2.4
>
>
> The quickstart has a "deployment customization" involving watching for an SSH login to a specific set of hosts. The first problem is the code is wrong; an updated example is at https://gist.github.com/jsiwek/2a7692aa9f24e197ca9c. But there are other reasons why this example is not straightforward for new users. I think it should be replaced with a different example. Should add a unit test for it as well to make sure it doesn't become outdated.


From jira at bro-tracker.atlassian.net  Fri Mar 13 14:28:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:28:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1225) ReadFile API: topic/seth/readfile
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1225?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1225:
---------------------------

    Fix Version/s: 2.5  (was: 2.4)

> ReadFile API: topic/seth/readfile
> ---------------------------------
>
>     Key: BIT-1225
>     URL: https://bro-tracker.atlassian.net/browse/BIT-1225
>     Project: Bro Issue Tracker
>     Issue Type: New Feature
>     Components: Bro
>     Affects Versions: git/master
>     Reporter: Seth Hall
>     Assignee: Seth Hall
>     Fix For: 2.5
>
>
> The ReadFile module provides a simplified API for reading files off of disk.


From jira at bro-tracker.atlassian.net  Fri Mar 13 14:29:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:29:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1221) DPD website docs out of date
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1221?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1221:
------------------------------

    Assignee: Jon Siwek

> DPD website docs out of date
> ----------------------------
>
>     Key: BIT-1221
>     URL: https://bro-tracker.atlassian.net/browse/BIT-1221
>     Project: Bro Issue Tracker
>     Issue Type: Problem
>     Components: Website
>     Reporter: Jon Siwek
>     Assignee: Jon Siwek
>     Fix For: 2.4
>
>
> http://www.bro.org/development/howtos/dpd.html
> Some parts of that document reference old code. At a glance, {{dpd_config}}, {{DPM}}, and the use of {{int}} as the type for sequence numbers are things that pop out at me.
From jira at bro-tracker.atlassian.net  Fri Mar 13 14:34:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:34:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1196) Add index of logs to documentation
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1196?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1196:
---------------------------

    Resolution: Fixed
    Status: Closed  (was: Open)

https://www.bro.org/sphinx-git/script-reference/log-files.html

> Add index of logs to documentation
> ----------------------------------
>
>     Key: BIT-1196
>     URL: https://bro-tracker.atlassian.net/browse/BIT-1196
>     Project: Bro Issue Tracker
>     Issue Type: New Feature
>     Components: Bro
>     Reporter: Robin Sommer
>     Labels: broxygen
>     Fix For: 2.4
>
>
> Our documentation should have an index of all log files, with links to the corresponding field definitions. I think we should be able to auto-generate that.


From jira at bro-tracker.atlassian.net  Fri Mar 13 14:37:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:37:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1207) Add test to catch changes breaking local.bro
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1207:
------------------------------

    Assignee: Jon Siwek

> Add test to catch changes breaking local.bro
> --------------------------------------------
>
>     Key: BIT-1207
>     URL: https://bro-tracker.atlassian.net/browse/BIT-1207
>     Project: Bro Issue Tracker
>     Issue Type: Problem
>     Components: Bro
>     Reporter: Robin Sommer
>     Assignee: Jon Siwek
>     Fix For: 2.4
>
>
> We should get better at tracking when a shipping local.bro breaks.
> We could add a test that runs the local.bro of the past release. Once
> something breaks, we'd update the test's copy of local.bro but then
> also take that as a trigger to document the change.


From jira at bro-tracker.atlassian.net  Fri Mar 13 14:43:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:43:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-8) Handling optional fields
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-8?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-8:
------------------------

    Resolution: Won't Fix
    Status: Closed  (was: Open)

> Handling optional fields
> ------------------------
>
>     Key: BIT-8
>     URL: https://bro-tracker.atlassian.net/browse/BIT-8
>     Project: Bro Issue Tracker
>     Issue Type: Task
>     Components: Broccoli
>     Affects Versions: 1.5.2
>     Reporter: Matthias Vallentin
>     Assignee: kreibich
>
> Optional fields in records are currently returned in a record with type BRO_TYPE_UNKNOWN. The Bro serialization protocol uses a NULL pointer instead. To streamline the two interfaces, it thus makes more sense to return a NULL pointer in
> {noformat}
> bro_rec_get_nth_val()
> {noformat}
> instead of an empty field instance.


From jira at bro-tracker.atlassian.net  Fri Mar 13 14:50:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 16:50:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-24) inconsistent behavior with respect to out-of-range vector references
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-24?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-24:
-------------------------

    Resolution: Fixed
    Fix Version/s: 2.2
    Status: Closed  (was: Open)

> inconsistent behavior with respect to out-of-range vector references
> --------------------------------------------------------------------
>
>     Key: BIT-24
>     URL: https://bro-tracker.atlassian.net/browse/BIT-24
>     Project: Bro Issue Tracker
>     Issue Type: Problem
>     Components: Bro
>     Reporter: Vern Paxson
>     Fix For: 2.2
>
>
> [Matthias & Christian|from]
> This:
> {noformat}
> global foo: vector of count = { 42 };
> print foo[0];
> print foo[1];
> print foo[2];
> {noformat}
> just prints 42 (index 1), with no warning that 0 and 2 don't exist. But this:
> {noformat}
> global foo: vector of count = { 42 };
> global f0: count;
> global f1: count;
> global f2: count;
> f0 = foo[0]; f1 = foo[1]; f2 = foo[2];
> print f0; print f1; print f2;
> {noformat}
> yields
> {noformat}
> ... run-time error, value used but not set
> 42
> ... run-time error, value used but not set
> {noformat}
> whereas this:
> {noformat}
> global foo: vector of count;
> foo[0] = 42;
> {noformat}
> yields:
> {noformat}
> ... (foo[0]): error, index (0) must be positive
> {noformat}


From jira at bro-tracker.atlassian.net  Fri Mar 13 15:01:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 17:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-270) Sending addresses via pybroccoli doesn't work
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-270?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-270:
--------------------------

    Resolution: Fixed
    Status: Closed  (was: Open)

Don't think there's a problem currently -- we've got tests at least that use addrs just fine.

> Sending addresses via pybroccoli doesn't work
> ---------------------------------------------
>
>     Key: BIT-270
>     URL: https://bro-tracker.atlassian.net/browse/BIT-270
>     Project: Bro Issue Tracker
>     Issue Type: Problem
>     Components: Broccoli
>     Affects Versions: 1.5.2
>     Reporter: Robin Sommer
>     Assignee: kreibich
>     Labels: pybroccoli
>     Attachments: dns.py, test.bro, tm-wait-for.bro
>
>
> When sending events with arguments of type "addr" from Bro, a receiving pybroccoli client hangs. Not clear whether it's a problem of Broccoli or pybroccoli, but most likely it's the latter.
> Ask Robin for a set of scripts to reproduce the problem.
From jira at bro-tracker.atlassian.net  Fri Mar 13 15:15:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 17:15:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-287) BroControl should warn if changes aren't "install"ed
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-287:
--------------------------

    Fix Version/s: 2.4

> BroControl should warn if changes aren't "install"ed
> ----------------------------------------------------
>
>     Key: BIT-287
>     URL: https://bro-tracker.atlassian.net/browse/BIT-287
>     Project: Bro Issue Tracker
>     Issue Type: New Feature
>     Components: BroControl
>     Affects Versions: 1.5.2
>     Reporter: Seth Hall
>     Fix For: 2.4
>
>
> At times it can be difficult to remember to "install" after making changes in the site directory before restarting with BroControl. BroControl should check to see if there are any files that are updated in the site directory and put up a warning to the user if they are restarting or starting without installing.


From jira at bro-tracker.atlassian.net  Fri Mar 13 15:16:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 17:16:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-287) BroControl should warn if changes aren't "install"ed
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19953#comment-19953 ]

Jon Siwek commented on BIT-287:
-------------------------------

This may already be done or just obviated by BIT-1194.


From jira at bro-tracker.atlassian.net  Fri Mar 13 15:23:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 17:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-318) Use inttypes.h instead of home-made ifdefs
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-318:
--------------------------

    Resolution: No longer applies
    Status: Closed  (was: Open)

> Use inttypes.h instead of home-made ifdefs
> ------------------------------------------
>
>     Key: BIT-318
>     URL: https://bro-tracker.atlassian.net/browse/BIT-318
>     Project: Bro Issue Tracker
>     Issue Type: Task
>     Components: Bro
>     Affects Versions: git/master
>     Reporter: gregor
>     Labels: inttypes
>     Fix For: 2.4
>
>
> * Use inttypes.h for fixed width integer types instead of using self-made #ifdefs (e.g., uint64_t, int32_t). Cf. util.[ch]
> * Replace old {{uint32}} et al. with standard {{uint32_t}} et al.
> inttypes.h is a C99 and POSIX standard.
> Check for possible roadblocks when doing so.


From jira at bro-tracker.atlassian.net  Fri Mar 13 15:26:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 17:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-437) Unify tables/set/vectors/records
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-437:
--------------------------

    Fix Version/s: 2.5  (was: 2.4)

> Unify tables/set/vectors/records
> --------------------------------
>
>     Key: BIT-437
>     URL: https://bro-tracker.atlassian.net/browse/BIT-437
>     Project: Bro Issue Tracker
>     Issue Type: Task
>     Components: Bro
>     Reporter: Robin Sommer
>     Labels: language
>     Fix For: 2.5
>
>
> Internally, tables/sets/vectors/records are all handled separately at many locations inside the interpreter (tables and sets sometimes are handled together, and sometimes aren't). I believe we should be able to unify much of that code in some form, like by moving more into a parent class {{CompositeType}}.
> I'd like to see most of these {{if ( is-it-type-A ) ... if ( is-it-type-B ) ...}} go away.
> That would also make it much easier to implement a real list type.
From jira at bro-tracker.atlassian.net  Fri Mar 13 15:27:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 13 Mar 2015 17:27:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-474) &raw_output turns null values into \0
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-474:
--------------------------

    Fix Version/s: 2.5  (was: 2.4)

> &raw_output turns null values into \0
> -------------------------------------
>
>     Key: BIT-474
>     URL: https://bro-tracker.atlassian.net/browse/BIT-474
>     Project: Bro Issue Tracker
>     Issue Type: Problem
>     Components: Bro
>     Affects Versions: git/master
>     Reporter: Seth Hall
>     Assignee: Jon Siwek
>     Labels: preview
>     Fix For: 2.5
>
>
> Files with the raw_output attribute shouldn't do any interpretation to the data.


From noreply at bro.org  Sat Mar 14 00:00:25 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 14 Mar 2015 00:00:25 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503140700.t2E70P7b005270@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee      Updated     For Version   Priority   Summary
------------  ------------  -------------  ------------  ----------  ------------  ---------  ----------------------------------------------
BIT-1340 [1]  Bro           Seth Hall      Jon Siwek     2015-03-13  2.4           Normal     RDP analyzer (topic/seth/rdp)
BIT-1332 [2]  Bro           Johanna Amann  -             2015-03-09  2.4           Normal     Please merge topic/johanna/cert-validation
BIT-1330 [3]  pysubnettree  Jon Siwek      -             2015-03-09  2.4           Normal     topic/python3-compat [4]
BIT-1305 [5]  Bro           Jon Siwek      Robin Sommer  2015-03-13  2.4           Normal     Consider marking some attributes as deprecated

Open Fastpath Commits
=====================

Commit       Component   Author         Date        Summary
-----------  ----------  -------------  ----------  -----------------------------------------------------------
31795e7 [6]  bro         Johanna Amann  2015-03-10  When setting the SSL analyzer to fail, also stop processing

[1] BIT-1340          https://bro-tracker.atlassian.net/browse/BIT-1340
[2] BIT-1332          https://bro-tracker.atlassian.net/browse/BIT-1332
[3] BIT-1330          https://bro-tracker.atlassian.net/browse/BIT-1330
[4] python3-compat    https://github.com/bro/pysubnettree/tree/topic/python3-compat
[5] BIT-1305          https://bro-tracker.atlassian.net/browse/BIT-1305
[6] 31795e7           https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3


From noreply at bro.org  Sun Mar 15 00:00:31 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 15 Mar 2015 00:00:31 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503150700.t2F70VmP020502@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee      Updated     For Version   Priority   Summary
------------  ------------  -------------  ------------  ----------  ------------  ---------  ----------------------------------------------
BIT-1340 [1]  Bro           Seth Hall      Jon Siwek     2015-03-13  2.4           Normal     RDP analyzer (topic/seth/rdp)
BIT-1332 [2]  Bro           Johanna Amann  -             2015-03-09  2.4           Normal     Please merge topic/johanna/cert-validation
BIT-1330 [3]  pysubnettree  Jon Siwek      -             2015-03-09  2.4           Normal     topic/python3-compat [4]
BIT-1305 [5]  Bro           Jon Siwek      Robin Sommer  2015-03-13  2.4           Normal     Consider marking some attributes as deprecated

Open Fastpath Commits
=====================

Commit       Component   Author         Date        Summary
-----------  ----------  -------------  ----------  -----------------------------------------------------------
31795e7 [6]  bro         Johanna Amann  2015-03-10  When setting the SSL analyzer to fail, also stop processing

Open GitHub Pull Requests
=========================

Issue    Component   User            Updated     Title
-------  ----------  --------------  ----------  ----------------------------------------------
#27 [7]  bro         petiepooo [8]   2015-03-14  Add defensive check for localtime_r() call [9]

[1] BIT-1340          https://bro-tracker.atlassian.net/browse/BIT-1340
[2] BIT-1332          https://bro-tracker.atlassian.net/browse/BIT-1332
[3] BIT-1330          https://bro-tracker.atlassian.net/browse/BIT-1330
[4] python3-compat    https://github.com/bro/pysubnettree/tree/topic/python3-compat
[5] BIT-1305          https://bro-tracker.atlassian.net/browse/BIT-1305
[6] 31795e7           https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3
[7] Pull Request #27  https://github.com/bro/bro/pull/27
[8] petiepooo         https://github.com/petiepooo
[9] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv


From noreply at bro.org  Mon Mar 16 00:00:25 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 16 Mar 2015 00:00:25 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503160700.t2G70P3K010442@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee      Updated     For Version   Priority   Summary
------------  ------------  -------------  ------------  ----------  ------------  ---------  ----------------------------------------------
BIT-1340 [1]  Bro           Seth Hall      Jon Siwek     2015-03-13  2.4           Normal     RDP analyzer (topic/seth/rdp)
BIT-1332 [2]  Bro           Johanna Amann  -             2015-03-09  2.4           Normal     Please merge topic/johanna/cert-validation
BIT-1330 [3]  pysubnettree  Jon Siwek      -             2015-03-09  2.4           Normal     topic/python3-compat [4]
BIT-1305 [5]  Bro           Jon Siwek      Robin Sommer  2015-03-13  2.4           Normal     Consider marking some attributes as deprecated

Open Fastpath Commits
=====================

Commit       Component   Author         Date        Summary
-----------  ----------  -------------  ----------  -----------------------------------------------------------
31795e7 [6]  bro         Johanna Amann  2015-03-10  When setting the SSL analyzer to fail, also stop processing

Open GitHub Pull Requests
=========================

Issue    Component   User            Updated     Title
-------  ----------  --------------  ----------  ----------------------------------------------
#27 [7]  bro         petiepooo [8]   2015-03-14  Add defensive check for localtime_r() call [9]

[1] BIT-1340          https://bro-tracker.atlassian.net/browse/BIT-1340
[2] BIT-1332          https://bro-tracker.atlassian.net/browse/BIT-1332
[3] BIT-1330          https://bro-tracker.atlassian.net/browse/BIT-1330
[4] python3-compat    https://github.com/bro/pysubnettree/tree/topic/python3-compat
[5] BIT-1305          https://bro-tracker.atlassian.net/browse/BIT-1305
[6] 31795e7           https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3
[7] Pull Request #27  https://github.com/bro/bro/pull/27
[8] petiepooo         https://github.com/petiepooo
[9] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv


From jsiwek at illinois.edu  Mon Mar 16 07:56:05 2015
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Mon, 16 Mar 2015 14:56:05 +0000
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/more-file-type-ident-fixes: Lots of fixes for file type identification. (ee3e885)
In-Reply-To: <201503140214.t2E2EuMY019791@bro-ids.icir.org>
References: <201503140214.t2E2EuMY019791@bro-ids.icir.org>
Message-ID:

> On Mar 13, 2015, at 9:14 PM, Seth Hall wrote:
>
> - Plain text now identified with BOMs for UTF8,16,32
>   (even though 16 and 32 wouldn't get identified as plain text, oh-well)

Maybe it's good/correct to identify UTF8,16,32 as associated w/ a main type of "text", but a bit ambiguous or superfluous to label them "plain" - what even is "plain text"? For any "text", you always need to know its character encoding to read it, right? I guess the name has to stay for historical/compatibility reasons, though.

But as long as we're basing stuff from the heritage of "MIME" types, should we extend the file signature syntax to allow specifying an extra/optional field? Then you can stick character encoding in there as separate component for "text" types.
- Jon


From jira at bro-tracker.atlassian.net  Mon Mar 16 09:12:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Mon, 16 Mar 2015 11:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1341) topic/dnthayer/fixes-for-2.4beta
In-Reply-To:
References:
Message-ID:

Daniel Thayer created BIT-1341:
----------------------------------

    Summary: topic/dnthayer/fixes-for-2.4beta
    Key: BIT-1341
    URL: https://bro-tracker.atlassian.net/browse/BIT-1341
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Reporter: Daniel Thayer
    Fix For: 2.4

Branch topic/dnthayer/fixes-for-2.4beta in the broctl repo addresses the following issues:

- Improved test setup scripts to specify correct bro install prefix.
- Fix bug where "./configure --conf-files-dir" did not work
- Fix bug where "./configure --scriptdir" did not work
- Print error messages without showing Python stack trace
- Improved processing of node input args, to remove duplicates and sort
- Improved sorting of the output by node type and name
- Added the "deploy" command
- Update docs for the deploy command


From jira at bro-tracker.atlassian.net  Mon Mar 16 09:13:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Mon, 16 Mar 2015 11:13:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1341) topic/dnthayer/fixes-for-2.4beta
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1341:
-------------------------------

    Status: Merge Request  (was: Open)


From jira at bro-tracker.atlassian.net  Mon Mar 16 09:32:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 16 Mar 2015 11:32:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1332:
-------------------------------

    Status: Open  (was: Merge Request)

> Please merge topic/johanna/cert-validation
> ------------------------------------------
>
>     Key: BIT-1332
>     URL: https://bro-tracker.atlassian.net/browse/BIT-1332
>     Project: Bro Issue Tracker
>     Issue Type: Improvement
>     Components: Bro
>     Affects Versions: git/master
>     Reporter: Johanna Amann
>     Fix For: 2.4
>
>
> Please merge topic/johanna/cert-validation. This is an update to the script used to validate certificates in SSL/TLS connections. Description from main commit:
> {quote}
> Update certificate validation script - new version will cache valid
> intermediate chains that it encounters on the wire and use those to try
> to validate chains that might be missing intermediate certificates.
> This vastly improves the number of certificates that Bro can validate.
> The only drawback is that now validation behavior is not entirely
> predictable anymore - the certificate of a server can fail to validate
> when Bro just started up (due to the intermediate missing), and succeed
> later, when the intermediate can be found in the cache.
> Has been tested on big-ish clusters and should not introduce any
> performance problems.
> {quote}


From jira at bro-tracker.atlassian.net  Mon Mar 16 09:33:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 16 Mar 2015 11:33:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19954#comment-19954 ]

Johanna Amann commented on BIT-1332:
------------------------------------

Sorry, I actually found one more side case I want to fix before merging this :)


From jira at bro-tracker.atlassian.net  Mon Mar 16 09:48:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 16 Mar 2015 11:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1332:
-------------------------------

    Status: Merge Request  (was: Open)


From jira at bro-tracker.atlassian.net  Mon Mar 16 09:49:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 16 Mar 2015 11:49:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19955#comment-19955 ]

Johanna Amann commented on BIT-1332:
------------------------------------

Actually - merge this after all, the additional change I want to do is more complicated, might not make it into 2.4 and only adds additional functionality (not a bug fix).
> {quote} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 10:28:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 12:28:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-772) Problem with $path_func in Log filters In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-772: -------------------------- Fix Version/s: (was: 2.4) > Problem with $path_func in Log filters > -------------------------------------- > > Key: BIT-772 > URL: https://bro-tracker.atlassian.net/browse/BIT-772 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Seth Hall > Assignee: Seth Hall > Priority: High > > I finally wrote a generic path_func and it doesn't work. The 'path' variable that is passed into the $path_func field when it's called is not filled out. This should be an easy fix. > {noformat} > module Log; > export { > ## A generic log path function that can be used in any filter if the record associated > ## with the stream has a field named 'id' of type :bro:type:`conn_id` to split the log > ## records into different files names based on if the connection was originated locally > ## or not. > global directional_path_func: function(id: Log::ID, path: string, rec: record {id: conn_id;}): string; > } > function directional_path_func(id: Log::ID, path: string, rec: record { id: conn_id; }): string > { > local direction: string; > local orig_local = Site::is_local_addr(rec$id$orig_h); > local resp_local = Site::is_local_addr(rec$id$resp_h); > > if ( orig_local ) > direction = resp_local ? "localonly" : "outbound"; > else > direction = resp_local ? 
"inbound" : "remoteonly"; > > return fmt("%s_%s", path, direction); > } > event bro_init() > { > Log::remove_default_filter(DNS::LOG); > Log::add_filter(DNS::LOG, [$name = "directional_split", $path_func = directional_path_func]); > > Log::remove_default_filter(HTTP::LOG); > Log::add_filter(HTTP::LOG, [$name = "directional_split", $path_func = directional_path_func]); > > } > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 10:32:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 12:32:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-772) Problem with $path_func in Log filters In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-772?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-772: -------------------------- Resolution: Invalid Status: Closed (was: Open) Don't see anything to fix here -- on the first call to a logging path function the path should only be set if the user specified one when adding the filter. > Problem with $path_func in Log filters > -------------------------------------- > > Key: BIT-772 > URL: https://bro-tracker.atlassian.net/browse/BIT-772 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Seth Hall > Assignee: Seth Hall > Priority: High > > I finally wrote a generic path_func and it doesn't work. The 'path' variable that is passed into the $path_func field when it's called is not filled out. This should be an easy fix. > {noformat} > module Log; > export { > ## A generic log path function that can be used in any filter if the record associated > ## with the stream has a field named 'id' of type :bro:type:`conn_id` to split the log > ## records into different files names based on if the connection was originated locally > ## or not. 
> global directional_path_func: function(id: Log::ID, path: string, rec: record {id: conn_id;}): string; > } > function directional_path_func(id: Log::ID, path: string, rec: record { id: conn_id; }): string > { > local direction: string; > local orig_local = Site::is_local_addr(rec$id$orig_h); > local resp_local = Site::is_local_addr(rec$id$resp_h); > > if ( orig_local ) > direction = resp_local ? "localonly" : "outbound"; > else > direction = resp_local ? "inbound" : "remoteonly"; > > return fmt("%s_%s", path, direction); > } > event bro_init() > { > Log::remove_default_filter(DNS::LOG); > Log::add_filter(DNS::LOG, [$name = "directional_split", $path_func = directional_path_func]); > > Log::remove_default_filter(HTTP::LOG); > Log::add_filter(HTTP::LOG, [$name = "directional_split", $path_func = directional_path_func]); > > } > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 10:42:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 12:42:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1180) Input framework subsiquient REREAD fails after file update In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1180: --------------------------- Priority: Normal (was: High) > Input framework subsiquient REREAD fails after file update > ----------------------------------------------------------- > > Key: BIT-1180 > URL: https://bro-tracker.atlassian.net/browse/BIT-1180 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.2 > Reporter: Aashish Sharma > Assignee: Johanna Amann > Labels: input-framework > Fix For: 2.5 > > > I have a file that gets updated every hour and I am using it as a feed into bro using input framework. Every hour I write a list of IP addresses into this file. 
For many updates everything works fine but Occasionally, I see the following error: > Apr 6 05:00:09 Reporter::ERROR /feeds/Blacklist/CURRENT.24hrs_BRO/Input::READER_ASCII: could not read first line (empty) > After this failure/message, any subsequent updates on the file are ignored by the input framework. > From visual inspection the file looks just fine and header/data (1 column of IP addresses) is there as expected but somehow input framework doesn't like it. It seems that every hour when update the file using a cron script, on a rare occasion the file is empty for a minuscule duration after which this error starts. > for further REREADS data won't get updated into the tables anymore once the above Reporter::ERROR kicks in. > Please let me know if you need ways to reproduce this error condition or have more questions for me. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 10:42:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 12:42:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1180) Input framework subsiquient REREAD fails after file update In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1180: --------------------------- Fix Version/s: (was: 2.4) 2.5 > Input framework subsiquient REREAD fails after file update > ----------------------------------------------------------- > > Key: BIT-1180 > URL: https://bro-tracker.atlassian.net/browse/BIT-1180 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.2 > Reporter: Aashish Sharma > Assignee: Johanna Amann > Priority: High > Labels: input-framework > Fix For: 2.5 > > > I have a file that gets updated every hour and I am using it as a feed into bro using input framework. Every hour I write a list of IP addresses into this file. 
For many updates everything works fine but Occasionally, I see the following error: > Apr 6 05:00:09 Reporter::ERROR /feeds/Blacklist/CURRENT.24hrs_BRO/Input::READER_ASCII: could not read first line (empty) > After this failure/message, any subsequent updates on the file are ignored by the input framework. > From visual inspection the file looks just fine and header/data (1 column of IP addresses) is there as expected but somehow input framework doesn't like it. It seems that every hour when update the file using a cron script, on a rare occasion the file is empty for a minuscule duration after which this error starts. > for further REREADS data won't get updated into the tables anymore once the above Reporter::ERROR kicks in. > Please let me know if you need ways to reproduce this error condition or have more questions for me. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 10:48:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 12:48:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1180) Input framework subsiquient REREAD fails after file update In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19957#comment-19957 ] Jon Siwek commented on BIT-1180: -------------------------------- Re-reading files on each change even if a previous read failed seems like a useful feature. But generally, I think users of the input framework should be expected to atomically change input files. 
> Input framework subsiquient REREAD fails after file update > ----------------------------------------------------------- > > Key: BIT-1180 > URL: https://bro-tracker.atlassian.net/browse/BIT-1180 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.2 > Reporter: Aashish Sharma > Assignee: Johanna Amann > Labels: input-framework > Fix For: 2.5 > > > I have a file that gets updated every hour and I am using it as a feed into bro using input framework. Every hour I write a list of IP addresses into this file. For many updates everything works fine but Occasionally, I see the following error: > Apr 6 05:00:09 Reporter::ERROR /feeds/Blacklist/CURRENT.24hrs_BRO/Input::READER_ASCII: could not read first line (empty) > After this failure/message, any subsequent updates on the file are ignored by the input framework. > From visual inspection the file looks just fine and header/data (1 column of IP addresses) is there as expected but somehow input framework doesn't like it. It seems that every hour when update the file using a cron script, on a rare occasion the file is empty for a minuscule duration after which this error starts. > for further REREADS data won't get updated into the tables anymore once the above Reporter::ERROR kicks in. > Please let me know if you need ways to reproduce this error condition or have more questions for me. 
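The point of Jon's comment above is that a reader such as Input::READER_ASCII must never observe the feed file while it is empty or half-written. The following is an added example (Python; not code from the Bro project or from anyone on this thread) of an update script that publishes a one-column IP feed by writing it to a temporary file in the same directory, validating it, fsync'ing it and then renaming it over the live file, so the old feed stays in place until the new one is complete and a blank update is rejected instead of replacing it. The `#fields` header line, the file names and the sample addresses are assumptions constructed for the example.

```python
"""Atomic replacement of an input-framework feed file.

Added example, not Bro project code. Writing to a temp file in the same
directory and renaming it over the live file gives a reader either the
old feed or the new one, never an empty window in between.
"""
import os
import tempfile

# Constructed for the example: the tab-separated header line assumed for
# a one-column ASCII input file read by Bro's ASCII reader.
FEED_HEADER = "#fields\tip\n"


class EmptyFeedError(ValueError):
    """Raised when a candidate feed would carry no data rows."""


def render_feed(ips):
    """Build the feed text: header plus one IP per line; reject empties."""
    rows = [ip.strip() for ip in ips if ip.strip()]
    if not rows:
        raise EmptyFeedError("refusing to publish a feed with no entries")
    return FEED_HEADER + "".join(ip + "\n" for ip in rows)


def atomic_write(path, data):
    """Replace `path` with `data` without ever exposing a partial file.

    The temp file lives in the target's directory so os.replace() is a
    same-filesystem rename, which POSIX guarantees to be atomic.
    """
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".feed-", dir=dirname)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())      # data is on disk before the rename
        os.chmod(tmp, 0o644)           # mkstemp creates 0600; let Bro read it
        os.replace(tmp, path)          # the atomic swap
    except BaseException:
        if os.path.exists(tmp):        # leave the live feed untouched
            os.unlink(tmp)
        raise


def publish_feed(path, ips):
    """Validate, then atomically install, a new feed. Returns the row count.

    Validation happens before the swap, so a bad update leaves the
    previously published feed in place.
    """
    data = render_feed(ips)
    atomic_write(path, data)
    return data.count("\n") - 1


def read_feed(path):
    """Read the feed back the way a consumer would: header, then rows."""
    with open(path) as fh:
        lines = fh.read().splitlines()
    if not lines or not lines[0].startswith("#fields"):
        raise EmptyFeedError("feed has no header line")
    return lines[1:]


def demo():
    """Run the pattern in a scratch directory and return what happened:
    rows after the first publish, whether a blank update was rejected,
    rows afterwards, and any temp files left behind."""
    with tempfile.TemporaryDirectory() as d:
        feed = os.path.join(d, "blacklist.txt")
        publish_feed(feed, ["192.0.2.1", "198.51.100.7"])
        first = read_feed(feed)
        try:
            publish_feed(feed, ["   "])   # an all-blank update
            rejected = False
        except EmptyFeedError:
            rejected = True
        second = read_feed(feed)
        leftovers = [n for n in os.listdir(d) if n.startswith(".feed-")]
    return first, rejected, second, leftovers


if __name__ == "__main__":
    print(demo())
```

A cron job that does `cat new_list > CURRENT.24hrs_BRO` truncates the live file first, which is exactly the empty window the report describes; the rename-based swap above is the usual fix, and the validation step keeps a broken generator run from replacing a good feed with an empty one.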
From: Jon Siwek (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 12:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-26) case insensitive regular expressions

[ https://bro-tracker.atlassian.net/browse/BIT-26?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-26:
-------------------------

    Fix Version/s: 2.5 (was: 2.4)

> case insensitive regular expressions
> ------------------------------------
>
> Key: BIT-26
> URL: https://bro-tracker.atlassian.net/browse/BIT-26
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Vern Paxson
> Fix For: 2.5
>
>
> There should be a way of annotating a regular expression (e.g., &case-insensitive) to mean that it should match the input regardless of case.

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 12:49:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-772) Problem with $path_func in Log filters

[ https://bro-tracker.atlassian.net/browse/BIT-772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19958#comment-19958 ]

Seth Hall commented on BIT-772:
-------------------------------

I think there was something rather subtle that I wanted to fix here, but I don't remember what it was anymore, so closing this is fine.

From: Jon Siwek (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 12:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-253) Can't bind to port 47760, Address already in use

[ https://bro-tracker.atlassian.net/browse/BIT-253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-253:
--------------------------

    Fix Version/s: 2.5 (was: 2.4)

> Can't bind to port 47760, Address already in use
> ------------------------------------------------
>
> Key: BIT-253
> URL: https://bro-tracker.atlassian.net/browse/BIT-253
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: tyler.schoenke
> Assignee: Daniel Thayer
> Fix For: 2.5
>
>
> I ran into some strange behavior with the cluster. I was still receiving email alerts, but the log files on the manager contained only headers with no log messages. The connection summary emails had the columns and summaries with all of the values being empty.
>
> I ran a dumpcap on my manager's eth0 filtering my worker IP, and saw that the logs were being sent to the manager. I could start the cluster, run broctl stats and diag with no errors. I finally saw "Can't bind to port 47760, Address already in use" in the remote.log on the manager. After stopping the cluster and looking for LISTENing processes, I saw that something was bound to that port. I checked for running bro processes and saw that some hadn't terminated when the cluster was stopped. After killing those, the cluster started working properly.
>
> My enhancement request is to have something added to the cluster startup script that reports an error if the manager or workers encounter an error binding to a port. This error could either prevent the cluster from starting, or just print some message to let the user know there is a problem with port binding.

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 12:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-287) BroControl should warn if changes aren't "install"ed

[ https://bro-tracker.atlassian.net/browse/BIT-287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-287:
--------------------------

    Resolution: Invalid
    Status: Closed (was: Open)

> BroControl should warn if changes aren't "install"ed
> ----------------------------------------------------
>
> Key: BIT-287
> URL: https://bro-tracker.atlassian.net/browse/BIT-287
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Fix For: 2.4
>
>
> At times it can be difficult to remember to "install" after making changes in the site directory before restarting with BroControl. BroControl should check to see if there are any files that are updated in the site directory and put up a warning to the user if they are restarting or starting without installing.

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 12:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-287) BroControl should warn if changes aren't "install"ed

[ https://bro-tracker.atlassian.net/browse/BIT-287?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19959#comment-19959 ]

Seth Hall commented on BIT-287:
-------------------------------

Agreed, let's close this.

From: Jon Siwek (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 12:56:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1317) Integrate standard plugin into Bro's build and install process

[ https://bro-tracker.atlassian.net/browse/BIT-1317?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1317:
---------------------------

    Fix Version/s: 2.5 (was: 2.4)

> Integrate standard plugin into Bro's build and install process
> --------------------------------------------------------------
>
> Key: BIT-1317
> URL: https://bro-tracker.atlassian.net/browse/BIT-1317
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Robin Sommer
> Fix For: 2.5
>
>
> Right now, plugins in aux/plugins/* need to be built and installed manually. That's fine for those currently there (netmap, elastic search, data series), as they are quite specific. However, once we start moving more standard functionality over into plugins (say, GeoIP support), that will get more cumbersome, as now everybody wanting that stuff will need to do the additional step, which is easy to miss.
>
> However, it's not clear to me right now what a good way of integrating the plugins more tightly would be. We could turn a few (or all?) on by default and build them along with Bro if their dependencies are satisfied. But that's tough to implement, as the plugin build process is really completely separate from Bro's. So we would need to pass configure parameters over, run their builds, run their installs, run their tests, and catch any errors along the way.
>
> I'm setting this to 2.4 in case we can still come up with a good strategy here. But more likely this is something to punt on right now, as we don't have a pressing use case anyways. There's also the related topic of a broader notion of modules that a future CPAN might manage, and how we combine all that.

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 13:02:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script

[ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19940#comment-19940 ]

Seth Hall edited comment on BIT-1335 at 3/16/15 1:01 PM:
---------------------------------------------------------

We could always just do the single line script of...

event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); }

was (Author: seth):
We could always just do the single line script of...

event bro_init() { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); }

> Extract all files policy script
> -------------------------------
>
> Key: BIT-1335
> URL: https://bro-tracker.atlassian.net/browse/BIT-1335
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: 2.4
> Reporter: grigorescu
> Assignee: Jon Siwek
> Priority: Trivial
> Fix For: 2.4
>
>
> We've mentioned a few times that it'd be nice to have an "extract all files" policy script that ships with Bro. Can we get this into 2.4?

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 13:03:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script

[ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19940#comment-19940 ]

Seth Hall edited comment on BIT-1335 at 3/16/15 1:02 PM:
---------------------------------------------------------

We could always just do the single line script of...

{{ event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); } }}

was (Author: seth):
We could always just do the single line script of...

event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); }

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 13:03:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script

[ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19940#comment-19940 ]

Seth Hall edited comment on BIT-1335 at 3/16/15 1:02 PM:
---------------------------------------------------------

We could always just do the single line script of...

{quote}
event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); }
{quote}

was (Author: seth):
We could always just do the single line script of...

{{ event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); } }}

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 13:04:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script

[ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19940#comment-19940 ]

Seth Hall edited comment on BIT-1335 at 3/16/15 1:03 PM:
---------------------------------------------------------

We could always just do the single line script of...

{{event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); }}}

was (Author: seth):
We could always just do the single line script of...

{quote}
event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); }
{quote}

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 13:04:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1335) Extract all files policy script

[ https://bro-tracker.atlassian.net/browse/BIT-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19940#comment-19940 ]

Seth Hall edited comment on BIT-1335 at 3/16/15 1:03 PM:
---------------------------------------------------------

We could always just do the single line script of...

event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); }

was (Author: seth):
We could always just do the single line script of...

{{event file_new(f: fa_file) { Files::add_analyzer(f, Files::ANALYZER_EXTRACT); }}}

From: Aashish Sharma (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 13:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1180) Input framework subsequent REREAD fails after file update

[ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19960#comment-19960 ]

Aashish Sharma commented on BIT-1180:
-------------------------------------

> But generally, I think users of the input framework should be expected to atomically change input files

Very correct!

The case where this atomicity fails is: there are cases where a bug in the input-file creation script, or a corner case in the input data (a new tab, some weird character, a format issue, etc.), causes the read to fail. I'd like to go correct the input file, but then (a) basically bro needs to be restarted, or (b) the read has failed and I am unaware of this silent failure, under the impression that the system is working as expected, while the blacklist IPs aren't getting dropped any more.

It would be useful to attempt a re-read after a duration, or if another 'update/change' event kicks in on the input file.

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 13:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

[ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19961#comment-19961 ]

Seth Hall commented on BIT-1324:
--------------------------------

I think I like this idea, but I have a slightly modified request...

Keep the create_stream function as it is...

{code}
global Log::create_stream: function(id: Log::ID, stream: Log::Stream) : bool;
{code}

But extend the definition of Log::Stream

{code}
type Log::Stream: record {
    path: string &optional;
};
{code}

How about that?

> default_path_func does weird things to underscores
> --------------------------------------------------
>
> Key: BIT-1324
> URL: https://bro-tracker.atlassian.net/browse/BIT-1324
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Justin Azoff
> Assignee: Jon Siwek
> Priority: Low
> Labels: logging
> Fix For: 2.4
>
>
> The following script creates a
> {noformat}
> foo__b_ar.log
> {noformat}
>
> instead of the expected {noformat}foo_bar{noformat}
>
> {code}
> module FOO_BAR;
>
> export {
>     redef enum Log::ID += { LOG };
>     type Info: record {
>         ts: time &log;
>         msg: string &log;
>     };
> }
>
> event bro_init() {
>     Log::create_stream(LOG, [$columns=Info]);
>     local l = [$ts = network_time(), $msg="hello"];
>     Log::write(LOG, l);
>     print "Logged";
> }
> {code}
>
> The problem is in script land in default_path_func
>
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
>
> outputs
>
> {code}
> [FOO, _B, AR]
> {code}

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 13:11:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

[ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19961#comment-19961 ]

Seth Hall edited comment on BIT-1324 at 3/16/15 1:10 PM:
---------------------------------------------------------

I think I like this idea, but I have a slightly modified request...

Keep the create_stream function as it is...

{code}
global Log::create_stream: function(id: Log::ID, stream: Log::Stream) : bool;
{code}

But extend the definition of Log::Stream

{code}
type Log::Stream: record {
    path: string &optional;
};
{code}

How about that?

It'll keep existing code working (which I think you were aiming for?) and avoid us creating a new function in the Logging framework API.

was (Author: seth):
I think I like this idea, but I have a slightly modified request...

Keep the create_stream function as it is...

{code}
global Log::create_stream: function(id: Log::ID, stream: Log::Stream) : bool;
{code}

But extend the definition of Log::Stream

{code}
type Log::Stream: record {
    path: string &optional;
};
{code}

How about that?

From: Seth Hall (JIRA) <jira at bro-tracker.atlassian.net>
Date: Mon, 16 Mar 2015 13:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19962#comment-19962 ]

Seth Hall
commented on BIT-1339: -------------------------------- Yes, that was my plan. > Remove src and dst from notice > ------------------------------ > > Key: BIT-1339 > URL: https://bro-tracker.atlassian.net/browse/BIT-1339 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: git/master > Reporter: Seth Hall > Assignee: Seth Hall > Fix For: 2.4 > > > Email from Brian Kellog... > Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts. > {quote} > I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way. Couple questions: > Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released. 
> Here's what I changed/add to some of the built-in detection scripts (Lines with "+" are what I changed/added): > /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro > NOTICE([$note=Password_Guessing, > $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num), > $sub=sub_msg, > + #$src=key$host, > + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro > NOTICE([$note=FTP::Bruteforcing, > + #$src=key$host, > + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], > $msg=message, > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro > NOTICE([$note=SQL_Injection_Attacker, > $msg="An SQL injection attacker was discovered!", > $email_body_sections=vector(format_sqli_samples(r$samples)), > + #$src=key$host, > + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], > + $sub=cat(format_sqli_samples(r$samples)), > $identifier=cat(key$host)]); > }]); > ? > NOTICE([$note=SQL_Injection_Victim, > $msg="An SQL injection victim was discovered!", > $email_body_sections=vector(format_sqli_samples(r$samples)), > + #$src=key$host, > + $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp], > + $sub=cat(format_sqli_samples(r$samples)), > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/misc/scan.bro > NOTICE([$note=Address_Scan, > #$src=key$host, > + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str], > + #$p=to_port(key$str), > $sub=side, > $msg=message, > $identifier=cat(key$host)]); > }]); > ? 
> NOTICE([$note=Port_Scan, > #$src=key$host, > + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp], > + #$dst=to_addr(key$str), > $sub=side, > $msg=message, > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro > NOTICE([$note=Traceroute::Detected, > $msg=fmt("%s seems to be running traceroute using %s", src, proto), > + #$src=src, > + $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp], > $identifier=cat(src,proto)]); > }]); > {quote} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 11:15:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 13:15:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1255) TCP reassembly issue In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19963#comment-19963 ] Jon Siwek commented on BIT-1255: -------------------------------- If anyone has arguments against increasing the default values of tcp_max_above_hole_without_any_acks and tcp_max_initial_window for 2.4 let me know, else I'll be doing the change. > TCP reassembly issue > -------------------- > > Key: BIT-1255 > URL: https://bro-tracker.atlassian.net/browse/BIT-1255 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master, 2.3 > Environment: CentOS 6 > Reporter: Jimmy Jones > Assignee: Jon Siwek > Fix For: 2.4 > > Attachments: out.pcap > > > Been testing bro with some messy (but valid) TCP streams, using docker and netem (happy to upload a gist if people are interested). > The attached file reassembles correctly in wireshark, but bro only gives the first 4069 bytes when extracted with the file analysis framework, and obviously the wrong hash (md5 is the URI). 
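Review bot: in the BIT-1339 scan.bro changes quoted above, the Address_Scan line `$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str]` assigns the string `key$str` to the port field `$resp_p`; the commented-out `#$p=to_port(key$str)` on the next line shows the conversion that is needed, so this should read `$resp_p=to_port(key$str)`. The Port_Scan change has the same problem in the other direction: `$resp_h=key$str` puts a string into an address field, and the commented-out `#$dst=to_addr(key$str)` gives the intended form, `$resp_h=to_addr(key$str)`. Separately, the `0.0.0.0` / `0/tcp` / `0/icmp` values used for the side that is not known deserve a comment in each script: they will be logged as ordinary endpoints in notice.log, so a downstream consumer such as the ELSA setup mentioned in the issue needs to know to treat them as placeholders rather than real hosts or ports.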
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 11:19:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 13:19:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1253) Bro 2.3 - 2.3.1 manager dieing on Bivio hardware In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19964#comment-19964 ] Jon Siwek commented on BIT-1253: -------------------------------- Maybe related to BIT-1331. > Bro 2.3 - 2.3.1 manager dieing on Bivio hardware > ------------------------------------------------ > > Key: BIT-1253 > URL: https://bro-tracker.atlassian.net/browse/BIT-1253 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.3 > Environment: Bro 2.3 and Bro 2.3.1 > bivio hardwareLinux CPU.2.6.31-45 has curl 7.36 gperftools 2.2 flex 2.5.39 bison 3.0.2 libpcap 1.1 swig 2.0.8 > Reporter: Larry Leviton > Assignee: Johanna Amann > Fix For: 2.4 > > > After starting bro up, the bro manager crashes in less than 60 seconds. > Thanks for any help you can give. > Sent stack trace to vendor (at bottom), and here was their response: > Comment(s): Hello Larry, > We have duplicated a crash in our lab setup that seems to be identical to that experienced by you. The code has changed quite a bit from 2.1 to 2.3.1, and we suspect a bug was introduced. > What is going on, seems to be that a writer thread is being terminated, and the destructor for the Ascii writer is called eventually. However, the destructor code does some checks and finds out that proper cleanup has not been done, so it aborts. This does not seem to be due to any library incompatibility, and looks more like maybe a race condition was introduced. > Since you knows the Bro developers, can you please ask them to take a look this and get back to us? 
We think it requires their expertise at this point. > Thank You, > Hassan. > > Bivio Case Information: > Bivio Case #: 4566243 > Date Created: 9/02/2014 08:02 AM PDT > Stack trace below: > GNU gdb (GDB) Fedora (6.8.50.20090302-40.fc11) Copyright (C) 2009 Free Software Foundation, Inc. > License GPLv3+: GNU GPL version 3 or later > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. Type "show copying" > and "show warranty" for details. > This GDB was configured as "ppc-redhat-linux-gnu". > For bug reporting instructions, please see: > ... > backtrace > [New Thread 25501] > [New Thread 25328] > [New Thread 25378] > [New Thread 25379] > [New Thread 25380] > [New Thread 25381] > [New Thread 25382] > [New Thread 25383] > [New Thread 25384] > [New Thread 25385] > [New Thread 25386] > [New Thread 25389] > [New Thread 25442] > warning: Can't read pathname for load map: Input/output error. > Missing separate debuginfo for /usr/local/lib/libz.so.1 > Try: yum --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/a2/0a0d1fc0d48c2a303af1417ccc03308b9de04a > Missing separate debuginfo for /usr/local/lib/libtcmalloc.so.4 > Try: yum --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/27/eaf56bc64810920d55b9530156c1e8ffbfd43e > Missing separate debuginfo for /usr/local/lib/libcurl.so.4 > Try: yum --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/a7/9a2cebb4abc156495ec0806b1c18015c8eba01 > Reading symbols from /usr/lib/libpcap.so.1...done. > Loaded symbols for /usr/lib/libpcap.so.1 Reading symbols from /usr/lib/libssl.so.10...done. > Loaded symbols for /usr/lib/libssl.so.10 Reading symbols from /usr/lib/libcrypto.so.10...done. > Loaded symbols for /usr/lib/libcrypto.so.10 Reading symbols from /usr/lib/libbind.so.4...done. > Loaded symbols for /usr/lib/libbind.so.4 Reading symbols from /usr/local/lib/libz.so.1...done. 
> Loaded symbols for /usr/local/lib/libz.so.1 Reading symbols from /usr/local/lib/libtcmalloc.so.4...done. > Loaded symbols for /usr/local/lib/libtcmalloc.so.4 Reading symbols from /usr/local/lib/libcurl.so.4...done. > Loaded symbols for /usr/local/lib/libcurl.so.4 Reading symbols from /lib/libpthread.so.0...done. > Loaded symbols for /lib/libpthread.so.0 > Reading symbols from /lib/libdl.so.2...done. > Loaded symbols for /lib/libdl.so.2 > Reading symbols from /usr/lib/libstdc++.so.6...done. > Loaded symbols for /usr/lib/libstdc++.so.6 Reading symbols from /lib/libm.so.6...done. > Loaded symbols for /lib/libm.so.6 > Reading symbols from /lib/libgcc_s.so.1...done. > Loaded symbols for /lib/libgcc_s.so.1 > Reading symbols from /lib/libc.so.6...done. > Loaded symbols for /lib/libc.so.6 > Reading symbols from /usr/lib/libzcp.so...done. > Loaded symbols for /usr/lib/libzcp.so > Reading symbols from /lib/libgssapi_krb5.so.2...done. > Loaded symbols for /lib/libgssapi_krb5.so.2 Reading symbols from /lib/libkrb5.so.3...done. > Loaded symbols for /lib/libkrb5.so.3 > Reading symbols from /lib/libcom_err.so.2...done. > Loaded symbols for /lib/libcom_err.so.2 > Reading symbols from /lib/libk5crypto.so.3...done. > Loaded symbols for /lib/libk5crypto.so.3 Reading symbols from /lib/libresolv.so.2...done. > Loaded symbols for /lib/libresolv.so.2 > Reading symbols from /lib/librt.so.1...done. > Loaded symbols for /lib/librt.so.1 > Reading symbols from /lib/ld.so.1...done. > Loaded symbols for /lib/ld.so.1 > Reading symbols from /lib/libbvsp.so...done. > Loaded symbols for /lib/libbvsp.so > Reading symbols from /lib/libbcon.so...done. > Loaded symbols for /lib/libbcon.so > Reading symbols from /lib/libkrb5support.so.0...done. > Loaded symbols for /lib/libkrb5support.so.0 Reading symbols from /lib/libkeyutils.so.1...done. > Loaded symbols for /lib/libkeyutils.so.1 Reading symbols from /usr/lib/libxml2.so.2...done. 
> Loaded symbols for /usr/lib/libxml2.so.2 Reading symbols from /lib/libhmlibs.so...done. > Loaded symbols for /lib/libhmlibs.so > Reading symbols from /lib/libhmolddb.so...done. > Loaded symbols for /lib/libhmolddb.so > Reading symbols from /lib/libcf.so...done. > Loaded symbols for /lib/libcf.so > Reading symbols from /lib/libbvsep.so...done. > Loaded symbols for /lib/libbvsep.so > Reading symbols from /usr/lib/libnrddi.so...done. > Loaded symbols for /usr/lib/libnrddi.so > Reading symbols from /lib/libselinux.so.1...done. > Loaded symbols for /lib/libselinux.so.1 > Core was generated by `/var/tmp/bro/spool/tmp/bro -U .status -p broctl -p broctl-live -p local -p mana'. > Program terminated with signal 6, Aborted. > #0 0x0f6cf01c in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 > 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. > in ../nptl/sysdeps/unix/sysv/linux/raise.c > Missing separate debuginfos, use: debuginfo-install e2fsprogs-libs-1.41.9-2.fc11.ppc glibc-2.17-4.fc11.ppc keyutils-libs-1.2-5.fc11.ppc krb5-libs-1.9.3-1.fc11.ppc libbind-6.0-1.fc11.ppc libgcc-4.4.1-2.fc11.ppc libselinux-2.0.80-1.fc11.ppc libstdc++-4.4.1-2.fc11.ppc libxml2-2.7.6-1.fc11.ppc openssl-libs-1.0.1e-37.fc11.1.ppc > (gdb) backtrace > #0 0x0f6cf01c in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 > #1 0x0f6d0de0 in *__GI_abort () at abort.c:90 > #2 0x1024be70 in logging::writer::Ascii::~Ascii (this=0x11a87200, __in_chrg=) > at /bivio/scsi/b/levitonl/bro-2.3.1/src/logging/writers/Ascii.cc:186 > #3 0x10236b70 in threading::Manager::Process (this=0x10dae180) > at /bivio/scsi/b/levitonl/bro-2.3.1/src/threading/Manager.cc:171 > #4 0x101a5400 in net_run () at /bivio/scsi/b/levitonl/bro-2.3.1/src/Net.cc:389 > #5 0x100f7554 in main (argc=, argv=) > at /bivio/scsi/b/levitonl/bro-2.3.1/src/main.cc:1165 > Current language: auto; currently minimal > (gdb) > #0 0x0f6cf01c in *__GI_raise (sig=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:56 > #1 0x0f6d0de0 in *__GI_abort () at abort.c:90 > #2 0x1024be70 in logging::writer::Ascii::~Ascii (this=0x11a87200, __in_chrg=) > at /bivio/scsi/b/levitonl/bro-2.3.1/src/logging/writers/Ascii.cc:186 > #3 0x10236b70 in threading::Manager::Process (this=0x10dae180) > at /bivio/scsi/b/levitonl/bro-2.3.1/src/threading/Manager.cc:171 > #4 0x101a5400 in net_run () at /bivio/scsi/b/levitonl/bro-2.3.1/src/Net.cc:389 > #5 0x100f7554 in main (argc=, argv=) > at /bivio/scsi/b/levitonl/bro-2.3.1/src/main.cc:1165 > (gdb) quit -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 11:19:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 13:19:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1331) BroControl manager crashes when logs rotate In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19965#comment-19965 ] Jon Siwek commented on BIT-1331: -------------------------------- Maybe related to BIT-1253. > BroControl manager crashes when logs rotate > ------------------------------------------- > > Key: BIT-1331 > URL: https://bro-tracker.atlassian.net/browse/BIT-1331 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: git/master, 2.4 > Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method > Reporter: Josh Liburdi > Priority: High > Labels: broctl > Fix For: 2.4 > > > The BroControl manager crashes when the logs rotate. Workers run fine through this process. 
> stderr.log output:
>
> internal error: finish missing
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted                 (core dumped) nohup "$mybro" "$@"
> send-mail: SENDMAIL-NOTFOUND not found

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 11:35:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 13:35:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19966#comment-19966 ]

Jon Siwek commented on BIT-1324:
--------------------------------

Yeah, it works to have an optional path in the Stream record to be auto-inherited by any filters that get added. Making this change shouldn't be hard, but will wait a day or two to see if there's more feedback.

> default_path_func does weird things to underscores
> --------------------------------------------------
>
>                 Key: BIT-1324
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1324
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Justin Azoff
>            Assignee: Jon Siwek
>            Priority: Low
>              Labels: logging
>             Fix For: 2.4
>
>
> The following script creates a
> {noformat}
> foo__b_ar.log
> {noformat}
>
> instead of the expected {noformat}foo_bar{noformat}
>
> {code}
> module FOO_BAR;
>
> export {
>     redef enum Log::ID += { LOG };
>     type Info: record {
>         ts: time &log;
>         msg: string &log;
>     };
> }
>
> event bro_init() {
>     Log::create_stream(LOG, [$columns=Info]);
>     local l = [$ts = network_time(), $msg="hello"];
>     Log::write(LOG, l);
>     print "Logged";
> }
> {code}
>
> The problem is in script land in default_path_func
>
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
>
> outputs
>
> {code}
> [FOO, _B, AR]
> {code}
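To make the BIT-1324 behaviour reproducible outside Bro, here is an added Python illustration (not code from the issue or from Bro's logging framework). `split_like_bro` applies the same regular expression the issue quotes, using a capturing group so that `re.split` keeps the separators the way `split_string_n(..., T, ...)` does, and yields the `[FOO, _B, AR]` token list that causes the doubled underscore. `module_to_log_basename` is a separate, assumed set of rules for turning a module name into a log basename that treats an existing underscore as the separator instead of as part of a token; it is an assumption for this example, not a copy of the fixed `default_path_func`.

```python
import re

# The regex from the issue's default_path_func excerpt, as a Python pattern.
# The capturing group makes re.split() keep each separator match in the
# result, which is what split_string_n(..., incl_sep=T, ...) does in Bro.
BRO_MODULE_SPLIT = re.compile(r"([^A-Z][A-Z][a-z]*)")


def split_like_bro(module_name):
    """Reproduce the token list the issue reports (empty tokens dropped).

    For "FOO_BAR" the only separator match is "_B": a non-uppercase
    character followed by an uppercase one, so the name is cut at the
    underscore and the underscore travels with the "B" token.
    """
    return [tok for tok in BRO_MODULE_SPLIT.split(module_name) if tok]


def module_to_log_basename(module_name):
    """Convert a module name to a lower-case, underscore-separated basename.

    Illustrative rules chosen for this example (an assumption, not Bro's
    actual default_path_func):
      * an underscore already present is kept as the single separator and
        never doubled;
      * an underscore is inserted only at a lower->Upper boundary or where
        an acronym ends (Upper followed by UpperLower, e.g. "HTTPConn");
      * everything is lower-cased.
    """
    out = []
    for i, ch in enumerate(module_name):
        if ch == "_":
            if out and out[-1] != "_":
                out.append("_")
            continue
        if ch.isupper() and i > 0:
            prev = module_name[i - 1]
            nxt = module_name[i + 1] if i + 1 < len(module_name) else ""
            boundary = prev.islower() or (prev.isupper() and nxt.islower())
            if boundary and out and out[-1] != "_":
                out.append("_")
        out.append(ch.lower())
    return "".join(out).strip("_")


if __name__ == "__main__":
    for name in ("FOO_BAR", "SumStats", "HTTPConn", "Notice"):
        print(name, split_like_bro(name), module_to_log_basename(name))
```

Running the block prints the token list for each name next to the basename the illustrative rules produce; `FOO_BAR` splits to `['FOO', '_B', 'AR']` as in the issue but converts to `foo_bar`.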
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 11:43:03 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 13:43:03 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existent enum from an input file terminates bro
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1229:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

This got fixed to emit an error message and continue processing input.

> loading a non-existent enum from an input file terminates bro
> -------------------------------------------------------------
>
>                 Key: BIT-1229
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1229
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>             Fix For: 2.4
>
>         Attachments: ignored_notices.csv, ignore-notices.bro
>
>
> If you have an input file with an enum in it and it does not exist, bro terminates:
>
> internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 11:47:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 13:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1194) broctl deploy command
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1194:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Will be fixed when BIT-1341 is merged.

> broctl deploy command
> ---------------------
>
>                 Key: BIT-1194
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1194
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>             Fix For: 2.4
>
>
> (mostly notes for me right now)
>
> Currently broctl makes it too easy for an end user to do the wrong thing when changing the bro config.
>
> restart --clean is close, however, it does things in this order:
>
> stop -> clean -> check -> install -> start
>
> This is bad because in the event of a 'check' failure bro will not restart.
>
> So, I think what needs to be done is 'restart --clean' should only do:
>
> stop -> clean -> start
>
> and a new command 'broctl deploy' should do
>
> check -> install -> restart
>
> 'broctl deploy --clean' can do
>
> check -> stop -> clean -> install -> start
>
> Also, I think the 'install' operation should always run 'check', is there any reason it shouldn't? Would someone ever want to force install a broken config?
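The difference between the two orderings in BIT-1194 is easiest to see by running both against a configuration that fails `check`. The following is an added Python model written for this page, not BroControl code: `Node` is an assumed toy stand-in for one managed node that records which operations ran and whether Bro is still running, `restart_clean_old` performs the `stop -> clean -> check -> install -> start` sequence the issue objects to, and `deploy` performs the proposed `check`-first sequences. With the old ordering a broken config leaves the sensor stopped; with `deploy` the check fails before anything has been touched, so the sensor keeps running its old configuration.

```python
class CheckFailed(Exception):
    """Raised when the candidate configuration does not pass 'check'."""


class Node:
    """Toy model of a BroControl-managed node (an assumption for this example).

    It tracks whether Bro is running, which configuration is installed and
    the sequence of operations performed, so the two orderings can be
    compared directly.
    """

    def __init__(self, candidate_config_ok=True):
        self.running = True            # a production sensor starts out running
        self.installed = "old"         # the configuration currently deployed
        self.candidate_config_ok = candidate_config_ok
        self.ops = []

    def check(self):
        self.ops.append("check")
        if not self.candidate_config_ok:
            raise CheckFailed("candidate configuration failed 'check'")

    def stop(self):
        self.ops.append("stop")
        self.running = False

    def clean(self):
        self.ops.append("clean")

    def install(self):
        self.ops.append("install")
        self.installed = "new"

    def start(self):
        self.ops.append("start")
        self.running = True

    def restart(self):
        self.stop()
        self.start()


def restart_clean_old(node):
    """The ordering the issue objects to: stop -> clean -> check -> install -> start.

    A failing check aborts the sequence after the node has already been
    stopped, so the sensor stays down with nothing new installed.
    """
    try:
        node.stop()
        node.clean()
        node.check()
        node.install()
        node.start()
    except CheckFailed:
        pass
    return node


def deploy(node, clean=False):
    """The proposed 'broctl deploy' ordering: validate before touching anything.

    deploy:          check -> install -> restart
    deploy --clean:  check -> stop -> clean -> install -> start
    A failing check returns before 'stop', so a running sensor keeps running
    with its old configuration.
    """
    try:
        node.check()
    except CheckFailed:
        return node
    if clean:
        node.stop()
        node.clean()
        node.install()
        node.start()
    else:
        node.install()
        node.restart()
    return node


if __name__ == "__main__":
    bad_old = restart_clean_old(Node(candidate_config_ok=False))
    bad_new = deploy(Node(candidate_config_ok=False))
    print("old ordering, broken config -> running:", bad_old.running, bad_old.ops)
    print("deploy, broken config      -> running:", bad_new.running, bad_new.ops)
```

The point of the model is the fail-safe property: a monitoring sensor that goes down because of a typo in a configuration file is a detection gap, so validation has to happen while the old configuration is still serving.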
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 11:48:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 13:48:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1179) HTTP analyzer too sensitive to content gaps, was: HTTP messages missing in files.log
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1179?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1179:
---------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> HTTP analyzer too sensitive to content gaps, was: HTTP messages missing in files.log
> ------------------------------------------------------------------------------------
>
>                 Key: BIT-1179
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1179
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>             Fix For: 2.5
>
>
> I have a trace with multiple HTTP requests inside a persistent HTTP session, for which only the first two appear in files.log; the remaining ones are missing. Looks like a bug.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 11:50:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 13:50:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1171) misc/app-stats/main.bro broken for a few sites
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1171:
---------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> misc/app-stats/main.bro broken for a few sites
> ----------------------------------------------
>
>                 Key: BIT-1171
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1171
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Jon Siwek
>             Fix For: 2.5
>
>
> Currently the reporting of misc/app-stats/main.bro seems to be quite wrong for some of the sites it monitors.
> At the very least the numbers for youtube and netflix are completely off; gmail also seems slightly unbelievable.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 12:01:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 14:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1073) Make the MIME analyzer a FAF analyzer
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1073?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1073:
---------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Make the MIME analyzer a FAF analyzer
> -------------------------------------
>
>                 Key: BIT-1073
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1073
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Matthias Vallentin
>              Labels: analyzer, file-analysis, mime
>             Fix For: 2.5
>
>
> We should convert the MIME analyzer to use FAF, allowing other components to reuse it. Specifically, I noted this in the process of bringing back the POP3 analyzer. Ideally, we can just feed the contents of the downloaded emails via the RETR command into a FAF-based MIME analyzer. Then we wouldn't have to rebuild functionality that's close to the SMTP analyzer.
>
> In summary, we should factor the MIME analysis into a separate analysis unit.
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 12:05:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 14:05:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1036) add script based on BBN's Host Peering
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1036?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1036:
---------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> add script based on BBN's Host Peering
> --------------------------------------
>
>                 Key: BIT-1036
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1036
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dmandelb
>             Fix For: 2.5
>
>         Attachments: 0001-add-script-based-on-BBN-s-Host-Peering.patch, signature.asc
>

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 12:05:02 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 14:05:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1034) add scripts that provide simple correlation
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1034?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1034:
---------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> add scripts that provide simple correlation
> -------------------------------------------
>
>                 Key: BIT-1034
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1034
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dmandelb
>             Fix For: 2.5
>
>         Attachments: 0001-add-scripts-that-provide-simple-correlation.patch
>

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 12:05:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 14:05:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1043) LRU Table implementation
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1043:
---------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> LRU Table implementation
> ------------------------
>
>                 Key: BIT-1043
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1043
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jordi Ros-Giralt
>             Fix For: 2.5
>
>
> Attaching below the email description I exchanged with Seth and Robin describing this work.
>
> ------
>
> Hi Seth and Robin,
>
> We got the repo up, you can get to our branch as follows:
>
> git clone --recursive https://github.com/giralt/bro.git
> cd bro/
> git checkout lru-table
>
> We would be happy to contribute this code to the Bro community. This is what it does:
>
> - It implements LRU tables for Bro
> - A Bro table can be enhanced with the LRU functionality with the following new table attributes:
>   &lru_table: enhance the table with LRU functionality
>   &size_limit=n: if adding an element to the table makes the size of the table larger than n, then drop the LRU element from that table before inserting the new element. n=0 means table size can be infinite (so don't drop elements from it)
>   &drop_func=callback_func: defines a programmable callback function that gets called automatically every time an element from the LRU table is dropped due to hitting the size_limit. The prototype of this callback must be as follows:
>   function callback_func(t: table[keytype] of valuetype, key: keytype, val: valuetype): count
> - It adds the following bif functions:
>   function get_lru%(v: any%): any
>   function get_mru%(v: any%): any
>   function get_lru_key%(v: any%): any
>   function get_mru_key%(v: any%): any
> - Example:
>   function freed(t: table[port] of string, key: port, val: string): count { print "Dropped"; }
>   local port_names: table[port] of string &lru &size_limit=2 &drop_func=freed;
>
> In terms of applications, we are currently using this feature for the chimera-to-bro compiler we are working on: http://www.chimera-query.org/index.html
>
> We thought that we could also use this feature to provide a sort of memory management facility for Bro. I had a talk with Seth some weeks ago about this. Something like the LRU implementation allows programmers to put bounds on the size of tables and prioritize which elements can be dropped first upon memory exhaustion scenarios. Perhaps an idea here would be to develop a garbage collector (could be done using the Bro language itself, perhaps as a framework) which would be run upon hitting a certain memory usage watermark and which would mainly run through the set of tables marked as "garbage collectable", dropping LRU elements from them to help reduce/eliminate the risk of running out of memory.
>
> Should this be something interesting, what are the steps we would need to do to open source the LRU code into Bro?
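The semantics proposed in BIT-1043 (a table whose `&size_limit` evicts the least recently used element and whose `&drop_func` is told about each eviction, plus `get_lru`/`get_mru` style accessors) are small enough to model in a few dozen lines. The block below is an added Python illustration written for this page, not the C++ implementation in the `lru-table` branch: `LRUTable` is an assumed class name, `demo_port_names` mirrors the `table[port] of string &size_limit=2` example from the proposal, and the string keys such as `"22/tcp"` are constructed stand-ins for Bro port values. It also shows why bounded tables matter for a sensor: the state a NIDS keeps per host or per connection is driven by untrusted traffic, so a hard cap with a predictable eviction policy is what keeps memory use from being attacker-controlled.

```python
from collections import OrderedDict


class LRUTable:
    """Table with least-recently-used eviction, modelled on the proposal above.

    size_limit=0 means unbounded (nothing is ever dropped).  drop_func, if
    given, is called as drop_func(table, key, value) for every evicted entry,
    matching the &drop_func callback prototype in the proposal.  Both reads
    and writes count as "use".  Added Python illustration, not the C++ code
    in the referenced branch.
    """

    def __init__(self, size_limit=0, drop_func=None):
        self._entries = OrderedDict()      # iteration order == LRU first
        self.size_limit = size_limit
        self.drop_func = drop_func
        self.dropped = 0                   # total evictions so far

    def __setitem__(self, key, value):
        if key in self._entries:
            self._entries.move_to_end(key)  # an update makes the entry MRU
            self._entries[key] = value
            return
        # Make room for the new element before inserting it.
        if self.size_limit and len(self._entries) >= self.size_limit:
            old_key, old_value = self._entries.popitem(last=False)
            self.dropped += 1
            if self.drop_func is not None:
                self.drop_func(self, old_key, old_value)
        self._entries[key] = value

    def __getitem__(self, key):
        self._entries.move_to_end(key)     # touching an entry makes it MRU
        return self._entries[key]

    def __contains__(self, key):
        return key in self._entries

    def __len__(self):
        return len(self._entries)

    def keys(self):
        return list(self._entries)         # LRU first, MRU last

    # Counterparts of the proposed get_lru / get_mru / get_lru_key / get_mru_key bifs.
    def get_lru_key(self):
        return next(iter(self._entries)) if self._entries else None

    def get_mru_key(self):
        return next(reversed(self._entries)) if self._entries else None

    def get_lru(self):
        k = self.get_lru_key()
        return None if k is None else self._entries[k]

    def get_mru(self):
        k = self.get_mru_key()
        return None if k is None else self._entries[k]


def demo_port_names():
    """Mirror the proposal's example: table[port] of string with &size_limit=2."""
    freed = []

    def drop_func(table, key, value):      # plays the role of the 'freed' callback
        freed.append((key, value))

    port_names = LRUTable(size_limit=2, drop_func=drop_func)
    port_names["22/tcp"] = "ssh"
    port_names["80/tcp"] = "http"
    _ = port_names["22/tcp"]               # 22/tcp becomes most recently used
    port_names["443/tcp"] = "https"        # over the limit: 80/tcp is dropped
    return {
        "keys": port_names.keys(),
        "freed": freed,
        "lru": port_names.get_lru(),
        "mru": port_names.get_mru(),
        "dropped": port_names.dropped,
    }


if __name__ == "__main__":
    print(demo_port_names())
```

The eviction happens before the insert, as the proposal's `&size_limit` text specifies, so the table never holds more than `size_limit` entries even transiently; the `dropped` counter is the kind of value worth exporting as a metric, since a steadily rising eviction rate on a per-host table is an early sign that the sensor is being made to track more state than it was sized for.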
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 12:05:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 14:05:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1047) Delete old scripts before installing new ones
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1047:
---------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Delete old scripts before installing new ones
> ---------------------------------------------
>
>                 Key: BIT-1047
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1047
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: Robin Sommer
>             Fix For: 2.5
>
>
> People keep having problems when they install a new Bro version over the installation of an old one because scripts that have disappeared in the new version will keep sticking around from the previous installation.
>
> We should simply remove the old scripts/base and scripts/policy before installing anything new. People aren't supposed to edit in there so that should be safe.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 12:06:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 14:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1033) add script based on BBN's ICMP analyzer
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1033:
---------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> add script based on BBN's ICMP analyzer
> ---------------------------------------
>
>                 Key: BIT-1033
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1033
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dmandelb
>             Fix For: 2.5
>
>         Attachments: 0001-add-script-based-on-BBN-s-ICMP-analyzer.patch
>

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 12:06:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 14:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1032) add script based on BBN's Host Characterization
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1032?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1032:
---------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> add script based on BBN's Host Characterization
> -----------------------------------------------
>
>                 Key: BIT-1032
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1032
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dmandelb
>             Fix For: 2.5
>
>         Attachments: 0001-add-script-based-on-BBN-s-Host-Characterization.patch
>
>
> BBN's RePS team wrote this script that might be useful to the Bro community if it were added to the bro-scripts repository.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Mon Mar 16 12:06:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 14:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1031) add script based on BBN's Flow Analyzer
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1031:
---------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> add script based on BBN's Flow Analyzer
> ---------------------------------------
>
>                 Key: BIT-1031
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1031
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dmandelb
>             Fix For: 2.5
>
>         Attachments: 0001-add-script-based-on-BBN-s-Flow-Analyzer.patch
>
>
> BBN's RePS team wrote this script that might be useful to the Bro community if it were added to the bro-scripts repository.
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:08:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:08:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1026) runtime error with local set of record with optional fields In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1026?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1026: --------------------------- Fix Version/s: (was: 2.4) 2.5 > runtime error with local set of record with optional fields > ----------------------------------------------------------- > > Key: BIT-1026 > URL: https://bro-tracker.atlassian.net/browse/BIT-1026 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: dmandelb > Fix For: 2.5 > > > This code: > {noformat} > type Foo: record { > a: count &optional; > b: count &optional; > }; > event bro_init() { > local foos: set[Foo] = {}; > add foos[[$a=0]]; > print(foos); > } > {noformat} > Gives this output: > {noformat} > error in and /home/dmandelb/reps/test.bro, line 7: index type doesn't match table ([a=0, b=] and list of any) > { > } > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:09:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:09:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1025) internal error: over-ran key in CompositeHash::RecoverVals In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1025?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1025: --------------------------- Fix Version/s: (was: 2.4) 2.5 > internal error: over-ran key in CompositeHash::RecoverVals > ---------------------------------------------------------- > > Key: BIT-1025 > URL: 
https://bro-tracker.atlassian.net/browse/BIT-1025 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: dmandelb > Fix For: 2.5 > > Attachments: bbn-correlator.tgz > > > {noformat} > $ bro bbn-correlator > internal error: over-ran key in CompositeHash::RecoverVals > Aborted > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:17:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:17:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1023) const vector can be modified In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1023?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1023: --------------------------- Fix Version/s: (was: 2.4) 2.5 > const vector can be modified > ---------------------------- > > Key: BIT-1023 > URL: https://bro-tracker.atlassian.net/browse/BIT-1023 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: dmandelb > Fix For: 2.5 > > > The following code should probably be an error: > {noformat} > const foo: vector of double = vector() &redef; > foo[|foo|] = 42.0; > print(foo); > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:21:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:21:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1015) weird.log contains binpac exceptions In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1015: --------------------------- Fix Version/s: (was: 2.4) 2.5 > weird.log contains binpac exceptions > ------------------------------------ > > Key: BIT-1015 > URL: 
https://bro-tracker.atlassian.net/browse/BIT-1015 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: kraigu > Fix For: 2.5 > > > Contained in weird.log. We're running a git version from 26 February. > {noformat} > 1370368807.759955 EEH6KdrWzNj 10.0.0.181 17926 76.192.60.215 514 binpac exception: string mismatch at /usr/local/src/bro-git/src/syslog-protocol.pac:8: \x0aexpected pattern: "[[:digit:]]+"\x0aactual data: "\x02\x0ch1\x80]T" - F worker-5 > 1370368811.151104 EEH6KdrWzNj 10.0.0.181 17926 76.192.60.215 514 binpac exception: string mismatch at /usr/local/src/bro-git/src/syslog-protocol.pac:8: \x0aexpected pattern: "[[:digit:]]+"\x0aactual data: "\x02\x0ch1\xb4\x1e\xca" - F worker-5 > 1370370685.869123 bgl21hARmjf 10.0.0.229 29263 190.23.207.127 514 binpac exception: string mismatch at /usr/local/src/bro-git/src/syslog-protocol.pac:8: \x0aexpected pattern: "[[:digit:]]+"\x0aactual data: "`\xdaf\xaa6!\xf3\x94\x11<,p\x9e9^\xdc\x8f\x88D\x906F\xf0&r\xd2\xc0\x8b\xc3\xff.-\x0f" - F worker-1 > 1370371495.244206 NcgBSHJfqP1 10.0.1.165 2471 201.145.199.174 514 binpac exception: string mismatch at /usr/local/src/bro-git/src/syslog-protocol.pac:8: \x0aexpected pattern: "[[:digit:]]+"\x0aactual data: "`\x88\x87sP\x8c\x92\xd6`\xce\xb1\xc8J{\xa9\x98%\xad79\xd8\xa2Bm\xa2\x02\xfa%\x1e0\x9c\x0e\x97" - F worker-6 > 1370371495.257415 NcgBSHJfqP1 10.0.1.165 2471 201.145.199.174 514 binpac exception: string mismatch at /usr/local/src/bro-git/src/syslog-protocol.pac:8: \x0aexpected pattern: "[[:digit:]]+"\x0aactual data: "a\x88\x87sP\x8c\x92\xd6`\xce\xb1\xc8J{\xa9\x98%\x02\xd5\x80\x97P5\x18@\xe3\xdej\x84\xe3\xa9"HK\xbd\x90E\x05\x9f@\x9f@\x01\x9a\xf5\xf8QW\xe1\x80\xc1`ym\x04\x8f\xea\xbd\xad\xc9\xfa:L\x0d \x0d " - F worker-6 > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:23:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) 
Date: Mon, 16 Mar 2015 14:23:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1014) Weirds could be unique In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1014?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1014: --------------------------- Fix Version/s: (was: 2.4) 2.5 > Weirds could be unique > ---------------------- > > Key: BIT-1014 > URL: https://bro-tracker.atlassian.net/browse/BIT-1014 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: thorkill > Priority: Low > Fix For: 2.5 > > > It would be nice to have unique weirds for each "test" which generates it. > "An explanation of what each of those 'weirds' would represent would be helpful" > Most interesting for me are: fragment_protocol_inconsistency, fragment_size_inconsistency and truncated_IP. > This will give you an overview about current names: > {noformat} > grep Weird *.cc | cut -d'"' -f2 | sort | uniq -c | sort -n > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:26:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:26:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1012) RIP Analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1012: --------------------------- Fix Version/s: (was: 2.4) 2.5 > RIP Analyzer > ------------ > > Key: BIT-1012 > URL: https://bro-tracker.atlassian.net/browse/BIT-1012 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro > Affects Versions: git/master > Reporter: nicolas > Priority: Low > Fix For: 2.5 > > Attachments: 0001-RIP-analyzer.patch > > > I wrote some code lines to see how binpac works; it is a RIPv2 analyzer. 
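The weird.log entries quoted in BIT-1015 above carry the offending packet bytes inside the weird name, so every hit is a distinct name and `uniq -c` style counting (the overview BIT-1014 asks for) is useless on them. As an added Python example, not code from the Bro project or from either report, this normalises binpac exceptions to the analyzer source file, line and failure kind before counting, then tallies by responder port, worker and distinct connection so an operator can see that one analyzer (here the syslog parser on UDP/514) is producing all the noise. The log lines are constructed for this example, modelled on the BIT-1015 entries with shortened payloads, and the column order is the 2.x weird.log layout assumed here, so check the #fields header of a real log before relying on positions.

```python
"""Triage of binpac exceptions in weird.log.

Added example (Python), not code from Bro or the reports above: collapses the
payload-bearing `binpac exception: ...` weird names from BIT-1015 into a stable
key so they can be counted per analyzer as BIT-1014 asks. Sample lines are
constructed, tab-separated like a Bro ASCII log; the column order is assumed.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "name", "addl", "notice", "peer"]

PAC = "/usr/local/src/bro-git/src/syslog-protocol.pac:8"
EXC = ("binpac exception: string mismatch at " + PAC +
       ': \\x0aexpected pattern: "[[:digit:]]+"\\x0aactual data: ')

# Constructed sample modelled on the BIT-1015 entries (payloads shortened).
SAMPLE_WEIRD_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    "\t".join(["1370368807.759955", "EEH6KdrWzNj", "10.0.0.181", "17926", "76.192.60.215",
               "514", EXC + '"\\x02\\x0ch1\\x80]T"', "-", "F", "worker-5"]),
    "\t".join(["1370368811.151104", "EEH6KdrWzNj", "10.0.0.181", "17926", "76.192.60.215",
               "514", EXC + '"\\x02\\x0ch1\\xb4\\x1e\\xca"', "-", "F", "worker-5"]),
    "\t".join(["1370370685.869123", "bgl21hARmjf", "10.0.0.229", "29263", "190.23.207.127",
               "514", EXC + '"`\\xdaf\\xaa6!"', "-", "F", "worker-1"]),
    "\t".join(["1370371495.244206", "NcgBSHJfqP1", "10.0.1.165", "2471", "201.145.199.174",
               "514", EXC + '"`\\x88\\x87sP"', "-", "F", "worker-6"]),
    "\t".join(["1370371495.257415", "NcgBSHJfqP1", "10.0.1.165", "2471", "201.145.199.174",
               "514", EXC + '"a\\x88\\x87sP"', "-", "F", "worker-6"]),
    "\t".join(["1370371500.000000", "Cq3xZ1abcde", "10.0.1.7", "40001", "10.0.0.53",
               "53", "dns_unmatched_msg", "-", "F", "worker-2"]),
])

BINPAC_RE = re.compile(r"^binpac exception: (?P<kind>.+?) at (?P<pac>\S+\.pac):(?P<line>\d+):")


class WeirdRecord(NamedTuple):
    ts: float
    uid: str
    resp_p: int
    name: str
    peer: str


def normalize_name(name: str) -> str:
    """Collapse a binpac weird (which embeds packet bytes) into a countable key.

    Plain weird names such as truncated_IP are returned unchanged.
    """
    m = BINPAC_RE.match(name)
    if m is None:
        return name
    pac = m.group("pac").rsplit("/", 1)[-1]
    kind = m.group("kind").replace(" ", "_")
    return f"binpac_exception:{pac}:{m.group('line')}:{kind}"


def parse_weird_log(text: str) -> List[WeirdRecord]:
    """Parse ASCII weird.log lines; header/comment lines and malformed rows are skipped."""
    records: List[WeirdRecord] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            continue  # never guess at misaligned fields
        row = dict(zip(FIELDS, cols))
        records.append(WeirdRecord(float(row["ts"]), row["uid"],
                                   int(row["id.resp_p"]), row["name"], row["peer"]))
    return records


def summarize(records: List[WeirdRecord]) -> Dict[str, Dict]:
    """Counts by normalised name, responder port and worker, plus the number of
    distinct connections behind each normalised name."""
    by_name: Counter = Counter()
    by_port: Counter = Counter()
    by_peer: Counter = Counter()
    conns: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        key = normalize_name(r.name)
        by_name[key] += 1
        by_port[r.resp_p] += 1
        by_peer[r.peer] += 1
        conns[key].add(r.uid)
    return {"by_name": dict(by_name), "by_port": dict(by_port), "by_peer": dict(by_peer),
            "connections_by_name": {k: len(v) for k, v in conns.items()}}


if __name__ == "__main__":
    for key, n in sorted(summarize(parse_weird_log(SAMPLE_WEIRD_LOG))["by_name"].items()):
        print(f"{n:6d}  {key}")
```

The "actual data" in the report is plainly not syslog (binary on UDP/514), so the exception is the analyzer doing its job on mis-attributed traffic; the useful detection signal is the per-connection count for one normalised key, which is what tells you whether to tune the port-based analyzer assignment rather than chase each line.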
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:26:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:26:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1003) Private record fields In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1003?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1003: --------------------------- Fix Version/s: (was: 2.4) 2.5 > Private record fields > --------------------- > > Key: BIT-1003 > URL: https://bro-tracker.atlassian.net/browse/BIT-1003 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: Robin Sommer > Priority: Low > Fix For: 2.5 > > > I'm wondering if we could change record extension ("redef record XXX +=" ?) so that the new fields are only publicly visible if the extension is part of an export section; if not, only the defining namespace would be able to access them. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:28:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:28:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-994) segmentation fault with anonymous enum In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-994?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-994: -------------------------- Resolution: Fixed Status: Closed (was: Open) The test case now emits an "incorrect syntax" error instead of segfaulting. 
> segmentation fault with anonymous enum > -------------------------------------- > > Key: BIT-994 > URL: https://bro-tracker.atlassian.net/browse/BIT-994 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: dmandelb > Priority: Low > Fix For: 2.4 > > > This code: > {noformat} > global x: enum {FOO, BAR} = FOO; > {noformat} > Causes a segmentation fault with this backtrace: > {noformat} > #0 0x082733be in ID::Name (this=0x0) at /home/dmandelb/bro/src/ID.h:23 > #1 0x0826a19e in parser_new_enum () at parse.y:142 > #2 0x0826e068 in yyparse () at parse.y:850 > #3 0x08281a42 in main (argc=5, argv=0xbffff2b4) at /home/dmandelb/bro/src/main.cc:801 > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:34:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:34:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-991) Imap Analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-991?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-991: -------------------------- Fix Version/s: (was: 2.4) 2.5 > Imap Analyzer > ------------- > > Key: BIT-991 > URL: https://bro-tracker.atlassian.net/browse/BIT-991 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro > Affects Versions: git/master > Reporter: nicolas > Assignee: Seth Hall > Priority: Low > Labels: Imap, analyzer > Fix For: 2.5 > > Attachments: 0001-IMAP-analyzer.patch > > > Here is an Imap Analyzer and a quick script sample. It is inspired by the POP3 Analyzer. > No problem to make some coding changes if you ask. 
> Nicolas -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:35:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:35:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-985: -------------------------- Fix Version/s: (was: 2.4) 2.5 > 'tail -f' functionality for file reading in input framework > ----------------------------------------------------------- > > Key: BIT-985 > URL: https://bro-tracker.atlassian.net/browse/BIT-985 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: scampbell > Assignee: Johanna Amann > Priority: Low > Fix For: 2.5 > > Attachments: PATCH > > > With the current input framework, file data -> event translation requires that the entire data file be read at bro start time. This can be prohibitive when the file sizes become large ( > 1GB ). > It would be great to see a file open option that would start reading at the end of the file. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:39:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:39:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-71) Forward declarations of events don't work inside a module namespace In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-71?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19970#comment-19970 ] Jon Siwek commented on BIT-71: ------------------------------ Other examples of the problem referenced in BIT-984. 
> Forward declarations of events don't work inside a module namespace > ------------------------------------------------------------------- > > Key: BIT-71 > URL: https://bro-tracker.atlassian.net/browse/BIT-71 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 1.5.2 > Reporter: Robin Sommer > > Forward declarations of events aren't correctly resolved when used inside a module namespace. The worst thing about this is that they fail silently: there's no error message, the handler is just not executed. > The example below never prints anything. Once the module statement is removed, everything works fine though. > {noformat} > module Foo; > global bar: event(); > event bar() > { > print "bar"; > } > event new_connection(c: connection) > { > event bar(); > } > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:39:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:39:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-984) inconsistent scoping rules with events In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-984?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-984: -------------------------- Fix Version/s: (was: 2.4) > inconsistent scoping rules with events > -------------------------------------- > > Key: BIT-984 > URL: https://bro-tracker.atlassian.net/browse/BIT-984 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: dmandelb > Priority: Low > > This works as expected: > {noformat} > module Foo; > event foo() > { > print("foo!"); > } > event bro_init() > { > event foo(); > } > {noformat} > But this doesn't print anything: > {noformat} > module Foo; > global foo: event(); > event foo() > { > print("foo!"); > } > event bro_init() > { > event foo(); > } > {noformat} > This does though: 
> {noformat} > module Foo; > global foo: event(); > event foo() > { > print("foo!"); > } > event bro_init() > { > event Foo::foo(); > } > {noformat} > I think I understand how it works now, but the scoping rules seem a bit inconsistent for events versus other data types. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:40:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:40:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-984) inconsistent scoping rules with events In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-984?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-984: -------------------------- Resolution: Duplicate Status: Closed (was: Open) Duplicate of BIT-71. > inconsistent scoping rules with events > -------------------------------------- > > Key: BIT-984 > URL: https://bro-tracker.atlassian.net/browse/BIT-984 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: dmandelb > Priority: Low > > This works as expected: > {noformat} > module Foo; > event foo() > { > print("foo!"); > } > event bro_init() > { > event foo(); > } > {noformat} > But this doesn't print anything: > {noformat} > module Foo; > global foo: event(); > event foo() > { > print("foo!"); > } > event bro_init() > { > event foo(); > } > {noformat} > This does though: > {noformat} > module Foo; > global foo: event(); > event foo() > { > print("foo!"); > } > event bro_init() > { > event Foo::foo(); > } > {noformat} > I think I understand how it works now, but the scoping rules seem a bit inconsistent for events versus other data types. 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:41:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:41:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-71) Forward declarations of events don't work inside a module namespace In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-71?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-71: ------------------------- Fix Version/s: 2.5 > Forward declarations of events don't work inside a module namespace > ------------------------------------------------------------------- > > Key: BIT-71 > URL: https://bro-tracker.atlassian.net/browse/BIT-71 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 1.5.2 > Reporter: Robin Sommer > Fix For: 2.5 > > > Forward declarations of events aren't correctly resolved when used inside a module namespace. The worst thing about this is that they fail silently: there's no error message, the handler is just not executed. > The example below never prints anything. Once the module statement is removed, everything works fine though. 
> {noformat} > module Foo; > global bar: event(); > event bar() > { > print "bar"; > } > event new_connection(c: connection) > { > event bar(); > } > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 12:48:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 14:48:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-979) segmentation fault in Expr::Serialize In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-979: -------------------------- Resolution: Fixed Status: Closed (was: Open) This may work now (I only tested the example briefly). If not, it may not get much attention going forward anyway -- the plan is to eventually remove/replace &persistent and &synchronized. > segmentation fault in Expr::Serialize > ------------------------------------- > > Key: BIT-979 > URL: https://bro-tracker.atlassian.net/browse/BIT-979 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: dmandelb > Priority: Low > Fix For: 2.4 > > Attachments: bbn-host-characterization.bro, test-traffic.pcap > > > {noformat} > $ gdb --args ~/opt/bro/bin/bro -C -r reps/reps/traffic-generator/test-traffic.pcap reps/bro-scripts/bbn-host-characterization.bro > GNU gdb (GDB) 7.0.1-debian > Copyright (C) 2009 Free Software Foundation, Inc. > License GPLv3+: GNU GPL version 3 or later > This is free software: you are free to change and redistribute it. > There is NO WARRANTY, to the extent permitted by law. Type "show copying" > and "show warranty" for details. > This GDB was configured as "i486-linux-gnu". > For bug reporting instructions, please see: > ... > Reading symbols from /home/dmandelb/opt/bro/bin/bro...done. 
> (gdb) r > Starting program: /home/dmandelb/opt/bro/bin/bro -C -r reps/reps/traffic-generator/test-traffic.pcap reps/bro-scripts/bbn-host-characterization.bro > [Thread debugging using libthread_db enabled] > [New Thread 0xb7b27b70 (LWP 3035)] > [New Thread 0xb71ffb70 (LWP 3036)] > [New Thread 0xb69feb70 (LWP 3037)] > [New Thread 0xb5fffb70 (LWP 3038)] > Program received signal SIGSEGV, Segmentation fault. > 0x00000000 in ?? () > (gdb) bt > #0 0x00000000 in ?? () > #1 0x08301d14 in Expr::Serialize (this=0x8f69ce0, info=0xb60058d4) at /home/dmandelb/bro/src/Expr.cc:184 > #2 0x08294b92 in Attributes::DoSerialize (this=0x8f69998, info=0xb60058d4) at /home/dmandelb/bro/src/Attr.cc:512 > #3 0x083d4a63 in SerialObj::Serialize (this=0x8f69998, info=0xb60058d4) at /home/dmandelb/bro/src/SerialObj.cc:121 > #4 0x08294950 in Attributes::Serialize (this=0x8f69998, info=0xb60058d4) at /home/dmandelb/bro/src/Attr.cc:487 > #5 0x0835f111 in ID::DoSerialize (this=0x8f69790, info=0xb60058d4) at /home/dmandelb/bro/src/ID.cc:495 > #6 0x083d4a63 in SerialObj::Serialize (this=0x8f69790, info=0xb60058d4) at /home/dmandelb/bro/src/SerialObj.cc:121 > #7 0x0835e96e in ID::Serialize (this=0x8f69790, info=0xb60058d4) at /home/dmandelb/bro/src/ID.cc:311 > #8 0x083d7af9 in Serializer::Serialize (this=0x85ce3f0, info=0xb60058d4, id=...) 
at /home/dmandelb/bro/src/Serializer.cc:111 > #9 0x0839a133 in PersistenceSerializer::DoIDSerialization (this=0x85ce3f0, status=0xb60058d0, id=0x8f69790) at /home/dmandelb/bro/src/PersistenceSerializer.cc:498 > #10 0x08399d06 in PersistenceSerializer::RunSerialization (this=0x85ce3f0, status=0xb60058d0) at /home/dmandelb/bro/src/PersistenceSerializer.cc:405 > #11 0x083996ed in PersistenceSerializer::WriteState (this=0x85ce3f0, may_suspend=false) at /home/dmandelb/bro/src/PersistenceSerializer.cc:262 > #12 0x08280a2e in done_with_network () at /home/dmandelb/bro/src/main.cc:258 > #13 0x08282a2a in main (argc=5, argv=0xbffff2b4) at /home/dmandelb/bro/src/main.cc:1078 > (gdb) > {noformat} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 13:17:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 15:17:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1077) fix policy/protocols/http/header-names.bro In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19973#comment-19973 ] Jon Siwek commented on BIT-1077: -------------------------------- topic/jsiwek/bit-1077 > fix policy/protocols/http/header-names.bro > ------------------------------------------ > > Key: BIT-1077 > URL: https://bro-tracker.atlassian.net/browse/BIT-1077 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Jon Siwek > Fix For: 2.4 > > > This script is wrong for the {{log_server_header_names}} case. 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 13:17:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 15:17:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1077) fix policy/protocols/http/header-names.bro In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1077: --------------------------- Status: Merge Request (was: Open) > fix policy/protocols/http/header-names.bro > ------------------------------------------ > > Key: BIT-1077 > URL: https://bro-tracker.atlassian.net/browse/BIT-1077 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Jon Siwek > Fix For: 2.4 > > > This script is wrong for the {{log_server_header_names}} case. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 13:26:00 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 15:26:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-978) delete seems to invalidate set iteration In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-978?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek reassigned BIT-978: ----------------------------- Assignee: Jon Siwek > delete seems to invalidate set iteration > ---------------------------------------- > > Key: BIT-978 > URL: https://bro-tracker.atlassian.net/browse/BIT-978 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: dmandelb > Assignee: Jon Siwek > Priority: Low > Fix For: 2.4 > > Attachments: test.bro > > > Deleting an element of a set inside of a for loop iterating over the set seems to cause unpredictable behavior. 
I think this should either be documented as a known non-feature or fixed. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 13:33:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 15:33:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-977) retransmit in connection history In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-977?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-977: -------------------------- Fix Version/s: (was: 2.4) 2.5 > retransmit in connection history > -------------------------------- > > Key: BIT-977 > URL: https://bro-tracker.atlassian.net/browse/BIT-977 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: Seth Hall > Priority: Low > Fix For: 2.5 > > > In the connection record's $history field, it would be useful to include another character to indicate retransmits sent during the connection. I think that T and t for first orig and resp retransmit respectively would be appropriate. 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 13:38:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 15:38:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-964) Memory issues resulting from missing DNS resolution In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-964?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-964: -------------------------- Fix Version/s: (was: 2.4) 2.5 > Memory issues resulting from missing DNS resolution > --------------------------------------------------- > > Key: BIT-964 > URL: https://bro-tracker.atlassian.net/browse/BIT-964 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Seth Hall > Priority: Low > Fix For: 2.5 > > > If a box running Bro doesn't have correctly configured DNS it causes a backup of DNS resolution requests. It looks like the requests aren't timing out quickly enough. We probably need to deal with this one way or another since a failing DNS server should not result in Bro crashing. Maybe we could move more control of Bro's DNS resolution into scriptland? If we had a boolean value that we could flip on or off to enable/disable DNS resolution? Right now we only have the environment variable which is not flexible enough to deal with situations like this. 
-- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Mon Mar 16 13:38:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 16 Mar 2015 15:38:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-966) logging and input framework config maps do not support values containing \0 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-966?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-966: -------------------------- Fix Version/s: (was: 2.4) 2.5 > logging and input framework config maps do not support values containing \0 > --------------------------------------------------------------------------- > > Key: BIT-966 > URL: https://bro-tracker.atlassian.net/browse/BIT-966 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Johanna Amann > Priority: Low > Labels: threading > Fix For: 2.5 > > > The config maps in the input and logging frameworks are defined as map, thus allowing no \0 in values, where they could arguably be useful. This is due to the fact that we do not have a thread-safe string class available at the moment. 
From jira at bro-tracker.atlassian.net Mon Mar 16 14:01:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 16:01:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-948) add bif for URI -> binary decoding
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-948?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-948:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> add bif for URI -> binary decoding
> ----------------------------------
>
>                 Key: BIT-948
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-948
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: scampbell
>            Priority: Low
>             Fix For: 2.5
>
>
> The current URI_decode() bif returns non-ascii data in a x\nn format which is safe, but not useful in all situations (such as when you need the literal binary data).
>
> thanks!
> scott

From jira at bro-tracker.atlassian.net Mon Mar 16 14:06:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 16:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-939) HTTP parser refact & redesign required
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-939?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-939:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> HTTP parser refact & redesign required
> --------------------------------------
>
>                 Key: BIT-939
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-939
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: drmckay
>             Fix For: 2.5
>
>
> Hi,
>
> In the HTTP parser implementation you are following an old, obsoleted rfc from 1999. There is a newer version: http://tools.ietf.org/html/rfc3986
>
> Please, review and refactor your code (unescapeURI() redesign also needed, to minimize false positives).
>
> Thanks.

From jira at bro-tracker.atlassian.net Mon Mar 16 14:06:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 16:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-942) Generic log delaying mechanism for logging framework
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-942:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Generic log delaying mechanism for logging framework
> ----------------------------------------------------
>
>                 Key: BIT-942
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-942
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Seth Hall
>            Priority: Low
>             Fix For: 2.5
>
>
> We need to add a mechanism for delaying log writes within the logging framework for the case where some asynchronous lookup needs to happen in a non-base script. There are a few requirements:
>
> - The mechanism needs to copy the log record so that future modifications of the record aren't impacted unless deliberately modifying the delayed record.
> - Three functions in Log:: namespace to register and unregister delays for logs and one to get access to the delayed log by its delay token.
> - Additional configuration option in logging framework to configure a default logging delay. It's possible that we should set the default stream delay in the stream configuration record.
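The three-function delay API and the copy-on-delay rule that the BIT-942 ticket above lists, worked through as an added example in Python. This is illustrative code written for this page, not Bro's logging framework: records are plain dicts, a list stands in for the log writer, and the stream-level default delay, the token scheme and the `expire()` timer hook are assumptions about how such a mechanism could look.

```python
import copy
import itertools
import time


class DelayedLogStream:
    """Illustrative model of a log stream that can hold records back while an
    asynchronous lookup finishes (not Bro's logging framework). Records are
    plain dicts and the list `written` stands in for the log writer."""

    def __init__(self, default_delay=5.0, clock=time.monotonic):
        self.default_delay = default_delay   # assumed stream-level default delay
        self.clock = clock                   # injectable so the demo can fake time
        self.written = []
        self._delayed = {}                   # token -> (deadline, private copy)
        self._tokens = itertools.count(1)

    def write(self, record):
        """Plain write: the writer gets its own copy of the record."""
        self.written.append(copy.deepcopy(record))

    def delay(self, record, delay=None):
        """Register a delay; returns the token that identifies the parked record.
        The record is deep-copied so later changes by the caller do not leak
        into the parked one (the ticket's first requirement)."""
        token = next(self._tokens)
        deadline = self.clock() + (self.default_delay if delay is None else delay)
        self._delayed[token] = (deadline, copy.deepcopy(record))
        return token

    def get_delayed(self, token):
        """Access the parked copy so the lookup result can be added to it."""
        return self._delayed[token][1]

    def release(self, token):
        """Unregister the delay and hand the (possibly enriched) copy to the writer."""
        _, record = self._delayed.pop(token)
        self.written.append(record)
        return record

    def expire(self):
        """Timer hook: flush every parked record whose delay budget ran out
        without a release, so a lookup that never answers cannot lose the log line."""
        now = self.clock()
        due = [t for t, (deadline, _) in self._delayed.items() if deadline <= now]
        for t in due:
            self.release(t)
        return len(due)


def demo():
    """Constructed walk-through; returns (written records, number expired)."""
    fake_now = [0.0]
    stream = DelayedLogStream(default_delay=2.0, clock=lambda: fake_now[0])

    rec = {"ts": 1.0, "id_orig_h": "10.0.0.5", "host": None}   # constructed sample record
    token = stream.delay(rec)
    rec["id_orig_h"] = "changed-by-caller"                     # must not reach the parked copy
    stream.get_delayed(token)["host"] = "host-a.example"        # lookup answered
    stream.release(token)

    stream.delay({"ts": 2.0, "id_orig_h": "10.0.0.6", "host": None})   # lookup never answers
    fake_now[0] = 3.0                                                    # past the 2 s budget
    expired = stream.expire()
    return stream.written, expired
```

`delay()`, `release()` and `get_delayed()` are the three functions the ticket asks for; the deep copy in `delay()` is what keeps the caller's later edit out of the first written record, and `expire()` is the safety net for the case where the asynchronous lookup never comes back.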
From jira at bro-tracker.atlassian.net Mon Mar 16 15:04:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 17:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-931) Ascii writer does not escape empty sets / vectors
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-931?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-931:
-----------------------------

    Assignee: Seth Hall

> Ascii writer does not escape empty sets / vectors
> -------------------------------------------------
>
>                 Key: BIT-931
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-931
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Seth Hall
>             Fix For: 2.4
>
>
> The script
> {noformat}
> redef LogAscii::empty_field = "EMPTY";
>
> module SSH;
>
> export {
>     redef enum Log::ID += { LOG };
>     type Log: record {
>         ss: set[string];
>     } &log;
> }
>
> event bro_init()
>     {
>     Log::create_stream(SSH::LOG, [$columns=Log]);
>     Log::write(SSH::LOG, [
>         $ss=set("EMPTY")
>     ]);
>     }
> {noformat}
> Outputs the line
> {noformat}
> EMPTY
> {noformat}
> to a log-file. This makes it impossible to distinguish a line containing EMPTY from a line containing an empty set.
From jira at bro-tracker.atlassian.net Mon Mar 16 15:05:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 16 Mar 2015 17:05:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-931) Ascii writer does not escape empty sets / vectors
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19974#comment-19974 ]

Jon Siwek commented on BIT-931:
-------------------------------

Seth, do you want to try fixing this in conjunction w/ BIT-1333 ?

I think all that's needed is to modify the ASCII formatter to add an escape sequence for empty_field the same way it currently does for set_separator ?

> Ascii writer does not escape empty sets / vectors
> -------------------------------------------------
>
>                 Key: BIT-931
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-931
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Seth Hall
>             Fix For: 2.4
>
>
> The script
> {noformat}
> redef LogAscii::empty_field = "EMPTY";
>
> module SSH;
>
> export {
>     redef enum Log::ID += { LOG };
>     type Log: record {
>         ss: set[string];
>     } &log;
> }
>
> event bro_init()
>     {
>     Log::create_stream(SSH::LOG, [$columns=Log]);
>     Log::write(SSH::LOG, [
>         $ss=set("EMPTY")
>     ]);
>     }
> {noformat}
> Outputs the line
> {noformat}
> EMPTY
> {noformat}
> to a log-file. This makes it impossible to distinguish a line containing EMPTY from a line containing an empty set.
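The ambiguity the BIT-931 script above produces, and the escape-sequence fix the comment suggests, worked through in Python as an added example. This is an illustrative reimplementation written for this page, not Bro's ASCII writer: it uses the `set_separator` and `empty_field` values from the ticket, assumes `\xHH` hex escapes in the style the writer already uses for separators, and includes a reader that undoes the escaping so the round trip can be checked in both the unfixed and the fixed form.

```python
import re

# Values from the ticket's script and the ASCII writer's defaults.
SET_SEPARATOR = ","
EMPTY_FIELD = "EMPTY"
UNSET_FIELD = "-"


def _hex_escape(ch):
    return "\\x%02x" % ord(ch)


def escape_element(elem, fixed=True):
    """Escape one set element for output.

    Separator and backslash characters are always hex-escaped, which is what
    makes splitting on the raw separator safe again on the reader side. With
    fixed=True, an element that is byte-for-byte equal to the empty-field or
    unset-field marker also gets its first character escaped, so an unescaped
    marker in the log can only ever mean 'no value'."""
    out = "".join(_hex_escape(c) if c in (SET_SEPARATOR, "\\") else c for c in elem)
    if fixed and elem in (EMPTY_FIELD, UNSET_FIELD):
        out = _hex_escape(out[0]) + out[1:]
    return out


def format_set(values, fixed=True):
    """Render a set[string] column: the marker for an empty set, otherwise the
    escaped elements joined by the separator (sorted for stable output)."""
    if not values:
        return EMPTY_FIELD
    return SET_SEPARATOR.join(escape_element(v, fixed) for v in sorted(values))


_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_set(field):
    """Reader side. An unescaped marker means 'empty set'; anything else is
    split on the separator and the hex escapes are undone per element."""
    if field == EMPTY_FIELD:
        return set()
    return {_ESC.sub(lambda m: chr(int(m.group(1), 16)), part)
            for part in field.split(SET_SEPARATOR)}
```

With `fixed=False` the set `{"EMPTY"}` and the empty set both come out as `EMPTY` and the reader turns both back into an empty set, which is the data loss the ticket describes; with the escape in place the literal element is written as `\x45MPTY` and survives the round trip.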
From jira at bro-tracker.atlassian.net Mon Mar 16 15:39:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 16 Mar 2015 17:39:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existant enum from an input file terminates bro
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1229:
-------------------------------

    Status: Reopened  (was: Closed)

> loading a non-existant enum from an input file terminates bro
> -------------------------------------------------------------
>
>                 Key: BIT-1229
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1229
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>             Fix For: 2.4
>
>         Attachments: ignored_notices.csv, ignore-notices.bro
>
>
> If you have an input file with an enum in it and it does not exist, bro terminates:
>
> internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6

From jira at bro-tracker.atlassian.net Mon Mar 16 15:39:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 16 Mar 2015 17:39:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existant enum from an input file terminates bro
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19975#comment-19975 ]

Johanna Amann commented on BIT-1229:
------------------------------------

This actually still crashes Bro (just tested it with 2.3-530).
> loading a non-existant enum from an input file terminates bro
> -------------------------------------------------------------
>
>                 Key: BIT-1229
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1229
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>             Fix For: 2.4
>
>         Attachments: ignored_notices.csv, ignore-notices.bro
>
>
> If you have an input file with an enum in it and it does not exist, bro terminates:
>
> internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6

From jira at bro-tracker.atlassian.net Mon Mar 16 15:40:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 16 Mar 2015 17:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existant enum from an input file terminates bro
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19975#comment-19975 ]

Johanna Amann edited comment on BIT-1229 at 3/16/15 5:39 PM:
-------------------------------------------------------------

This actually still crashes Bro (just tested it with 2.3-530).

It will however probably not make 2.4 - it is not completely trivial to fix and requires some bigger refactoring of the input manager :/

was (Author: johanna):
This actually still crashes Bro (just tested it with 2.3-530).
> loading a non-existant enum from an input file terminates bro
> -------------------------------------------------------------
>
>                 Key: BIT-1229
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1229
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>             Fix For: 2.5
>
>         Attachments: ignored_notices.csv, ignore-notices.bro
>
>
> If you have an input file with an enum in it and it does not exist, bro terminates:
>
> internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6

From jira at bro-tracker.atlassian.net Mon Mar 16 15:40:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 16 Mar 2015 17:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existant enum from an input file terminates bro
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1229:
-------------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> loading a non-existant enum from an input file terminates bro
> -------------------------------------------------------------
>
>                 Key: BIT-1229
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1229
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>             Fix For: 2.5
>
>         Attachments: ignored_notices.csv, ignore-notices.bro
>
>
> If you have an input file with an enum in it and it does not exist, bro terminates:
>
> internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6

From robin at icir.org Mon Mar 16 16:00:38 2015
From: robin at icir.org (Robin Sommer)
Date: Mon, 16 Mar 2015 16:00:38 -0700
Subject: [Bro-Dev] New merge masters
Message-ID: <20150316230038.GT55548@icir.org>

Folks,

per recent discussions, let's put a round of "merge master promotions" in place:

    - Daniel and Justin become maintainers for BroControl and its submodules.

    - Johanna becomes a maintainer for Bro and submodules.

Daniel/Johanna/Justin: There are some guidelines on how to do merges at https://www.bro.org/development/howtos/process.html#for-maintainers

For reference, here's what our web page says about maintainers:

    Generally, all maintainers may merge any merge requests and fastpath commits. There's no "must" however, everybody's free to skip changes where they don't feel sufficiently familiar with the corresponding code.

    For changes authored by maintainers themselves, we generally stick to the "two people rule": maintainers do not merge their own patches, another maintainer has to do that. The exception is small straight-forward stuff, like simple bug fixes and cleanup. A good rule of thumb: if it's a fastpath-suitable patch, direct commit into master without review is fine; if it's a topic branch, consider filing a merge request for your fellow maintainers. However final decision is left to the discretion of the maintainer authoring the change.
Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

From noreply at bro.org Tue Mar 17 00:00:48 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 17 Mar 2015 00:00:48 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503170700.t2H70mlC025211@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component     Reporter       Assignee      Updated     For Version  Priority  Summary
  ------------  ------------  -------------  ------------  ----------  -----------  --------  ----------------------------------------------
  BIT-1341 [1]  BroControl    Daniel Thayer  -             2015-03-16  2.4          Normal    topic/dnthayer/fixes-for-2.4beta [2]
  BIT-1340 [3]  Bro           Seth Hall      Jon Siwek     2015-03-13  2.4          Normal    RDP analyzer (topic/seth/rdp)
  BIT-1332 [4]  Bro           Johanna Amann  -             2015-03-16  2.4          Normal    Please merge topic/johanna/cert-validation
  BIT-1330 [5]  pysubnettree  Jon Siwek      -             2015-03-09  2.4          Normal    topic/python3-compat [6]
  BIT-1305 [7]  Bro           Jon Siwek      Robin Sommer  2015-03-13  2.4          Normal    Consider marking some attributes as deprecated
  BIT-1077 [8]  Bro           Jon Siwek      -             2015-03-16  2.4          Normal    fix policy/protocols/http/header-names.bro

Open Fastpath Commits
=====================

  Commit       Component  Author         Date        Summary
  -----------  ---------  -------------  ----------  -----------------------------------------------------------
  31795e7 [9]  bro        Johanna Amann  2015-03-10  When setting the SSL analyzer to fail, also stop processing

Open GitHub Pull Requests
=========================

  Issue     Component  User            Updated     Title
  --------  ---------  --------------  ----------  -----------------------------------------------
  #27 [10]  bro        petiepooo [11]  2015-03-14  Add defensive check for localtime_r() call [12]

[1]  BIT-1341           https://bro-tracker.atlassian.net/browse/BIT-1341
[2]  fixes-for-2.4beta  https://github.com/bro/brocontrol/tree/topic/dnthayer/fixes-for-2.4beta
[3]  BIT-1340           https://bro-tracker.atlassian.net/browse/BIT-1340
[4]  BIT-1332           https://bro-tracker.atlassian.net/browse/BIT-1332
[5]  BIT-1330           https://bro-tracker.atlassian.net/browse/BIT-1330
[6]  python3-compat     https://github.com/bro/pysubnettree/tree/topic/python3-compat
[7]  BIT-1305           https://bro-tracker.atlassian.net/browse/BIT-1305
[8]  BIT-1077           https://bro-tracker.atlassian.net/browse/BIT-1077
[9]  31795e7            https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3
[10] Pull Request #27   https://github.com/bro/bro/pull/27
[11] petiepooo          https://github.com/petiepooo
[12] Merge Pull Request #27 with
     git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv

From jira at bro-tracker.atlassian.net Tue Mar 17 07:23:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:23:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existant enum from an input file terminates bro
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19976#comment-19976 ]

Jon Siwek commented on BIT-1229:
--------------------------------

Thanks for checking, I noticed a commit referenced this ticket, but didn't check if it was merged. It looks like that's branch topic/johanna/ticket-1229:

https://github.com/bro/bro/commit/057b0ecfcc4eedc8b144ef46c83a5a5a144b2f04

Is that just a fix attempt to abandon or accidentally didn't get merged?

> loading a non-existant enum from an input file terminates bro
> -------------------------------------------------------------
>
>                 Key: BIT-1229
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1229
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>             Fix For: 2.5
>
>         Attachments: ignored_notices.csv, ignore-notices.bro
>
>
> If you have an input file with an enum in it and it does not exist, bro terminates:
>
> internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6

From jira at bro-tracker.atlassian.net Tue Mar 17 07:24:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:24:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-926) Changing mail destinations
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-926?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-926:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Changing mail destinations
> --------------------------
>
>                 Key: BIT-926
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-926
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Robin Sommer
>             Fix For: 2.5
>
>
> On Dec 17, 2012, at 7:52 PM, Robin Sommer wrote:
>
> > So, yeah, that looks like we need third category, but maybe we one for
> > the summaries. How about this:
> >
> >     - Bro Notice::ACTION_EMAIL -> MailTo
> >     - Bro Notice::ACTION_ALARM -> MailSummariesTo
> >     - broctl summarize-connections -> MailSummariesTo
> >     - broctl crash reports -> MailAdminTo
> >     - broctl cron output -> MailAdminTo
> >
> > MailSummariesTo and MailAdminTo would default to MailTo.
From jira at bro-tracker.atlassian.net Tue Mar 17 07:47:01 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 17 Mar 2015 09:47:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1331) BroControl manager crashes when logs rotate
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1331:
-------------------------------

         Labels:     (was: broctl)
    Component/s:     (was: BroControl)
                     Bro

> BroControl manager crashes when logs rotate
> -------------------------------------------
>
>                 Key: BIT-1331
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1331
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>         Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
>            Reporter: Josh Liburdi
>            Priority: High
>             Fix For: 2.4
>
>
> The BroControl manager crashes when the logs rotate. Workers run fine through this process.
>
> stderr.log output:
> internal error: finish missing
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup "$mybro" "$@"
> send-mail: SENDMAIL-NOTFOUND not found

From jira at bro-tracker.atlassian.net Tue Mar 17 07:47:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:47:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-903) -b turns off -f
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-903?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-903:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> -b turns off -f
> ---------------
>
>                 Key: BIT-903
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-903
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Vern Paxson
>             Fix For: 2.5
>
>         Attachments: signature.asc, single-tcp-conn-est.trace
>
>
> Running with -b (bare bones) disables processing by -f. Boy did this take me a long time to figure out :-(.
>
> Reproduce using the appended trace. Invoking with -e 'event connection_established(c:connection) { print "yep"; }' will print "yep". Invoking with that plus -f 'not tcp' won't print anything. But invoking with -f 'not tcp' -b does print "yep".
From jira at bro-tracker.atlassian.net Tue Mar 17 07:47:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-916) stftime crash
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-916?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-916:
--------------------------

       Resolution: Cannot Reproduce
    Fix Version/s:     (was: 2.4)
           Status: Closed  (was: Open)

I'm not sure this is still an issue; haven't seen any further reports. If anyone is aware of this still occurring, re-open the ticket.

> stftime crash
> -------------
>
>                 Key: BIT-916
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-916
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>
>
> From file...
> {noformat}
> filename = 0x2777820 "/usr/local/bro/share/bro/base/frameworks/notice/./actions/pp-alarms.bro", first_line = 195, last_line = 195, first_column = 0, last_column = 0,
> {noformat}
> Here's the backtrace...
> {noformat}
> #0  0x00007f9929298ca5 in ?? () from /lib/libc.so.6
> #1  0x00007f992929ad56 in strftime_l () from /lib/libc.so.6
> #2  0x00000000005b0f7c in do_fmt (fmt=@0x7fff87c77388, v=0x1c84a7c0, d=0x7fff87c77330) at bro.bif:148
> #3  0x00000000005b11c6 in next_fmt (frame=, BiF_ARGS=0x26772da0) at bro.bif:292
> #4  BifFunc::bro_fmt (frame=, BiF_ARGS=0x26772da0) at bro.bif:1694
> #5  0x00000000005bad0f in BuiltinFunc::Call (this=0x23ea480, args=0x26772da0, parent=0x15eccaf0) at /root/src/bro-2.1/src/Func.cc:485
> #6  0x00000000005a55ae in CallExpr::Eval (this=0x279a3c0, f=0x15eccaf0) at /root/src/bro-2.1/src/Expr.cc:4512
> #7  0x000000000059496a in AssignExpr::Eval (this=0x2798600, f=0x15eccaf0) at /root/src/bro-2.1/src/Expr.cc:2598
> #8  0x0000000000660ba0 in ExprStmt::Exec (this=0x279a320, f=0x0, flow=@0x6e92c5) at /root/src/bro-2.1/src/Stmt.cc:369
> #9  0x00000000006599b1 in StmtList::Exec (this=0x2792ba0, f=0x15eccaf0, flow=@0x7fff87c7771c) at /root/src/bro-2.1/src/Stmt.cc:1404
> #10 0x00000000005bba09 in BroFunc::Call (this=0x279e620, args=, parent=) at /root/src/bro-2.1/src/Func.cc:335
> #11 0x00000000005a55ae in CallExpr::Eval (this=0x27894b0, f=0x21b64af0) at /root/src/bro-2.1/src/Expr.cc:4512
> #12 0x0000000000660ba0 in ExprStmt::Exec (this=0x2789460, f=0x0, flow=@0x6e92c5) at /root/src/bro-2.1/src/Stmt.cc:369
> #13 0x00000000006599b1 in StmtList::Exec (this=0x26a4ae0, f=0x21b64af0, flow=@0x7fff87c7794c) at /root/src/bro-2.1/src/Stmt.cc:1404
> #14 0x00000000005bba09 in BroFunc::Call (this=0x25a1540, args=, parent=) at /root/src/bro-2.1/src/Func.cc:335
> #15 0x000000000056fb8b in EventHandler::Call (this=0x25a4c40, vl=0x18517a00, no_remote=) at /root/src/bro-2.1/src/EventHandler.cc:72
> #16 0x000000000056f2ba in Event::Dispatch (this=0x981640) at /root/src/bro-2.1/src/Event.h:46
> #17 EventMgr::Dispatch (this=0x981640) at /root/src/bro-2.1/src/Event.cc:105
> #18 0x000000000056f428 in EventMgr::Drain (this=0x981640) at /root/src/bro-2.1/src/Event.cc:117
> #19 0x0000000000604ebf in net_packet_dispatch (t=, hdr=0x22ed440, pkt=0x7f99247c494e, hdr_size=14, src_ps=0x22ed400, pkt_elem=0x0) at /root/src/bro-2.1/src/Net.cc:354
> #20 0x00000000006158a8 in PktSrc::Process (this=0x22ed400) at /root/src/bro-2.1/src/PktSrc.cc:284
> #21 0x000000000060521b in net_run () at /root/src/bro-2.1/src/Net.cc:446
> #22 0x000000000052662f in main (argc=53607040, argv=) at /root/src/bro-2.1/src/main.cc:1073
>
> Justin Azoff @ 4:12
> (gdb) print fmt
> $4 = (const char *&) @0x7fff87c77388: 0x277cdb5 "D %s %s"
> {noformat}

From jira at bro-tracker.atlassian.net Tue Mar 17 07:48:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-898) Confusion over the accept_input field in communication code
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-898?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-898:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Confusion over the accept_input field in communication code
> -----------------------------------------------------------
>
>                 Key: BIT-898
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-898
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Seth Hall
>             Fix For: 2.5
>
>
> The communication framework configuration includes a field named accept_input which isn't named well and seems to be over used. The result of it is that state is synchronized between the manager and workers which shouldn't be happening. This will require some discussion before removing the functionality though because pushing data from the manager to workers can be useful on clusters where data is read with the input framework and needs to be distributed to the workers.

From jira at bro-tracker.atlassian.net Tue Mar 17 07:48:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-893) calling event handler via local variable doesn't work
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-893?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-893:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> calling event handler via local variable doesn't work
> -----------------------------------------------------
>
>                 Key: BIT-893
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-893
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> Calling an event handler (using the "event" statement)
> does not seem to work when the event handler being called
> is actually a local variable assigned to an existing
> event handler.
>
> There is a test case for this in the file
> bro/testing/btest/language/event.bro:
>
> event e4(num: count) {...}
>
> event bro_init()
>     {
>     [...]
>
>     # Test assigning an event variable to an event
>     local e5: event(num: count);
>     e5 = e4;
>     event e5(6);  # TODO: this does not do anything
>     }

From jira at bro-tracker.atlassian.net Tue Mar 17 07:49:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:49:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-883) Event for large number of extension headers
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-883:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Event for large number of extension headers
> -------------------------------------------
>
>                 Key: BIT-883
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-883
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: sheharbano.k
>             Fix For: 2.5
>
>
> We may want to generate an event for when the number of extension headers in a packet exceeds a threshold T. Within a single packet, extension headers can be chained on and on. However, we are limited by path MTU. In this case fragmentation comes to our rescue. So the number of extension headers that can be stuffed inside the same packet is limited by the fragmentation offset which is a 13 bytes field in the fragment extension header. This number is still very big.
>
> I think we should perform this check in the core because counting the number of extension headers for every single IPv6 packet is expensive at the scripting layer.

From jira at bro-tracker.atlassian.net Tue Mar 17 07:50:01 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 17 Mar 2015 09:50:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1228) broctl needs to keep track of desired state
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1228?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1228:
-------------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

This functionality is now in git master.

> broctl needs to keep track of desired state
> -------------------------------------------
>
>                 Key: BIT-1228
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1228
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Justin Azoff
>            Assignee: Justin Azoff
>            Priority: Low
>             Fix For: 2.4
>
>
> On a multi-node cluster the following sequence of events can happen:
>
> * A cluster node (node-2) has a power problem and is shut down
> * broctl stop is run on the manager
> * broctl then fails to stop bro on node-2
> * node-2 reboots
> * broctl cron restarts bro on node-2 because the last known state is up
>
> The problem can happen in reverse as well, where broctl will not restart bro on a node that was down.
>
> The problem arises because broctl stores the actual state of the nodes, but not the desired state. Commands like stop and start need to set the desired state first, and then attempt to sync reality with that state information. broctl cron then just needs to attempt the similar sync.

From jira at bro-tracker.atlassian.net Tue Mar 17 07:50:01 2015
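The desired-state model that the BIT-1228 ticket above asks for, replayed step by step as an added example in Python (the language BroControl is written in). This is illustrative code written for this page, not BroControl's implementation: the `Node`, `Cluster`, `sync()` and `legacy_cron()` names are assumptions, and the `reachable` flag simulates the powered-off node from the ticket's scenario.

```python
class Node:
    """Constructed stand-in for a cluster host (not BroControl's node class)."""

    def __init__(self, name):
        self.name = name
        self.reachable = True    # False simulates a host that is powered off
        self.running = False     # actual state of the bro process on the host


class Cluster:
    """Desired-state bookkeeping: every command records what the operator
    wants *before* touching any node, then sync() tries to make reality match."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.desired = {n.name: "stopped" for n in nodes}
        # What the ticket says the old broctl stored: the last observed state.
        self.last_known = {n.name: "stopped" for n in nodes}

    def start(self):
        return self._command("running")

    def stop(self):
        return self._command("stopped")

    def cron(self):
        """Periodic job: no new intent, just re-run the reconciliation."""
        return self.sync()

    def _command(self, target):
        for name in self.nodes:
            self.desired[name] = target      # intent is persisted first ...
        return self.sync()                   # ... then reality is pushed toward it

    def sync(self):
        """Reconcile each node with its desired state.
        Returns the names that could not be reconciled (unreachable hosts);
        their desired state stays recorded so a later cron() retries."""
        failed = []
        for name, node in self.nodes.items():
            if not node.reachable:
                failed.append(name)
                continue
            node.running = (self.desired[name] == "running")
            self.last_known[name] = "running" if node.running else "stopped"
        return failed

    def legacy_cron(self):
        """The behaviour the ticket complains about: restart whatever was last
        *seen* running, with no notion of what the operator asked for."""
        restarted = []
        for name, node in self.nodes.items():
            if node.reachable and self.last_known[name] == "running" and not node.running:
                node.running = True
                restarted.append(name)
        return restarted


def scenario(use_desired_state):
    """Replay the ticket's sequence: node-2 loses power, 'broctl stop' runs on
    the manager and fails for node-2, node-2 reboots, then cron runs.
    Returns (nodes that stop() could not reach, whether node-2 runs bro afterwards)."""
    manager, node2 = Node("manager"), Node("node-2")
    cluster = Cluster([manager, node2])
    cluster.start()
    node2.reachable, node2.running = False, False      # power problem on node-2
    failed = cluster.stop()                            # cannot reach node-2
    node2.reachable = True                             # node-2 reboots, bro not started
    if use_desired_state:
        cluster.cron()
    else:
        cluster.legacy_cron()
    return failed, node2.running
```

With the desired state recorded, `cron()` after the reboot finds that node-2 is already in the state the operator asked for and leaves it alone; `legacy_cron()`, which only knows that node-2 was last seen running, brings bro back up on a node that was meant to be stopped.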
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:50:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-881) Event for incorrect option type in IPv6 hop-by-hop and dest extension header
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-881?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-881:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Event for incorrect option type in IPv6 hop-by-hop and dest extension header
> -----------------------------------------------------------------------------
>
>                 Key: BIT-881
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-881
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: sheharbano.k
>             Fix For: 2.5
>
>
> We should have an event for incorrect option type in IPv6 hop-by-hop and dest extension header. Note that incorrect here means an option type that is not defined by IANA (http://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xml#ipv6-parameters-2)

From jira at bro-tracker.atlassian.net Tue Mar 17 07:50:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:50:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-882) Requests related to IPv6 routing extension header

    [ https://bro-tracker.atlassian.net/browse/BIT-882?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-882:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> Requests related to IPv6 routing extension header
> -------------------------------------------------
>
>               Key: BIT-882
>               URL: https://bro-tracker.atlassian.net/browse/BIT-882
>           Project: Bro Issue Tracker
>        Issue Type: New Feature
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: sheharbano.k
>           Fix For: 2.5
>
>
> 1) Generate event for RType=0 in IPv6 routing extension headers. RType=0 is deprecated and poses DoS risk (http://tools.ietf.org/html/rfc5095)
> 2) In Wireshark, I can see the Type-specific Data field of the routing header as addresses. Bro should be able to parse addresses in the type specific data field of the routing extension header, which it doesn't as of now.

From jira at bro-tracker.atlassian.net  Tue Mar 17 07:51:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:51:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-879) Bro cannot analyze some IPv6 related protocols

    [ https://bro-tracker.atlassian.net/browse/BIT-879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-879:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> Bro cannot analyze some IPv6 related protocols
> ----------------------------------------------
>
>               Key: BIT-879
>               URL: https://bro-tracker.atlassian.net/browse/BIT-879
>           Project: Bro Issue Tracker
>        Issue Type: New Feature
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: sheharbano.k
>           Fix For: 2.5
>
>
> Bro cannot analyze the following IPv6 related protocols:
> Node Information Query (rfc 4620)
> Inverse Neighbour Solicitation (rfc 3122)
> Mobile Prefix Solicitation (rfc 3775)
> Certificate Path Solicitation (rfc 3971)

From jira at bro-tracker.atlassian.net  Tue Mar 17 07:52:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-875) Modbus REF parameter

    [ https://bro-tracker.atlassian.net/browse/BIT-875?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-875:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> Modbus REF parameter
> --------------------
>
>               Key: BIT-875
>               URL: https://bro-tracker.atlassian.net/browse/BIT-875
>           Project: Bro Issue Tracker
>        Issue Type: Task
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: dina
>            Labels: Modbus, REF, analyser, offset
>           Fix For: 2.5
>
>
> By Modbus specification, different FC implicitly use different parts of the PLC memory. Looking on the wire only, we do not see this. I think it would be useful to include this knowledge about where the specific data from a packet is supposed to be written in logs immediately.
>
> For example, fc=3,6,16 work with PLC memory addresses that are >40000, fc=4 work with values 30000-40000. On the wire we only see the REF parameter which is typically 0-10000 (so it's a 'local' offset), thus we do not see the memory offset there. This part is implemented in the client by adding different offsets to the REF value in each packet. (e.g., if fc=3,6,16 use offset 40000 so real_ref=40000+ref). I used these offsets to make logs in the .bro script in my branch.
>
> This division of 10000 addresses is something I see as a practice on forums and some unofficial manuals, but it's not defined in the specification. I assume that, based on PLC capacity, there could be different kinds of division between different parts of the memory map.
>
> I suggest that we make a configuration file that defines the division of PLC memory space and which offsets specific FCs use. As default, we can put this division which I see as common practice. In specific cases, users can change that config file to do proper remapping.
>
> Seth, you can find a bit more about this division (and exact offsets per each FC) here: http://www.simplymodbus.ca/faq.htm

From jira at bro-tracker.atlassian.net  Tue Mar 17 07:53:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-874) Handling Modbus exception FC

    [ https://bro-tracker.atlassian.net/browse/BIT-874?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-874:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> Handling Modbus exception FC
> ----------------------------
>
>               Key: BIT-874
>               URL: https://bro-tracker.atlassian.net/browse/BIT-874
>           Project: Bro Issue Tracker
>        Issue Type: Task
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: dina
>            Labels: Modbus, analyser, exception, fc
>           Fix For: 2.5
>
>
> event modbus_exception is a general exception and the 'fc' that is returned here is 'original_request_fc'+128. This means if I send a request with Fc=3 and something goes bad, I will get this exception with fc=131. I thought it would be useful to immediately subtract this value and show in the log the exact Fc where the exception was triggered. A small function for this I put before in modbus/utils.bro (on my branch), but it's not in the topic/robin/modbus-merge branch.
>
> I suggest to implement this functionality.

From jira at bro-tracker.atlassian.net  Tue Mar 17 07:53:00 2015
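The two Modbus points raised in BIT-875 and BIT-874 (mapping the on-wire REF to a PLC memory area by function code through a configurable offset table, and recovering the original function code from an exception response's fc+128), as an added example that is not Bro's Modbus analyzer or the reporter's script. It parses standard Modbus/TCP framing (MBAP header followed by the PDU); the offsets are the common-practice values the ticket quotes, not values mandated by the specification, and the sample frames are constructed.

```python
"""Modbus/TCP REF remapping and exception decoding (constructed example for
BIT-875 and BIT-874, not Bro's own analyzer)."""
import struct

# Function code -> base of the PLC memory area it implicitly addresses.
# These are the common-practice offsets described in the ticket; a site can
# swap in its own table, since the specification does not define them.
DEFAULT_OFFSETS = {
    3: 40000,   # Read Holding Registers
    6: 40000,   # Write Single Register
    16: 40000,  # Write Multiple Registers
    4: 30000,   # Read Input Registers
}

EXCEPTION_FLAG = 0x80   # an exception response carries original fc + 128


def parse_frame(frame: bytes) -> dict:
    """Split an MBAP-framed message into header fields, fc and PDU data."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "uid": uid, "fc": frame[7], "data": frame[8:]}


def original_fc(fc: int) -> int:
    """Recover the request's fc from an exception response's fc (fc+128)."""
    return fc & ~EXCEPTION_FLAG


def describe(frame: bytes, offsets: dict = DEFAULT_OFFSETS) -> dict:
    """Produce the log fields the tickets ask for: the bare REF, the remapped
    PLC address, or, for exceptions, the fc that actually failed."""
    msg = parse_frame(frame)
    fc = msg["fc"]
    if fc & EXCEPTION_FLAG:
        code = msg["data"][0] if msg["data"] else None
        return {"tid": msg["tid"], "fc": original_fc(fc), "exception": code}
    # Register read/write requests start with a 16-bit reference (REF).
    if len(msg["data"]) < 2:
        raise ValueError("PDU too short to carry a reference field")
    ref = struct.unpack(">H", msg["data"][:2])[0]
    base = offsets.get(fc)
    return {"tid": msg["tid"], "fc": fc, "ref": ref,
            "real_ref": None if base is None else base + ref}


# Constructed sample frames (MBAP: tid, pid=0, length, uid; then PDU).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0010 0002")  # fc=3, ref=16
READ_INPUT = bytes.fromhex("0002 0000 0006 01 04 0005 0001")    # fc=4, ref=5
READ_COILS = bytes.fromhex("0003 0000 0006 01 01 0000 0008")    # fc=1, no table entry
EXCEPTION = bytes.fromhex("0001 0000 0003 01 83 02")            # fc=3+128, code 2

if __name__ == "__main__":
    for frame in (READ_HOLDING, READ_INPUT, READ_COILS, EXCEPTION):
        print(describe(frame))
```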
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 17 Mar 2015 09:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-837) broctl load order incorrect

    [ https://bro-tracker.atlassian.net/browse/BIT-837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-837:
------------------------------
    Resolution: Fixed
        Status: Closed  (was: Open)

I think this issue has already been addressed by documentation improvements that explain the load order.

> broctl load order incorrect
> ---------------------------
>
>               Key: BIT-837
>               URL: https://bro-tracker.atlassian.net/browse/BIT-837
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: BroControl
>  Affects Versions: git/master
>          Reporter: Seth Hall
>          Assignee: Daniel Thayer
>           Fix For: 2.4
>
>
> Right now broctl script loading looks like this...
> {noformat}
> -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
> {noformat}
> It needs to load the local.bro script last so that any setting can be changed by settings in local.bro. I think the load order should look like this...
> {noformat}
> -U .status -p broctl -p broctl-live -p local -p manager broctl base/frameworks/cluster broctl/auto local.bro local-manager.bro
> {noformat}
> It would be interesting to find out if the "base/frameworks/cluster" load needs to be in there too. It may make more sense to just load that in the broctl module that is loaded first if the cluster is enabled.

From jira at bro-tracker.atlassian.net  Tue Mar 17 07:53:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-871) Email is silently suppressed when reading tracefiles

    [ https://bro-tracker.atlassian.net/browse/BIT-871?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-871:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> Email is silently suppressed when reading tracefiles
> ----------------------------------------------------
>
>               Key: BIT-871
>               URL: https://bro-tracker.atlassian.net/browse/BIT-871
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: Seth Hall
>           Fix For: 2.5
>
>
> If someone tries to send an email with the notice framework and they are reading tracefiles, the notice will be silently suppressed (beginning of Notice::email_notice_to function). We should output a reporter warning to at least let them know that sending email while reading tracefiles is unsupported.

From jira at bro-tracker.atlassian.net  Tue Mar 17 07:56:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:56:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-849) SMTP analyzer and reporter warnings

    [ https://bro-tracker.atlassian.net/browse/BIT-849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-849:
-----------------------------
    Assignee: Jon Siwek

> SMTP analyzer and reporter warnings
> -----------------------------------
>
>               Key: BIT-849
>               URL: https://bro-tracker.atlassian.net/browse/BIT-849
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: Seth Hall
>          Assignee: Jon Siwek
>            Labels: analyzer
>           Fix For: 2.4
>
>
> There are some warnings in the SMTP analyzer (ultimately from using the MIME analyzer) that go to reporter but they are wildly unhelpful in reporter.log. Here's an example line from reporter.log:
> {noformat}
> 1342043855.564338 Reporter::WARNING nested mail transaction (empty) -
> {noformat}
> Doing protocol violations on the smtp analyzer wouldn't quite be the right thing either because the dpd framework might remove the smtp analyzer from the connection. Part of the problem may stem from the fact that MIME analyzer isn't a true analyzer (doesn't descend from Analyzer). There is some obvious analyzer restructuring that needs to happen here but that can wait for the larger analyzer work that is coming up.
>
> Does anyone have thoughts about what we could do with this message now to make it more useful?

From jira at bro-tracker.atlassian.net  Tue Mar 17 07:57:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-831) Interpreter exceptions cause memory leaks (was "Memory leak in print")

    [ https://bro-tracker.atlassian.net/browse/BIT-831?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-831:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> Interpreter exceptions cause memory leaks (was "Memory leak in print")
> ----------------------------------------------------------------------
>
>               Key: BIT-831
>               URL: https://bro-tracker.atlassian.net/browse/BIT-831
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: Johanna Amann
>           Fix For: 2.5
>       Attachments: bug.bro, leak.pdf
>
>
> The following bro script apparently triggers a memory-leak in the print statement.
> {noformat}
> event HTTP::log_http(rec: HTTP::Info)
>     {
>     print fmt("%s %s", rec$md5, rec);
>     }
> {noformat}
> To reproduce run bro using 2009-M57-day11-18.trace. pprof output is attached.

From jira at bro-tracker.atlassian.net  Tue Mar 17 07:57:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-815) IPv6 atomic fragment optimizations

    [ https://bro-tracker.atlassian.net/browse/BIT-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-815:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> IPv6 atomic fragment optimizations
> ----------------------------------
>
>               Key: BIT-815
>               URL: https://bro-tracker.atlassian.net/browse/BIT-815
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: Jon Siwek
>            Labels: ipv6
>           Fix For: 2.5
>       Attachments: ipv6-nested-atomic-frags.pcap
>
>
> The draft at http://tools.ietf.org/html/draft-ietf-6man-ipv6-atomic-fragments-00 should be revisited if it gets published. According to section 3, atomic fragment headers can just be ignored and "reassembly" skipped. That also should improve the case where a packet has multiple atomic fragment headers (see attached pcap), because currently Bro doesn't recursively reassemble the inner atomic fragments, it just stops processing the packet and gives the "unknown_protocol_44" weird to indicate there was a packet with multiple fragment headers.

From jira at bro-tracker.atlassian.net  Tue Mar 17 07:57:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 09:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-849) SMTP analyzer and reporter warnings

    [ https://bro-tracker.atlassian.net/browse/BIT-849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19980#comment-19980 ]

Jon Siwek commented on BIT-849:
-------------------------------

To me, it seems like these reporter warnings should just be made weirds instead.

> SMTP analyzer and reporter warnings
> -----------------------------------
>
>               Key: BIT-849
>               URL: https://bro-tracker.atlassian.net/browse/BIT-849
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: Seth Hall
>          Assignee: Jon Siwek
>            Labels: analyzer
>           Fix For: 2.4
>
>
> There are some warnings in the SMTP analyzer (ultimately from using the MIME analyzer) that go to reporter but they are wildly unhelpful in reporter.log. Here's an example line from reporter.log:
> {noformat}
> 1342043855.564338 Reporter::WARNING nested mail transaction (empty) -
> {noformat}
> Doing protocol violations on the smtp analyzer wouldn't quite be the right thing either because the dpd framework might remove the smtp analyzer from the connection. Part of the problem may stem from the fact that MIME analyzer isn't a true analyzer (doesn't descend from Analyzer). There is some obvious analyzer restructuring that needs to happen here but that can wait for the larger analyzer work that is coming up.
>
> Does anyone have thoughts about what we could do with this message now to make it more useful?

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:00:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 17 Mar 2015 10:00:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-665) broctl and check/install/(re)start dance refinement

    [ https://bro-tracker.atlassian.net/browse/BIT-665?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-665:
------------------------------
    Resolution: Fixed
    Fix Version/s: 2.4
        Status: Closed  (was: Open)

I think this issue has been addressed by the "deploy" command (and it works on a fresh install w/o needing to do "install" first), better error messages, and updates to the broctl docs.

> broctl and check/install/(re)start dance refinement
> ---------------------------------------------------
>
>               Key: BIT-665
>               URL: https://bro-tracker.atlassian.net/browse/BIT-665
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: BroControl
>          Reporter: Seth Hall
>           Fix For: 2.4
>
>
> It would make broctl more easily documented and understood if broctl automatically ran the install command at start up if the broctl.dat file doesn't exist. Right now there is a special case for check/install/restart since if it's the first time someone has run broctl, they need to do install/check/start.

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:05:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 17 Mar 2015 10:05:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existent enum from an input file terminates bro

    [ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19982#comment-19982 ]

Johanna Amann commented on BIT-1229:
------------------------------------

The fix does not fix the problem completely. I basically figured out after committing it that it fixes a specific problem, but not the underlying issue (which can still be triggered by a slight variation of the testcase) and that I have to do it a different and much more invasive way instead. Because of that, no merge request was ever filed.

> loading a non-existent enum from an input file terminates bro
> -------------------------------------------------------------
>
>               Key: BIT-1229
>               URL: https://bro-tracker.atlassian.net/browse/BIT-1229
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: Justin Azoff
>          Assignee: Johanna Amann
>           Fix For: 2.5
>       Attachments: ignored_notices.csv, ignore-notices.bro
>
>
> If you have an input file with an enum in it and it does not exist, bro terminates:
>
> internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:12:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows

    [ https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19983#comment-19983 ]

Jon Siwek commented on BIT-788:
-------------------------------

Patch also seems fine to me, except in the condition where the analyzer is told to flip roles, maybe the values of "is_query" and "msg.is_query" should also flip.

> Good analysis of unidirectional DNS flows
> -----------------------------------------
>
>               Key: BIT-788
>               URL: https://bro-tracker.atlassian.net/browse/BIT-788
>           Project: Bro Issue Tracker
>        Issue Type: Patch
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: juliensentier
>           Fix For: 2.4
>       Attachments: 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch
>
>
> Some use port udp 53 as a source port for dns requests.
> And sometimes, we can miss the DNS request.
> In this case, we can rely on the DNS field QR to identify the direction of the flow.

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:16:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:16:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-768) Inline monitoring of modified scripts.

    [ https://bro-tracker.atlassian.net/browse/BIT-768?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-768:
--------------------------
    Resolution: Fixed
        Status: Closed  (was: Open)

Don't think there's anything left to do here.

> Inline monitoring of modified scripts.
> --------------------------------------
>
>               Key: BIT-768
>               URL: https://bro-tracker.atlassian.net/browse/BIT-768
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: BroControl
>  Affects Versions: git/master
>          Reporter: Seth Hall
>          Assignee: Daniel Thayer
>           Fix For: 2.4
>
>
> We need to train users to do check, install, restart through broctl better. I'd like to reduce the barrier to entry a bit more and if broctl can coach new users through the process better and remind existing users of the process it would be great.
>
> Here are my suggestions for what I think needs to be done:
>
> - Track hashes for all copied scripts (maybe in broctl.dat?) and watch for changes to notify the user. I think it would be ok to only notify the user when they are in broctl but I can see that people may want that to also check and occasionally email from broctl cron (let's save emailing for later though, inline notification in broctl may be enough).
>
> - Track hashes for scripts that have been "checked" because then we can coach people about what step in the process they are at. If someone has already run "check" on the current scripts we can recommend that they need to
>
> - Create variables to turn off various suggestions. I think the various suggestions would be "need to check scripts", "need to install scripts", and "ready to restart" or something along those lines. I'm not even sure I like this idea though.

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:17:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:17:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-748) Allow creation of blank patterns

    [ https://bro-tracker.atlassian.net/browse/BIT-748?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-748:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> Allow creation of blank patterns
> --------------------------------
>
>               Key: BIT-748
>               URL: https://bro-tracker.atlassian.net/browse/BIT-748
>           Project: Bro Issue Tracker
>        Issue Type: New Feature
>        Components: Bro
>          Reporter: Seth Hall
>           Fix For: 2.5
>
>
> Right now, it's not possible to create blank patterns of // but it would be helpful in cases where patterns are used as configuration variables but there is no default.

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:23:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-742) Maintain constant order for hostname notice email extension

    [ https://bro-tracker.atlassian.net/browse/BIT-742?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-742:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> Maintain constant order for hostname notice email extension
> -----------------------------------------------------------
>
>               Key: BIT-742
>               URL: https://bro-tracker.atlassian.net/browse/BIT-742
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>          Reporter: Seth Hall
>           Fix For: 2.5
>
>
> The orig and resp field names will be ordered differently at times which is confusing when reading emails. Figure out a way to maintain constant ordering.

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:24:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:24:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-735) Clean up and merge the TCPStats analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-735?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-735:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> Clean up and merge the TCPStats analyzer
> ----------------------------------------
>
>               Key: BIT-735
>               URL: https://bro-tracker.atlassian.net/browse/BIT-735
>           Project: Bro Issue Tracker
>        Issue Type: Task
>        Components: Bro
>          Reporter: Seth Hall
>           Fix For: 2.5
>
>
> Katrina wants to get her TCPStats analyzer merged. Let's aim for getting it cleaned up and ready for the 2.1 release.

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:35:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:35:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-698) HTTP vs MIME events

    [ https://bro-tracker.atlassian.net/browse/BIT-698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-698:
--------------------------
    Description:
The way the {{mime_*}} and {{http_entity_*}} events are structured is a mess:

- First, I think we should have only a single set of events for all MIME data.
- the {{mime_*}} events don't come with {{is_orig}}.
- {{http_header}} vs. {{mime_one_header}}
- {{http_entity_data}} delivers segments of size {{http_entity_data_delivery_size}} while {{mime_entity_data}} delivers complete entities (and {{mime_segment_data}} delivers segments?)
- There are further inconsistencies I didn't record.

  was: (the same text, with the {{...}} markup still garbled)

> HTTP vs MIME events
> -------------------
>
>               Key: BIT-698
>               URL: https://bro-tracker.atlassian.net/browse/BIT-698
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>          Reporter: Robin Sommer
>            Labels: analyzer, cleanup
>           Fix For: 2.4
>
>
> The way the {{mime_*}} and {{http_entity_*}} events are structured is a mess:
>
> - First, I think we should have only a single set of events for all MIME data.
> - the {{mime_*}} events don't come with {{is_orig}}.
> - {{http_header}} vs. {{mime_one_header}}
> - {{http_entity_data}} delivers segments of size {{http_entity_data_delivery_size}} while {{mime_entity_data}} delivers complete entities (and {{mime_segment_data}} delivers segments?)
> - There are further inconsistencies I didn't record.

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:37:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:37:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-698) HTTP vs MIME events

    [ https://bro-tracker.atlassian.net/browse/BIT-698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-698:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> HTTP vs MIME events
> -------------------
>
>               Key: BIT-698
>               URL: https://bro-tracker.atlassian.net/browse/BIT-698
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>          Reporter: Robin Sommer
>            Labels: analyzer, cleanup
>           Fix For: 2.5
>
>
> The way the {{mime_*}} and {{http_entity_*}} events are structured is a mess:
>
> - First, I think we should have only a single set of events for all MIME data.
> - the {{mime_*}} events don't come with {{is_orig}}.
> - {{http_header}} vs. {{mime_one_header}}
> - {{http_entity_data}} delivers segments of size {{http_entity_data_delivery_size}} while {{mime_entity_data}} delivers complete entities (and {{mime_segment_data}} delivers segments?)
> - There are further inconsistencies I didn't record.

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:37:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:37:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-698) HTTP vs MIME events

    [ https://bro-tracker.atlassian.net/browse/BIT-698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-698:
--------------------------
    Description:
The way the {{mime_*}} and {{http_entity_*}} events are structured is a mess:

- First, I think we should have only a single set of events for all MIME data.
- the {{mime_*}} events don't come with {{is_orig}}.
- {{http_header}} vs. {{mime_one_header}}
- {{http_entity_data}} delivers segments of size {{http_entity_data_delivery_size}} while {{mime_entity_data}} delivers complete entities (and {{mime_segment_data}} delivers segments?)
- There are further inconsistencies I didn't record.

  was: (the same text, with the {{...}} markup still garbled)

> HTTP vs MIME events
> -------------------
>
>               Key: BIT-698
>               URL: https://bro-tracker.atlassian.net/browse/BIT-698
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>          Reporter: Robin Sommer
>            Labels: analyzer, cleanup
>           Fix For: 2.5
>
>
> The way the {{mime_*}} and {{http_entity_*}} events are structured is a mess:
>
> - First, I think we should have only a single set of events for all MIME data.
> - the {{mime_*}} events don't come with {{is_orig}}.
> - {{http_header}} vs. {{mime_one_header}}
> - {{http_entity_data}} delivers segments of size {{http_entity_data_delivery_size}} while {{mime_entity_data}} delivers complete entities (and {{mime_segment_data}} delivers segments?)
> - There are further inconsistencies I didn't record.

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:38:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-697) Equivalent of capture-events.bro in 2.x

    [ https://bro-tracker.atlassian.net/browse/BIT-697?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-697:
--------------------------
    Fix Version/s:     (was: 2.4)

> Equivalent of capture-events.bro in 2.x
> ---------------------------------------
>
>               Key: BIT-697
>               URL: https://bro-tracker.atlassian.net/browse/BIT-697
>           Project: Bro Issue Tracker
>        Issue Type: Problem
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: Matthias Vallentin
>
>
> How should we handle the functionality provided by the 1.5 script {{capture-events.bro}} in 2.x? It currently does not exist. Since its implementation only consists of this one-liner
> {noformat}
> event bro_init()
>     {
>     capture_events("events.bst");
>     }
> {noformat}
> I think we make that a redefinable script variable rather than shipping a separate script.

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:40:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-688) [Fwd] Re: content_gap vs. ack_above_hole

    [ https://bro-tracker.atlassian.net/browse/BIT-688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-688:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> [Fwd] Re: [Bro-Dev] content_gap vs. ack_above_hole
> --------------------------------------------------
>
>               Key: BIT-688
>               URL: https://bro-tracker.atlassian.net/browse/BIT-688
>           Project: Bro Issue Tracker
>        Issue Type: Task
>        Components: Bro
>  Affects Versions: git/master
>          Reporter: Robin Sommer
>            Labels: cleanup
>           Fix For: 2.5
>
>
> From: Vern Paxson
> Subject: Re: [Bro-Dev] content_gap vs. ack_above_hole
>
> > Can somebody remind me what exactly the difference between these two
> > is (and/or why we have both?).
>
> Yeah, my fault :-P.  As best as I can tell (from revisiting the code),
> content-gap is a superset of ack-above-hole.  Content gaps can also occur
> in situations where we're not expecting to see ACKs (for example, due to
> split routing, or because we're not processing traffic from the receiver).
>
> I think merging the two into a single content_gap event would make sense.
>
>                 Vern

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:53:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:53:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-683) Some BiFs should return a vector instead of a set/table

[ https://bro-tracker.atlassian.net/browse/BIT-683?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-683:
--------------------------
    Resolution: Fixed
    Status: Closed (was: Open)

The "split" family of functions now return vectors based at index 0, see BIT-757.

Don't quite understand the comment about changing the "find_all" function: now that "split_string" returns a vector, "find_all" returning a set is serving a different use-case -- the one where you care about inspecting membership instead of ordering. Open another ticket if there's still something left to do regarding "find_all".

> Some BiFs should return a vector instead of a set/table
> -------------------------------------------------------
>
> Key: BIT-683
> URL: https://bro-tracker.atlassian.net/browse/BIT-683
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Matthias Vallentin
> Labels: language
> Fix For: 2.4
>
>
> The following functions should have a {{vector}} as yield value rather than a set/table:
> {noformat}
> split.*(...)
> find_all(...)
> {noformat}
> Moreover, {{split}} & friends have the yield value {{table[count] of string}} which starts at index 1. This is counterintuitive, as regular vectors start with an index at 0. I suggest replacing the yield value with {{vector of string}}.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 08:54:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 10:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-678) Fix and test Bro's debugger

[ https://bro-tracker.atlassian.net/browse/BIT-678?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-678:
--------------------------
    Fix Version/s: (was: 2.4)
                   2.5

> Fix and test Bro's debugger
> ---------------------------
>
> Key: BIT-678
> URL: https://bro-tracker.atlassian.net/browse/BIT-678
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Seth Hall
> Fix For: 2.5
>
>
> Vern commented a while back that the debugger is currently broken in Bro. Let's get it working again and tested. If someone feels like fixing this up for the 2.1 release we can certainly bump it forward but I'm going to target it at 2.2 for now.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:00:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:00:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-672) Bring POP3 back into the distribution

[ https://bro-tracker.atlassian.net/browse/BIT-672?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-672:
--------------------------
    Fix Version/s: (was: 2.4)
                   2.5

> Bring POP3 back into the distribution
> -------------------------------------
>
> Key: BIT-672
> URL: https://bro-tracker.atlassian.net/browse/BIT-672
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master
> Reporter: Matthias Vallentin
> Assignee: Seth Hall
> Fix For: 2.5
>
>
> The current master no longer has support for POP3. It lingers around but we need to bring it back into the distribution.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:03:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:03:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-672) Bring POP3 back into the distribution

[ https://bro-tracker.atlassian.net/browse/BIT-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19986#comment-19986 ]

Jon Siwek commented on BIT-672:
-------------------------------

What's the status here? The analyzer exists w/ a signature to activate it, but there's no scripts for it? Are there plans to add scripts? Close the ticket if not.

> Bring POP3 back into the distribution
> -------------------------------------
>
> Key: BIT-672
> URL: https://bro-tracker.atlassian.net/browse/BIT-672
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master
> Reporter: Matthias Vallentin
> Assignee: Seth Hall
> Fix For: 2.5
>
>
> The current master no longer has support for POP3. It lingers around but we need to bring it back into the distribution.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:04:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 17 Mar 2015 11:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation

[ https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1332:
---------------------------------
    Assignee: Robin Sommer

> Please merge topic/johanna/cert-validation
> ------------------------------------------
>
> Key: BIT-1332
> URL: https://bro-tracker.atlassian.net/browse/BIT-1332
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Robin Sommer
> Fix For: 2.4
>
>
> Please merge topic/johanna/cert-validation. This is an update to the script used to validate certificates in SSL/TLS connections. Description from main commit:
> {quote}
> Update certificate validation script - new version will cache valid
> intermediate chains that it encounters on the wire and use those to try
> to validate chains that might be missing intermediate certificates.
> This vastly improves the number of certificates that Bro can validate.
> The only drawback is that now validation behavior is not entirely
> predictable anymore - the certificate of a server can fail to validate
> when Bro just started up (due to the intermediate missing), and succeed
> later, when the intermediate can be found in the cache.
> Has been tested on big-ish clusters and should not introduce any
> performance problems.
> {quote}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:12:01 2015
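Added example, not part of the archived thread and not the topic/johanna/cert-validation script: a model of the intermediate-caching behaviour the BIT-1332 commit message above describes, including the order dependence it warns about. Certificates are reduced to (subject, issuer, is_ca) names and "the issuer signed it" is a plain issuer/subject name match, so this shows the chain-building and caching logic, not X.509 cryptography; the CA and host names are constructed, and the depth limit is an assumption of this model.

```python
"""Chain validation with a cache of intermediates seen on the wire."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


class ChainValidator:
    MAX_DEPTH = 8  # guard against issuer loops in hostile chains (assumed limit)

    def __init__(self, roots: Iterable[Cert]) -> None:
        self.roots: Dict[str, Cert] = {r.subject: r for r in roots}
        # Intermediates taken from chains that validated earlier. This is
        # what makes validation order-dependent: a server that omits its
        # intermediate fails until some other connection has supplied it.
        self.cache: Dict[str, Cert] = {}

    def validate(self, presented: List[Cert]) -> Tuple[bool, List[Cert], str]:
        """Build the path leaf..root; return (ok, path_so_far, reason)."""
        if not presented:
            return False, [], "empty chain"
        sent = {c.subject: c for c in presented}
        path = [presented[0]]
        for _ in range(self.MAX_DEPTH):
            current = path[-1]
            if current.issuer in self.roots:
                path.append(self.roots[current.issuer])
                self._remember(path)
                return True, path, "ok"
            if current.issuer == current.subject:
                return False, path, "self-signed, not trusted"
            # Prefer what the server sent; fall back to the wire cache.
            issuer = sent.get(current.issuer) or self.cache.get(current.issuer)
            if issuer is None:
                return False, path, "missing intermediate " + current.issuer
            if not issuer.is_ca:
                return False, path, "issuer is not a CA: " + issuer.subject
            path.append(issuer)
        return False, path, "chain too long"

    def _remember(self, path: List[Cert]) -> None:
        # Everything between leaf and root in a validated chain is a CA
        # certificate we can reuse to complete later, shorter chains.
        for c in path[1:-1]:
            self.cache[c.subject] = c


# Constructed test PKI: one root, one intermediate, two server certs.
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
INTER = Cert("Example Intermediate CA", "Example Root CA", is_ca=True)
LEAF_A = Cert("a.example", "Example Intermediate CA")
LEAF_B = Cert("b.example", "Example Intermediate CA")


def demo() -> Tuple[bool, bool, bool]:
    """The sequence the commit message warns about: b.example's chain
    fails before the intermediate has been seen and succeeds afterwards."""
    v = ChainValidator([ROOT])
    before = v.validate([LEAF_B])[0]        # False: intermediate missing
    full = v.validate([LEAF_A, INTER])[0]   # True: full chain caches INTER
    after = v.validate([LEAF_B])[0]         # True: completed from the cache
    return before, full, after
```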
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 17 Mar 2015 11:12:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1077) fix policy/protocols/http/header-names.bro

[ https://bro-tracker.atlassian.net/browse/BIT-1077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1077:
---------------------------------
    Assignee: Robin Sommer

> fix policy/protocols/http/header-names.bro
> ------------------------------------------
>
> Key: BIT-1077
> URL: https://bro-tracker.atlassian.net/browse/BIT-1077
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Assignee: Robin Sommer
> Fix For: 2.4
>
>
> This script is wrong for the {{log_server_header_names}} case.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:12:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-671) Test Bro core and script layer simultaneously

[ https://bro-tracker.atlassian.net/browse/BIT-671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-671:
--------------------------
    Resolution: Rejected
    Fix Version/s: (was: 2.4)
    Status: Closed (was: Open)

I think this approach may complicate the unit test framework more than it's worth -- there's already a not-negligible maintenance cost of Bro's unit testing that will continue to grow as we add tests and I think they currently do well enough at detecting potential problems.

> Test Bro core and script layer simultaneously
> ---------------------------------------------
>
> Key: BIT-671
> URL: https://bro-tracker.atlassian.net/browse/BIT-671
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BTest
> Affects Versions: git/master
> Reporter: Matthias Vallentin
>
> If we record all events during testing, say by adding {{events.bst}} to each Bro run, we can simultaneously test the core. Moreover, we instantly know whether a bug manifests at script land or at the core.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:13:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:13:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-647) Extend HTTP analyzer to support multiply encoded content.

[ https://bro-tracker.atlassian.net/browse/BIT-647?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-647:
-----------------------------
    Assignee: (was: Jon Siwek)

> Extend HTTP analyzer to support multiply encoded content.
> ---------------------------------------------------------
>
> Key: BIT-647
> URL: https://bro-tracker.atlassian.net/browse/BIT-647
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Seth Hall
> Attachments: http-sdch-gzip.trace
>
>
> When Chrome and other SDCH-supporting HTTP clients request content from SDCH-compatible HTTP servers the response includes a header that looks like this:
> {noformat}
> Content-Encoding: sdch,gzip
> {noformat}
> Bro's HTTP analyzer doesn't currently do substring matches on the content-encoding header so the resulting sdch/gzip content is identified as gzip only. Two things need to happen here:
> 1. Support substring matches on the content-encoding header to identify that the content is gzip encoded.
> 2. Support some notion of the SDCH protocol.
> I think that point 1 should be done for the 2.0 release but point 2 can wait until later when we have a better notion of what SDCH support would entail.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:13:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:13:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-647) Extend HTTP analyzer to support multiply encoded content.

[ https://bro-tracker.atlassian.net/browse/BIT-647?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-647:
--------------------------
    Fix Version/s: (was: 2.4)

> Extend HTTP analyzer to support multiply encoded content.
> ---------------------------------------------------------
>
> Key: BIT-647
> URL: https://bro-tracker.atlassian.net/browse/BIT-647
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Seth Hall
> Attachments: http-sdch-gzip.trace
>
>
> When Chrome and other SDCH-supporting HTTP clients request content from SDCH-compatible HTTP servers the response includes a header that looks like this:
> {noformat}
> Content-Encoding: sdch,gzip
> {noformat}
> Bro's HTTP analyzer doesn't currently do substring matches on the content-encoding header so the resulting sdch/gzip content is identified as gzip only. Two things need to happen here:
> 1. Support substring matches on the content-encoding header to identify that the content is gzip encoded.
> 2. Support some notion of the SDCH protocol.
> I think that point 1 should be done for the 2.0 release but point 2 can wait until later when we have a better notion of what SDCH support would entail.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:19:00 2015
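Added example, not part of the archived thread and not code from Bro's HTTP analyzer: a list-aware parser for the Content-Encoding header that contrasts the whole-value comparison the BIT-647 ticket above describes with a check that walks the coding list, and that reports which codings a gzip/deflate-only decoder can actually strip from an "sdch,gzip" body. The set of decodable codings is an assumption of this example.

```python
"""Content-Encoding: list-aware parsing versus whole-value matching.

RFC 7231 defines Content-Encoding as a comma-separated list of codings in
the order the sender applied them, so a receiver undoes them from the end
of the list backwards. Comparing the whole header value against "gzip"
misses "sdch,gzip" and mis-classifies the body.
"""
from typing import List, Tuple

# Codings this (assumed) decoder knows how to undo. "x-gzip" is the legacy
# alias that RFC 7230 says to treat as "gzip". SDCH is deliberately absent,
# matching the ticket: gzip can be stripped, the SDCH layer cannot.
DECODABLE = {"gzip", "x-gzip", "deflate", "identity"}


def parse_content_encoding(value: str) -> List[str]:
    """Split a header value into lower-cased codings, preserving order.

    Tolerates whitespace around commas and empty list elements such as
    "gzip,,deflate", which the HTTP list syntax permits.
    """
    codings = []
    for token in value.split(","):
        token = token.strip().lower()
        if token:
            codings.append(token)
    return codings


def naive_is_gzip(value: str) -> bool:
    """The exact-match check the ticket describes: whole value == gzip."""
    return value.strip().lower() == "gzip"


def is_gzip_encoded(value: str) -> bool:
    """List-aware check: gzip appears anywhere in the coding list."""
    return any(c in ("gzip", "x-gzip") for c in parse_content_encoding(value))


def undo_codings(value: str) -> Tuple[List[str], List[str]]:
    """Walk codings from the outermost (last applied) inwards.

    Returns (stripped, remaining): codings the decoder can remove, in the
    order it removes them, and the codings still wrapping the body. A
    non-empty remainder means the bytes are not plain content and should
    be flagged rather than handed on as if fully decoded.
    """
    remaining = parse_content_encoding(value)
    stripped = []
    while remaining and remaining[-1] in DECODABLE:
        stripped.append(remaining.pop())
    return stripped, remaining
```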
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 17 Mar 2015 11:19:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1305) Consider marking some attributes as deprecated

[ https://bro-tracker.atlassian.net/browse/BIT-1305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19988#comment-19988 ]

Robin Sommer commented on BIT-1305:
-----------------------------------

I'll remove &mergeable from the list, as that goes with &synchronized.

> Consider marking some attributes as deprecated
> ----------------------------------------------
>
> Key: BIT-1305
> URL: https://bro-tracker.atlassian.net/browse/BIT-1305
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Jon Siwek
> Assignee: Robin Sommer
> Fix For: 2.4
>
>
> Likely candidates for deprecation:
> &rotate_interval
> &rotate_size
> &encrypt
> &mergeable
> &synchronize
> &persistent
> &group
> While the mechanism I added in BIT-757 can't be used to mark attributes as deprecated, I'm thinking it's not difficult to just hard code the scanner to emit a warning when encountering certain attributes.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:22:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:22:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-646) Cleanup interpreter error handling.

[ https://bro-tracker.atlassian.net/browse/BIT-646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-646:
--------------------------
    Resolution: Fixed
    Status: Closed (was: Open)

Not sure how useful keeping this open is, so closing, but feel free to re-open if anyone feels it needs a more thorough audit.

> Cleanup interpreter error handling.
> -----------------------------------
>
> Key: BIT-646
> URL: https://bro-tracker.atlassian.net/browse/BIT-646
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Reporter: Robin Sommer
> Labels: language
> Fix For: 2.4
>
>
> From 15ab2874369b5d7a3e6a14df24b141fa759999bb (which has been merged into master):
> {noformat}
> Currently, a lot of interpreter runtime errors, such as an access to
> an unset optional record field, cause Bro to abort with an internal
> error. This is an experimental branch that turns such errors into
> non-fatal runtime errors by internally raising exceptions. These are
> caught upstream and processing continues afterwards.
>
> For now, not many errors actually raise exceptions (the example above
> does though). We'll need to go through them eventually and adapt the
> current Internal() calls (and potentially others). More generally, at
> some point we should cleanup the interpreter error handling (unifying
> errors reported at parse- and runtime; and switching to exceptions for
> all Expr/Stmt/Vals). But that's a larger change and left for later.
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:24:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Tue, 17 Mar 2015 11:24:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-678) Fix and test Bro's debugger

[ https://bro-tracker.atlassian.net/browse/BIT-678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19990#comment-19990 ]

grigorescu commented on BIT-678:
--------------------------------

Do we know what the issues are? I was able to use the debugger seemingly just fine recently.

> Fix and test Bro's debugger
> ---------------------------
>
> Key: BIT-678
> URL: https://bro-tracker.atlassian.net/browse/BIT-678
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Seth Hall
> Fix For: 2.5
>
>
> Vern commented a while back that the debugger is currently broken in Bro. Let's get it working again and tested. If someone feels like fixing this up for the 2.1 release we can certainly bump it forward but I'm going to target it at 2.2 for now.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:24:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:24:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-634) CouchDB writer

[ https://bro-tracker.atlassian.net/browse/BIT-634?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-634:
--------------------------
    Fix Version/s: (was: 2.4)
                   2.5

> CouchDB writer
> --------------
>
> Key: BIT-634
> URL: https://bro-tracker.atlassian.net/browse/BIT-634
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Reporter: jeff.baumes
> Fix For: 2.5
>
> Attachments: 0001-Adding-couchdb-writer.patch
>
>
> Attached is a git patch for logging information to CouchDB. It has a new dependence on libcurl which it searches for with a find_package CMake command, and JsonCpp (MIT license), whose code is included directly in the source tree.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:26:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-631) Special message for broctl locking when done by cron

[ https://bro-tracker.atlassian.net/browse/BIT-631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19991#comment-19991 ]

Jon Siwek commented on BIT-631:
-------------------------------

Daniel or Justin, any improvements made in this area that mean we can close the ticket? If not, just re-schedule Fix Version for 2.5.

> Special message for broctl locking when done by cron
> ----------------------------------------------------
>
> Key: BIT-631
> URL: https://bro-tracker.atlassian.net/browse/BIT-631
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Reporter: Seth Hall
> Fix For: 2.4
>
>
> If the broctl lock is being held by the cron command it would be nice if the message that indicates a lock is already held would indicate if it is the cron command. If multiple people are working with broctl the person that gets a lock doesn't know if it's because of another user or because they happened to be trying to do something while the cron command is running.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:27:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:27:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-610) topic/seth/syslog-analyzer-updates - Updates for syslog analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-610:
--------------------------
    Fix Version/s: (was: 2.4)
                   2.5

> topic/seth/syslog-analyzer-updates - Updates for syslog analyzer
> ----------------------------------------------------------------
>
> Key: BIT-610
> URL: https://bro-tracker.atlassian.net/browse/BIT-610
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Reporter: Seth Hall
> Labels: analyzer
> Fix For: 2.5
>
>
> - Supports "Octet Stuffing" mode for Syslog over TCP (untested!). If
>   someone has a tracefile with TCP syslog, I'd appreciate getting a
>   few packets.
>
> - DPD support for syslog. Calls ProtocolConfirmation when detected and
>   includes signatures for UDP and TCP syslog.
>
> - Removing newlines and nulls from EOL when syslog implementation has
>   included those in the actual message.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:27:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:27:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-560) Child analyzer Init() problem

[ https://bro-tracker.atlassian.net/browse/BIT-560?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-560:
--------------------------
    Fix Version/s: (was: 2.4)
                   2.5

> Child analyzer Init() problem
> -----------------------------
>
> Key: BIT-560
> URL: https://bro-tracker.atlassian.net/browse/BIT-560
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: gregor
> Assignee: Robin Sommer
> Fix For: 2.5
>
>
> {noformat}
> #!rst
> I think there is an inherent problem in the way analyzers and child analyzers are initialized. If analyzers are added by BuildInitialAnalyzerTree() they are not initialized at first but in a batch by calling::
>
>     root->Init();
>     root->InitChildren();
>
> If an analyzer wants to add a child in its Init(), the parent doesn't know whether it needs to init this child or not. If the parent was added by ``BuildInitialAnalyzerTree()``, it *must not* ``Init()`` the child, because ``BuildInitialAnalyzerTree()`` will do it. OTOH, if the parent was added dynamically, e.g., by DPD signatures, then it *must* ``Init()`` the child.
>
> What was the reason for ``BuildInitialAnalyzerTree()`` to defer initialization of the tree until the end of the function? Initializing when they are added would solve the problem but I guess there was a good reason to do it this way.
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:28:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 17 Mar 2015 11:28:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1330) topic/python3-compat

[ https://bro-tracker.atlassian.net/browse/BIT-1330?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1330:
---------------------------------
    Assignee: Robin Sommer

> topic/python3-compat
> --------------------
>
> Key: BIT-1330
> URL: https://bro-tracker.atlassian.net/browse/BIT-1330
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: pysubnettree
> Reporter: Jon Siwek
> Assignee: Robin Sommer
> Fix For: 2.4
>
>
> Updates to pysubnettree for Python 3 compatibility: have to now consider that bytes are a distinct type from strings and allow the API to accept either.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:30:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:30:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-519) policy/protocols/http/headers.bro only logs client headers

[ https://bro-tracker.atlassian.net/browse/BIT-519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-519:
--------------------------
    Resolution: Fixed
    Status: Closed (was: Reopened)

This should be done (and working when BIT-1077 is merged).

> policy/protocols/http/headers.bro only logs client headers
> ----------------------------------------------------------
>
> Key: BIT-519
> URL: https://bro-tracker.atlassian.net/browse/BIT-519
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Vern Paxson
> Assignee: Seth Hall
> Fix For: 2.4
>
>
> In Bro 1.5, policy/http-header.bro logs both client and server headers. The new http/headers.bro only logs client headers, which breaks some forms of analysis.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:30:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 17 Mar 2015 11:30:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1341) topic/dnthayer/fixes-for-2.4beta

[ https://bro-tracker.atlassian.net/browse/BIT-1341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1341:
---------------------------------
    Assignee: Robin Sommer

> topic/dnthayer/fixes-for-2.4beta
> --------------------------------
>
> Key: BIT-1341
> URL: https://bro-tracker.atlassian.net/browse/BIT-1341
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Reporter: Daniel Thayer
> Assignee: Robin Sommer
> Fix For: 2.4
>
>
> Branch topic/dnthayer/fixes-for-2.4beta in the broctl repo addresses the following issues:
> - Improved test setup scripts to specify correct bro install prefix.
> - Fix bug where "./configure --conf-files-dir" did not work
> - Fix bug where "./configure --scriptdir" did not work
> - Print error messages without showing Python stack trace
> - Improved processing of node input args, to remove duplicates and sort
> - Improved sorting of the output by node type and name
> - Added the "deploy" command
> - Update docs for the deploy command

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:43:04 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 17 Mar 2015 11:43:04 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-672) Bring POP3 back into the distribution

[ https://bro-tracker.atlassian.net/browse/BIT-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19993#comment-19993 ]

Johanna Amann commented on BIT-672:
-----------------------------------

As far as I remember, the general feeling was not to bring back pop3 by default, but to leave it to sites if they want to activate it by default, because the analyzer is of doubtable quality (it is one of the hand-written ones that does not use binpac at all). So - I would just close the ticket.

> Bring POP3 back into the distribution
> -------------------------------------
>
> Key: BIT-672
> URL: https://bro-tracker.atlassian.net/browse/BIT-672
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master
> Reporter: Matthias Vallentin
> Assignee: Seth Hall
> Fix For: 2.5
>
>
> The current master no longer has support for POP3. It lingers around but we need to bring it back into the distribution.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 09:59:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 11:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-678) Fix and test Bro's debugger

[ https://bro-tracker.atlassian.net/browse/BIT-678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19994#comment-19994 ]

Jon Siwek commented on BIT-678:
-------------------------------

I don't recall anything specific that's broken about the script debugger. I did a couple minor improvements to it a couple years back, but was also generally able to use it at least for simple tasks.

Regardless, I guess the ticket should remain open w/ emphasis on creating regression tests for the debugger -- I don't think many people use it so would be easy at the moment to break it completely and not be aware of it.

> Fix and test Bro's debugger
> ---------------------------
>
> Key: BIT-678
> URL: https://bro-tracker.atlassian.net/browse/BIT-678
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Seth Hall
> Fix For: 2.5
>
>
> Vern commented a while back that the debugger is currently broken in Bro. Let's get it working again and tested. If someone feels like fixing this up for the 2.1 release we can certainly bump it forward but I'm going to target it at 2.2 for now.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 10:02:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:02:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-465) Fix up the MIME analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19995#comment-19995 ]

Jon Siwek commented on BIT-465:
-------------------------------

Related to BIT-698 (maybe some duplicates, didn't check closely).

> Fix up the MIME analyzer
> ------------------------
>
> Key: BIT-465
> URL: https://bro-tracker.atlassian.net/browse/BIT-465
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Labels: analyzer
> Fix For: 2.5
>
>
> The mime analyzer has a lot of inconsistency issues and is broken in a few places.
> * mime_all_headers loops and could potentially be a bad idea. More prone to DoS as well. Delete it?
> * mime_all_data is probably also a bad idea. Especially for large files. Delete it?
> * mime_entity_data seems very similar to mime_all_data and is not chunked as the similarity to the http_entity_data would imply. The current mime_entity_data should be removed and the current mime_all_data should be renamed to mime_entity_data.
> * mime_next_entity is never generated by the core or policy scripts and should either be fixed or deleted.
> * mime_one_header should probably be renamed to mime_header for consistency.
> * I have no clue what mime_event is for. Is it necessary?
> * mime_content_hash gives a non-printable hash value and it could be removed since hash generation is done in the script now and eventually will be done in the file analyzer.
> * The wrong ifdef is used in the source: #ifdef DEBUG_BRO used instead of #ifdef DEBUG
> * mime_end_entity is generated multiple times in some cases when it shouldn't be. It's something to keep an eye out for, I never dug into it enough to find out what caused it.
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Tue Mar 17 10:02:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:02:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-465) Fix up the MIME analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-465?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-465:
--------------------------
    Fix Version/s: (was: 2.4)
                   2.5

> Fix up the MIME analyzer
> ------------------------
>
> Key: BIT-465
> URL: https://bro-tracker.atlassian.net/browse/BIT-465
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Labels: analyzer
> Fix For: 2.5
>
>
> The mime analyzer has a lot of inconsistency issues and is broken in a few places.
> * mime_all_headers loops and could potentially be a bad idea. More prone to DoS as well. Delete it?
> * mime_all_data is probably also a bad idea. Especially for large files. Delete it?
> * mime_entity_data seems very similar to mime_all_data and is not chunked as the similarity to the http_entity_data would imply. The current mime_entity_data should be removed and the current mime_all_data should be renamed to mime_entity_data.
> * mime_next_entity is never generated by the core or policy scripts and should either be fixed or deleted.
> * mime_one_header should probably be renamed to mime_header for consistency.
> * I have no clue what mime_event is for. Is it necessary?
> * mime_content_hash gives a non-printable hash value and it could be removed since hash generation is done in the script now and eventually will be done in the file analyzer.
> * The wrong ifdef is used in the source: #ifdef DEBUG_BRO used instead of #ifdef DEBUG
> * mime_end_entity is generated multiple times in some cases when it shouldn't be. It's something to keep an eye out for, I never dug into it enough to find out what caused it.
From jira at bro-tracker.atlassian.net Tue Mar 17 10:04:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-423) Additional dynamic init time pattern construction

    [ https://bro-tracker.atlassian.net/browse/BIT-423?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-423:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Additional dynamic init time pattern construction
> -------------------------------------------------
>
> Key: BIT-423
> URL: https://bro-tracker.atlassian.net/browse/BIT-423
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Seth Hall
> Labels: language
> Fix For: 2.5
>
>
> The pattern building BiFs are now working, but I think that pattern construction operators need to be supported with variables too.
> {noformat}
> const a = /abc/;
> const b = /def/;
> const c = a | b;
> {noformat}
> This doesn't seem to work currently.

From jira at bro-tracker.atlassian.net Tue Mar 17 10:06:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-423) Additional dynamic init time pattern construction

    [ https://bro-tracker.atlassian.net/browse/BIT-423?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-423:
--------------------------

       Resolution: Duplicate
    Fix Version/s:     (was: 2.5)
           Status: Closed  (was: Open)

Duplicate of BIT-410

> Additional dynamic init time pattern construction
> -------------------------------------------------
>
> Key: BIT-423
> URL: https://bro-tracker.atlassian.net/browse/BIT-423
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Seth Hall
> Labels: language
>
> The pattern building BiFs are now working, but I think that pattern construction operators need to be supported with variables too.
> {noformat}
> const a = /abc/;
> const b = /def/;
> const c = a | b;
> {noformat}
> This doesn't seem to work currently.

From jira at bro-tracker.atlassian.net Tue Mar 17 10:06:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-410) Extension to init time pattern construction

    [ https://bro-tracker.atlassian.net/browse/BIT-410?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-410:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Extension to init time pattern construction
> -------------------------------------------
>
> Key: BIT-410
> URL: https://bro-tracker.atlassian.net/browse/BIT-410
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Labels: language
> Fix For: 2.5
>
>
> I'd like to be able to do this...
> {noformat}
> const pattern_a = /A/;
> const pattern_b = /B/;
> const pattern_ab = pattern_a | pattern_b;
> {noformat}
> This doesn't currently work.

From jira at bro-tracker.atlassian.net Tue Mar 17 10:08:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:08:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-351) Incorrect bounds checking with truncated TCP options

    [ https://bro-tracker.atlassian.net/browse/BIT-351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-351:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Incorrect bounds checking with truncated TCP options
> ----------------------------------------------------
>
> Key: BIT-351
> URL: https://bro-tracker.atlassian.net/browse/BIT-351
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: gregor
> Fix For: 2.5
>
>
> {noformat}
> #!rst
> (from an e-mail I sent a while ago)
> (setting milestone to 1.6. Can probably be pushed back)
>
> Hi,
>
> there is a potential problem in Bro when it receives a packet with
> truncated TCP options (i.e., the packet isn't long enough to accommodate
> all options).
>
> This can happen:
>
> a) in the ConnCompressor: it calls ParseTCPOptions without checking
>    whether the packet is long enough to contain all options.
>    ConnCompressor needs to parse the TCP options to know the window
>    scaling factor.
>
> b) in TCP.cc, when caplen < len and len is long enough for the TCP
>    options but caplen is not.
>
>    ExtractTCPHeader() ensures that the len is long enough to contain the
>    options and that caplen is long enough to contain a struct tcphdr (but
>    doesn't check for options). Presumably this is done to enable parsing of
>    header-only traces that truncate options.
>
>    Nevertheless, the TCP Analyzer correctly checks caplen before
>    ParseTCPOptions().
>
>    But there are also situations when options are parsed without checking
>    for caplen:
>
>    * BuildSYNVal(), which is called on every SYN to get the window
>      scaling options.
>    * BuildOSVal(), which is only called when the OS_version_found event
>      has a handler
>    * TCP TraceRewriter (presumably we can ignore this, as we were going
>      to remove it anyway)
>
> So, the question is: what's the best way to tackle this? One option is to
> not parse packets that are truncated. But that's probably not a good
> idea wrt header traces.
>
> The other option is to check for the caplen whenever we parse options.
> That might be cumbersome as this information needs to be passed to many
> functions, e.g. in TCP_Analyzer: ProcessFlags -> ProcessSYN ->
> BuildSYNPacketVal.
>
> (In any case, truncated packets mean that we can't learn the window
> scaling....)
> {noformat}

From jira at bro-tracker.atlassian.net Tue Mar 17 10:22:00 2015
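As an added example (not Bro's code and not the fix discussed in BIT-351), a TCP option walker that is bounded by the captured length as well as by the length the header claims, so a snaplen that cuts into the options reports truncation instead of reading past the buffer; the sample SYN header and the `tcp_header_options` / `parse_tcp_options` names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not Bro's code: walk TCP options bounded by the captured
 * length (caplen) as well as the length the header claims (len). */

#define TCPOPT_EOL    0
#define TCPOPT_NOP    1
#define TCPOPT_WINDOW 3

enum opt_status { OPTS_OK = 0, OPTS_TRUNCATED = 1, OPTS_MALFORMED = 2 };

/* Walk opts[0..optlen); only the first `avail` bytes exist in the capture and
 * are never read past.  *wscale gets the window-scale shift, or -1 if absent. */
enum opt_status parse_tcp_options(const uint8_t *opts, size_t optlen,
                                  size_t avail, int *wscale)
{
    size_t i = 0;
    *wscale = -1;
    if (avail > optlen)
        avail = optlen;

    while (i < optlen) {
        if (i >= avail)
            return OPTS_TRUNCATED;     /* header promises more than was captured */
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL)
            return OPTS_OK;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= optlen)
            return OPTS_MALFORMED;     /* kind byte with no room for a length */
        if (i + 1 >= avail)
            return OPTS_TRUNCATED;     /* length byte lies past the capture */
        uint8_t len = opts[i + 1];
        if (len < 2 || i + len > optlen)
            return OPTS_MALFORMED;     /* option claims more than the header holds */
        if (i + len > avail)
            return OPTS_TRUNCATED;     /* option body cut off by the snaplen */
        if (kind == TCPOPT_WINDOW && len == 3)
            *wscale = opts[i + 2];
        i += len;
    }
    return OPTS_OK;
}

/* tcp points at the TCP header; len is the header+options length seen on the
 * wire, caplen how much of it the capture actually holds. */
enum opt_status tcp_header_options(const uint8_t *tcp, size_t len,
                                   size_t caplen, int *wscale)
{
    *wscale = -1;
    if (caplen > len)
        caplen = len;
    if (caplen < 20)
        return OPTS_TRUNCATED;         /* not even the fixed header was captured */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > len)
        return OPTS_MALFORMED;         /* data offset inconsistent with length */
    return parse_tcp_options(tcp + 20, doff - 20, caplen - 20, wscale);
}

/* Constructed sample: 28-byte SYN header (data offset 7) carrying
 * MSS 1460, a NOP and window scale 7. */
static const uint8_t sample_syn[28] = {
    0xc3, 0x50, 0x00, 0x16,            /* ports 50000 -> 22 */
    0x00, 0x00, 0x00, 0x01,            /* seq */
    0x00, 0x00, 0x00, 0x00,            /* ack */
    0x70, 0x02, 0xff, 0xff,            /* doff=7, SYN, window */
    0x00, 0x00, 0x00, 0x00,            /* checksum, urgent pointer */
    0x02, 0x04, 0x05, 0xb4,            /* MSS 1460 */
    0x01,                              /* NOP */
    0x03, 0x03, 0x07                   /* window scale 7 */
};

/* Exercise the sample as if the capture had been cut at `caplen` bytes. */
int sample_status(size_t caplen)
{
    int ws;
    return (int)tcp_header_options(sample_syn, sizeof sample_syn, caplen, &ws);
}

int sample_wscale(size_t caplen)
{
    int ws;
    tcp_header_options(sample_syn, sizeof sample_syn, caplen, &ws);
    return ws;
}
```

With the full 28 bytes captured the walker yields window scale 7; cutting the capture at 27 or 25 bytes yields OPTS_TRUNCATED and no scale, which is exactly the case the SYN-time parsers in the ticket currently do not check.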
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:22:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-342:
-----------------------------

    Assignee: Jon Siwek

> Add payload to ICMP analyzer
> ----------------------------
>
> Key: BIT-342
> URL: https://bro-tracker.atlassian.net/browse/BIT-342
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Jon Siwek
> Fix For: 2.4
>
> Attachments: ICMP-add-payload.diff
>
>
> This is a patch from Julien Sentier on the mailing list that makes ICMP payloads available at the scripting layer. Is there a reason this isn't already available? I would have committed it to fastpath except I don't know if it's not already doing this due to the potential overhead of creating a lot of strings in ICMP floods. At the very least, I suppose it could be optional (which the patch doesn't currently do).

From jira at bro-tracker.atlassian.net Tue Mar 17 10:25:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:25:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19997#comment-19997 ]

Jon Siwek commented on BIT-342:
-------------------------------

I'll just add a new {{icmp_sent_payload}} event for this to address the overhead concern.

> Add payload to ICMP analyzer
> ----------------------------
>
> Key: BIT-342
> URL: https://bro-tracker.atlassian.net/browse/BIT-342
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Jon Siwek
> Fix For: 2.4
>
> Attachments: ICMP-add-payload.diff
>
>
> This is a patch from Julien Sentier on the mailing list that makes ICMP payloads available at the scripting layer. Is there a reason this isn't already available? I would have committed it to fastpath except I don't know if it's not already doing this due to the potential overhead of creating a lot of strings in ICMP floods. At the very least, I suppose it could be optional (which the patch doesn't currently do).

From jira at bro-tracker.atlassian.net Tue Mar 17 10:29:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:29:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-340) Cleanup: unify where global consts are defined (access from policy layer and event engine)

    [ https://bro-tracker.atlassian.net/browse/BIT-340?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-340:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Cleanup: unify where global consts are defined (access from policy layer and event engine)
> ------------------------------------------------------------------------------------------
>
> Key: BIT-340
> URL: https://bro-tracker.atlassian.net/browse/BIT-340
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: gregor
> Priority: Low
> Labels: cleanup
> Fix For: 2.5
>
>
> {noformat}
> #!rst
> Global ``const``'s that are accessible from the policy layer and event engine (e.g., to configure features) are currently defined in different ways:
>
> 1. in ``bro.init`` and ``NetVar.{cc|h}``
> 2. in a specific .bro policy script and ``NetVar.{cc|h}``
> 3. in ``const.bif``
>
> According to our discussion on bro-dev, we should change it to only use ``const.bif``.
>
> For case 2. we should add a ``redef`` in the .bro policy scripts, so that users looking at the script see that the const exists (TODO: how to best auto-document these).
>
> Setting milestone to 1.6 as it seems this can be done together with the general policy script overhaul, but can also be pushed back.
> {noformat}

From jira at bro-tracker.atlassian.net Tue Mar 17 10:36:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:36:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-334) Portmapper.bro documentation and script interaction

    [ https://bro-tracker.atlassian.net/browse/BIT-334?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-334:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Portmapper.bro documentation and script interaction
> ---------------------------------------------------
>
> Key: BIT-334
> URL: https://bro-tracker.atlassian.net/browse/BIT-334
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: gregor
> Fix For: 2.5
>
> Attachments: portmapper-logging.txt
>
>
> Hi,
>
> just adding this ticket so the information doesn't get lost. Notes on how portmapper.bro does its logging and interaction with other scripts. Hopefully helpful for the script documentation / cleanup push.
>
> See also: http://bro.icir.org/devel/rpc-portmap-nfs-notes.html

From jira at bro-tracker.atlassian.net Tue Mar 17 10:36:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:36:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-329) Optimizing detect-protocols-http.bro

    [ https://bro-tracker.atlassian.net/browse/BIT-329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-329:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Optimizing detect-protocols-http.bro
> ------------------------------------
>
> Key: BIT-329
> URL: https://bro-tracker.atlassian.net/browse/BIT-329
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Fix For: 2.5
>
>
> This script does a for loop over a 7-element table for every http_header and http_request event. In my opinion, I'd say that the benefit does not outweigh the cost and it should be removed from the default local.bro scripts.

From jira at bro-tracker.atlassian.net Tue Mar 17 10:36:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:36:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-327) Binding attributes to values/variables

    [ https://bro-tracker.atlassian.net/browse/BIT-327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-327:
--------------------------

    Fix Version/s:     (was: 2.4)
                       2.5

> Binding attributes to values/variables
> --------------------------------------
>
> Key: BIT-327
> URL: https://bro-tracker.atlassian.net/browse/BIT-327
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Robin Sommer
> Fix For: 2.5
>
>
> From Vern:
>
> In abstract terms, we need to marry two notions: per-variable
> attributes (those introduced when defining the variable) and
> per-value attributes (those introduced when creating a value).
> These both exist under-the-hood, but the rules for propagating
> them are ad hoc.
>
> I'm attaching the follow-up email thread with further thoughts on
> streamlining this.
>
> Robin
>
> [^"None"]
>
> Did we ever reach resolution regarding the appended thread (from, um,
> a year ago\!), or at least put something in the Tracker so we don't lose
> sight of it?
>
> Vern
>
> [^"None-1"]
>
> On Tue, Nov 03, 2009 at 17:25 \-0800, you wrote:
> > In abstract terms, we need to marry two notions: per-variable attributes
> > (those introduced when defining the variable) and per-value attributes
> > (those introduced when creating a value). These both exist under-the-hood,
> > but the rules for propagating them are ad hoc.
>
> This is something I've wondered about a few times already, what the
> right thing to do is. The keyword at the moment is indeed "ad-hoc":
> I remember that a number of times I've been running into problems
> with propagating (or not propagating) attributes, and while I was
> always able to fix the immediate problem in some way, we don't have
> a clear system at the moment of when that happens and when not.
>
> That said, I'm not really sure what this should ideally look like.
> Intuitively, I'd actually say attributes belong to values, not
> variables, because transfer-on-assignment can lead to subtle effects
> (values are passed around, and what if the receiving function
> happens to assign the value to the wrong variable? Also what if you
> assign a value with attribute X to a variable without X; shouldn't
> the value then be *deleted* for consistency reasons?).
>
> If we accept for a moment that attributes belong only to values,
> then we can think about how to set them. A global definition such as
>
>     const log_file = open_log_file("foo") &rotate_interval
>
> can be interpreted as assigning the attribute to the value returned
> from the function (more generally to whatever the assigned
> expression yields).
>
> We can use the "add foo &raw_output" syntax you suggested for adding
> attributes to the value of foo dynamically.
>
> A declaration such as
>
>     const foo = F &redef;
>
> can be interpreted as "we can rebind foo if its current value has
> the &redef attribute".
>
> I haven't thought this through actually but I guess my question is
> whether we need per-variable attributes at all?
>
> Robin
>
> [^"None-2"]
>
> On Nov 4, 2009, at 7:54 PM, Robin Sommer wrote:
> > That said, I'm not really sure what this should ideally look like.
> > Intuitively, I'd actually say attributes belong to values, not
> > variables, because transfer-on-assignment can lead to subtle effects
> > (values are passed around, and what if the receiving function
> > happens to assign the value to the wrong variable? Also what if you
> > assign a value with attribute X to a variable without X; shouldn't
> > the value then be *deleted* for consistency reasons?).
>
> Attributes being attached to values really seems to make sense.
>
> > If we accept for a moment that attributes belong only to values,
> > then we can think about how to set them. A global definition such as
> >
> >     const log_file = open_log_file("foo") &rotate_interval
>
> It works in this case, but this has typically been where trouble was encountered. What about cases where there isn't a value assigned yet? Something like...
>
>     const bad_addrs_with_description: table[addr] of string &redef &write_expire=10mins;
>
> There isn't a value yet, but it has an attribute applied to it. Would that style still be supported? It would seem to conflict with having only value attributes.
>
> Even for my database backed variable stuff I'm working on, it created a stumbling block. What I'm doing internally is creating a copy of the value including attributes to a separate internal value when a query is being run. That value is then filled from the database and the script level variable is rebound to my newly filled internal value and the old value is deleted. I think that would be the right way to do it in this case even if only value attributes exist because it's an internal detail and the new value is being created internally, but it's certainly confusing sometimes.
>
>   .Seth
>
> [^"None-3"]
>
> On Wed, Nov 04, 2009 at 20:26 \-0500, you wrote:
> > const bad_addrs_with_description: table[addr] of string &redef
> > &write_expire=10mins;
> >
> > There isn't a value yet, but it has an attribute applied to it.
>
> Actually there is: it's assigned an empty table. So, yes, that would
> still work.
>
> What would be different however is a later assignment (redef for
> const [1]), which would ignore the &write_expire of the original
> definition and instead use the attributes from the assigned value.
>
> Robin
>
> [1] A "=" redef, not a "+=" redef which works on the original value.
>
> [^"None-4"]
>
> On Nov 10, 2009, at 12:32 AM, Robin Sommer wrote:
> > What would be different however is a later assignment (redef for
> > const [1]), which would ignore the &write_expire of the original
> > definition and instead use the attributes from the assigned value.
> >
> > [1] A "=" redef, not a "+=" redef which works on the original value.
>
> Ah, ok. This is all coming together for me now. :)
>
> Another question I have is if the change was made to allow attribute additions and deletions at runtime, does it sort of violate the concept of const? const seems to tie the value and variable together and make them unchangeable at runtime, but it's a little confusing conceptually if you're able to still change the attributes of a const at runtime.
>
> Am I thinking about that right?
>
>   .Seth
>
> [^"None-5"]
>
> On Fri, Nov 13, 2009 at 13:24 \-0500, you wrote:
> > Another question I have is if the change was made to allow attribute
> > additions and deletions at runtime, does it sort of violate the concept
> > of const?
>
> That's a good point, yes. Perhaps "const foo = xxx" should actually
> mean that the value xxx gets an (internal) attribute &const so that
> it's not changeable? And then assigning to a global with a current
> value that has the &const attribute would be prohibited as well.
>
> Does that make sense?
>
> Robin

From jira at bro-tracker.atlassian.net Tue Mar 17 10:43:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:43:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1328) BroControl displays backtrace for all failed / mistyped commands

    [ https://bro-tracker.atlassian.net/browse/BIT-1328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1328:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Seems like this will be fixed when BIT-1341 is merged, please re-open if that's not the case.

> BroControl displays backtrace for all failed / mistyped commands
> ----------------------------------------------------------------
>
> Key: BIT-1328
> URL: https://bro-tracker.atlassian.net/browse/BIT-1328
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.4
>
>
> BroControl shows a backtrace for failing commands, instead of just an error message.
>
> Example:
> {code}
> [BroControl] > status sdd
> Traceback (most recent call last):
>   File "/xa/bro/master/lib/broctl/BroControl/brocmd.py", line 49, in cmdloop
>     success = self.onecmd(line)
>   File "/usr/local/lib/python2.7/cmd.py", line 221, in onecmd
>     return func(arg)
>   File "/xa/bro/master/bin/broctl", line 190, in do_status
>     results = self.broctl.status(node_list=args)
>   File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 36, in wrapper
>     return func(self, *args, **kwargs)
>   File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 231, in status
>     nodes = self.node_args(node_list)
>   File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 98, in node_args
>     raise InvalidNodeError("unknown node '%s'" % arg)
> InvalidNodeError: unknown node 'sdd'
> [BroControl] >
> {code}

From jira at bro-tracker.atlassian.net Tue Mar 17 10:44:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:44:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1327) broctl status output is not sorted correctly

    [ https://bro-tracker.atlassian.net/browse/BIT-1327?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1327:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Seems like this is addressed once BIT-1341 is merged.

> broctl status output is not sorted correctly
> --------------------------------------------
>
> Key: BIT-1327
> URL: https://bro-tracker.atlassian.net/browse/BIT-1327
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.4
>
>
> With the current version of BroControl, broctl status is no longer sorted in the traditional order that we had in old versions (master, proxy, workers). Instead, the order seems to be more-or-less random, but static (it does not change in between runs).
>
> I think we should revert this to the old behavior - having sorted output is nice and makes it more convenient to see what is going on.

From jira at bro-tracker.atlassian.net Tue Mar 17 10:49:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:49:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic

    [ https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20000#comment-20000 ]

Jon Siwek commented on BIT-947:
-------------------------------

Vlad, any SSH changes you have coming that address this ticket?

> Incorrect size calculation for SSH failed/successful heuristic
> --------------------------------------------------------------
>
> Key: BIT-947
> URL: https://bro-tracker.atlassian.net/browse/BIT-947
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: grigorescu
> Priority: Low
> Fix For: 2.4
>
>
> We're getting a lot of false positives for successful SSH logins from a source that we recently blackholed. I suspect what's happening is that the retransmissions keep bumping up the size of the connection, until it crosses the threshold for a "successful" connection.
>
> With the changes from BIT-730: Find and fix tcp sequence counting bugs, is it possible to improve the accuracy of the reported size?

From jira at bro-tracker.atlassian.net Tue Mar 17 10:53:00 2015
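To show how retransmissions inflate a payload-sum size and how sequence-space accounting keeps the count honest, an added example in C (not Bro's SSH script or its connection-size code); the segment trace and the success threshold are constructed placeholders, and the struct and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Bro's code: count the bytes one TCP direction actually
 * delivered by tracking sequence space, so retransmitted segments (as a
 * blackholed peer provokes) do not push a size-based login heuristic over
 * its threshold. */

struct tcp_dir {
    int      seen;         /* first segment observed yet? */
    uint32_t isn;          /* sequence number of the first byte seen */
    uint32_t top;          /* one past the highest sequence number delivered */
    uint64_t naive_bytes;  /* plain sum of payload lengths, for comparison */
};

/* Sequence comparison that tolerates 32-bit wrap-around. */
static int seq_after(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

void tcp_dir_init(struct tcp_dir *d)
{
    memset(d, 0, sizeof *d);
}

/* Account for one segment carrying `len` payload bytes starting at `seq`. */
void tcp_dir_segment(struct tcp_dir *d, uint32_t seq, uint32_t len)
{
    d->naive_bytes += len;
    if (!d->seen) {
        d->seen = 1;
        d->isn = seq;
        d->top = seq;
    }
    uint32_t end = seq + len;
    /* A retransmission or partial overlap never moves the high-water mark
     * past data that was already counted. */
    if (seq_after(end, d->top))
        d->top = end;
}

/* Unique sequence space delivered, i.e. bytes excluding retransmits. */
uint64_t tcp_dir_unique_bytes(const struct tcp_dir *d)
{
    return d->seen ? (uint64_t)(uint32_t)(d->top - d->isn) : 0;
}

/* Constructed scenario: server->client direction of an SSH session where the
 * middle segment is retransmitted twice because the client was blackholed. */
static void replay_sample(struct tcp_dir *d)
{
    tcp_dir_init(d);
    tcp_dir_segment(d, 1000, 100);
    tcp_dir_segment(d, 1100, 200);
    tcp_dir_segment(d, 1100, 200);  /* retransmit */
    tcp_dir_segment(d, 1300,  50);
    tcp_dir_segment(d, 1100, 200);  /* retransmit again */
    tcp_dir_segment(d, 1250, 100);  /* overlaps already-seen data entirely */
}

uint64_t sample_naive_bytes(void)
{
    struct tcp_dir d;
    replay_sample(&d);
    return d.naive_bytes;
}

uint64_t sample_unique_bytes(void)
{
    struct tcp_dir d;
    replay_sample(&d);
    return tcp_dir_unique_bytes(&d);
}

/* Wrap-around check: 32 bytes straddling the top of sequence space. */
uint64_t wrap_sample_unique_bytes(void)
{
    struct tcp_dir d;
    tcp_dir_init(&d);
    tcp_dir_segment(&d, 0xfffffff0u, 16);
    tcp_dir_segment(&d, 0x00000000u, 16);
    return tcp_dir_unique_bytes(&d);
}

/* A size threshold of the kind the SSH heuristic applies; the number is a
 * placeholder, not the value Bro uses. */
#define SAMPLE_SUCCESS_THRESHOLD 500

int sample_naive_says_success(void)  { return sample_naive_bytes()  >= SAMPLE_SUCCESS_THRESHOLD; }
int sample_unique_says_success(void) { return sample_unique_bytes() >= SAMPLE_SUCCESS_THRESHOLD; }
```

The payload sum reaches 850 bytes and crosses the placeholder threshold, while only 350 bytes of distinct sequence space were ever delivered.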
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-944) @bro-meta index in ES writer

    [ https://bro-tracker.atlassian.net/browse/BIT-944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20001#comment-20001 ]

Jon Siwek commented on BIT-944:
-------------------------------

Vlad or Seth, up to you whether to re-schedule this ticket for 2.5.

> @bro-meta index in ES writer
> ----------------------------
>
> Key: BIT-944
> URL: https://bro-tracker.atlassian.net/browse/BIT-944
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Priority: Low
> Fix For: 2.4
>
>
> The elasticsearch writer isn't creating/modifying the required (for Brownian) @bro-meta index when using the ReLog script to import old logs because rotation is disabled when importing logs. For now the right answer is probably to just leave out the start and end fields and write to the index in the UpdateIndex method if rotation is disabled.

From jira at bro-tracker.atlassian.net Tue Mar 17 10:54:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 12:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows

    [ https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-788:
-----------------------------

    Assignee: Jon Siwek

> Good analysis of unidirectional DNS flows
> -----------------------------------------
>
> Key: BIT-788
> URL: https://bro-tracker.atlassian.net/browse/BIT-788
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: git/master
> Reporter: juliensentier
> Assignee: Jon Siwek
> Fix For: 2.4
>
> Attachments: 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch
>
>
> Some use port udp 53 as a source port for DNS requests.
> And sometimes, we can miss the DNS request.
> In this case, we can rely on the DNS field QR to identify the direction of the flow.

From jira at bro-tracker.atlassian.net Tue Mar 17 11:03:01 2015
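As an added example (not the attached patch and not Bro's DNS analyzer), a small C helper that applies the rule from BIT-788: when the UDP ports do not identify the client side, or when only the answer was seen, the QR bit of the DNS header decides; the sample query and response bytes and the function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not the attached patch: pick the DNS client side of a UDP
 * flow.  Ports alone fail when the client also sends from port 53 or when the
 * request was missed, so the QR bit of the DNS header decides. */

#define DNS_PORT    53
#define DNS_HDR_LEN 12

enum dns_side { SIDE_UNKNOWN = 0, SIDE_CLIENT = 1, SIDE_SERVER = 2 };

/* QR is the top bit of the second flags byte: 0 = query, 1 = response.
 * Returns -1 when the payload cannot hold a DNS header. */
int dns_is_response(const uint8_t *payload, size_t len)
{
    if (len < DNS_HDR_LEN)
        return -1;
    return (payload[2] & 0x80) ? 1 : 0;
}

/* Port heuristic only: decisive when exactly one endpoint uses port 53. */
enum dns_side dns_side_from_ports(uint16_t sport, uint16_t dport)
{
    if (sport == DNS_PORT && dport != DNS_PORT)
        return SIDE_SERVER;
    if (dport == DNS_PORT && sport != DNS_PORT)
        return SIDE_CLIENT;
    return SIDE_UNKNOWN;               /* both or neither on 53: ambiguous */
}

/* Which side sent this datagram?  The QR bit overrides the port guess, which
 * also covers a response observed without its request. */
enum dns_side dns_sender_side(uint16_t sport, uint16_t dport,
                              const uint8_t *payload, size_t len)
{
    int qr = dns_is_response(payload, len);
    if (qr < 0)
        return dns_side_from_ports(sport, dport);   /* header unusable: fall back */
    return qr ? SIDE_SERVER : SIDE_CLIENT;
}

/* Constructed sample datagrams: a query for example.com (A, IN) and the
 * matching response header with one answer. */
const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00,            /* id, flags: QR=0, RD=1 */
    0x00, 0x01, 0x00, 0x00,            /* qdcount=1, ancount=0 */
    0x00, 0x00, 0x00, 0x00,            /* nscount, arcount */
    0x07, 'e','x','a','m','p','l','e', 0x03, 'c','o','m', 0x00,
    0x00, 0x01, 0x00, 0x01             /* type A, class IN */
};

const uint8_t sample_response[] = {
    0x12, 0x34, 0x81, 0x80,            /* id, flags: QR=1, RD=1, RA=1 */
    0x00, 0x01, 0x00, 0x01,            /* qdcount=1, ancount=1 */
    0x00, 0x00, 0x00, 0x00
};
```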
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:03:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1274) Moving GeoIP Code to Plugin

    [ https://bro-tracker.atlassian.net/browse/BIT-1274?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1274:
---------------------------

    Fix Version/s: 2.5

> Moving GeoIP Code to Plugin
> ---------------------------
>
> Key: BIT-1274
> URL: https://bro-tracker.atlassian.net/browse/BIT-1274
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: AK
> Fix For: 2.5
>
> Attachments: ak.patch
>
>
> I've started moving the GeoIP code to a plugin. The branch of Bro I'm working from is here: https://github.com/anthonykasza/bro/tree/topic/akasza/geoplugin.
> The source for the plugin is here: https://github.com/anthonykasza/Bro_GeoIP.
> Any pointers would be appreciated.

From jira at bro-tracker.atlassian.net Tue Mar 17 11:03:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:03:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers

    [ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1306:
---------------------------

    Fix Version/s: 2.4

> bro process would get stuck/freeze with myricom drivers
> -------------------------------------------------------
>
> Key: BIT-1306
> URL: https://bro-tracker.atlassian.net/browse/BIT-1306
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Environment: OS: FreeBSD 9.3-RELEASE-p5
> bro version 2.3-328
> git log -1 --format="%H"
> 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f
> Reporter: Aashish Sharma
> Labels: bro-git, myricom
> Fix For: 2.4
>
>
> When I stop bro (in cluster mode), one of the bro worker processes (random) would get stuck and wouldn't shut down, stop, or even be killed using kill -s 9.
> The system has to be ultimately rebooted to remove the stuck bro process.
>
> On running myri_start_stop I see:
>
> # /usr/local/opt/snf/sbin/myri_start_stop stop
> Removing myri_snf.ko
> kldunload: can't unload file: Device busy
>
> It appears that the myri_snf.ko driver cannot be unloaded because of the stuck bro process. That process still has an open descriptor on the Sniffer device/driver and the bro process freezes.
>
> More details:
>
> The bro process is stuck in RNE state
>
> R Marks a runnable process.
> N The process has reduced CPU scheduling priority (see setpriority(2)).
> E The process is trying to exit.
>
> Here is an example:
>
> ### stuck process:
> [bro at 01 ~]$ ps auxwww | fgrep 1616
> bro 1616 100.0 0.0 758040 60480 ?? RNE 2:57PM 53:50.04 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro broctl/auto
>
> #### when checking for the process in proc:
> [bro at c ~]$ ls -l /proc/1616
> ls: /proc/1616: No such file or directory

From jira at bro-tracker.atlassian.net Tue Mar 17 11:04:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1265) Single sided HTTP POST split

    [ https://bro-tracker.atlassian.net/browse/BIT-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1265:
---------------------------

    Fix Version/s: 2.5

> Single sided HTTP POST split
> ----------------------------
>
> Key: BIT-1265
> URL: https://bro-tracker.atlassian.net/browse/BIT-1265
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Environment: CentOS 6
> Reporter: Jimmy Jones
> Fix For: 2.5
>
> Attachments: sample-upload2-all.pcap, sample-upload2-req.pcap
>
>
> Attached are two pcap samples, one a single-sided version of the other, of an HTTP POST.
>
> When I process the single-sided version (sample-upload2-req), conn.log shows two sessions (the HTTP POST tcp connection has been split) and http.log shows a partial upload. However, processing the original sample (sample-upload2-all), everything is as expected - one connection in conn.log and a complete http.log.
>
> Are there any parameters I can tweak to make this work?

From jira at bro-tracker.atlassian.net Tue Mar 17 11:08:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:08:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1263:
---------------------------

    Fix Version/s: 2.4

> Implementing three event handlers for supported data structure in Modbus Analyzer
> ---------------------------------------------------------------------------------
>
> Key: BIT-1263
> URL: https://bro-tracker.atlassian.net/browse/BIT-1263
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: hui
> Assignee: hui
> Priority: Low
> Labels: analyzer, modbus
> Fix For: 2.4
>
>
> Three support data structures are defined in the Modbus analyzer:
> FileRecordRequest,
> FileRecordResponse,
> ReferenceWithData
>
> Three event handlers are declared for them.
>
> The changes are already made and pushed into the branch:
> topic/hui/modbus-events2

From jira at bro-tracker.atlassian.net Tue Mar 17 11:10:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20002#comment-20002 ]

Jon Siwek commented on BIT-1263:
--------------------------------

Seems like this is nearly done, but just didn't get merged due to lack of test case? Can we get that for 2.4?

> Implementing three event handlers for supported data structure in Modbus Analyzer
> ---------------------------------------------------------------------------------
>
> Key: BIT-1263
> URL: https://bro-tracker.atlassian.net/browse/BIT-1263
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: hui
> Assignee: hui
> Priority: Low
> Labels: analyzer, modbus
> Fix For: 2.4
>
>
> Three support data structures are defined in Modbus analyzer:
> FileRecordRequest,
> FileRecordResponse,
> ReferenceWithData
> Three event handlers are declared for them.
> The changes are already made and pushed into the branch:
> topic/hui/modbus-events2

From jira at bro-tracker.atlassian.net Tue Mar 17 11:12:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1237) Bro script declaration ordering

[ https://bro-tracker.atlassian.net/browse/BIT-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1237:
---------------------------
    Description:

During one of the scripting exercises I noticed odd behavior with items declared in the global scope:

{code}
############################# error.bro
not working:
------------------------------------------------
local test_var = "test_var";
function test_1()
{
print "test_1";
}
print test_var;
test_1();
>>> Output:
error in ./test.bro, line 3: syntax error, at or near "test_1"
############################# working.bro
working:
------------------------------------------------
function test_1()
{
print "test_1";
}
local test_var = "test_var";
print test_var;
test_1();
>>> Output:
test_var
test_1
#############################
{code}

To declare a function, bro 2.3 forced me to do it at the top of the file. On the exercise with the redef of the grid ftp size variable I noticed the same issue with redef, it required me to put the redef at the very top of the file.

Robin asked me to open a ticket and mentioned this was low priority.

  was:

During one of the scripting exercises I noticed odd behavior with items declared in the global scope:

############################# error.bro
not working:
------------------------------------------------
local test_var = "test_var";
function test_1()
{
print "test_1";
}
print test_var;
test_1();
>>> Output:
error in ./test.bro, line 3: syntax error, at or near "test_1"
############################# working.bro
working:
------------------------------------------------
function test_1()
{
print "test_1";
}
local test_var = "test_var";
print test_var;
test_1();
>>> Output:
test_var
test_1
#############################

To declare a function, bro 2.3 forced me to do it at the top of the file. On the exercise with the redef of the grid ftp size variable I noticed the same issue with redef, it required me to put the redef at the very top of the file.

Robin asked me to open a ticket and mentioned this was low priority.

> Bro script declaration ordering
> -------------------------------
>
> Key: BIT-1237
> URL: https://bro-tracker.atlassian.net/browse/BIT-1237
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Environment: Bro con training VM
> Reporter: Peter Kaloroumakis
> Priority: Trivial
> Labels: BroScript
>
> During one of the scripting exercises I noticed odd behavior with items declared in the global scope:
> {code}
> ############################# error.bro
> not working:
> ------------------------------------------------
> local test_var = "test_var";
> function test_1()
> {
> print "test_1";
> }
> print test_var;
> test_1();
> >>> Output:
> error in ./test.bro, line 3: syntax error, at or near "test_1"
> ############################# working.bro
> working:
> ------------------------------------------------
> function test_1()
> {
> print "test_1";
> }
> local test_var = "test_var";
> print test_var;
> test_1();
> >>> Output:
> test_var
> test_1
> #############################
> {code}
> To declare a function, bro 2.3 forced me to do it at the top of the file. On the exercise with the redef of the grid ftp size variable I noticed the same issue with redef, it required me to put the redef at the very top of the file.
> Robin asked me to open a ticket and mentioned this was low priority.

From jira at bro-tracker.atlassian.net Tue Mar 17 11:20:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1199:
---------------------------
    Fix Version/s: 2.4

> Better error messages for input file errors in READER_ASCII
> -----------------------------------------------------------
>
> Key: BIT-1199
> URL: https://bro-tracker.atlassian.net/browse/BIT-1199
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: grigorescu
> Priority: Low
> Fix For: 2.4
>
> Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently displayed).

From jira at bro-tracker.atlassian.net Tue Mar 17 11:20:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:20:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1199:
------------------------------
    Assignee: Johanna Amann

> Better error messages for input file errors in READER_ASCII
> -----------------------------------------------------------
>
> Key: BIT-1199
> URL: https://bro-tracker.atlassian.net/browse/BIT-1199
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: grigorescu
> Assignee: Johanna Amann
> Priority: Low
> Fix For: 2.4
>
> Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently displayed).

From jira at bro-tracker.atlassian.net Tue Mar 17 11:23:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20003#comment-20003 ]

Jon Siwek commented on BIT-1199:
--------------------------------

Johanna, though it may not be trivial to continue processing input on errors like these as mentioned in BIT-1229, is it easy to improve the error message to include file name and line number info as suggested by this ticket?

> Better error messages for input file errors in READER_ASCII
> -----------------------------------------------------------
>
> Key: BIT-1199
> URL: https://bro-tracker.atlassian.net/browse/BIT-1199
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: grigorescu
> Assignee: Johanna Amann
> Priority: Low
> Fix For: 2.4
>
> Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently displayed).

From jira at bro-tracker.atlassian.net Tue Mar 17 11:25:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:25:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1198) Input framework's READER_ASCII can't handle DOS files

[ https://bro-tracker.atlassian.net/browse/BIT-1198?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1198:
---------------------------
    Fix Version/s: 2.5

> Input framework's READER_ASCII can't handle DOS files
> -----------------------------------------------------
>
> Key: BIT-1198
> URL: https://bro-tracker.atlassian.net/browse/BIT-1198
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: grigorescu
> Priority: Low
> Fix For: 2.5
>
> Attachments: test.intel
>
>
> DOS files use CR+LF for newlines, while Linux uses only LF. I've heard of a number of cases where people generate files designed to be read with the input framework on Windows (e.g. exporting from Excel). It'd be nice if we could support that.
> Trying to load the attached sample file results in:
> {code}
> error: test.intel/Input::READER_ASCII: Did not find requested field meta.source in input data file test.intel.
> error: test.intel/Input::READER_ASCII: Init: cannot open test.intel; headers are incorrect
> error: test.intel/Input::READER_ASCII: Init failed
> error: test.intel/Input::READER_ASCII: terminating thread
> {code}

From jira at bro-tracker.atlassian.net Tue Mar 17 11:27:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:27:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1181) Input-framework errors should be fatal (or Notice_Alarm) instead of silent reporter::error failures

[ https://bro-tracker.atlassian.net/browse/BIT-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1181:
---------------------------
    Fix Version/s: 2.5

> Input-framework errors should be fatal (or Notice_Alarm) instead of silent reporter::error failures
> ---------------------------------------------------------------------------------------------------
>
> Key: BIT-1181
> URL: https://bro-tracker.atlassian.net/browse/BIT-1181
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.2
> Reporter: Aashish Sharma
> Assignee: Johanna Amann
> Labels: input-framework
> Fix For: 2.5
>
>
> I noticed many times that if there is a problem in a feed file (syntax, or some other issue) and input-framework is unable to read the file, it generates a Reporter::Error. This is a silent failure condition, i.e. Bro continues to operate as normal and the error is logged into reporter log.
> Ideally the above is the right thing to do. However, this failure results in no data in the tables getting updated any more while I continue to operate under the impression that Bro is working fine (unless I have explicitly been looking at reporter log for this issue, which now I do).
> If input-framework is unable to read/digest data from a feed, I believe that should be a (configurable) fatal error or something which at least triggers an alarm/alert/email.

From jira at bro-tracker.atlassian.net Tue Mar 17 11:28:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 17 Mar 2015 13:28:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20004#comment-20004 ]

Johanna Amann commented on BIT-1199:
------------------------------------

I will take a look. It might be possible to output the file name and the offending entry - line numbers are sadly not available in the core.

> Better error messages for input file errors in READER_ASCII
> -----------------------------------------------------------
>
> Key: BIT-1199
> URL: https://bro-tracker.atlassian.net/browse/BIT-1199
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: grigorescu
> Assignee: Johanna Amann
> Priority: Low
> Fix For: 2.4
>
> Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently displayed).

From jira at bro-tracker.atlassian.net Tue Mar 17 11:28:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 17 Mar 2015 13:28:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1199:
-------------------------------
    Priority: Normal (was: Low)

> Better error messages for input file errors in READER_ASCII
> -----------------------------------------------------------
>
> Key: BIT-1199
> URL: https://bro-tracker.atlassian.net/browse/BIT-1199
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: grigorescu
> Assignee: Johanna Amann
> Fix For: 2.4
>
> Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently displayed).

From jira at bro-tracker.atlassian.net Tue Mar 17 11:30:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:30:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1154) Formatters restructed in: topic/seth/json-formatter

[ https://bro-tracker.atlassian.net/browse/BIT-1154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1154:
---------------------------
    Fix Version/s: 2.4

> Formatters restructed in: topic/seth/json-formatter
> ---------------------------------------------------
>
> Key: BIT-1154
> URL: https://bro-tracker.atlassian.net/browse/BIT-1154
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: 2.4
> Reporter: Seth Hall
> Fix For: 2.4
>
>
> topic/seth/json-formatter has an abstraction for Formatters and I created a formatters directory under threading. There is also a new JSON formatter and support in the Ascii and ElasticSearch writers for the JSON formatter.
> I went ahead and threw in per-filter configuration options for the Ascii writer for all of the options that were exposed globally too.

From jira at bro-tracker.atlassian.net Tue Mar 17 11:46:00 2015
From: jira at bro-tracker.atlassian.net (Paul Pearce (JIRA))
Date: Tue, 17 Mar 2015 13:46:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1338) http response mime types uninitialized in file_over_new_connection event

[ https://bro-tracker.atlassian.net/browse/BIT-1338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20005#comment-20005 ]

Paul Pearce commented on BIT-1338:
----------------------------------

bq. The "conns" field of fa_file should hold all the connection records over which the file was transferred, if any. Does that help simplify your analysis

Hmm. Yes this does help. I believe it will yield subtly different semantics on files that span multiple connections, but that is not a problem for me. Thanks.

> http response mime types uninitialized in file_over_new_connection event
> ------------------------------------------------------------------------
>
> Key: BIT-1338
> URL: https://bro-tracker.atlassian.net/browse/BIT-1338
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Paul Pearce
> Labels: mime
> Fix For: 2.4
>
>
> http resp_mime_types (accessed via: connection$http$resp_mime_types) are no longer initialized during the file_over_new_connection event. This is new behavior between Bro v2.3 and git/master.
> The following snippet shows the new behavior on one of the included bro test traces.
> {code:bash}
> $ bro_v23 -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event file_over_new_connection(f: fa_file, c:connection, is_orig:bool){ print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> F
> {code}
> It's worth pointing out that ultimately the resp_mime_types field does get set for subsequent events.
> {code:bash}
> $ bro_v23 -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> $ bro_git -e 'event http_message_done (c: connection, is_orig: bool, stat: http_message_stat){ if (!is_orig) print c$http?$resp_mime_types; }' -r bro/testing/btest/Traces/http/get.trace
> T
> {code}

From jira at bro-tracker.atlassian.net Tue Mar 17 11:58:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 13:58:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-667) Non-deterministic behavior when deleting current set element during iteration

[ https://bro-tracker.atlassian.net/browse/BIT-667?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-667:
--------------------------
    Resolution: Duplicate
    Fix Version/s: 2.4
    Status: Closed (was: Open)

As part of BIT-978, I'll be adding documentation to the for-each loop that explains you can't modify a container's membership while iterating over it. (There is code in Bro's core that would allow this, "MakeRobustCookie", but I assume it's not used for performance reasons).

> Non-deterministic behavior when deleting current set element during iteration
> -----------------------------------------------------------------------------
>
> Key: BIT-667
> URL: https://bro-tracker.atlassian.net/browse/BIT-667
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: david.bianco
> Fix For: 2.4
>
> Attachments: part3.bro
>
>
> As we discussed during the Bro Workshop at NCSA, the attached code shows some non-deterministic results while deleting the current element while iterating through a set. Most of the time, it works. Some times, it doesn't.
> Have a look at subexercise 3's output.

From jira at bro-tracker.atlassian.net Tue Mar 17 12:13:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 14:13:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-528) Python 3 compatibility

[ https://bro-tracker.atlassian.net/browse/BIT-528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-528:
--------------------------
    Resolution: Fixed
    Fix Version/s: 2.4
    Status: Closed (was: Open)

I think Bro 2.4 is now Python 3 compatible. Daniel, were there any remaining pieces?

> Python 3 compatibility
> ----------------------
>
> Key: BIT-528
> URL: https://bro-tracker.atlassian.net/browse/BIT-528
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: BroControl
> Reporter: Robin Sommer
> Fix For: 2.4
>
>
> We should make sure that BroControl (and other Python pieces we ship) run fine with Python 3.x.

From jira at bro-tracker.atlassian.net Tue Mar 17 12:32:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Tue, 17 Mar 2015 14:32:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1331) BroControl manager crashes when logs rotate

[ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20008#comment-20008 ]

Aaron Eppert commented on BIT-1331:
-----------------------------------

Encountering the same problem in a clustered configuration with only a single worker and proxy at the moment. Confirming the same error and the linked BIT-1253 ticket.

> BroControl manager crashes when logs rotate
> -------------------------------------------
>
> Key: BIT-1331
> URL: https://bro-tracker.atlassian.net/browse/BIT-1331
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.4
> Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
> Reporter: Josh Liburdi
> Priority: High
> Fix For: 2.4
>
>
> The BroControl manager crashes when the logs rotate. Workers run fine through this process.
> stderr.log output:
> internal error: finish missing
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup "$mybro" "$@"
> send-mail: SENDMAIL-NOTFOUND not found

From jira at bro-tracker.atlassian.net Tue Mar 17 13:07:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Tue, 17 Mar 2015 15:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1331) BroControl manager crashes when logs rotate

[ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20008#comment-20008 ]

Aaron Eppert edited comment on BIT-1331 at 3/17/15 3:06 PM:
------------------------------------------------------------

Encountering the same problem in a clustered configuration with only a single worker and proxy at the moment. Confirming the same error and the linked BIT-1253 ticket.

Also getting this:

fatal error in : val::CONVERTER (string/port) (80/tcp)

  was (Author: aeppert):

Encountering the same problem in a clustered configuration with only a single worker and proxy at the moment. Confirming the same error and the linked BIT-1253 ticket.

> BroControl manager crashes when logs rotate
> -------------------------------------------
>
> Key: BIT-1331
> URL: https://bro-tracker.atlassian.net/browse/BIT-1331
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.4
> Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
> Reporter: Josh Liburdi
> Priority: High
> Fix For: 2.4
>
>
> The BroControl manager crashes when the logs rotate. Workers run fine through this process.
> stderr.log output:
> internal error: finish missing
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup "$mybro" "$@"
> send-mail: SENDMAIL-NOTFOUND not found

From jira at bro-tracker.atlassian.net Tue Mar 17 13:21:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 15:21:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existant enum from an input file terminates bro

[ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1229:
---------------------------
    Status: Reopened (was: Closed)
    Resolution: (was: Fixed)

> loading a non-existant enum from an input file terminates bro
> -------------------------------------------------------------
>
> Key: BIT-1229
> URL: https://bro-tracker.atlassian.net/browse/BIT-1229
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Justin Azoff
> Assignee: Johanna Amann
> Fix For: 2.5
>
> Attachments: ignored_notices.csv, ignore-notices.bro
>
>
> If you have an input file with an enum in it and it does not exist, bro terminates:
> internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6

From jira at bro-tracker.atlassian.net Tue Mar 17 13:21:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 15:21:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existant enum from an input file terminates bro

[ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1229:
---------------------------
    Status: Closed (was: Reopened)

> loading a non-existant enum from an input file terminates bro
> -------------------------------------------------------------
>
> Key: BIT-1229
> URL: https://bro-tracker.atlassian.net/browse/BIT-1229
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Justin Azoff
> Assignee: Johanna Amann
> Fix For: 2.5
>
> Attachments: ignored_notices.csv, ignore-notices.bro
>
>
> If you have an input file with an enum in it and it does not exist, bro terminates:
> internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6

From jira at bro-tracker.atlassian.net Tue Mar 17 13:40:01 2015
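The three READER_ASCII tickets above (BIT-1199: a stray tab with no file name or line number in the error; BIT-1198: CR+LF line endings; BIT-1229: an unknown enum value aborting Bro) all come down to input-file defects that are cheap to catch before the file is ever handed to the input framework. The pre-flight validator below is an added example, not Bro's own code: it assumes the default tab separator and a `#fields` header line, and the enum value set and the sample files are constructed for the example.

```python
"""Pre-flight validator for Bro input-framework (READER_ASCII) files.

Added example, not part of Bro. Reports "<file>:<line>: <problem>" so an
operator gets the file name and line number BIT-1199 asks for, sees the
CR+LF endings behind BIT-1198, and catches the unknown enum values that
abort Bro in BIT-1229 before the file is loaded.
"""
from typing import Dict, Iterable, List, Optional, Set

# Constructed for this example: the enum-typed columns of a hypothetical
# intel file and the values the loading script defines. Any other value
# would trip the "Value not found in enum mapping" abort.
KNOWN_ENUMS: Dict[str, Set[str]] = {
    "indicator_type": {"Intel::ADDR", "Intel::DOMAIN", "Intel::URL"},
}


def validate_input_file(name: str, data: bytes,
                        required: Iterable[str] = ("indicator", "indicator_type", "meta.source"),
                        enums: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Return problem strings for one tab-separated input file; [] means clean.

    Checks, per line: CR+LF ending, the #fields header (present and naming
    every field the script will request), column count (an extra tab shows
    up here), and enum-typed columns against `enums`.
    """
    enums = KNOWN_ENUMS if enums is None else enums
    problems: List[str] = []
    fields: Optional[List[str]] = None
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        if raw.endswith(b"\r"):
            problems.append(f"{name}:{lineno}: CR+LF line ending (DOS file); Bro expects LF")
            raw = raw[:-1]  # strip it so the remaining checks see the real content
        if not raw:
            continue
        line = raw.decode("utf-8", errors="replace")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            for want in required:
                if want not in fields:
                    problems.append(f"{name}:{lineno}: did not find requested field {want} in #fields")
            continue
        if line.startswith("#"):
            continue  # other directives and comments are not checked here
        if fields is None:
            problems.append(f"{name}:{lineno}: data line before any #fields header")
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append(f"{name}:{lineno}: expected {len(fields)} columns, got {len(cols)} (stray tab?)")
            continue
        for field, value in zip(fields, cols):
            allowed = enums.get(field)
            if allowed is not None and value not in allowed:
                problems.append(f"{name}:{lineno}: {value!r} is not a known {field} enum value")
    return problems


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for problem in validate_input_file(path, fh.read()):
                print(problem)
```

Run it over a feed before (re)loading it; a non-empty result is the condition BIT-1181 wants surfaced rather than left in reporter.log.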
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 15:40:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1253) Bro 2.3 - 2.3.1 manager dieing on Bivio hardware

[ https://bro-tracker.atlassian.net/browse/BIT-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1253:
---------------------------
    Status: Closed (was: Reopened)

> Bro 2.3 - 2.3.1 manager dieing on Bivio hardware
> ------------------------------------------------
>
> Key: BIT-1253
> URL: https://bro-tracker.atlassian.net/browse/BIT-1253
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Environment: Bro 2.3 and Bro 2.3.1
> bivio hardware, Linux CPU.2.6.31-45, has curl 7.36, gperftools 2.2, flex 2.5.39, bison 3.0.2, libpcap 1.1, swig 2.0.8
> Reporter: Larry Leviton
> Assignee: Johanna Amann
> Fix For: 2.4
>
>
> After starting bro up, the bro manager crashes in less than 60 seconds.
> Thanks for any help you can give.
> Sent stack trace to vendor (at bottom), and here was their response:
>
> Comment(s): Hello Larry,
> We have duplicated a crash in our lab setup that seems to be identical to that experienced by you. The code has changed quite a bit from 2.1 to 2.3.1, and we suspect a bug was introduced.
> What is going on seems to be that a writer thread is being terminated, and the destructor for the Ascii writer is called eventually. However, the destructor code does some checks and finds out that proper cleanup has not been done, so it aborts. This does not seem to be due to any library incompatibility, and looks more like maybe a race condition was introduced.
> Since you know the Bro developers, can you please ask them to take a look at this and get back to us? We think it requires their expertise at this point.
> Thank You,
> Hassan.
>
> Bivio Case Information:
> Bivio Case #: 4566243
> Date Created: 9/02/2014 08:02 AM PDT
>
> Stack trace below:
>
> GNU gdb (GDB) Fedora (6.8.50.20090302-40.fc11)
> This GDB was configured as "ppc-redhat-linux-gnu".
> ...
> Core was generated by `/var/tmp/bro/spool/tmp/bro -U .status -p broctl -p broctl-live -p local -p mana'.
> Program terminated with signal 6, Aborted.
> #0 0x0f6cf01c in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> in ../nptl/sysdeps/unix/sysv/linux/raise.c
> (gdb) backtrace
> #0 0x0f6cf01c in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1 0x0f6d0de0 in *__GI_abort () at abort.c:90
> #2 0x1024be70 in logging::writer::Ascii::~Ascii (this=0x11a87200, __in_chrg=)
>     at /bivio/scsi/b/levitonl/bro-2.3.1/src/logging/writers/Ascii.cc:186
> #3 0x10236b70 in threading::Manager::Process (this=0x10dae180)
>     at /bivio/scsi/b/levitonl/bro-2.3.1/src/threading/Manager.cc:171
> #4 0x101a5400 in net_run () at /bivio/scsi/b/levitonl/bro-2.3.1/src/Net.cc:389
> #5 0x100f7554 in main (argc=, argv=)
>     at /bivio/scsi/b/levitonl/bro-2.3.1/src/main.cc:1165
> Current language: auto; currently minimal
> (gdb)
> #0 0x0f6cf01c in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1 0x0f6d0de0 in *__GI_abort () at abort.c:90
> #2 0x1024be70 in
logging::writer::Ascii::~Ascii (this=0x11a87200, __in_chrg=) > at /bivio/scsi/b/levitonl/bro-2.3.1/src/logging/writers/Ascii.cc:186 > #3 0x10236b70 in threading::Manager::Process (this=0x10dae180) > at /bivio/scsi/b/levitonl/bro-2.3.1/src/threading/Manager.cc:171 > #4 0x101a5400 in net_run () at /bivio/scsi/b/levitonl/bro-2.3.1/src/Net.cc:389 > #5 0x100f7554 in main (argc=, argv=) > at /bivio/scsi/b/levitonl/bro-2.3.1/src/main.cc:1165 > (gdb) quit -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 13:40:01 2015 
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 15:40:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1253) Bro 2.3 - 2.3.1 manager dying on Bivio hardware
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1253:
---------------------------

        Status: Reopened  (was: Closed)
    Resolution: (was: Fixed)

From jira at bro-tracker.atlassian.net Tue Mar 17 13:48:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 17 Mar 2015 15:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1199:
----------------------------------

    Assignee: (was: Johanna Amann)

> Better error messages for input file errors in READER_ASCII
> -----------------------------------------------------------
>
>                 Key: BIT-1199
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1199
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: grigorescu
>             Fix For: 2.4
>
>         Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently displayed).

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Tue Mar 17 13:48:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 17 Mar 2015 15:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1199:
-------------------------------

    Status: Merge Request  (was: Open)

From jira at bro-tracker.atlassian.net Tue Mar 17 13:48:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 17 Mar 2015 15:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20009#comment-20009 ]

Johanna Amann commented on BIT-1199:
------------------------------------

Addressed in topic/johanna/bit-1199 - error messages now contain the stream name:

{quote}
internal error: Value not 'NoSuch::Notice' for stream 'ignored_notices' is not a valid enum.
{quote}

From jira at bro-tracker.atlassian.net Tue Mar 17 13:57:00 2015
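The BIT-1199 request is for input-reader errors that name the stream, the file and the line. The following is an added illustration of that behaviour, written for this page; it is not Bro's ASCII input reader, not the test.intel attachment, and not the topic/johanna/bit-1199 branch. The sample files, the field names and the enum labels in SCHEMA are constructed for the example; the second data line of SAMPLE_STRAY_TAB carries the same kind of stray trailing tab the ticket describes.

```python
"""Added example for the BIT-1199 request: a strict tab-separated reader
that reports stream name, file name and line number on malformed input.
Illustrative code only, not Bro's ASCII input reader."""

# Constructed samples (not the ticket's attachment). The second data line of
# SAMPLE_STRAY_TAB ends with an extra tab after downloader.com.
SAMPLE_STRAY_TAB = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "evil.example\tIntel::DOMAIN\tfeed-a\n"
    "downloader.com\tIntel::DOMAIN\tfeed-a\t\n"
)
SAMPLE_BAD_ENUM = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "203.0.113.9\tIntel::ADDRESS\tfeed-b\n"
)
SAMPLE_OK = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "203.0.113.9\tIntel::ADDR\tfeed-b\n"
)

# Hypothetical schema for the stream: field name -> set of allowed enum
# labels, or None for a free-form string field.
SCHEMA = {
    "indicator": None,
    "indicator_type": {"Intel::ADDR", "Intel::DOMAIN", "Intel::URL"},
    "meta.source": None,
}


class InputError(ValueError):
    """Carries stream, file and line so the message is actionable."""

    def __init__(self, stream, path, lineno, msg):
        super().__init__(f"input stream '{stream}': {path}:{lineno}: {msg}")
        self.stream, self.path, self.lineno = stream, path, lineno


def parse_lines(stream, path, lines, schema=SCHEMA, sep="\t"):
    """Parse an iterable of lines into dict records, or raise InputError
    pointing at the offending line."""
    fields = None
    records = []
    for lineno, raw in enumerate(lines, start=1):
        # Strip only the newline: a trailing separator is the defect we want to catch.
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
            missing = [f for f in schema if f not in fields]
            if missing:
                raise InputError(stream, path, lineno, f"#fields lacks {missing}")
            continue
        if line.startswith("#"):
            continue  # other directives and comments
        if fields is None:
            raise InputError(stream, path, lineno, "data line before #fields header")
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise InputError(stream, path, lineno,
                             f"expected {len(fields)} fields, got {len(cols)} (stray separator?)")
        rec = dict(zip(fields, cols))
        for name, allowed in schema.items():
            if allowed is not None and rec[name] not in allowed:
                raise InputError(stream, path, lineno,
                                 f"value '{rec[name]}' for field '{name}' is not a valid enum")
        records.append(rec)
    return records


def parse_file(stream, path, schema=SCHEMA):
    """Parse a file on disk; the path is echoed in any error."""
    with open(path, encoding="utf-8") as fh:
        return parse_lines(stream, path, fh, schema)


def check(stream, path, text):
    """Parse text as though it were file `path`; return None or the error message."""
    try:
        parse_lines(stream, path, text.splitlines())
        return None
    except InputError as e:
        return str(e)


if __name__ == "__main__":
    for name, text in [("ok.intel", SAMPLE_OK), ("stray.intel", SAMPLE_STRAY_TAB),
                       ("enum.intel", SAMPLE_BAD_ENUM)]:
        print(name, "->", check("intel", name, text) or "ok")
```

The field-count check fires before the enum check, so a stray tab is reported as a column-count mismatch on its own line rather than surfacing later as an unrelated enum failure, which is the confusing outcome the ticket describes.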
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 17 Mar 2015 15:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1253) Bro 2.3 - 2.3.1 manager dying on Bivio hardware
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1253:
-------------------------------

    Resolution: Cannot Reproduce
        Status: Closed  (was: Reopened)

I will just close this because we have not gotten any more feedback / information on it and it is currently not actionable. If you ever have more information on this, please feel free to re-open the ticket.

From jira at bro-tracker.atlassian.net Tue Mar 17 13:59:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 17 Mar 2015 15:59:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-985:
------------------------------

    Fix Version/s: 2.4  (was: 2.5)

> 'tail -f' functionality for file reading in input framework
> -----------------------------------------------------------
>
>                 Key: BIT-985
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-985
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: scampbell
>            Assignee: Johanna Amann
>            Priority: Low
>             Fix For: 2.4
>
>         Attachments: PATCH
>
>
> With the current input framework, file data -> event translation requires that the entire data file be read at bro start time. This can be prohibitive when the file sizes become large ( > 1GB ).
> It would be great to see a file open option that would start reading at the end of the file.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Tue Mar 17 13:59:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 17 Mar 2015 15:59:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20011#comment-20011 ]

Johanna Amann commented on BIT-985:
-----------------------------------

This is such a small thing that I might try to really still do it for 2.4.

From jira at bro-tracker.atlassian.net Tue Mar 17 14:06:00 2015
From: jira at bro-tracker.atlassian.net (scampbell (JIRA))
Date: Tue, 17 Mar 2015 16:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20012#comment-20012 ]

scampbell commented on BIT-985:
-------------------------------

I have a significantly improved patch from the one that I previously attached. That one leaked memory rather enthusiastically; will send over in a moment.

From jira at bro-tracker.atlassian.net Tue Mar 17 14:07:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 17 Mar 2015 16:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1171) misc/app-stats/main.bro broken for a few sites
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1171:
------------------------------

    Assignee: (was: Jon Siwek)

> misc/app-stats/main.bro broken for a few sites
> ----------------------------------------------
>
>                 Key: BIT-1171
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1171
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>             Fix For: 2.5
>
>
> Currently the reporting of misc/app-stats/main.bro seems to be quite wrong for some of the sites it monitors.
> At the very least the numbers for youtube and netflix are completely off, gmail also seems slightly unbelievable.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Tue Mar 17 14:33:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 17 Mar 2015 16:33:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1199:
---------------------------------

    Assignee: Robin Sommer

From jira at bro-tracker.atlassian.net Tue Mar 17 14:59:00 2015
From: jira at bro-tracker.atlassian.net (scampbell (JIRA)) Date: Tue, 17 Mar 2015 16:59:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] scampbell updated BIT-985: -------------------------- Attachment: input.diff > 'tail -f' functionality for file reading in input framework > ----------------------------------------------------------- > > Key: BIT-985 > URL: https://bro-tracker.atlassian.net/browse/BIT-985 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: scampbell > Assignee: Johanna Amann > Priority: Low > Fix For: 2.4 > > Attachments: input.diff, PATCH > > > With the current input framework, file data \-> event translation requires that the entire data file be read at bro start time. This can be prohibitive when the file sizes become large ( > 1GB ). > It would be great to see a file open option that would start reading at the end of the file. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 15:15:00 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Tue, 17 Mar 2015 17:15:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer reassigned BIT-1199: --------------------------------- Assignee: Johanna Amann (was: Robin Sommer) > Better error messages for input file errors in READER_ASCII > ----------------------------------------------------------- > > Key: BIT-1199 > URL: https://bro-tracker.atlassian.net/browse/BIT-1199 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: grigorescu > Assignee: Johanna Amann > Fix For: 2.4 > > Attachments: test.intel > > > This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with: > {code} > internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0 > {code} > The attached file contains an extra tab after downloader.com. > It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number. > I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number. > (Also, there's a typo in mappimg in the error message that's currently displayed). -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 15:16:03 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 17 Mar 2015 17:16:03 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existant enum from an input file terminates bro In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1229: ------------------------------- Fix Version/s: (was: 2.5) 2.4 > loading a non-existant enum from an input file terminates bro > ------------------------------------------------------------- > > Key: BIT-1229 > URL: https://bro-tracker.atlassian.net/browse/BIT-1229 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Justin Azoff > Assignee: Johanna Amann > Fix For: 2.4 > > Attachments: ignored_notices.csv, ignore-notices.bro > > > If you have an input file with an enum in it and it does not exist, bro terminates: > internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6 -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 15:16:01 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 17 Mar 2015 17:16:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existant enum from an input file terminates bro In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20013#comment-20013 ] Johanna Amann commented on BIT-1229: ------------------------------------ Just talked to Robin about this - there is probably a different way to solve this problem which will make it into 2.4 after all. > loading a non-existant enum from an input file terminates bro > ------------------------------------------------------------- > > Key: BIT-1229 > URL: https://bro-tracker.atlassian.net/browse/BIT-1229 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Justin Azoff > Assignee: Johanna Amann > Fix For: 2.4 > > Attachments: ignored_notices.csv, ignore-notices.bro > > > If you have an input file with an enum in it and it does not exist, bro terminates: > internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6 -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 15:37:00 2015 
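BIT-1199 and BIT-1229 above end in the same `internal error: Value not found in enum mapping`, reached two ways: a doubled tab shifts the columns so the enum lookup receives an empty string (`var: , var size: 0`), or the enum name simply does not exist (`Module: NoSuch, var: Notice`). Until Bro reports the offending file and line itself, a pre-flight check over the tab-separated input catches both before the input framework ever sees the file. The following is an added example in plain Python, not Bro's code or anything from the tickets; the `Intel::Type` and `Notice::Type` allow-lists and both sample files are constructed, and the Intel list should be checked against the `Intel::Type` enum of the Bro version actually in use.

```python
"""Pre-flight check for tab-separated Bro input files before the ASCII reader
loads them (added example; not Bro's own code)."""
from __future__ import annotations

from typing import Dict, Iterable, List, Set, Tuple

# Constructed allow-list of Intel::Type names; verify against the Intel::Type
# enum shipped with your Bro version before relying on it.
INTEL_TYPES: Set[str] = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL", "Intel::DOMAIN",
    "Intel::USER_NAME", "Intel::FILE_HASH", "Intel::FILE_NAME", "Intel::CERT_HASH",
}

# Constructed allow-list of Notice::Type values for the second sample below.
NOTICE_TYPES: Set[str] = {"Weird::Activity", "SSH::Password_Guessing", "Scan::Port_Scan"}

Problem = Tuple[int, str]  # (1-based line number, description)


def validate_ascii_input(lines: Iterable[str], enum_columns: Dict[str, Set[str]],
                         separator: str = "\t") -> List[Problem]:
    """Return every problem the ASCII reader would trip over, with its line number.

    Checks: a #fields header precedes the data, every data line has exactly as
    many fields as the header declares (a doubled or trailing separator shifts
    columns and feeds an empty string to the enum lookup), and every value in an
    enum-typed column is in the given allow-list (Module::Name spelling matters).
    """
    problems: List[Problem] = []
    header: List[str] = []
    enum_index: Dict[str, int] = {}

    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#fields"):
            header = line.split(separator)[1:]
            enum_index = {name: header.index(name) for name in enum_columns if name in header}
            for name in enum_columns:
                if name not in header:
                    problems.append((lineno, f"#fields lacks enum column {name!r}"))
            continue
        if line.startswith("#"):
            continue  # #separator, #set_separator, #empty_field, #unset_field and friends
        if not header:
            problems.append((lineno, "data line before #fields header"))
            continue

        fields = line.split(separator)
        if len(fields) != len(header):
            detail = f"{len(fields)} fields but #fields declares {len(header)}"
            if line.endswith(separator):
                detail += " (trailing separator)"
            elif "" in fields:
                detail += " (empty field, probably a doubled separator)"
            problems.append((lineno, detail))
            continue

        for name, idx in enum_index.items():
            value = fields[idx]
            if value not in enum_columns[name]:
                problems.append((lineno, f"{name}: {value!r} is not a known enum value"))
    return problems


# Constructed sample in the BIT-1199 shape: the extra tab after downloader.com
# on line 3 shifts indicator_type to the empty string. Line 5 misspells the
# enum name, the BIT-1229 shape.
INTEL_SAMPLE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc",
    "198.51.100.7\tIntel::ADDR\tconstructed\tsample address",
    "downloader.com\t\tIntel::DOMAIN\tconstructed\tsample domain",
    "user@example.com\tIntel::EMAIL\tconstructed\tsample email",
    "evil.example\tIntel::DOMIAN\tconstructed\tmisspelled enum",
])

# Constructed sample for a table keyed by Notice::Type, as in an ignore list.
NOTICE_SAMPLE = "\n".join([
    "#fields\tnotice_type\treason",
    "Weird::Activity\tknown noisy host",
    "NoSuch::Notice\tdoes not exist",
])


def check_intel_sample() -> List[Problem]:
    return validate_ascii_input(INTEL_SAMPLE.splitlines(), {"indicator_type": INTEL_TYPES})


def check_notice_sample() -> List[Problem]:
    return validate_ascii_input(NOTICE_SAMPLE.splitlines(), {"notice_type": NOTICE_TYPES})


if __name__ == "__main__":
    for name, probs in (("intel", check_intel_sample()), ("notices", check_notice_sample())):
        for lineno, msg in probs:
            print(f"{name}:{lineno}: {msg}")
```

Running the module prints one `file:line: reason` per defect, which is exactly what the tickets ask Bro itself to emit; wiring the same function into whatever produces the intel or notice tables (a cron job, a feed converter) keeps a single stray tab from taking the sensor down at load time.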
From: jira at bro-tracker.atlassian.net (Matthias Vallentin (JIRA))
Date: Tue, 17 Mar 2015 17:37:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-672) Bring POP3 back into the distribution
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20014#comment-20014 ]

Matthias Vallentin commented on BIT-672:
----------------------------------------

We had a student refactoring the code, but his changes never got merged: https://github.com/albert-magyar/bro/tree/topic/pop3. He refactored the scripts and I find their quality is good enough for us to ship them with the distribution, albeit disabled.

> Bring POP3 back into the distribution
> -------------------------------------
>
>                 Key: BIT-672
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-672
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Matthias Vallentin
>            Assignee: Seth Hall
>             Fix For: 2.5
>
>
> The current master no longer has support for POP3. It lingers around but we need to bring it back into the distribution.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Tue Mar 17 15:45:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 17 Mar 2015 17:45:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20015#comment-20015 ] Johanna Amann commented on BIT-985: ----------------------------------- Thanks for the new patch. Cursory looking at it, it seems that this patch changes a lot of functionality in the Raw reader that seems to have nothing to do with skipping parts of the input file. Can you perhaps just sketch what else this patch changes? It seems to change something about how the buffering is done in the raw reader, but I am not quite sure what all this does on a first glance. > 'tail -f' functionality for file reading in input framework > ----------------------------------------------------------- > > Key: BIT-985 > URL: https://bro-tracker.atlassian.net/browse/BIT-985 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: scampbell > Assignee: Johanna Amann > Priority: Low > Fix For: 2.4 > > Attachments: input.diff, PATCH > > > With the current input framework, file data \-> event translation requires that the entire data file be read at bro start time. This can be prohibitive when the file sizes become large ( > 1GB ). > It would be great to see a file open option that would start reading at the end of the file. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 16:00:02 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Tue, 17 Mar 2015 18:00:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1305) Consider marking some attributes as deprecated In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1305: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > Consider marking some attributes as deprecated > ---------------------------------------------- > > Key: BIT-1305 > URL: https://bro-tracker.atlassian.net/browse/BIT-1305 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: Jon Siwek > Assignee: Robin Sommer > Fix For: 2.4 > > > Likely candidates for deprecation: > &rotate_interval > &rotate_size > &encrypt > &mergeable > &synchronize > &persistent > &group > While the mechanism I added in BIT-757 can't be used to mark attributes as deprecated, I'm thinking it's not difficult to just hard code the scanner to emit a warning when encountering certain attributes. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 16:00:02 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Tue, 17 Mar 2015 18:00:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1077) fix policy/protocols/http/header-names.bro In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1077?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1077: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > fix policy/protocols/http/header-names.bro > ------------------------------------------ > > Key: BIT-1077 > URL: https://bro-tracker.atlassian.net/browse/BIT-1077 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Jon Siwek > Assignee: Robin Sommer > Fix For: 2.4 > > > This script is wrong for the {{log_server_header_names}} case. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 16:00:02 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Tue, 17 Mar 2015 18:00:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1341) topic/dnthayer/fixes-for-2.4beta In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1341?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1341: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > topic/dnthayer/fixes-for-2.4beta > -------------------------------- > > Key: BIT-1341 > URL: https://bro-tracker.atlassian.net/browse/BIT-1341 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Assignee: Robin Sommer > Fix For: 2.4 > > > Branch topic/dnthayer/fixes-for-2.4beta in the broctl repo addresses the following issues: > -Improved test setup scripts to specify correct bro install prefix. > -Fix bug where "./configure --conf-files-dir" did not work > -Fix bug where "./configure --scriptdir" did not work > -Print error messages without showing Python stack trace > -Improved processing of node input args, to remove duplicates and sort > -Improved sorting of the output by node type and name > -Added the "deploy" command > -Update docs for the deploy command -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 16:00:03 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Tue, 17 Mar 2015 18:00:03 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1330) topic/python3-compat In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1330?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1330: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > topic/python3-compat > -------------------- > > Key: BIT-1330 > URL: https://bro-tracker.atlassian.net/browse/BIT-1330 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: pysubnettree > Reporter: Jon Siwek > Assignee: Robin Sommer > Fix For: 2.4 > > > Updates to pysubnettree for Python 3 compatibility: have to now consider that bytes are a distinct type from strings and allow the API to accept either. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 16:00:02 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Tue, 17 Mar 2015 18:00:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1332) Please merge topic/johanna/cert-validation In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1332: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > Please merge topic/johanna/cert-validation > ------------------------------------------ > > Key: BIT-1332 > URL: https://bro-tracker.atlassian.net/browse/BIT-1332 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: git/master > Reporter: Johanna Amann > Assignee: Robin Sommer > Fix For: 2.4 > > > Please merge topic/johanna/cert-validation. This is an update to the script used to validate certificates in SSL/TLS connections. Description from main commit: > {quote} > Update certificate validation script - new version will cache valid > intermediate chains that it encounters on the wire and use those to try > to validate chains that might be missing intermediate certificates. > This vastly improves the number of certificates that Bro can validate. > The only drawback is that now validation behavior is not entirely > predictable anymore - the certificate of a server can fail to validate > when Bro just started up (due to the intermediate missing), and succeed > later, when the intermediate can be found in the cache. > Has been tested on big-ish clusters and should not introduce any > performance problems. > {quote} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 16:01:00 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Tue, 17 Mar 2015 18:01:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1342) Occasional test failures In-Reply-To: References: Message-ID: Robin Sommer created BIT-1342: --------------------------------- Summary: Occasional test failures Key: BIT-1342 URL: https://bro-tracker.atlassian.net/browse/BIT-1342 Project: Bro Issue Tracker Issue Type: Problem Components: BroControl Reporter: Robin Sommer Fix For: 2.4 Two tests in current master fail for me occasionally (usually when I run the full broctl test-suite but not when I rerun just these failing tests). Diag output below. {code} command.start-stop-standalone ... failed % 'btest-diff stop.out' failed unexpectedly (exit code 1) % cat .diag == File =============================== stopping bro ... Exception in thread Thread-1 (most likely raised during interpreter shutdown): Traceback (most recent call last): File "/usr/lib64/python2.7/threading.py", line 811, in __bootstrap_inner File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", line File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", line File "/usr/lib64/python2.7/Queue.py", line 177, in get File "/usr/lib64/python2.7/threading.py", line 354, in wait : 'NoneType' object is not callable == Diff =============================== --- /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-stop-standalone/stop.out 2013-06-01 00:29:07.0000 +++ stop.out 2015-03-17 22:50:01.857838625 +0000 
@@ -1 +1,9 @@ stopping bro ... +Exception in thread Thread-1 (most likely raised during interpreter shutdown): +Traceback (most recent call last): + File "/usr/lib64/python2.7/threading.py", line 811, in __bootstrap_inner + File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", l + File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", l + File "/usr/lib64/python2.7/Queue.py", line 177, in get + File "/usr/lib64/python2.7/threading.py", line 354, in wait +: 'NoneType' object is not callable ======================================= [...] command.start-cluster-slowstart ... failed % 'btest-diff status2.out' failed unexpectedly (exit code 1) % cat .diag == File =============================== Getting process status ... Getting peer status ... Name Type Host Status Pid Peers Started manager manager localhost stopped proxy-1 proxy localhost stopped worker-1 worker localhost stopped worker-2 worker localhost stopped == Diff =============================== --- /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-cluster-slowstart/status2.out 2015-03-04 20:16 +++ status2.out 2015-03-17 22:50:26.578618684 +0000 @@ -3,5 +3,5 @@ Name Type Host Status Pid Peers Started manager manager localhost stopped proxy-1 proxy localhost stopped -worker-1 worker localhost crashed +worker-1 worker localhost stopped worker-2 worker localhost stopped ======================================= {code} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 16:01:00 2015 
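Review bot: in the stop.out hunk, Thread-1 is still blocked in Queue.get (threading.py wait, called from ssh_runner.py) while the interpreter is already tearing down, which is what produces the `'NoneType' object is not callable` traceback; rather than letting it leak into stop.out, ssh_runner.py should stop its worker thread before exit, for example by putting a sentinel on the queue and join()ing the thread in the shutdown path (or a bounded Queue.get timeout that checks a stop flag), so the output stays at the single `stopping bro ...` line the baseline expects.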
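Review bot: the status2.out hunk differs only in the state of worker-1 (`crashed` in the baseline, `stopped` in this run), and the ticket notes it fails under the full suite but not when rerun alone, so the test is taking a single status snapshot in a race with broctl noticing the crash; the test should wait, with a timeout, for worker-1 to reach the expected state before calling btest-diff, or the baseline will keep flapping under load.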
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Tue, 17 Mar 2015 18:01:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1199: ------------------------------ Status: Open (was: Merge Request) > Better error messages for input file errors in READER_ASCII > ----------------------------------------------------------- > > Key: BIT-1199 > URL: https://bro-tracker.atlassian.net/browse/BIT-1199 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: grigorescu > Assignee: Johanna Amann > Fix For: 2.4 > > Attachments: test.intel > > > This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with: > {code} > internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0 > {code} > The attached file contains an extra tab after downloader.com. > It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number. > I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number. > (Also, there's a typo in mappimg in the error message that's currently displayed). -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 16:23:00 2015 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Tue, 17 Mar 2015 18:23:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1303) pysubnettree tests should be changed to use btest In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1303: ------------------------------- Fix Version/s: (was: 2.5) 2.4 The branch topic/dnthayer/ticket1303 in pysubnettree repo contains these changes. > pysubnettree tests should be changed to use btest > ------------------------------------------------- > > Key: BIT-1303 > URL: https://bro-tracker.atlassian.net/browse/BIT-1303 > Project: Bro Issue Tracker > Issue Type: Problem > Components: pysubnettree > Reporter: Daniel Thayer > Fix For: 2.4 > > > The test cases in pysubnettree should be changed to use btest > so that the tests are easier to run and can be better organized > by splitting them into multiple test files. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 16:24:00 2015 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Tue, 17 Mar 2015 18:24:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1303) pysubnettree tests should be changed to use btest In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1303: ------------------------------- Status: Merge Request (was: Open) > pysubnettree tests should be changed to use btest > ------------------------------------------------- > > Key: BIT-1303 > URL: https://bro-tracker.atlassian.net/browse/BIT-1303 > Project: Bro Issue Tracker > Issue Type: Problem > Components: pysubnettree > Reporter: Daniel Thayer > Fix For: 2.4 > > > The test cases in pysubnettree should be changed to use btest > so that the tests are easier to run and can be better organized > by splitting them into multiple test files. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 16:39:00 2015 
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Tue, 17 Mar 2015 18:39:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1331) BroControl manager crashes when logs rotate
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20008#comment-20008 ]

Aaron Eppert edited comment on BIT-1331 at 3/17/15 6:38 PM:
------------------------------------------------------------

Encountering the same problem in a clustered configuration with only a single worker and proxy at the moment. Confirming the same error and the linked BIT-1253 ticket.

More data:

{noformat}
Bro 2.3-451-debug
Linux 2.6.32-504.8.1.el6.x86_64

==== reporter.log
{"ts":0.0,"level":"Reporter::ERROR","message":"no such index (Cluster::nodes[Intel::p$descr])","location":"/usr/local/bro/share/bro/base/frameworks/intel/./cluster.bro, line 37"}
{"ts":1426622062.691619,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
{"ts":1426622062.691619,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
{"ts":1426622072.075103,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
{"ts":1426622072.075103,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 6 bits of 0","location":""}
{"ts":0.0,"level":"Reporter::ERROR","message":"no such index (Cluster::nodes[Intel::p$descr])","location":"/usr/local/bro/share/bro/base/frameworks/intel/./cluster.bro, line 37"}
{"ts":1426622135.535154,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
{"ts":1426622140.709589,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
{"ts":1426622140.709589,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 6 bits of 0","location":""}
{"ts":0.0,"level":"Reporter::ERROR","message":"no such index (Cluster::nodes[Intel::p$descr])","location":"/usr/local/bro/share/bro/base/frameworks/intel/./cluster.bro, line 37"}

==== stderr.log
warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-detections/credit-card-exposure/./main.bro, line 83: deprecated (split_all)
warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-detections/credit-card-exposure/./main.bro, line 93: deprecated (join_string_array)
fatal error in : Val::CONVERTER (string/port) (80/tcp)

==== stdout.log
PacketFilter::LOG
X509::LOG
Software::LOG
SSH::LOG
DHCP::LOG
DNS::LOG
HTTP::LOG
SOCKS::LOG
DNP3::LOG
Known::HOSTS_LOG

==== .cmdline
-U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=manager

==== .status
TERMINATED [atexit]

==== No prof.log
{noformat}

was (Author: aeppert):
Encountering the same problem in a clustered configuration with only a single worker and proxy at the moment. Confirming the same error and the linked BIT-1253 ticket.

Also getting this:

fatal error in : val::CONVERTER (string/port) (80/tcp)

> BroControl manager crashes when logs rotate
> -------------------------------------------
>
>                 Key: BIT-1331
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1331
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.4
>         Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
>            Reporter: Josh Liburdi
>            Priority: High
>             Fix For: 2.4
>
>
> The BroControl manager crashes when the logs rotate. Workers run fine through this process.
> stderr.log output:
> internal error: finish missing
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup "$mybro" "$@"
> send-mail: SENDMAIL-NOTFOUND not found

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Tue Mar 17 17:40:02 2015
From: jira at bro-tracker.atlassian.net (scampbell (JIRA)) Date: Tue, 17 Mar 2015 19:40:02 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] scampbell updated BIT-985: -------------------------- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Absolutely - the key issues that I ran into with the first patch were dealing with file rotation under the reader and leaks in the data copying scheme. After spending a few days on the mem leak issues modifying the single use linear buffers (and mostly de-stabilizing everything), I reimplemented the whole thing as a ring buffer. My use case - reading a very rapidly moving log file - might be far enough away from the original design pattern of small reasonably static files that it is worth another type? On the other hand I might have just messed up the original work. If this makes no sense please let me know and I will look over my notes re the changes. thanks for looking into this, scott -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iEYEARECAAYFAlUIyPMACgkQK2Plq8B7ZByVQwCghwbGlmgetHNMkxicrms6wl69 d2EAoIXsHbv1JWPeXJ5rpWv2rAlfWpPQ =bKTE -----END PGP SIGNATURE----- > 'tail -f' functionality for file reading in input framework > ----------------------------------------------------------- > > Key: BIT-985 > URL: https://bro-tracker.atlassian.net/browse/BIT-985 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: scampbell > Assignee: Johanna Amann > Priority: Low > Fix For: 2.4 > > Attachments: input.diff, PATCH > > > With the current input framework, file data \-> event translation requires that the entire data file be read at bro start time. 
This can be prohibitive when the file sizes become large ( > 1GB ). > It would be great to see a file open option that would start reading at the end of the file. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 18:22:01 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 17 Mar 2015 20:22:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20018#comment-20018 ] Johanna Amann commented on BIT-985: ----------------------------------- Thank you for that explanation. I assume that raw_unescape_URI function made it into the patch by accident? > 'tail -f' functionality for file reading in input framework > ----------------------------------------------------------- > > Key: BIT-985 > URL: https://bro-tracker.atlassian.net/browse/BIT-985 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: scampbell > Assignee: Johanna Amann > Priority: Low > Fix For: 2.4 > > Attachments: input.diff, PATCH > > > With the current input framework, file data \-> event translation requires that the entire data file be read at bro start time. This can be prohibitive when the file sizes become large ( > 1GB ). > It would be great to see a file open option that would start reading at the end of the file. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Tue Mar 17 18:30:00 2015 
From: jira at bro-tracker.atlassian.net (scampbell (JIRA)) Date: Tue, 17 Mar 2015 20:30:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-985) 'tail -f' functionality for file reading in input framework In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-985?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] scampbell updated BIT-985: -------------------------- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yes - sorry about that! scott -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iEYEARECAAYFAlUI1MoACgkQK2Plq8B7ZBxKawCgpxUNSI21dDqcDg5o49g8JKUq Q3AAoKFtR//MMCSyCke5670RdA1nGfEw =HHK7 -----END PGP SIGNATURE----- > 'tail -f' functionality for file reading in input framework > ----------------------------------------------------------- > > Key: BIT-985 > URL: https://bro-tracker.atlassian.net/browse/BIT-985 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: git/master > Reporter: scampbell > Assignee: Johanna Amann > Priority: Low > Fix For: 2.4 > > Attachments: input.diff, PATCH > > > With the current input framework, file data \-> event translation requires that the entire data file be read at bro start time. This can be prohibitive when the file sizes become large ( > 1GB ). > It would be great to see a file open option that would start reading at the end of the file. -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From noreply at bro.org Wed Mar 18 00:00:21 2015 
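The BIT-985 thread above asks for a reader that starts at the end of a large file and keeps up with a fast-moving log, and names file rotation as the part that bit the first patch. This added example sketches those semantics in plain Python; it is not Bro's Raw reader and not the patch under review. It starts at EOF so history is never replayed, hands back only complete lines, drains the old descriptor before switching when the inode at the path changes (a logrotate-style rename), and re-reads from the start when the file shrinks in place. The file name and the walk-through scenario are constructed.

```python
"""Follow a growing, rotating file from its end, the way 'tail -F' does.
Added example in plain Python; this is not Bro's Raw reader."""
import os
import tempfile
from typing import List, Optional, Tuple


class TailFollower:
    """Poll-driven line reader that starts at EOF and survives rotation and truncation.

    Rotation: the (device, inode) behind the path changes; the old descriptor is
    drained first so lines written just before the rename are not lost.
    Truncation: the file shrinks below our read offset. A file truncated and
    regrown past the old offset between two polls looks like normal growth.
    """

    def __init__(self, path: str, start_at_end: bool = True) -> None:
        self.path = path
        self._fh = None
        self._ident: Optional[Tuple[int, int]] = None
        self._buf = b""
        self._open(seek_end=start_at_end)

    def _open(self, seek_end: bool) -> None:
        fh = open(self.path, "rb")
        st = os.fstat(fh.fileno())
        if seek_end:
            fh.seek(0, os.SEEK_END)  # skip history: the requested 'start at the end' option
        self._fh, self._ident, self._buf = fh, (st.st_dev, st.st_ino), b""

    def _rotated_or_truncated(self) -> bool:
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return False  # renamed away, replacement not created yet: keep draining old fh
        if (st.st_dev, st.st_ino) != self._ident:
            return True   # a different file now sits at the path
        return st.st_size < self._fh.tell()  # same file, shrunk in place

    def _read_lines(self) -> List[bytes]:
        chunk = self._fh.read()
        if not chunk:
            return []
        self._buf += chunk
        *complete, self._buf = self._buf.split(b"\n")  # keep the partial tail for next poll
        return complete

    def poll(self) -> List[bytes]:
        """Return complete new lines since the last poll, without the newline."""
        lines = self._read_lines()
        if self._rotated_or_truncated():
            if self._buf:
                lines.append(self._buf)  # the old file will not grow any more
            self._fh.close()
            self._open(seek_end=False)  # fresh content: read it from the start
            lines.extend(self._read_lines())
        return lines

    def close(self) -> None:
        self._fh.close()


def run_scenario() -> List[List[bytes]]:
    """Constructed walk-through: start at EOF, append, complete a partial line,
    rotate by rename, truncate in place. Returns what each poll yielded."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "conn.log")
        with open(path, "wb") as f:
            f.write(b"old line 1\nold line 2\n")   # history that must not be replayed
        tail = TailFollower(path)
        seen = [tail.poll()]
        with open(path, "ab") as f:
            f.write(b"new line 1\npartial")
        seen.append(tail.poll())
        with open(path, "ab") as f:
            f.write(b" done\n")
        seen.append(tail.poll())
        os.replace(path, path + ".1")              # logrotate-style rename
        with open(path, "wb") as f:
            f.write(b"after rotate\n")
        seen.append(tail.poll())
        with open(path, "wb") as f:                # truncate in place
            f.write(b"t1\n")
        seen.append(tail.poll())
        tail.close()
        return seen


if __name__ == "__main__":
    for i, lines in enumerate(run_scenario()):
        print(i, lines)
```

Two design points carry over to any reader of this kind: the inode check, not the path, is what tells a rotated file from a grown one, and a partial last line must be buffered rather than emitted, or a record split across two reads is delivered as two broken records.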
From: noreply at bro.org (Merge Tracker)
Date: Wed, 18 Mar 2015 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503180700.t2I70LCB014034@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee    Updated     For Version    Priority    Summary
------------  ------------  -------------  ----------  ----------  -------------  ----------  -------------------------------------------------
BIT-1340 [1]  Bro           Seth Hall      Jon Siwek   2015-03-13  2.4            Normal      RDP analyzer (topic/seth/rdp)
BIT-1303 [2]  pysubnettree  Daniel Thayer  -           2015-03-17  2.4            Normal      pysubnettree tests should be changed to use btest

Open Fastpath Commits
=====================

Commit       Component    Author          Date        Summary
-----------  -----------  --------------  ----------  -----------------------------------------------------------
31795e7 [3]  bro          Johanna Amann   2015-03-10  When setting the SSL analyzer to fail, also stop processing

Open GitHub Pull Requests
=========================

Issue    Component    User           Updated     Title
-------  -----------  -------------  ----------  --------------------------------------------------------------------------
#28 [4]  bro          aeppert [5]    2015-03-18  Seems to fix a case where an entry in the table may be null on insert. [6]
#27 [7]  bro          petiepooo [8]  2015-03-14  Add defensive check for localtime_r() call [9]

[1] BIT-1340            https://bro-tracker.atlassian.net/browse/BIT-1340
[2] BIT-1303            https://bro-tracker.atlassian.net/browse/BIT-1303
[3] 31795e7             https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3
[4] Pull Request #28    https://github.com/bro/bro/pull/28
[5] aeppert             https://github.com/aeppert
[6] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master
[7] Pull Request #27    https://github.com/bro/bro/pull/27
[8] petiepooo           https://github.com/petiepooo
[9] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv

From jira at bro-tracker.atlassian.net Wed Mar 18 09:37:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Wed, 18 Mar 2015 11:37:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1343) Add Support for Including Common PAC Files
In-Reply-To:
References:
Message-ID:

grigorescu created BIT-1343:
-------------------------------

             Summary: Add Support for Including Common PAC Files
                 Key: BIT-1343
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1343
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BinPAC
            Reporter: grigorescu
            Priority: Low

With some new analyzers, we're duplicating code that we're shipping with Bro, due to a limitation in BinPAC - currently, BinPAC doesn't support %include-ing files from other directories.

ASN.1 is a good example of this - SNMP and Kerberos both need a copy of the same ASN.1 parsing code. SMB also has some overlap with other analyzers.

I tried the obvious fix of adding parsing support for {{%include ../snmp/asn1.pac}}, but the include paths get mixed up and compilation fails. I believe this should be a relatively simple fix.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 10:10:01 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Wed, 18 Mar 2015 12:10:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-947) Incorrect size calculation for SSH failed/successful heuristic
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20020#comment-20020 ]

grigorescu commented on BIT-947:
--------------------------------

Yes - since the new SSH analyzer does away with the heuristic entirely, this issue will be addressed.

> Incorrect size calculation for SSH failed/successful heuristic
> --------------------------------------------------------------
>
> Key: BIT-947
> URL: https://bro-tracker.atlassian.net/browse/BIT-947
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: grigorescu
> Priority: Low
> Fix For: 2.4
>
>
> We're getting a lot of false positives for successful SSH logins from a source that we recently blackholed. I suspect what's happening is that the retransmissions keep bumping up the size of the connection, until it crosses the threshold for a "successful" connection.
> With the changes from BIT-730: Find and fix tcp sequence counting bugs, is it possible to improve the accuracy of the reported size?

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 10:12:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Wed, 18 Mar 2015 12:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

grigorescu updated BIT-1344:
----------------------------

Status: Merge Request (was: Open)

> New SSH Analyzer
> ----------------
>
> Key: BIT-1344
> URL: https://bro-tracker.atlassian.net/browse/BIT-1344
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: grigorescu
>
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 10:12:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Wed, 18 Mar 2015 12:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
In-Reply-To:
References:
Message-ID:

grigorescu created BIT-1344:
-------------------------------

Summary: New SSH Analyzer
Key: BIT-1344
URL: https://bro-tracker.atlassian.net/browse/BIT-1344
Project: Bro Issue Tracker
Issue Type: Improvement
Components: Bro
Affects Versions: 2.4
Reporter: grigorescu

The SSH analyzer was rewritten from scratch in topic/vladg/ssh.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 10:34:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 18 Mar 2015 12:34:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1344:
----------------------------------

Assignee: Johanna Amann

> New SSH Analyzer
> ----------------
>
> Key: BIT-1344
> URL: https://bro-tracker.atlassian.net/browse/BIT-1344
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: grigorescu
> Assignee: Johanna Amann
>
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 11:17:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Wed, 18 Mar 2015 13:17:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1345) Crash due to a bad dictionary insert
In-Reply-To:
References:
Message-ID:

Aaron Eppert created BIT-1345:
---------------------------------

Summary: Crash due to a bad dictionary insert
Key: BIT-1345
URL: https://bro-tracker.atlassian.net/browse/BIT-1345
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Reporter: Aaron Eppert
Priority: High

#0 0x0000000000713b87 in Dictionary::Insert (this=0x1339840, new_entry=0xb18a9d0, copy_key=0) at /root//bro/src/Dict.cc:419
#1 0x00000000007130b0 in Dictionary::Insert (this=0x1339840, key=0xa23f6d0, key_size=36, hash=658668102, val=0x67fde40, copy_key=0) at /root//bro/src/Dict.cc:158
#2 0x00000000006cb508 in Dictionary::Insert (this=0x1339840, key=0x7ffff4ba81b0, val=0x67fde40) at /root//bro/src/Dict.h:47
#3 0x000000000077ee9b in IDPDict::Insert (this=0x1339840, key=0xebf780 "#-..#21703#1182", val=0x67fde40) at /root//bro/src/Scope.h:18
#4 0x000000000077ef05 in Scope::Insert (this=0x133a8b0, name=0xebf780 "#-..#21703#1182", id=0x67fde40) at /root//bro/src/Scope.h:26
#5 0x00000000008010cc in MutableVal::Bind (this=0x14f451f0) at /root//bro/src/Val.cc:624
#6 0x0000000000800ec8 in MutableVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root//bro/src/Val.cc:558
#7 0x000000000080a8d6 in RecordVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root//bro/src/Val.cc:2866
#8 0x0000000000805948 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, k=0x0, new_val=0x14f451f0, op=OP_ASSIGN) at /root//bro/src/Val.cc:1502
#9 0x0000000000805501 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, new_val=0x14f451f0, op=OP_ASSIGN) at /root//bro/src/Val.cc:1442
#10 0x0000000000738b13 in IndexExpr::Assign (this=0x2087350, f=0x12073280, v=0x14f451f0, op=OP_ASSIGN) at /root//bro/src/Expr.cc:3135
#11 0x00000000007362a2 in RefExpr::Assign (this=0x2087540, f=0x12073280, v=0x14f451f0, opcode=OP_ASSIGN) at /root//bro/src/Expr.cc:2463
#12 0x00000000007370ea in AssignExpr::Eval (this=0x20874d0, f=0x12073280) at /root//bro/src/Expr.cc:2673
#13 0x00000000007e22bb in ExprStmt::Exec (this=0x2087660, f=0x12073280, flow=@0x7ffff4ba8624) at /root//bro/src/Stmt.cc:369
#14 0x00000000007e8375 in StmtList::Exec (this=0x2082c80, f=0x12073280, flow=@0x7ffff4ba8624) at /root//bro/src/Stmt.cc:1764
#15 0x000000000074e6cd in BroFunc::Call (this=0x2087e70, args=0x13525bb0, parent=0x0) at /root//bro/src/Func.cc:386
#16 0x0000000000725883 in EventHandler::Call (this=0x2082160, vl=0x13525bb0, no_remote=false) at /root//bro/src/EventHandler.cc:80
#17 0x00000000006d8cc2 in Event::Dispatch (this=0x620e610, no_remote=false) at /root//bro/src/Event.h:50
#18 0x0000000000724ef7 in EventMgr::Dispatch (this=0xebd400) at /root//bro/src/Event.cc:111
#19 0x0000000000725032 in EventMgr::Drain (this=0xebd400) at /root//bro/src/Event.cc:128
#20 0x0000000000788828 in net_packet_dispatch (t=1426626559.98401, hdr=0x3314d40, pkt=0x7f14a8b464cc, hdr_size=14, src_ps=0x3314c00) at /root//bro/src/Net.cc:278
#21 0x0000000000a786d5 in iosource::PktSrc::Process (this=0x3314c00) at /root//bro/src/iosource/PktSrc.cc:411
#22 0x00000000007889f8 in net_run () at /root//bro/src/Net.cc:320
#23 0x00000000006d8157 in main (argc=20, argv=0x7ffff4ba9188) at /root//bro/src/main.cc:1200

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 11:18:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Wed, 18 Mar 2015 13:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1345) Crash due to a bad dictionary insert
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20021#comment-20021 ]

Aaron Eppert commented on BIT-1345:
-----------------------------------

https://github.com/bro/bro/pull/28 is the proposed fix for this problem.

> Crash due to a bad dictionary insert
> ------------------------------------
>
> Key: BIT-1345
> URL: https://bro-tracker.atlassian.net/browse/BIT-1345
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Aaron Eppert
> Priority: High
>
> #0 0x0000000000713b87 in Dictionary::Insert (this=0x1339840, new_entry=0xb18a9d0, copy_key=0) at /root//bro/src/Dict.cc:419
> #1 0x00000000007130b0 in Dictionary::Insert (this=0x1339840, key=0xa23f6d0, key_size=36, hash=658668102, val=0x67fde40, copy_key=0) at /root//bro/src/Dict.cc:158
> #2 0x00000000006cb508 in Dictionary::Insert (this=0x1339840, key=0x7ffff4ba81b0, val=0x67fde40) at /root//bro/src/Dict.h:47
> #3 0x000000000077ee9b in IDPDict::Insert (this=0x1339840, key=0xebf780 "#-..#21703#1182", val=0x67fde40) at /root//bro/src/Scope.h:18
> #4 0x000000000077ef05 in Scope::Insert (this=0x133a8b0, name=0xebf780 "#-..#21703#1182", id=0x67fde40) at /root//bro/src/Scope.h:26
> #5 0x00000000008010cc in MutableVal::Bind (this=0x14f451f0) at /root//bro/src/Val.cc:624
> #6 0x0000000000800ec8 in MutableVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root//bro/src/Val.cc:558
> #7 0x000000000080a8d6 in RecordVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root//bro/src/Val.cc:2866
> #8 0x0000000000805948 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, k=0x0, new_val=0x14f451f0, op=OP_ASSIGN) at /root//bro/src/Val.cc:1502
> #9 0x0000000000805501 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, new_val=0x14f451f0, op=OP_ASSIGN) at /root//bro/src/Val.cc:1442
> #10 0x0000000000738b13 in IndexExpr::Assign (this=0x2087350, f=0x12073280, v=0x14f451f0, op=OP_ASSIGN) at /root//bro/src/Expr.cc:3135
> #11 0x00000000007362a2 in RefExpr::Assign (this=0x2087540, f=0x12073280, v=0x14f451f0, opcode=OP_ASSIGN) at /root//bro/src/Expr.cc:2463
> #12 0x00000000007370ea in AssignExpr::Eval (this=0x20874d0, f=0x12073280) at /root//bro/src/Expr.cc:2673
> #13 0x00000000007e22bb in ExprStmt::Exec (this=0x2087660, f=0x12073280, flow=@0x7ffff4ba8624) at /root//bro/src/Stmt.cc:369
> #14 0x00000000007e8375 in StmtList::Exec (this=0x2082c80, f=0x12073280, flow=@0x7ffff4ba8624) at /root//bro/src/Stmt.cc:1764
> #15 0x000000000074e6cd in BroFunc::Call (this=0x2087e70, args=0x13525bb0, parent=0x0) at /root//bro/src/Func.cc:386
> #16 0x0000000000725883 in EventHandler::Call (this=0x2082160, vl=0x13525bb0, no_remote=false) at /root//bro/src/EventHandler.cc:80
> #17 0x00000000006d8cc2 in Event::Dispatch (this=0x620e610, no_remote=false) at /root//bro/src/Event.h:50
> #18 0x0000000000724ef7 in EventMgr::Dispatch (this=0xebd400) at /root//bro/src/Event.cc:111
> #19 0x0000000000725032 in EventMgr::Drain (this=0xebd400) at /root//bro/src/Event.cc:128
> #20 0x0000000000788828 in net_packet_dispatch (t=1426626559.98401, hdr=0x3314d40, pkt=0x7f14a8b464cc, hdr_size=14, src_ps=0x3314c00) at /root//bro/src/Net.cc:278
> #21 0x0000000000a786d5 in iosource::PktSrc::Process (this=0x3314c00) at /root//bro/src/iosource/PktSrc.cc:411
> #22 0x00000000007889f8 in net_run () at /root//bro/src/Net.cc:320
> #23 0x00000000006d8157 in main (argc=20, argv=0x7ffff4ba9188) at /root//bro/src/main.cc:1200

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 11:24:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Wed, 18 Mar 2015 13:24:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1345) Crash due to a bad dictionary insert
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1345:
---------------------------

Fix Version/s: 2.4

> Crash due to a bad dictionary insert
> ------------------------------------
>
> Key: BIT-1345
> URL: https://bro-tracker.atlassian.net/browse/BIT-1345
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Aaron Eppert
> Priority: High
> Fix For: 2.4
>
>
> #0 0x0000000000713b87 in Dictionary::Insert (this=0x1339840, new_entry=0xb18a9d0, copy_key=0) at /root//bro/src/Dict.cc:419
> #1 0x00000000007130b0 in Dictionary::Insert (this=0x1339840, key=0xa23f6d0, key_size=36, hash=658668102, val=0x67fde40, copy_key=0) at /root//bro/src/Dict.cc:158
> #2 0x00000000006cb508 in Dictionary::Insert (this=0x1339840, key=0x7ffff4ba81b0, val=0x67fde40) at /root//bro/src/Dict.h:47
> #3 0x000000000077ee9b in IDPDict::Insert (this=0x1339840, key=0xebf780 "#-..#21703#1182", val=0x67fde40) at /root//bro/src/Scope.h:18
> #4 0x000000000077ef05 in Scope::Insert (this=0x133a8b0, name=0xebf780 "#-..#21703#1182", id=0x67fde40) at /root//bro/src/Scope.h:26
> #5 0x00000000008010cc in MutableVal::Bind (this=0x14f451f0) at /root//bro/src/Val.cc:624
> #6 0x0000000000800ec8 in MutableVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root//bro/src/Val.cc:558
> #7 0x000000000080a8d6 in RecordVal::AddProperties (this=0x14f451f0, arg_props=2 '\002') at /root//bro/src/Val.cc:2866
> #8 0x0000000000805948 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, k=0x0, new_val=0x14f451f0, op=OP_ASSIGN) at /root//bro/src/Val.cc:1502
> #9 0x0000000000805501 in TableVal::Assign (this=0xb1dab00, index=0x13e81770, new_val=0x14f451f0, op=OP_ASSIGN) at /root//bro/src/Val.cc:1442
> #10 0x0000000000738b13 in IndexExpr::Assign (this=0x2087350, f=0x12073280, v=0x14f451f0, op=OP_ASSIGN) at /root//bro/src/Expr.cc:3135
> #11 0x00000000007362a2 in RefExpr::Assign (this=0x2087540, f=0x12073280, v=0x14f451f0, opcode=OP_ASSIGN) at /root//bro/src/Expr.cc:2463
> #12 0x00000000007370ea in AssignExpr::Eval (this=0x20874d0, f=0x12073280) at /root//bro/src/Expr.cc:2673
> #13 0x00000000007e22bb in ExprStmt::Exec (this=0x2087660, f=0x12073280, flow=@0x7ffff4ba8624) at /root//bro/src/Stmt.cc:369
> #14 0x00000000007e8375 in StmtList::Exec (this=0x2082c80, f=0x12073280, flow=@0x7ffff4ba8624) at /root//bro/src/Stmt.cc:1764
> #15 0x000000000074e6cd in BroFunc::Call (this=0x2087e70, args=0x13525bb0, parent=0x0) at /root//bro/src/Func.cc:386
> #16 0x0000000000725883 in EventHandler::Call (this=0x2082160, vl=0x13525bb0, no_remote=false) at /root//bro/src/EventHandler.cc:80
> #17 0x00000000006d8cc2 in Event::Dispatch (this=0x620e610, no_remote=false) at /root//bro/src/Event.h:50
> #18 0x0000000000724ef7 in EventMgr::Dispatch (this=0xebd400) at /root//bro/src/Event.cc:111
> #19 0x0000000000725032 in EventMgr::Drain (this=0xebd400) at /root//bro/src/Event.cc:128
> #20 0x0000000000788828 in net_packet_dispatch (t=1426626559.98401, hdr=0x3314d40, pkt=0x7f14a8b464cc, hdr_size=14, src_ps=0x3314c00) at /root//bro/src/Net.cc:278
> #21 0x0000000000a786d5 in iosource::PktSrc::Process (this=0x3314c00) at /root//bro/src/iosource/PktSrc.cc:411
> #22 0x00000000007889f8 in net_run () at /root//bro/src/Net.cc:320
> #23 0x00000000006d8157 in main (argc=20, argv=0x7ffff4ba9188) at /root//bro/src/main.cc:1200

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 11:47:00 2015
From: jira at bro-tracker.atlassian.net (Aashish Sharma (JIRA))
Date: Wed, 18 Mar 2015 13:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1326) Broctl installation requires sqlite but does not check for its presence
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20022#comment-20022 ]

Aashish Sharma commented on BIT-1326:
-------------------------------------

I am trying to test some stuff with the current master on FreeBSD. Any idea when this would be fixed and/or any hints on a workaround?

Thanks,

> Broctl installation requires sqlite but does not check for its presence
> -----------------------------------------------------------------------
>
> Key: BIT-1326
> URL: https://bro-tracker.atlassian.net/browse/BIT-1326
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.4
>
>
> Trying to start broctl on a new installation of FreeBSD with a standard python installation results in the following error message upon first start:
> {code}
> [bro at marge ~/master]$ broctl
> Traceback (most recent call last):
>   File "/xa/bro/master/bin/broctl", line 29, in
>     from BroControl.broctl import BroCtl
>   File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 8, in
>     from BroControl import util
>   File "/xa/bro/master/lib/broctl/BroControl/util.py", line 6, in
>     from BroControl import config
>   File "/xa/bro/master/lib/broctl/BroControl/config.py", line 10, in
>     from .state import SqliteState
>   File "/xa/bro/master/lib/broctl/BroControl/state.py", line 2, in
>     import sqlite3
>   File "/usr/local/lib/python2.7/sqlite3/__init__.py", line 24, in
>     from dbapi2 import *
>   File "/usr/local/lib/python2.7/sqlite3/dbapi2.py", line 28, in
>     from _sqlite3 import *
> ImportError: No module named _sqlite3
> {code}
> We should probably check for the module in cmake and refuse installation if it is not present.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 12:01:03 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 18 Mar 2015 14:01:03 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1326) Broctl installation requires sqlite but does not check for its presence
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20023#comment-20023 ]

Daniel Thayer commented on BIT-1326:
------------------------------------

On FreeBSD, you need to install a package called py27-sqlite3.

> Broctl installation requires sqlite but does not check for its presence
> -----------------------------------------------------------------------
>
> Key: BIT-1326
> URL: https://bro-tracker.atlassian.net/browse/BIT-1326
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.4
>
>
> Trying to start broctl on a new installation of FreeBSD with a standard python installation results in the following error message upon first start:
> {code}
> [bro at marge ~/master]$ broctl
> Traceback (most recent call last):
>   File "/xa/bro/master/bin/broctl", line 29, in
>     from BroControl.broctl import BroCtl
>   File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 8, in
>     from BroControl import util
>   File "/xa/bro/master/lib/broctl/BroControl/util.py", line 6, in
>     from BroControl import config
>   File "/xa/bro/master/lib/broctl/BroControl/config.py", line 10, in
>     from .state import SqliteState
>   File "/xa/bro/master/lib/broctl/BroControl/state.py", line 2, in
>     import sqlite3
>   File "/usr/local/lib/python2.7/sqlite3/__init__.py", line 24, in
>     from dbapi2 import *
>   File "/usr/local/lib/python2.7/sqlite3/dbapi2.py", line 28, in
>     from _sqlite3 import *
> ImportError: No module named _sqlite3
> {code}
> We should probably check for the module in cmake and refuse installation if it is not present.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 12:01:03 2015
From: jira at bro-tracker.atlassian.net (Aashish Sharma (JIRA))
Date: Wed, 18 Mar 2015 14:01:03 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1326) Broctl installation requires sqlite but does not check for its presence
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1326?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20024#comment-20024 ]

Aashish Sharma commented on BIT-1326:
-------------------------------------

Installing py27-sqlite3 does fix the issue on 10.1-RELEASE-p5.

Thanks!

> Broctl installation requires sqlite but does not check for its presence
> -----------------------------------------------------------------------
>
> Key: BIT-1326
> URL: https://bro-tracker.atlassian.net/browse/BIT-1326
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.4
>
>
> Trying to start broctl on a new installation of FreeBSD with a standard python installation results in the following error message upon first start:
> {code}
> [bro at marge ~/master]$ broctl
> Traceback (most recent call last):
>   File "/xa/bro/master/bin/broctl", line 29, in
>     from BroControl.broctl import BroCtl
>   File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 8, in
>     from BroControl import util
>   File "/xa/bro/master/lib/broctl/BroControl/util.py", line 6, in
>     from BroControl import config
>   File "/xa/bro/master/lib/broctl/BroControl/config.py", line 10, in
>     from .state import SqliteState
>   File "/xa/bro/master/lib/broctl/BroControl/state.py", line 2, in
>     import sqlite3
>   File "/usr/local/lib/python2.7/sqlite3/__init__.py", line 24, in
>     from dbapi2 import *
>   File "/usr/local/lib/python2.7/sqlite3/dbapi2.py", line 28, in
>     from _sqlite3 import *
> ImportError: No module named _sqlite3
> {code}
> We should probably check for the module in cmake and refuse installation if it is not present.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 12:14:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Wed, 18 Mar 2015 14:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related
In-Reply-To:
References:
Message-ID:

Aaron Eppert created BIT-1346:
---------------------------------

Summary: Val::CONVERTER Fatal Error - Sumstats Related
Key: BIT-1346
URL: https://bro-tracker.atlassian.net/browse/BIT-1346
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: git/master
Reporter: Aaron Eppert
Priority: Critical

Bro 2.3-451-debug
Linux 2.6.32-504.8.1.el6.x86_64

==== reporter.log
{"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
{"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
{"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
{"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
{"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
{"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
{"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
{"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
{"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
{"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}

==== stderr.log
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment:
unlimited
unlimited
unlimited
unlimited
fatal error in : Val::CONVERTER (string/port) (80/tcp)

==== stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited

==== .cmdline
-U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=manager

==== .status
TERMINATED [atexit]

==== No prof.log
==== No packet_filter.log
==== No loaded_scripts.log

#0 0x0000003345c32625 in raise () from /lib64/libc.so.6
#1 0x0000003345c33e05 in abort () from /lib64/libc.so.6
#2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
#3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") at /root/ane/bro/src/Obj.cc:134
#4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) at /root/ane/bro/src/Val.h:282
#5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto (frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153
#6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
#7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) at /root/ane/bro/src/Expr.cc:4920
#8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) at /root/ane/bro/src/Expr.cc:2669
#9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369
#10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484
#11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373
#12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764
#13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386
#14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) at /root/ane/bro/src/Expr.cc:4920
#15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369
#16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0, flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764
#17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386
#18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) at /root/ane/bro/src/Expr.cc:4920
#19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369
#20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484
#21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373
#22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764
#23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386
#24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) at /root/ane/bro/src/Expr.cc:4920
#25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369
#26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50, flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764
#27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386
#28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) at /root/ane/bro/src/Expr.cc:4920
#29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369
#30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
#31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
#32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, parent=0x5682490) at /root/ane/bro/src/Func.cc:386
#33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) at /root/ane/bro/src/Expr.cc:4920
#34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369
#35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
#36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484
#37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373
#38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
#39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, parent=0x51654a0) at /root/ane/bro/src/Func.cc:386
#40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) at /root/ane/bro/src/Expr.cc:4920
#41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369
#42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
#43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484
#44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373
#45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
#46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, parent=0x0) at /root/ane/bro/src/Func.cc:386
#47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
#48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) at /root/ane/bro/src/Event.h:50
#49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, no_remote=true) at /root/ane/bro/src/Event.h:98
#50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) at /root/ane/bro/src/RemoteSerializer.cc:1439
#51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320
#52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) at /root/ane/bro/src/main.cc:1200

(gdb) frame 2
#2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
92 /root/ane/bro/src/Reporter.cc: No such file or directory.
 in /root/ane/bro/src/Reporter.cc
(gdb) print *this
$11 = {errors = 1, via_events = true, in_error_handler = 0, info_to_stderr = true, warnings_to_stderr = false, errors_to_stderr = false, locations = std::list = {[0] = {first = 0xebf480, second = 0x0}}}

(gdb) frame 3
#3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") at /root/ane/bro/src/Obj.cc:134
134 /root/ane/bro/src/Obj.cc: No such file or directory.
 in /root/ane/bro/src/Obj.cc
(gdb) print *this
$12 = { = {_vptr.SerialObj = 0xb08370, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 34822}, in_ser_cache = false, location = 0x0, notify_plugins = false, ref_cnt = 5, static suppress_errors = 0}
(gdb) print *this
$13 = { = { = {_vptr.SerialObj = 0xb08370, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 34822}, in_ser_cache = false, location = 0x0, notify_plugins = false, ref_cnt = 5, static suppress_errors = 0}, static register_type = {}, tid = {id = 2684174, static counter = 2684785}, val = {int_val = 80599088, uint_val = 80599088, addr_val = 0x4cdd830, subnet_val = 0x4cdd830, double_val = 3.9821240466935464e-316, string_val = 0x4cdd830, func_val = 0x4cdd830, file_val = 0x4cdd830, re_val = 0x4cdd830, table_val = 0x4cdd830, val_list_val = 0x4cdd830, vector_val = 0x4cdd830}, type = 0x1c30fb0, bound_id = 0x0}
(gdb) print *this->val->string_val
$14 = {static EXPANDED_STRING = 39, static BRO_STRING_LITERAL = 56, b = 0x4bbbd40 "80/tcp", n = 6, final_NUL = 1, use_free_to_delete = 0}
(gdb) print *this->val->table_val
$16 = { = {_vptr.Dictionary = 0x4bbbd40, tbl = 0x100000006, num_buckets = 32, num_entries = 0, max_num_entries = 81, den_thresh = 5.7159126496652157e-317, thresh_entries = 0, tbl2 = 0x0, num_buckets2 = 875836160, num_entries2 = 1, max_num_entries2 = 1225167, den_thresh2 = 1426703154.9832709, thresh_entries2 = 29612816, tbl_next_ind = 0, order = 0x65746163696669, delete_func = 0x61, cookies = { = {entry = 0x2377ff0, chunk_size = 92305888, max_entries = 0, num_entries = 78707}, }}, }

(gdb) frame 6
#6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
564 /root/ane/bro/src/Func.cc: No such file or directory.
 in /root/ane/bro/src/Func.cc
(gdb) print *this
$21 = { = { = { = {_vptr.SerialObj = 0xaf1550, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, in_ser_cache = false, location = 0x217e9c0, notify_plugins = false, ref_cnt = 2, static suppress_errors = 0}, bodies = std::vector of length 0, capacity 0, scope = 0x0, kind = Func::BUILTIN_FUNC, type = 0x1cc9fb0, name = "get_port_transport_proto", unique_id = 677, static unique_ids = { >> = { _M_impl = {> = {<__gnu_cxx::new_allocator> = {}, }, _M_start = 0x3125ac0, _M_finish = 0x31280e8, _M_end_of_storage = 0x3129ac0}}, }}, static register_type = {}, tid = {id = 35977, static counter = 2684785}, func = 0x75ae6e , is_pure = 0}
(gdb) print *this->location
$22 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, filename = 0x2173970 "/usr/local/bro/share/bro/base/bif/plugins/./Bro_X509.functions.bif.bro", first_line = 69, last_line = 69, first_column = 0, last_column = 0, delete_data = false, timestamp = 0, text = 0x0, static register_type = {}, tid = {id = 35976, static
counter = 2684785}} (gdb) frame 7 #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) at /root/ane/bro/src/Expr.cc:4920 4920 /root/ane/bro/src/Expr.cc: No such file or directory. in /root/ane/bro/src/Expr.cc (gdb) print *this $23 = { = { = { = {_vptr.SerialObj = 0xae6b10, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, in_ser_cache = false, location = 0x2299b00, notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, tag = EXPR_CALL, type = 0x1c34890, paren = 0}, static register_type = {}, tid = {id = 44070, static counter = 2684785}, func = 0x2299690, args = 0x2299870} (gdb) (gdb) print *this->location $24 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, delete_data = false, timestamp = 0, text = 0x0, static register_type = {}, tid = {id = 44069, static counter = 2684785}} (gdb) (gdb) frame 8 #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) at /root/ane/bro/src/Expr.cc:2669 2669 in /root/ane/bro/src/Expr.cc (gdb) print *this $25 = { = { = { = { = { _vptr.SerialObj = 0xae7bd0, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, in_ser_cache = false, location = 0x2299c70, notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, tag = EXPR_ASSIGN, type = 0x1c34890, paren = 0}, static register_type = {}, tid = {id = 44080, static counter = 2684785}, op1 = 0x2299c10, op2 = 0x2299aa0}, static register_type = {}, tid = { id = 44081, static counter = 2684785}, is_init = 0, val = 0x0} (gdb) print *this->location $26 = { = {_vptr.SerialObj = 0xaf52f0, static 
NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, delete_data = false, timestamp = 0, text = 0x0, static register_type = {}, tid = {id = 44082, static counter = 2684785}} (gdb) frame 9 #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 369 /root/ane/bro/src/Stmt.cc: No such file or directory. in /root/ane/bro/src/Stmt.cc (gdb) print *this $27 = { = { = { = {_vptr.SerialObj = 0xb029f0, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, in_ser_cache = false, location = 0x2299d10, notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, tag = STMT_EXPR, breakpoint_count = 0, last_access = 1426699810.94208, access_count = 274}, static register_type = {}, tid = { id = 44085, static counter = 2684785}, e = 0x2299b50} (gdb) print *this->location $28 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, delete_data = false, timestamp = 0, text = 0x0, static register_type = {}, tid = {id = 44086, static counter = 2684785}} (gdb) frame 10 #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 484 in /root/ane/bro/src/Stmt.cc (gdb) print *this $29 = { = { = { = { = { _vptr.SerialObj = 0xb02930, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, 
serial_type = 0}, in_ser_cache = false, location = 0x2299e90, notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, tag = STMT_IF, breakpoint_count = 0, last_access = 1426699810.94208, access_count = 274}, static register_type = {}, tid = { id = 44092, static counter = 2684785}, e = 0x2299360}, static register_type = {}, tid = {id = 44094, static counter = 2684785}, s1 = 0x2299cc0, s2 = 0x2299d80} (gdb) print *this->location $30 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, delete_data = false, timestamp = 0, text = 0x0, static register_type = {}, tid = {id = 44095, static counter = 2684785}} (gdb) frame 11 #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 373 in /root/ane/bro/src/Stmt.cc (gdb) print *this $31 = { = { = { = {_vptr.SerialObj = 0xb02930, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, in_ser_cache = false, location = 0x2299e90, notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, tag = STMT_IF, breakpoint_count = 0, last_access = 1426699810.94208, access_count = 274}, static register_type = {}, tid = { id = 44092, static counter = 2684785}, e = 0x2299360} (gdb) print *this->location $32 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, delete_data = false, timestamp = 0, text = 0x0, static register_type = {}, 
tid = {id = 44095, static counter = 2684785}} (gdb) (gdb) frame 12 #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 1764 in /root/ane/bro/src/Stmt.cc (gdb) print *this $33 = { = { = { = {_vptr.SerialObj = 0xb02110, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, in_ser_cache = false, location = 0x2293d60, notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, tag = STMT_LIST, breakpoint_count = 0, last_access = 1426699810.94208, access_count = 274}, static register_type = {}, tid = { id = 43644, static counter = 2684785}, stmts = { = { entry = 0x229fd20, chunk_size = 20, max_entries = 20, num_entries = 15}, }} (gdb) print *this->location $34 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 568, last_line = 636, first_column = 0, last_column = 0, delete_data = false, timestamp = 0, text = 0x0, static register_type = {}, tid = {id = 43643, static counter = 2684785}} .... (gdb) frame 48 #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) at /root/ane/bro/src/Event.h:50 50 /root/ane/bro/src/Event.h: No such file or directory. 
 in /root/ane/bro/src/Event.h
(gdb) print *this
$35 = { = { = {_vptr.SerialObj = 0xae2fb0, static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, static time_counter = 211263, serial_type = 0}, in_ser_cache = false, location = 0x0, notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, handler = {handler = 0x2ac0870}, args = 0x55665e0, src = 10001, aid = 0, mgr = 0x1bdbe70, obj = 0x0, next_event = 0x0}

(gdb) frame 47
#47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
80 /root/ane/bro/src/EventHandler.cc: No such file or directory.
 in /root/ane/bro/src/EventHandler.cc
(gdb) print *this
$36 = {name = 0x2ac0c00 "SumStats::cluster_send_result", local = 0x2ac0a30, type = 0x2ac0600, used = false, enabled = true, error_handler = false, generate_always = false, receivers = { = {entry = 0x2ac0ba0, chunk_size = 10, max_entries = 10, num_entries = 0}, }}

----

(gdb) bt full
#0 0x0000003345c32625 in raise () from /lib64/libc.so.6
No symbol table info available.
#1 0x0000003345c33e05 in abort () from /lib64/libc.so.6
No symbol table info available.
#2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
        ap = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fff70b11a50, reg_save_area = 0x7fff70b11980}}
#3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") at /root/ane/bro/src/Obj.cc:134
        out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"...
        d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, offset = 37, size = 128, escape = false, escape_sequences = std::set with 0 elements, f = 0x0, indent_level = 0, is_short = 1, want_quotes = 0, do_flush = 1, include_stats = 0, indent_with_spaces = 0}
#4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) at /root/ane/bro/src/Val.h:282
No locals.
#5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto (frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153
        p = 0xebd630
#6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
        plugin_result = 0x0
        result = 0x7fff70b11ec0
        i = 0
#7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) at /root/ane/bro/src/Expr.cc:4920
        func = 0x217e940
        current_call = 0x22a2540
        ret = 0x0
        func_val = 0x217ea50
        v = 0x58f2d50
#8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) at /root/ane/bro/src/Expr.cc:2669
        v = 0x2299360
#9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369
        v = 0x7fff70b11fc0
#10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484
        do_stmt = 0x2299cc0
        result = 0x7e226e
#11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373
        ret_val = 0x708008
        v = 0x58b1870
#12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764
        result = 0x0
        i = 4
#13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386
        i = 0
        plugin_result = 0x0
        __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
        i = 1
        flow = FLOW_NEXT
        f = 0x5862c60
        result = 0x0
#14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) at /root/ane/bro/src/Expr.cc:4920
        func = 0x22a1620
        current_call = 0x21ec0e0
        ret = 0x0
        func_val = 0x22a1710
        v = 0x4fe5fc0
#15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369
        v = 0x7fff70b12330
#16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0, flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764
        result = 0x4d629b0
        i = 0
#17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386
        i = 0
        plugin_result = 0x0
        __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
        i = 1
        flow = FLOW_NEXT
        f = 0x55fc1e0
        result = 0x0
#18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) at /root/ane/bro/src/Expr.cc:4920
        func = 0x22a2cc0
        current_call = 0x34236a0
        ret = 0x0
        func_val = 0x22a2db0
        v = 0x5469570
#19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369
        v = 0x7fff70b12600
#20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484
        do_stmt = 0x21e38e0
        result = 0x7e226e
#21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373
        ret_val = 0x708008
        v = 0x5382180
#22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764
        result = 0x0
        i = 1
#23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386
        i = 0
        plugin_result = 0x0
        __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
        i = 1
        flow = FLOW_NEXT
        f = 0x520ebc0
        result = 0x0
#24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) at /root/ane/bro/src/Expr.cc:4920
        func = 0x21ed440
        current_call = 0x2a39e10
        ret = 0x0
        func_val = 0x21e3a50
        v = 0x509ca00
#25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369
        v = 0x7fff70b12970
#26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50, flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764
        result = 0x0
        i = 4
#27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386
        i = 0
        plugin_result = 0x0
        __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
        i = 2
        flow = FLOW_NEXT
        f = 0x53e1d50
        result = 0x0
#28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) at /root/ane/bro/src/Expr.cc:4920
        func = 0x3423a10
        current_call = 0x2b62770
        ret = 0x0
        func_val = 0x3423b00
        v = 0x571e9e0
#29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369
        v = 0x7fff70b12c40
#30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
        result = 0x0
        i = 3
#31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
        result = 0x0
        i = 1
#32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, parent=0x5682490) at /root/ane/bro/src/Func.cc:386
        i = 0
        plugin_result = 0x0
        __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
        i = 3
        flow = FLOW_NEXT
        f = 0x4e16b50
        result = 0x0
#33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) at /root/ane/bro/src/Expr.cc:4920
        func = 0x2a3a050
        current_call = 0x2bcf960
        ret = 0x0
        func_val = 0x2a3a290
        v = 0x4ff3bf0
#34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369
        v = 0x7fff70b12f60
#35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
        result = 0x8000e2
        i = 0
#36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484
        do_stmt = 0x2b606d0
        result = 0x2bcf960
#37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373
        ret_val = 0x708008
        v = 0x2a33c00
#38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
        result = 0x0
        i = 3
#39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, parent=0x51654a0) at /root/ane/bro/src/Func.cc:386
        i = 0
        plugin_result = 0x0
        __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
        i = 4
        flow = FLOW_NEXT
        f = 0x5682490
        result = 0x0
#40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) at /root/ane/bro/src/Expr.cc:4920
        func = 0x2b08750
        current_call = 0x0
        ret = 0x0
        func_val = 0x2bbdab0
        v = 0x4cd7020
#41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369
        v = 0x7fff70b13320
#42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
        result = 0x8000e2
        i = 0
#43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484
        do_stmt = 0x2bcf200
        result = 0x7e226e
#44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373
        ret_val = 0x708008
        v = 0x4e12040
#45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
        result = 0x0
        i = 3
#46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, parent=0x0) at /root/ane/bro/src/Func.cc:386
        i = 0
        plugin_result = 0x0
        __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
        i = 5
        flow = FLOW_NEXT
        f = 0x51654a0
        result = 0x0
#47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
No locals.
#48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) at /root/ane/bro/src/Event.h:50
No locals.
#49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, no_remote=true) at /root/ane/bro/src/Event.h:98
No locals.
#50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) at /root/ane/bro/src/RemoteSerializer.cc:1439
        be = 0x52f6520
        event = 0x4d194d0
        old_current_peer = 0x5affb90
        i = 2
        __PRETTY_FUNCTION__ = "virtual void RemoteSerializer::Process()"
#51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320
        ts = 1426699810
        src =

 0x1be4b28
        loop_counter = 0
#52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) at /root/ane/bro/src/main.cc:1200
        time_net_start = 1426699494.8306091
        mem_net_start_total = 0
        mem_net_start_malloced = 28969936
        time_net_done = 5.5884358079878406e-317
        mem_net_done_total = 32767
        mem_net_done_malloced = 1890663744
        rule_files = { = {entry = 0x3b21000, chunk_size = 20, max_entries = 20, num_entries = 16}, }
        id_name = 0x0
        seed_load_file = 0x0
        debug_streams = 0x0
        bare_mode = 0
        opts = "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:z:CFGLNOPSWabdghvZQ", '\000'
        seed = 0
        r = 0
        missing_plugin = false
        bro_init = {handler = 0x1c02d90}
        long_optsind = 0
        s = 0x0
        bst_file = 0x0
        print_plugins = 0
        oldhandler = 0x1
        p = 0x0
        alive_handlers = 0x3bda980
        user_pcap_filter = 0x0
        op = -1
        tmp = 0x0
        dead_handlers = 0x3bda980
        time_start = 1426699493.1773551
        interfaces = { = {entry = 0x1ba5350, chunk_size = 10, max_entries = 10, num_entries = 0}, }
        read_files = { = {entry = 0x1ba53b0, chunk_size = 10, max_entries = 10, num_entries = 0}, }
        events_file = 0x0
        to_xml = 0
        RE_level = 4
        dns_type = DNS_DEFAULT
        broxygen_config = ""
        dump_cfg = 0
        do_watchdog = 0
        rule_debug = 0
        long_opts = {{name = 0xadae58 "parse-only", has_arg = 0, flag = 0x0, val = 97}, {name = 0xadae63 "bare-mode", has_arg = 0, flag = 0x0, val = 98}, {name = 0xadae6d "debug-policy", has_arg = 0, flag = 0x0, val = 100}, {name = 0xadae7a "dump-config", has_arg = 0, flag = 0x0, val = 103}, {name = 0xadae86 "exec", has_arg = 1, flag = 0x0, val = 101}, {name = 0xadae8b "filter", has_arg = 1, flag = 0x0, val = 102}, {name = 0xadae92 "help", has_arg = 0, flag = 0x0, val = 104}, {name = 0xadae97 "iface", has_arg = 1, flag = 0x0, val = 105}, {name = 0xadae9d "broxygen", has_arg = 1, flag = 0x0, val = 88}, {name = 0xadaea6 "prefix", has_arg = 1, flag = 0x0, val = 112}, {name = 0xadaead "readfile", has_arg = 1, flag = 0x0, val = 114}, {name = 0xadaeb6 "flowfile", has_arg = 1, flag = 0x0, val = 121}, {name = 0xadaebf "netflow", has_arg = 1, flag = 0x0, val = 89}, {name = 0xadaec7 "rulefile", has_arg = 1, flag = 0x0, val = 115}, {name = 0xadaed0 "tracefile", has_arg = 1, flag = 0x0, val = 116}, {name = 0xadaeda "writefile", has_arg = 1, flag = 0x0, val = 119}, {name = 0xadaee4 "version", has_arg = 0, flag = 0x0, val = 118}, {name = 0xadaeec "print-state", has_arg = 1, flag = 0x0, val = 120}, {name = 0xadaef8 "analyze", has_arg = 1, flag = 0x0, val = 122}, {name = 0xadaf00 "no-checksums", has_arg = 0, flag = 0x0, val = 67}, {name = 0xadaf0d "dfa-cache", has_arg = 1, flag = 0x0, val = 68}, {name = 0xadaf17 "force-dns", has_arg = 0, flag = 0x0, val = 70}, {name = 0xadaf21 "load-seeds", has_arg = 1, flag = 0x0, val = 71}, {name = 0xadaf2c "save-seeds", has_arg = 1, flag = 0x0, val = 72}, {name = 0xadaf37 "set-seed", has_arg = 1, flag = 0x0, val = 74}, {name = 0xadaf40 "md5-hashkey", has_arg = 1, flag = 0x0, val = 75}, {name = 0xadaf4c "rule-benchmark", has_arg = 0, flag = 0x0, val = 76}, {name = 0xadaf5b "print-plugins", has_arg = 0, flag = 0x0, val = 78}, {name = 0xadaf69 "optimize", has_arg = 0, flag = 0x0, val = 79}, {name = 0xadaf72 "prime-dns", has_arg = 0, flag = 0x0, val = 80}, {name = 0xadaf7c "replay", has_arg = 1, flag = 0x0, val = 82}, {name = 0xadaf83 "debug-rules", has_arg = 0, flag = 0x0, val = 83}, {name = 0xadaf8f "re-level", has_arg = 1, flag = 0x0, val = 82}, {name = 0xadaf98 "watchdog", has_arg = 0, flag = 0x0, val = 87}, {name = 0xadafa1 "print-id", has_arg = 1, flag = 0x0, val = 73}, {name = 0xadafaa "status-file", has_arg = 1, flag = 0x0, val = 85}, {name = 0xadafb6 "debug", has_arg = 1, flag = 0x0, val = 66}, {name = 0xadafbc "pseudo-realtime", has_arg = 2, flag = 0x0, val = 69}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
        override_ignore_checksums = 0
        time_bro = 0
        seed_save_file = 0x0
        parse_only = 0
        script_rule_files = 0x3b20d70 ".state"

(gdb) frame 0
#0 0x0000003345c32625 in raise () from /lib64/libc.so.6
(gdb) frame 3
#3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") at /root/ane/bro/src/Obj.cc:134
134 /root/ane/bro/src/Obj.cc: No such file or directory.
 in /root/ane/bro/src/Obj.cc
(gdb) info local
out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"...
d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, offset = 37, size = 128, escape = false, escape_sequences = std::set with 0 elements, f = 0x0, indent_level = 0, is_short = 1, want_quotes = 0, do_flush = 1, include_stats = 0, indent_with_spaces = 0}

-- 
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
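The session above finds the answer by hand: frame 3 carries BadTag's `t1="string"`, `t2="port"`, frame 5 names the BiF `get_port_transport_proto`, the `print *this->location` in frame 7 gives the script call site `notice/./main.bro` line 597, and frame 47's `print *this` shows the event `SumStats::cluster_send_result` arriving through `RemoteSerializer::Process`. The Python below automates exactly that extraction from a pasted gdb session. It is an added example, not Bro project code and not part of the bug report; `SESSION` is an abridged copy of the frames and prints shown above, constructed for the test, and the rule that interpreter frames are the ones with `Expr::` or `Stmt::` in their name (and that a `BuiltinFunc` frame's location is the BiF's declaration site, not a call site) is my assumption drawn from this trace.

```python
"""Triage facts from a pasted gdb session on a Bro core (added example, not
Bro project code and not part of the bug report). It parses what the session
above shows: backtrace frames ("#5 0x... in BifFunc::... (...) at bro.bif:3153")
and the "print *this" / "print *this->location" dumps that follow a "frame N".
Assumptions of mine: interpreter frames carry "Expr::" or "Stmt::" in their
name; a BuiltinFunc frame's location is the BiF's declaration site, so skip it.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FRAME_RE = re.compile(
    r"#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[A-Za-z_~][\w:~]*)\s*"
    r"\((?P<args>[^()]*)\)\s+(?:at\s+(?P<file>\S+?):(?P<line>\d+)|from\s+(?P<lib>\S+))")
LOC_RE = re.compile(r'filename\s*=\s*0x[0-9a-fA-F]+\s*"(?P<file>[^"]*)",\s*'
                    r"first_line\s*=\s*(?P<first>\d+),\s*last_line\s*=\s*(?P<last>\d+)")
NAME_RE = re.compile(r'\bname\s*=\s*(?:0x[0-9a-fA-F]+\s*)?"(?P<name>[^"]*)"')
ARG_STR_RE = re.compile(r'(?P<key>\w+)=0x[0-9a-fA-F]+\s*"(?P<val>[^"]*)"')


@dataclass(frozen=True)
class Frame:
    num: int
    func: str
    args: str
    file: Optional[str]  # source file:line when gdb had debug info,
    line: Optional[int]
    lib: Optional[str]   # otherwise the shared object the frame is in


@dataclass(frozen=True)
class Triage:
    fatal_frame: Optional[int]                  # frame running Reporter::FatalError
    bad_tag: Optional[str]                      # e.g. "Val::CONVERTER (string/port)"
    bif: Optional[str]                          # BiF that asked for the wrong Val type
    script_location: Optional[Tuple[str, int]]  # innermost script file:line printed
    event: Optional[str]                        # event handler being dispatched
    remote: bool                                # True if it came via RemoteSerializer


def parse_frames(session: str) -> Dict[int, Frame]:
    """First occurrence of a frame number wins, so a later 'frame N' redisplay
    never overrides the 'bt' entry."""
    frames: Dict[int, Frame] = {}
    for m in FRAME_RE.finditer(session):
        num = int(m.group("num"))
        if num not in frames:
            line = int(m.group("line")) if m.group("line") else None
            frames[num] = Frame(num, m.group("func"), m.group("args"),
                                m.group("file"), line, m.group("lib"))
    return frames


def parse_prints(session: str) -> Tuple[Dict[int, Tuple[str, int, int]], Dict[int, str]]:
    """Walk the session prompt by prompt, remembering the selected frame so each
    print can be attributed to it. Returns (locations, names) keyed by frame."""
    locations: Dict[int, Tuple[str, int, int]] = {}
    names: Dict[int, str] = {}
    cur: Optional[int] = None
    for chunk in re.split(r"\(gdb\)", session):
        cmd = chunk.strip()
        if cmd.startswith("frame "):
            cur = int(cmd.split()[1])
        elif cur is None:
            continue
        elif cmd.startswith("print *this->location"):
            m = LOC_RE.search(cmd)
            if m:
                locations[cur] = (m.group("file"), int(m.group("first")), int(m.group("last")))
        elif cmd.startswith("print *this"):
            m = NAME_RE.search(cmd)
            if m:
                names[cur] = m.group("name")
    return locations, names


def triage(session: str) -> Triage:
    frames = parse_frames(session)
    locations, names = parse_prints(session)
    fatal = bad_tag = bif = event = script_loc = None
    remote = False
    for num in sorted(frames):  # innermost frame first
        fr = frames[num]
        if fatal is None and fr.func == "Reporter::FatalError":
            fatal = num
        if bad_tag is None and fr.func.endswith("::BadTag"):
            a = {m.group("key"): m.group("val") for m in ARG_STR_RE.finditer(fr.args)}
            if all(k in a for k in ("msg", "t1", "t2")):
                bad_tag = f"{a['msg']} ({a['t1']}/{a['t2']})"  # matches the stderr.log text
        if bif is None and fr.func.startswith("BifFunc::"):
            bif = fr.func.split("::", 1)[1]
        if script_loc is None and re.search(r"(Expr|Stmt)::", fr.func) and num in locations:
            script_loc = (locations[num][0], locations[num][1])
        if event is None and fr.func == "EventHandler::Call" and num in names:
            event = names[num]
        if fr.func.startswith("RemoteSerializer::"):
            remote = True
    return Triage(fatal, bad_tag, bif, script_loc, event, remote)


# Constructed test input: an abridged copy of the session in this thread.
SESSION = r'''
(gdb) bt
#0 0x0000003345c32625 in raise () from /lib64/libc.so.6
#1 0x0000003345c33e05 in abort () from /lib64/libc.so.6
#2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
#3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") at /root/ane/bro/src/Obj.cc:134
#5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto (frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153
#6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
#7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) at /root/ane/bro/src/Expr.cc:4920
#47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
#50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) at /root/ane/bro/src/RemoteSerializer.cc:1439
(gdb) frame 6
#6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
(gdb) print *this
$21 = {bodies = std::vector of length 0, capacity 0, scope = 0x0, kind = Func::BUILTIN_FUNC, name = "get_port_transport_proto", unique_id = 677}
(gdb) print *this->location
$22 = {filename = 0x2173970 "/usr/local/bro/share/bro/base/bif/plugins/./Bro_X509.functions.bif.bro", first_line = 69, last_line = 69}
(gdb) frame 7
#7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) at /root/ane/bro/src/Expr.cc:4920
(gdb) print *this->location
$24 = {filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597}
(gdb) frame 47
#47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
(gdb) print *this
$36 = {name = 0x2ac0c00 "SumStats::cluster_send_result", local = 0x2ac0a30, used = false, enabled = true}
'''

if __name__ == "__main__":
    print(triage(SESSION))
```

Only frames whose `print *this->location` was actually issued can yield a script location, which is why the session above steps through frames 7 to 12 by hand before the tool can report `main.bro:597`; the `out` buffer residue in `bt full` is harmless to the parser because it never contains a `#N ... (` frame header.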
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Wed, 18 Mar 2015 14:23:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related
In-Reply-To: 
References: 
Message-ID: 

    [ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1346:
---------------------------

    Fix Version/s: 2.4

> Val::CONVERTER Fatal Error - Sumstats Related
> ---------------------------------------------
>
>                 Key: BIT-1346
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1346
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Aaron Eppert
>            Priority: Critical
>              Labels: sumstats
>             Fix For: 2.4
>
>
> Bro 2.3-451-debug
> Linux 2.6.32-504.8.1.el6.x86_64
> ==== reporter.log
> {"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> ==== stderr.log
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: 
> unlimited
> unlimited
> unlimited
> unlimited
> fatal error in : Val::CONVERTER (string/port) (80/tcp)
> ==== stdout.log
> max memory size (kbytes, -m) unlimited
> data seg size (kbytes, -d) unlimited
> virtual memory (kbytes, -v) unlimited
> core file size (blocks, -c) unlimited
> ==== .cmdline
> -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=manager
> ==== .status
> TERMINATED [atexit]
> ==== No prof.log
> ==== No packet_filter.log
> ==== No loaded_scripts.log
> #0 0x0000003345c32625 in raise () from /lib64/libc.so.6
> #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
> #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") at /root/ane/bro/src/Obj.cc:134
> #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) at /root/ane/bro/src/Val.h:282
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto (frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153
> #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
> #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) at /root/ane/bro/src/Expr.cc:4920
> #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) at /root/ane/bro/src/Expr.cc:2669
> #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369
> #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484
> #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373
> #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764
> #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386
> #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) at /root/ane/bro/src/Expr.cc:4920
> #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369
> #16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0, flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764
> #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386
> #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) at /root/ane/bro/src/Expr.cc:4920
> #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369
> #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484
> #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373
> #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764
> #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386
> #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) at /root/ane/bro/src/Expr.cc:4920
> #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369
> #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50, flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764
> #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386
> #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) at /root/ane/bro/src/Expr.cc:4920
> #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369
> #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> #32 0x000000000074e6d5 in 
BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at 
/root/ane/bro/src/EventHandler.cc:80 > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at /root/ane/bro/src/RemoteSerializer.cc:1439 > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > (gdb) frame 2 > #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > 92 /root/ane/bro/src/Reporter.cc: No such file or directory. > in /root/ane/bro/src/Reporter.cc > (gdb) print *this > $11 = {errors = 1, via_events = true, in_error_handler = 0, > info_to_stderr = true, warnings_to_stderr = false, errors_to_stderr = false, > locations = std::list = {[0] = {first = 0xebf480, second = 0x0}}} > (gdb) frame 3 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > 134 /root/ane/bro/src/Obj.cc: No such file or directory. 
> in /root/ane/bro/src/Obj.cc > (gdb) print *this > $12 = { = {_vptr.SerialObj = 0xb08370, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 34822}, in_ser_cache = false, > location = 0x0, notify_plugins = false, ref_cnt = 5, > static suppress_errors = 0} > (gdb) print *this > $13 = { = { = {_vptr.SerialObj = 0xb08370, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 34822}, in_ser_cache = false, location = 0x0, > notify_plugins = false, ref_cnt = 5, static suppress_errors = 0}, > static register_type = {}, tid = {id = 2684174, > static counter = 2684785}, val = {int_val = 80599088, uint_val = 80599088, > addr_val = 0x4cdd830, subnet_val = 0x4cdd830, > double_val = 3.9821240466935464e-316, string_val = 0x4cdd830, > func_val = 0x4cdd830, file_val = 0x4cdd830, re_val = 0x4cdd830, > table_val = 0x4cdd830, val_list_val = 0x4cdd830, vector_val = 0x4cdd830}, > type = 0x1c30fb0, bound_id = 0x0} > (gdb) print *this->val->string_val > $14 = {static EXPANDED_STRING = 39, static BRO_STRING_LITERAL = 56, > b = 0x4bbbd40 "80/tcp", n = 6, final_NUL = 1, use_free_to_delete = 0} > (gdb) print *this->val->table_val > $16 = { = {_vptr.Dictionary = 0x4bbbd40, tbl = 0x100000006, > num_buckets = 32, num_entries = 0, max_num_entries = 81, > den_thresh = 5.7159126496652157e-317, thresh_entries = 0, tbl2 = 0x0, > num_buckets2 = 875836160, num_entries2 = 1, max_num_entries2 = 1225167, > den_thresh2 = 1426703154.9832709, thresh_entries2 = 29612816, > tbl_next_ind = 0, order = 0x65746163696669, delete_func = 0x61, > cookies = { = {entry = 0x2377ff0, chunk_size = 92305888, > max_entries = 0, > num_entries = 78707}, }}, } > (gdb) frame 6 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > 564 /root/ane/bro/src/Func.cc: No such file 
or directory. > in /root/ane/bro/src/Func.cc > (gdb) print *this > $21 = { = { = { = {_vptr.SerialObj = 0xaf1550, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x217e9c0, > notify_plugins = false, ref_cnt = 2, static suppress_errors = 0}, > bodies = std::vector of length 0, capacity 0, scope = 0x0, > kind = Func::BUILTIN_FUNC, type = 0x1cc9fb0, name = > "get_port_transport_proto", unique_id = 677, > static unique_ids = { >> = { > _M_impl = {> = {<__gnu_cxx::new_allocator> = {}, }, _M_start = 0x3125ac0, > _M_finish = 0x31280e8, > _M_end_of_storage = 0x3129ac0}}, }}, > static register_type = {}, tid = {id = 35977, > static counter = 2684785}, > func = 0x75ae6e , > is_pure = 0} > (gdb) print *this->location > $22 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2173970 "/usr/local/bro/share/bro/base/bif/plugins/./Bro_X509.functions.bif.bro", first_line = 69, last_line = 69, first_column = 0, > last_column = 0, delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 35976, > static counter = 2684785}} > (gdb) frame 7 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > 4920 /root/ane/bro/src/Expr.cc: No such file or directory. 
> in /root/ane/bro/src/Expr.cc > (gdb) print *this > $23 = { = { = { = {_vptr.SerialObj = 0xae6b10, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299b00, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = EXPR_CALL, type = 0x1c34890, paren = 0}, > static register_type = {}, tid = {id = 44070, > static counter = 2684785}, func = 0x2299690, args = 0x2299870} > (gdb) > (gdb) print *this->location > $24 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44069, > static counter = 2684785}} > (gdb) > (gdb) frame 8 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > 2669 in /root/ane/bro/src/Expr.cc > (gdb) print *this > $25 = { = { = { = { = { > _vptr.SerialObj = 0xae7bd0, static NEVER = 0, static ALWAYS = 1, > static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > in_ser_cache = false, location = 0x2299c70, notify_plugins = false, > ref_cnt = 1, static suppress_errors = 0}, tag = EXPR_ASSIGN, > type = 0x1c34890, paren = 0}, static register_type = {}, > tid = {id = 44080, static counter = 2684785}, op1 = 0x2299c10, > op2 = 0x2299aa0}, static register_type = {}, tid = { > id = 44081, static counter = 2684785}, is_init = 0, val = 0x0} > (gdb) print *this->location > $26 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, 
serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44082, > static counter = 2684785}} > (gdb) frame 9 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > 369 /root/ane/bro/src/Stmt.cc: No such file or directory. > in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $27 = { = { = { = {_vptr.SerialObj = 0xb029f0, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299d10, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_EXPR, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44085, static counter = 2684785}, e = 0x2299b50} > (gdb) print *this->location > $28 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44086, > static counter = 2684785}} > (gdb) frame 10 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > 484 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $29 = { = { = { = { = { > _vptr.SerialObj = 0xb02930, static NEVER = 0, static ALWAYS = 1, > static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > in_ser_cache = false, location = 
0x2299e90, notify_plugins = false, > ref_cnt = 1, static suppress_errors = 0}, tag = STMT_IF, > breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44092, static counter = 2684785}, e = 0x2299360}, > static register_type = {}, tid = {id = 44094, > static counter = 2684785}, s1 = 0x2299cc0, s2 = 0x2299d80} > (gdb) print *this->location > $30 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44095, > static counter = 2684785}} > (gdb) frame 11 > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > 373 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $31 = { = { = { = {_vptr.SerialObj = 0xb02930, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299e90, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_IF, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44092, static counter = 2684785}, e = 0x2299360} > (gdb) print *this->location > $32 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static 
register_type = {}, tid = {id = 44095, > static counter = 2684785}} > (gdb) > (gdb) frame 12 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > 1764 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $33 = { = { = { = {_vptr.SerialObj = 0xb02110, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2293d60, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_LIST, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 43644, static counter = 2684785}, stmts = { = { > entry = 0x229fd20, chunk_size = 20, max_entries = 20, > num_entries = 15}, }} > (gdb) print *this->location > $34 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 568, last_line = 636, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 43643, > static counter = 2684785}} > .... > (gdb) frame 48 > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > 50 /root/ane/bro/src/Event.h: No such file or directory. 
> in /root/ane/bro/src/Event.h > (gdb) print *this > $35 = { = { = {_vptr.SerialObj = 0xae2fb0, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x0, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > handler = {handler = 0x2ac0870}, args = 0x55665e0, src = 10001, aid = 0, > mgr = 0x1bdbe70, obj = 0x0, next_event = 0x0} > (gdb) frame 47 > #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > 80 /root/ane/bro/src/EventHandler.cc: No such file or directory. > in /root/ane/bro/src/EventHandler.cc > (gdb) print *this > $36 = {name = 0x2ac0c00 "SumStats::cluster_send_result", local = 0x2ac0a30, > type = 0x2ac0600, used = false, enabled = true, error_handler = false, > generate_always = false, receivers = { = {entry = 0x2ac0ba0, > chunk_size = 10, max_entries = 10, num_entries = 0}, }} > ---- > (gdb) bt full > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > No symbol table info available. > #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6 > No symbol table info available. 
> #2  0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
>     fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
>         ap = {{gp_offset = 16, fp_offset = 48,
>             overflow_arg_area = 0x7fff70b11a50,
>             reg_save_area = 0x7fff70b11980}}
> #3  0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
>     msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port")
>     at /root/ane/bro/src/Obj.cc:134
>         d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560,
>           offset = 37, size = 128, escape = false,
>           escape_sequences = std::set with 0 elements, f = 0x0,
>           indent_level = 0, is_short = 1, want_quotes = 0, do_flush = 1,
>           include_stats = 0, indent_with_spaces = 0}
> #4  0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20)
>     at /root/ane/bro/src/Val.h:282
> No locals.
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > p = 0xebd630 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > plugin_result = 0x0 > result = 0x7fff70b11ec0 > i = 0 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x217e940 > current_call = 0x22a2540 > ret = 0x0 > func_val = 0x217ea50 > v = 0x58f2d50 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > v = 0x2299360 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b11fc0 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2299cc0 > result = 0x7e226e > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x58b1870 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x5862c60 > result = 0x0 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a1620 > current_call = 0x21ec0e0 > ret = 0x0 > func_val = 0x22a1710 > v = 0x4fe5fc0 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12330 > #16 0x00000000007e8379 in 
StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x4d629b0 > i = 0 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x55fc1e0 > result = 0x0 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a2cc0 > current_call = 0x34236a0 > ret = 0x0 > func_val = 0x22a2db0 > v = 0x5469570 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12600 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x21e38e0 > result = 0x7e226e > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x5382180 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x520ebc0 > result = 0x0 > #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x21ed440 > current_call = 0x2a39e10 > ret = 0x0 > func_val = 0x21e3a50 > v = 0x509ca00 > #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12970 > #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, 
f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, > parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 2 > flow = FLOW_NEXT > f = 0x53e1d50 > result = 0x0 > #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x3423a10 > current_call = 0x2b62770 > ret = 0x0 > func_val = 0x3423b00 > v = 0x571e9e0 > #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12c40 > #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 3 > flow = FLOW_NEXT > f = 0x4e16b50 > result = 0x0 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2a3a050 > current_call = 0x2bcf960 > ret = 0x0 > func_val = 0x2a3a290 > v = 0x4ff3bf0 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12f60 > #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at 
/root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2b606d0 > result = 0x2bcf960 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x2a33c00 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 4 > flow = FLOW_NEXT > f = 0x5682490 > result = 0x0 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2b08750 > current_call = 0x0 > ret = 0x0 > func_val = 0x2bbdab0 > v = 0x4cd7020 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b13320 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2bcf200 > result = 0x7e226e > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x4e12040 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 5 > flow = FLOW_NEXT > f = 0x51654a0 > result = 0x0 > #47 
0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > No locals. > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > No locals. > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > No locals. > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at /root/ane/bro/src/RemoteSerializer.cc:1439 > be = 0x52f6520 > event = 0x4d194d0 > old_current_peer = 0x5affb90 > i = 2 > __PRETTY_FUNCTION__ = "virtual void RemoteSerializer::Process()" > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > ts = 1426699810 > src = 0x1be4b28 > loop_counter = 0 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > time_net_start = 1426699494.8306091 > mem_net_start_total = 0 > mem_net_start_malloced = 28969936 > time_net_done = 5.5884358079878406e-317 > mem_net_done_total = 32767 > mem_net_done_malloced = 1890663744 > rule_files = { = {entry = 0x3b21000, chunk_size = 20, > max_entries = 20, num_entries = 16}, } > id_name = 0x0 > seed_load_file = 0x0 > debug_streams = 0x0 > bare_mode = 0 > opts = "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:z:CFGLNOPSWabdghvZQ", '\000' > seed = 0 > r = 0 > missing_plugin = false > bro_init = {handler = 0x1c02d90} > long_optsind = 0 > s = 0x0 > bst_file = 0x0 > print_plugins = 0 > oldhandler = 0x1 > p = 0x0 > alive_handlers = 0x3bda980 > user_pcap_filter = 0x0 > op = -1 > tmp = 0x0 > dead_handlers = 0x3bda980 > time_start = 1426699493.1773551 > interfaces = { = {entry = 0x1ba5350, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > read_files = { = {entry = 0x1ba53b0, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > events_file = 0x0 > to_xml = 0 > RE_level = 4 > dns_type = DNS_DEFAULT > broxygen_config = "" > dump_cfg = 0 > do_watchdog = 0 > 
>         rule_debug = 0
>         override_ignore_checksums = 0
>         time_bro = 0
>         seed_save_file = 0x0
>         parse_only = 0
>         script_rule_files = 0x3b20d70 ".state"
> (gdb) frame 0
> #0  0x0000003345c32625 in raise () from /lib64/libc.so.6
> (gdb) frame 3
> #3  0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
>     msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port")
>     at /root/ane/bro/src/Obj.cc:134
> 134     /root/ane/bro/src/Obj.cc: No such file or directory.
>         in /root/ane/bro/src/Obj.cc
> (gdb) info local
> d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560,
>   offset = 37, size = 128, escape = false,
>   escape_sequences = std::set with 0 elements, f = 0x0, indent_level = 0,
>   is_short = 1, want_quotes = 0, do_flush = 1, include_stats = 0,
>   indent_with_spaces = 0}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Wed Mar 18 13:03:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 18 Mar 2015 15:03:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/tls

Johanna Amann created BIT-1347:
----------------------------------

             Summary: Please merge topic/johanna/tls
                 Key: BIT-1347
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1347
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
            Reporter: Johanna Amann
             Fix For: 2.4

Please merge topic/johanna/dtls

First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. DTLS is mostly handled just like SSL. It emits the same events and thus works seamlessly with the current SSL scripts in the Bro core.

Furthermore, it implements TLS record layer defragmentation for the TLS Handshake protocol, enabling us e.g. to deal with connections containing large certificates.

The analyzer is now split into three parts, an SSL/TLS analyzer, a DTLS analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzers use a large amount of the same code by including common pac-files.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 13:03:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 18 Mar 2015 15:03:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/tls

    [ https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1347:
-------------------------------

    Status: Merge Request  (was: Open)

> Please merge topic/johanna/tls
> ------------------------------
>
>                 Key: BIT-1347
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1347
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>              Labels: dtls, ssl
>             Fix For: 2.4
>
>
> Please merge topic/johanna/dtls
> First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. DTLS is mostly handled just like SSL. It emits the same events and thus works seamlessly with the current SSL scripts in the Bro core.
> Furthermore, it implements TLS record layer defragmentation for the TLS Handshake protocol, enabling us e.g. to deal with connections containing large certificates.
> The analyzer is now split into three parts, an SSL/TLS analyzer, a DTLS analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzers use a large amount of the same code by including common pac-files.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 13:04:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 18 Mar 2015 15:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/dtls

    [ https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1347:
-------------------------------

    Summary: Please merge topic/johanna/dtls  (was: Please merge topic/johanna/tls)

> Please merge topic/johanna/dtls
> -------------------------------
>
>                 Key: BIT-1347
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1347
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>              Labels: dtls, ssl
>             Fix For: 2.4
>
>
> Please merge topic/johanna/dtls
> First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. DTLS is mostly handled just like SSL. It emits the same events and thus works seamlessly with the current SSL scripts in the Bro core.
> Furthermore, it implements TLS record layer defragmentation for the TLS Handshake protocol, enabling us e.g. to deal with connections containing large certificates.
> The analyzer is now split into three parts, an SSL/TLS analyzer, a DTLS analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzers use a large amount of the same code by including common pac-files.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 14:20:00 2015
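The record-layer defragmentation the BIT-1347 branch describes, shown as an added example that is not code from topic/johanna/dtls or from Bro: handshake messages (here a constructed oversized Certificate) are split across several TLS records and reassembled before being parsed, with an assumed buffer bound so a peer cannot grow the reassembly buffer without limit.

```python
import struct
from typing import Dict, List, Tuple

CONTENT_TYPE_HANDSHAKE = 22
# Handshake message type codes from RFC 5246; names are only for display.
HANDSHAKE_NAMES: Dict[int, str] = {1: "client_hello", 2: "server_hello",
                                   11: "certificate", 14: "server_hello_done"}


def build_record(content_type: int, version: Tuple[int, int], body: bytes) -> bytes:
    """TLS record: type(1) version(2) length(2) body. Constructed test helper."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def build_handshake(msg_type: int, body: bytes) -> bytes:
    """Handshake message: type(1) length(3) body. Constructed test helper."""
    return struct.pack("!B", msg_type) + len(body).to_bytes(3, "big") + body


def split_records(data: bytes, max_fragment: int) -> List[bytes]:
    """Fragment a handshake byte stream into records of at most max_fragment bytes,
    the way a sender with a small record size would emit a large certificate."""
    return [build_record(CONTENT_TYPE_HANDSHAKE, (3, 3), data[i:i + max_fragment])
            for i in range(0, len(data), max_fragment)]


class HandshakeReassembler:
    """Concatenate handshake-type record payloads and emit complete messages.

    A handshake message may start in one record and end in a later one
    (RFC 5246 section 6.2.1), so a message header alone is not enough:
    bytes are buffered until the whole declared body has arrived.
    """

    def __init__(self, max_buffer: int = 1 << 16):
        self.buf = b""
        self.max_buffer = max_buffer  # assumed bound; keeps hostile peers from exhausting memory

    def feed_record(self, record: bytes) -> List[Tuple[int, bytes]]:
        if len(record) < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:5 + length]
        if len(body) != length:
            raise ValueError("record body shorter than declared length")
        if ctype != CONTENT_TYPE_HANDSHAKE:
            return []  # alerts, CCS and application data are not part of the handshake stream
        self.buf += body
        if len(self.buf) > self.max_buffer:
            raise ValueError("handshake reassembly buffer exceeds limit")
        return self._drain()

    def _drain(self) -> List[Tuple[int, bytes]]:
        out: List[Tuple[int, bytes]] = []
        while len(self.buf) >= 4:
            msg_type = self.buf[0]
            msg_len = int.from_bytes(self.buf[1:4], "big")
            if len(self.buf) < 4 + msg_len:
                break  # body still incomplete: wait for more records
            out.append((msg_type, self.buf[4:4 + msg_len]))
            self.buf = self.buf[4 + msg_len:]
        return out


def reassemble(records: List[bytes]) -> List[str]:
    """Run the records through a reassembler and name each complete message."""
    reassembler = HandshakeReassembler()
    names = []
    for rec in records:
        for msg_type, body in reassembler.feed_record(rec):
            names.append(f"{HANDSHAKE_NAMES.get(msg_type, str(msg_type))}({len(body)})")
    return names


if __name__ == "__main__":
    # Constructed 3000-byte certificate body followed by ServerHelloDone,
    # fragmented into 1024-byte records.
    stream = build_handshake(11, b"\x00" * 3000) + build_handshake(14, b"")
    print(reassemble(split_records(stream, 1024)))
```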
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Wed, 18 Mar 2015 16:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20025#comment-20025 ]

Jon Siwek commented on BIT-342:
-------------------------------

topic/jsiwek/bit-342

> Add payload to ICMP analyzer
> ----------------------------
>
>                 Key: BIT-342
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-342
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 1.5.2
>            Reporter: Seth Hall
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>         Attachments: ICMP-add-payload.diff
>
>
> This is a patch from Julien Sentier on the mailing list that makes ICMP payloads available at the scripting layer. Is there a reason this isn't already available? I would have committed it to fastpath except I don't know if it's not already doing this due to the potential overhead of creating a lot of strings in ICMP floods. At the very least, I suppose it could be optional (which the patch doesn't currently do).

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 14:20:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Wed, 18 Mar 2015 16:20:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-342:
--------------------------

    Status: Merge Request  (was: Open)

> Add payload to ICMP analyzer
> ----------------------------
>
>                 Key: BIT-342
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-342
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 1.5.2
>            Reporter: Seth Hall
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>         Attachments: ICMP-add-payload.diff
>
>
> This is a patch from Julien Sentier on the mailing list that makes ICMP payloads available at the scripting layer. Is there a reason this isn't already available? I would have committed it to fastpath except I don't know if it's not already doing this due to the potential overhead of creating a lot of strings in ICMP floods. At the very least, I suppose it could be optional (which the patch doesn't currently do).

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 14:30:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 18 Mar 2015 16:30:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1348) topic/dnthayer/fix-typos

Daniel Thayer created BIT-1348:
----------------------------------

             Summary: topic/dnthayer/fix-typos
                 Key: BIT-1348
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1348
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
            Reporter: Daniel Thayer
             Fix For: 2.4

The branch topic/dnthayer/fix-typos in the bro-plugins repo contains a few small doc fixes, and a portability improvement for the configure script.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Wed Mar 18 14:30:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 18 Mar 2015 16:30:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1348) topic/dnthayer/fix-typos

    [ https://bro-tracker.atlassian.net/browse/BIT-1348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1348:
-------------------------------

    Status: Merge Request  (was: Open)

> topic/dnthayer/fix-typos
> ------------------------
>
>                 Key: BIT-1348
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1348
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>             Fix For: 2.4
>
>
> The branch topic/dnthayer/fix-typos in the bro-plugins repo contains a few small
> doc fixes, and a portability improvement for the configure script.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From noreply at bro.org Thu Mar 19 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 19 Mar 2015 00:00:24 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503190700.t2J70OkV005890@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component     Reporter        Assignee        Updated      For Version    Priority    Summary
  ------------  ------------  -------------   -------------   ----------   -------------  ----------  -------------------------------------------------
  BIT-1348 [1]  Bro           Daniel Thayer   -               2015-03-18   2.4            Normal      topic/dnthayer/fix-typos [2]
  BIT-1347 [3]  Bro           Johanna Amann   -               2015-03-18   2.4            Normal      Please merge topic/johanna/dtls
  BIT-1344 [4]  Bro           grigorescu      Johanna Amann   2015-03-18   -              Normal      New SSH Analyzer
  BIT-1340 [5]  Bro           Seth Hall       Jon Siwek       2015-03-13   2.4            Normal      RDP analyzer (topic/seth/rdp)
  BIT-1303 [6]  pysubnettree  Daniel Thayer   -               2015-03-17   2.4            Normal      pysubnettree tests should be changed to use btest
  BIT-342 [7]   Bro           Seth Hall       Jon Siwek       2015-03-18   2.4            Normal      Add payload to ICMP analyzer

Open Fastpath Commits
======================

  Commit       Component   Author          Date         Summary
  -----------  ----------- -------------   ----------   -----------------------------------------------------------
  eec7f77 [8]  bro         Daniel Thayer   2015-03-18   Correct a spelling error
  31795e7 [9]  bro         Johanna Amann   2015-03-10   When setting the SSL analyzer to fail, also stop processing

Open GitHub Pull Requests
=========================

  Issue      Component   User             Updated      Title
  --------   ----------- --------------   ----------   ---------------------------------------------------------------------------
  #28 [10]   bro         aeppert [11]     2015-03-18   Seems to fix a case where an entry in the table may be null on insert. [12]
  #27 [13]   bro         petiepooo [14]   2015-03-14   Add defensive check for localtime_r() call [15]

[1]  BIT-1348              https://bro-tracker.atlassian.net/browse/BIT-1348
[2]  fix-typos             https://github.com/bro/bro/tree/topic/dnthayer/fix-typos
[3]  BIT-1347              https://bro-tracker.atlassian.net/browse/BIT-1347
[4]  BIT-1344              https://bro-tracker.atlassian.net/browse/BIT-1344
[5]  BIT-1340              https://bro-tracker.atlassian.net/browse/BIT-1340
[6]  BIT-1303              https://bro-tracker.atlassian.net/browse/BIT-1303
[7]  BIT-342               https://bro-tracker.atlassian.net/browse/BIT-342
[8]  eec7f77               https://github.com/bro/bro/commit/eec7f77913e0385d83bbd9b086ae5e3e2c1cd4bb
[9]  31795e7               https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3
[10] Pull Request #28      https://github.com/bro/bro/pull/28
[11] aeppert               https://github.com/aeppert
[12] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master
[13] Pull Request #27      https://github.com/bro/bro/pull/27
[14] petiepooo             https://github.com/petiepooo
[15] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv

From jira at bro-tracker.atlassian.net Thu Mar 19 09:59:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 11:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows

    [ https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20026#comment-20026 ]

Jon Siwek commented on BIT-788:
-------------------------------

topic/jsiwek/bit-788 is bro, bro-testing, bro-testing-private

> Good analysis of unidirectional DNS flows
> -----------------------------------------
>
>                 Key: BIT-788
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-788
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: juliensentier
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>         Attachments: 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch
>
>
> Some use port UDP 53 as a source port for DNS requests.
> And sometimes, we can miss the DNS request.
> In this case, we can rely on the DNS field QR to identify the direction of the flow.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Thu Mar 19 09:59:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 11:59:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows

    [ https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-788:
--------------------------

    Status: Merge Request  (was: Open)

> Good analysis of unidirectional DNS flows
> -----------------------------------------
>
>                 Key: BIT-788
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-788
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: juliensentier
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>         Attachments: 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch
>
>
> Some use port UDP 53 as a source port for DNS requests.
> And sometimes, we can miss the DNS request.
> In this case, we can rely on the DNS field QR to identify the direction of the flow.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Thu Mar 19 10:20:00 2015
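The BIT-788 heuristic as an added example, not code from the attached patch or from Bro: when both UDP endpoints use port 53 and the first datagram seen is the answer to a query that was missed, "first sender is the client" mislabels the flow, while the QR flag in the DNS header gives the right orientation. The endpoints and packets below are constructed, and the port fallback for a truncated header is an assumption of this example.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

Endpoint = Tuple[str, int]  # (ip, udp port)


@dataclass
class FlowOrientation:
    originator: Endpoint  # the DNS client
    responder: Endpoint   # the DNS server
    decided_by: str       # "qr-bit" or "ports"


def build_dns_header(txid: int, response: bool, qdcount: int = 1, ancount: int = 0) -> bytes:
    """Constructed 12-byte DNS header (RFC 1035 4.1.1): id, flags, qd, an, ns, ar.
    RD is set as a typical resolver would; QR is the top bit of the flags word."""
    flags = (0x8000 if response else 0x0000) | 0x0100
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def dns_qr_bit(payload: bytes) -> int:
    """Return the QR flag (0 = query, 1 = response) of a DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", payload[2:4])[0]
    return (flags >> 15) & 1


def orient_flow(src: Endpoint, dst: Endpoint, payload: bytes) -> FlowOrientation:
    """Decide client/server roles from the first DNS datagram seen for a flow.

    The protocol's own statement of direction (QR) is preferred: it is right
    even when the capture starts with a response, or when the client binds
    source port 53 so that ports alone cannot say which side is which.
    """
    try:
        qr = dns_qr_bit(payload)
    except ValueError:
        # No usable header: fall back to ports when exactly one side is 53
        # (assumed policy for this example), otherwise give up.
        if dst[1] == 53 and src[1] != 53:
            return FlowOrientation(src, dst, "ports")
        if src[1] == 53 and dst[1] != 53:
            return FlowOrientation(dst, src, "ports")
        raise
    if qr == 0:
        return FlowOrientation(src, dst, "qr-bit")   # a query: the sender is the client
    return FlowOrientation(dst, src, "qr-bit")       # a response: the sender is the server


if __name__ == "__main__":
    client = ("192.0.2.10", 53)      # constructed client that uses source port 53
    server = ("198.51.100.1", 53)
    # Only the answer was captured; packet order alone would call the server the client.
    answer = build_dns_header(0x1234, response=True, ancount=1)
    print(orient_flow(server, client, answer))
```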
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 12:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-849) SMTP analyzer and reporter warnings

    [ https://bro-tracker.atlassian.net/browse/BIT-849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-849:
--------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> SMTP analyzer and reporter warnings
> -----------------------------------
>
>                 Key: BIT-849
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-849
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Jon Siwek
>              Labels: analyzer
>             Fix For: 2.4
>
>
> There are some warnings in the SMTP analyzer (ultimately from using the MIME analyzer) that go to reporter but they are wildly unhelpful in reporter.log. Here's an example line from reporter.log:
> {noformat}
> 1342043855.564338 Reporter::WARNING nested mail transaction (empty) -
> {noformat}
> Doing protocol violations on the smtp analyzer wouldn't quite be the right thing either because the dpd framework might remove the smtp analyzer from the connection. Part of the problem may stem from the fact that MIME analyzer isn't a true analyzer (doesn't descend from Analyzer). There is some obvious analyzer restructuring that needs to happen here but that can wait for the larger analyzer work that is coming up.
> Does anyone have thoughts about what we could do with this message now to make it more useful?

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Thu Mar 19 11:21:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Thu, 19 Mar 2015 13:21:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related

    [ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20027#comment-20027 ]

Aaron Eppert commented on BIT-1346:
-----------------------------------

Additional details from the recurring crash - same frame count and contents. I realized I neglected a few frames that may be of great importance:

{noformat}
(gdb) frame 5
#5  0x000000000075aecd in BifFunc::bro_get_port_transport_proto (frame=0x5bbd470, BiF_ARGS=0x5fbd610) at bro.bif:3153
3153	bro.bif: No such file or directory.
	in bro.bif
(gdb) print *this
No symbol "this" in current context.
(gdb) print *frame
$7 = { = { = {_vptr.SerialObj = 0xaead70, static NEVER = 0, static ALWAYS = 1, static factories = 0x2220860, static names = 0x22208a0, static time_counter = 352870, serial_type = 0}, in_ser_cache = false, location = 0x0, notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, frame = 0x5642a80, size = 1, function = 0x2b757c0, func_args = 0x57f6090, next_stmt = 0x2b6ded0, break_before_next_stmt = false, break_on_return = false, trigger = 0x0, call = 0x2b6dcb0, delayed = false}
(gdb) print *frame->function
$8 = { = { = { = {_vptr.SerialObj = 0xaf1610, static NEVER = 0, static ALWAYS = 1, static factories = 0x2220860, static names = 0x22208a0, static time_counter = 352870, serial_type = 0}, in_ser_cache = false, location = 0x2b75840, notify_plugins = false, ref_cnt = 2, static suppress_errors = 0}, bodies = std::vector of length 1, capacity 1 = {{stmts = 0x2b67d60, priority = 0}}, scope = 0x2b67840, kind = Func::BRO_FUNC, type = 0x2b67660, name = "Notice::apply_policy", unique_id = 847, static unique_ids = { >> = { _M_impl = {> = {<__gnu_cxx::new_allocator> = {}, }, _M_start = 0x37a1e60, _M_finish =
0x37a4458, _M_end_of_storage = 0x37a5e60}}, }}, static register_type = {}, tid = {id = 61088, static counter = 12380774}, frame_size = 1} (gdb) (gdb) frame 6 #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x280da00, args=0x5fbd610, parent=0x5bbd470) at /root/ane/bro/src/Func.cc:564 564 /root/ane/bro/src/Func.cc: No such file or directory. in /root/ane/bro/src/Func.cc (gdb) print *this $9 = { = { = { = {_vptr.SerialObj = 0xaf1550, static NEVER = 0, static ALWAYS = 1, static factories = 0x2220860, static names = 0x22208a0, static time_counter = 352870, serial_type = 0}, in_ser_cache = false, location = 0x280da80, notify_plugins = false, ref_cnt = 2, static suppress_errors = 0}, bodies = std::vector of length 0, capacity 0, scope = 0x0, kind = Func::BUILTIN_FUNC, type = 0x2357430, name = "get_port_transport_proto", unique_id = 677, static unique_ids = { >> = { _M_impl = {> = {<__gnu_cxx::new_allocator> = {}, }, _M_start = 0x37a1e60, _M_finish = 0x37a4458, _M_end_of_storage = 0x37a5e60}}, }}, static register_type = {}, tid = {id = 35974, static counter = 12380774}, func = 0x75ae6e , is_pure = 0} (gdb) print *this->location $10 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, static ALWAYS = 1, static factories = 0x2220860, static names = 0x22208a0, static time_counter = 352870, serial_type = 0}, filename = 0x2802b20 "/usr/local/bro/share/bro/base/bif/plugins/./Bro_X509.functions.bif.bro", first_line = 69, last_line = 69, first_column = 0, last_column = 0, delete_data = false, timestamp = 0, text = 0x0, static register_type = {}, tid = {id = 35973, static counter = 12380774}} (gdb) (gdb) frame 7 #7 0x0000000000740c4d in CallExpr::Eval (this=0x2b6dcb0, f=0x5bbd470) at /root/ane/bro/src/Expr.cc:4920 4920 /root/ane/bro/src/Expr.cc: No such file or directory. 
in /root/ane/bro/src/Expr.cc (gdb) print *this $11 = { = { = { = {_vptr.SerialObj = 0xae6b10, static NEVER = 0, static ALWAYS = 1, static factories = 0x2220860, static names = 0x22208a0, static time_counter = 352870, serial_type = 0}, in_ser_cache = false, location = 0x2b6dd10, notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, tag = EXPR_CALL, type = 0x22c11e0, paren = 0}, static register_type = {}, tid = {id = 60497, static counter = 12380774}, func = 0x2b6d8a0, args = 0x2b6da80} (gdb) print *this->location $12 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, static ALWAYS = 1, static factories = 0x2220860, static names = 0x22208a0, static time_counter = 352870, serial_type = 0}, filename = 0x2a6da70 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, delete_data = false, timestamp = 0, text = 0x0, static register_type = {}, tid = {id = 60496, static counter = 12380774}} {noformat} > Val::CONVERTER Fatal Error - Sumstats Related > --------------------------------------------- > > Key: BIT-1346 > URL: https://bro-tracker.atlassian.net/browse/BIT-1346 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: Aaron Eppert > Priority: Critical > Labels: sumstats > Fix For: 2.4 > > > Bro 2.3-451-debug > Linux 2.6.32-504.8.1.el6.x86_64 > ==== reporter.log > {"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""} > {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > 
{"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > ==== stderr.log > internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else > internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This > internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to > internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse. 
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: > unlimited > unlimited > unlimited > unlimited > fatal error in : Val::CONVERTER (string/port) (80/tcp) > ==== stdout.log > max memory size (kbytes, -m) unlimited > data seg size (kbytes, -d) unlimited > virtual memory (kbytes, -v) unlimited > core file size (blocks, -c) unlimited > ==== .cmdline > -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading > ==== .env_vars > PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin > BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site > CLUSTER_NODE=manager > ==== .status > TERMINATED [atexit] > ==== No prof.log > ==== No packet_filter.log > ==== No loaded_scripts.log > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6 > #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) > at /root/ane/bro/src/Val.h:282 > #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > #8 0x00000000007370b7 in 
AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > #16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at 
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Thu Mar 19 11:26:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 13:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1255) TCP reassembly issue
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1255:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> TCP reassembly issue
> --------------------
>
>                 Key: BIT-1255
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1255
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>         Attachments: out.pcap
>
>
> Been testing bro with some messy (but valid) TCP streams, using docker and netem (happy to upload a gist if people are interested).
> The attached file reassembles correctly in wireshark, but bro only gives the first 4069 bytes when extracted with the file analysis framework, and obviously the wrong hash (md5 is the URI).

From jira at bro-tracker.atlassian.net Thu Mar 19 11:40:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Thu, 19 Mar 2015 13:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20028#comment-20028 ]

Aaron Eppert commented on BIT-1346:
-----------------------------------

Another manifestation in .crash-diag.log - but the same stack frames as above:

{noformat}
Bro 2.3-451-debug
Linux 2.6.32-504.8.1.el6.x86_64

==== reporter.log
{"ts":1426788958.638709,"level":"Reporter::ERROR","message":"/opt/packetsled/db/known/Input::READER_SQLITE: terminating thread","location":""}
{"ts":1426788958.638709,"level":"Reporter::ERROR","message":"/opt/packetsled/db/known/Input::READER_SQLITE: SQLite call failed: unable to open database file","location":""}
{"ts":1426788958.638709,"level":"Reporter::ERROR","message":"/opt/packetsled/db/known/Input::READER_SQLITE: Init failed","location":""}
{"ts":1426788958.638709,"level":"Reporter::ERROR","message":"/opt/packetsled/db/known/Input::READER_SQLITE: terminating thread","location":""}
{"ts":1426788958.638709,"level":"Reporter::ERROR","message":"/opt/packetsled/db/known/Input::READER_SQLITE: SQLite call failed: unable to open database file","location":""}
{"ts":1426788958.638709,"level":"Reporter::ERROR","message":"/opt/packetsled/db/known/Input::READER_SQLITE: Init failed","location":""}
{"ts":1426788958.638709,"level":"Reporter::ERROR","message":"/opt/packetsled/db/known/Input::READER_SQLITE: terminating thread","location":""}
{"ts":1426788958.638709,"level":"Reporter::ERROR","message":"/opt/packetsled/db/known/Input::READER_SQLITE: SQLite call failed: unable to open database file","location":""}
{"ts":1426788958.638709,"level":"Reporter::ERROR","message":"/opt/packetsled/db/known/Input::READER_SQLITE: Init failed","location":""}
{"ts":1426788958.638709,"level":"Reporter::ERROR","message":"/opt/packetsled/db/known/Input::READER_SQLITE: terminating thread","location":""}

==== stderr.log
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment:
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-file-analytics/./ps-file-analytics_known_lookup.bro, line 1: Discarded extraneous Broxygen comment:
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-file-analytics/./ps-file-analytics_known_lookup.bro, line 1: Discarded extraneous Broxygen comment: Exclude our log from being sent upstream
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-file-analytics/./ps-file-analytics_known_lookup.bro, line 1: Discarded extraneous Broxygen comment:
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-file-analytics/./ps-file-analytics_known_lookup.bro, line 9: Discarded extraneous Broxygen comment:
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-file-analytics/./ps-file-analytics_known_lookup.bro, line 9: Discarded extraneous Broxygen comment: Exclude our log from being sent upstream
internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-file-analytics/./ps-file-analytics_known_lookup.bro, line 9: Discarded extraneous Broxygen comment:
/usr/local/bro/share/broctl/scripts/run-bro: line 85: 1960 Killed nohup $mybro "$@"

==== stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited

==== .cmdline
-U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto

==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/sbin:/usr/sbin:/bin:/usr/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=manager

==== .status
RUNNING [net_run]
{noformat}

> Val::CONVERTER Fatal Error - Sumstats Related
> ---------------------------------------------
>
>                 Key: BIT-1346
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1346
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Aaron Eppert
>            Priority: Critical
>              Labels: sumstats
>             Fix For: 2.4
>
>
> Bro 2.3-451-debug
> Linux 2.6.32-504.8.1.el6.x86_64
> ==== reporter.log
> {"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> ==== stderr.log
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: > unlimited > unlimited > unlimited > unlimited > fatal error in : Val::CONVERTER (string/port) (80/tcp) > ==== stdout.log > max memory size (kbytes, -m) unlimited > data seg size (kbytes, -d) unlimited > virtual memory (kbytes, -v) unlimited > core file size (blocks, -c) unlimited > ==== .cmdline > -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading > ==== .env_vars > PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin > BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site > CLUSTER_NODE=manager > ==== .status > TERMINATED [atexit] > ==== No prof.log > ==== No packet_filter.log > ==== No loaded_scripts.log > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6 > #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) > at /root/ane/bro/src/Val.h:282 > #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > #8 0x00000000007370b7 in 
AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > #16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at 
/root/ane/bro/src/Func.cc:386 > #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) > at /root/ane/bro/src/Expr.cc:4920 > #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369 > #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764 > #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, > parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386 > #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) > at /root/ane/bro/src/Expr.cc:4920 > #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369 > #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, 
args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at /root/ane/bro/src/RemoteSerializer.cc:1439 > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > (gdb) frame 2 > #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > 92 /root/ane/bro/src/Reporter.cc: No such file or directory. 
> in /root/ane/bro/src/Reporter.cc > (gdb) print *this > $11 = {errors = 1, via_events = true, in_error_handler = 0, > info_to_stderr = true, warnings_to_stderr = false, errors_to_stderr = false, > locations = std::list = {[0] = {first = 0xebf480, second = 0x0}}} > (gdb) frame 3 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > 134 /root/ane/bro/src/Obj.cc: No such file or directory. > in /root/ane/bro/src/Obj.cc > (gdb) print *this > $12 = { = {_vptr.SerialObj = 0xb08370, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 34822}, in_ser_cache = false, > location = 0x0, notify_plugins = false, ref_cnt = 5, > static suppress_errors = 0} > (gdb) print *this > $13 = { = { = {_vptr.SerialObj = 0xb08370, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 34822}, in_ser_cache = false, location = 0x0, > notify_plugins = false, ref_cnt = 5, static suppress_errors = 0}, > static register_type = {}, tid = {id = 2684174, > static counter = 2684785}, val = {int_val = 80599088, uint_val = 80599088, > addr_val = 0x4cdd830, subnet_val = 0x4cdd830, > double_val = 3.9821240466935464e-316, string_val = 0x4cdd830, > func_val = 0x4cdd830, file_val = 0x4cdd830, re_val = 0x4cdd830, > table_val = 0x4cdd830, val_list_val = 0x4cdd830, vector_val = 0x4cdd830}, > type = 0x1c30fb0, bound_id = 0x0} > (gdb) print *this->val->string_val > $14 = {static EXPANDED_STRING = 39, static BRO_STRING_LITERAL = 56, > b = 0x4bbbd40 "80/tcp", n = 6, final_NUL = 1, use_free_to_delete = 0} > (gdb) print *this->val->table_val > $16 = { = {_vptr.Dictionary = 0x4bbbd40, tbl = 0x100000006, > num_buckets = 32, num_entries = 0, max_num_entries = 81, > den_thresh = 5.7159126496652157e-317, thresh_entries = 0, tbl2 = 
0x0, > num_buckets2 = 875836160, num_entries2 = 1, max_num_entries2 = 1225167, > den_thresh2 = 1426703154.9832709, thresh_entries2 = 29612816, > tbl_next_ind = 0, order = 0x65746163696669, delete_func = 0x61, > cookies = { = {entry = 0x2377ff0, chunk_size = 92305888, > max_entries = 0, > num_entries = 78707}, }}, } > (gdb) frame 6 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > 564 /root/ane/bro/src/Func.cc: No such file or directory. > in /root/ane/bro/src/Func.cc > (gdb) print *this > $21 = { = { = { = {_vptr.SerialObj = 0xaf1550, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x217e9c0, > notify_plugins = false, ref_cnt = 2, static suppress_errors = 0}, > bodies = std::vector of length 0, capacity 0, scope = 0x0, > kind = Func::BUILTIN_FUNC, type = 0x1cc9fb0, name = > "get_port_transport_proto", unique_id = 677, > static unique_ids = { >> = { > _M_impl = {> = {<__gnu_cxx::new_allocator> = {}, }, _M_start = 0x3125ac0, > _M_finish = 0x31280e8, > _M_end_of_storage = 0x3129ac0}}, }}, > static register_type = {}, tid = {id = 35977, > static counter = 2684785}, > func = 0x75ae6e , > is_pure = 0} > (gdb) print *this->location > $22 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2173970 "/usr/local/bro/share/bro/base/bif/plugins/./Bro_X509.functions.bif.bro", first_line = 69, last_line = 69, first_column = 0, > last_column = 0, delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 35976, > static counter = 2684785}} > (gdb) frame 7 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > 4920 /root/ane/bro/src/Expr.cc: No 
such file or directory. > in /root/ane/bro/src/Expr.cc > (gdb) print *this > $23 = { = { = { = {_vptr.SerialObj = 0xae6b10, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299b00, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = EXPR_CALL, type = 0x1c34890, paren = 0}, > static register_type = {}, tid = {id = 44070, > static counter = 2684785}, func = 0x2299690, args = 0x2299870} > (gdb) > (gdb) print *this->location > $24 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44069, > static counter = 2684785}} > (gdb) > (gdb) frame 8 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > 2669 in /root/ane/bro/src/Expr.cc > (gdb) print *this > $25 = { = { = { = { = { > _vptr.SerialObj = 0xae7bd0, static NEVER = 0, static ALWAYS = 1, > static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > in_ser_cache = false, location = 0x2299c70, notify_plugins = false, > ref_cnt = 1, static suppress_errors = 0}, tag = EXPR_ASSIGN, > type = 0x1c34890, paren = 0}, static register_type = {}, > tid = {id = 44080, static counter = 2684785}, op1 = 0x2299c10, > op2 = 0x2299aa0}, static register_type = {}, tid = { > id = 44081, static counter = 2684785}, is_init = 0, val = 0x0} > (gdb) print *this->location > $26 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static 
time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44082, > static counter = 2684785}} > (gdb) frame 9 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > 369 /root/ane/bro/src/Stmt.cc: No such file or directory. > in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $27 = { = { = { = {_vptr.SerialObj = 0xb029f0, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299d10, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_EXPR, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44085, static counter = 2684785}, e = 0x2299b50} > (gdb) print *this->location > $28 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44086, > static counter = 2684785}} > (gdb) frame 10 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > 484 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $29 = { = { = { = { = { > _vptr.SerialObj = 0xb02930, static NEVER = 0, static ALWAYS = 1, > static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > 
in_ser_cache = false, location = 0x2299e90, notify_plugins = false, > ref_cnt = 1, static suppress_errors = 0}, tag = STMT_IF, > breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44092, static counter = 2684785}, e = 0x2299360}, > static register_type = {}, tid = {id = 44094, > static counter = 2684785}, s1 = 0x2299cc0, s2 = 0x2299d80} > (gdb) print *this->location > $30 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44095, > static counter = 2684785}} > (gdb) frame 11 > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > 373 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $31 = { = { = { = {_vptr.SerialObj = 0xb02930, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299e90, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_IF, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44092, static counter = 2684785}, e = 0x2299360} > (gdb) print *this->location > $32 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, > delete_data = false, 
timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44095, > static counter = 2684785}} > (gdb) > (gdb) frame 12 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > 1764 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $33 = { = { = { = {_vptr.SerialObj = 0xb02110, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2293d60, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_LIST, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 43644, static counter = 2684785}, stmts = { = { > entry = 0x229fd20, chunk_size = 20, max_entries = 20, > num_entries = 15}, }} > (gdb) print *this->location > $34 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 568, last_line = 636, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 43643, > static counter = 2684785}} > .... > (gdb) frame 48 > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > 50 /root/ane/bro/src/Event.h: No such file or directory. 
> in /root/ane/bro/src/Event.h > (gdb) print *this > $35 = { = { = {_vptr.SerialObj = 0xae2fb0, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x0, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > handler = {handler = 0x2ac0870}, args = 0x55665e0, src = 10001, aid = 0, > mgr = 0x1bdbe70, obj = 0x0, next_event = 0x0} > (gdb) frame 47 > #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > 80 /root/ane/bro/src/EventHandler.cc: No such file or directory. > in /root/ane/bro/src/EventHandler.cc > (gdb) print *this > $36 = {name = 0x2ac0c00 "SumStats::cluster_send_result", local = 0x2ac0a30, > type = 0x2ac0600, used = false, enabled = true, error_handler = false, > generate_always = false, receivers = { = {entry = 0x2ac0ba0, > chunk_size = 10, max_entries = 10, num_entries = 0}, }} > ---- > (gdb) bt full > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > No symbol table info available. > #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6 > No symbol table info available. 
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > ap = {{gp_offset = 16, fp_offset = 48, > overflow_arg_area = 0x7fff70b11a50, > reg_save_area = 0x7fff70b11980}} > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\ > \ \v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\0 > v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"... > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, > indent_level = 0, is_short = 1, want_quotes = 0, do_flush = 1, > include_stats = 0, indent_with_spaces = 0} > #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) > at /root/ane/bro/src/Val.h:282 > No locals. 
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > p = 0xebd630 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > plugin_result = 0x0 > result = 0x7fff70b11ec0 > i = 0 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x217e940 > current_call = 0x22a2540 > ret = 0x0 > func_val = 0x217ea50 > v = 0x58f2d50 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > v = 0x2299360 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b11fc0 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2299cc0 > result = 0x7e226e > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x58b1870 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x5862c60 > result = 0x0 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a1620 > current_call = 0x21ec0e0 > ret = 0x0 > func_val = 0x22a1710 > v = 0x4fe5fc0 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12330 > #16 0x00000000007e8379 in 
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 19 12:52:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 14:52:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

[ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20029#comment-20029 ]

Jon Siwek commented on BIT-1324:
--------------------------------

topic/jsiwek/bit-1324

> default_path_func does weird things to underscores
> --------------------------------------------------
>
>                 Key: BIT-1324
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1324
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Justin Azoff
>            Assignee: Jon Siwek
>            Priority: Low
>              Labels: logging
>             Fix For: 2.4
>
>
> The following script creates a
> {noformat}
> foo__b_ar.log
> {noformat}
>
> instead of the expected {noformat}foo_bar{noformat}
> {code}
> module FOO_BAR;
>
> export {
>     redef enum Log::ID += { LOG };
>
>     type Info: record {
>         ts: time &log;
>         msg: string &log;
>     };
> }
>
> event bro_init() {
>     Log::create_stream(LOG, [$columns=Info]);
>     local l = [$ts = network_time(), $msg="hello"];
>     Log::write(LOG, l);
>     print "Logged";
> }
> {code}
> The problem is in script land in default_path_func
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
> outputs
> {code}
> [FOO, _B, AR]
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
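A Python model of the split quoted in BIT-1324, added here as an illustration; it is not code from Bro or from the topic/jsiwek/bit-1324 branch. split_string_n and module_to_path_buggy are reconstructions that reproduce the outputs the report gives (`[FOO, _B, AR]` and `foo__b_ar`), and module_to_path_fixed is one possible correction, not the project's fix.

```python
import re

# Regex quoted in BIT-1324: a non-uppercase character followed by a capital and
# its lower-case tail, intended to find CamelCase word boundaries ("eM" in
# "SomeModule").  It also matches "_B" in "FOO_BAR", because "_" is a
# non-uppercase character, which is the root of the doubled underscore.
CAMEL_BOUNDARY = re.compile(r"[^A-Z][A-Z][a-z]*")


def split_string_n(s, pattern, incl_sep, max_num_sep):
    """Reconstruction (not Bro's code) of split_string_n(): split s at matches
    of pattern, keep each matched separator as its own element when incl_sep
    is True, and stop after max_num_sep separators."""
    parts = []
    pos = 0
    for n, m in enumerate(pattern.finditer(s)):
        if n >= max_num_sep:
            break
        parts.append(s[pos:m.start()])
        if incl_sep:
            parts.append(m.group(0))
        pos = m.end()
    parts.append(s[pos:])
    return parts


def module_to_path_buggy(module_name):
    """Reconstruction of the path derivation the ticket describes.  Odd-indexed
    parts are the kept separators: their first character belongs to the word
    before and the rest starts a new word, so "eModule" becomes "e_Module".
    An underscore already in the name is therefore doubled ("_B" -> "__B")."""
    parts = split_string_n(module_name, CAMEL_BOUNDARY, True, 4)
    out = parts[0]
    for i, part in enumerate(parts[1:], start=1):
        if part == "":
            continue
        if i % 2 == 1:
            out += part[0] + "_" + part[1:]
        else:
            out += "_" + part
    return out.lower()


def module_to_path_fixed(module_name):
    """One possible correction (an illustration, not the change on the
    topic/jsiwek/bit-1324 branch): treat underscores already present in the
    name as word boundaries and only split the remaining chunks at a
    lower-case to upper-case transition."""
    words = []
    for chunk in module_name.split("_"):
        if chunk:
            words.extend(w for w in re.split(r"(?<=[a-z])(?=[A-Z])", chunk) if w)
    return "_".join(words).lower()


if __name__ == "__main__":
    for name in ("FOO_BAR", "SomeModule", "Conn"):
        print(name, split_string_n(name, CAMEL_BOUNDARY, True, 4),
              module_to_path_buggy(name), module_to_path_fixed(name))
```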
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 14:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores

[ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1324:
---------------------------

    Status: Merge Request  (was: Open)

> default_path_func does weird things to underscores
> --------------------------------------------------
>
>                 Key: BIT-1324
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1324
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Justin Azoff
>            Assignee: Jon Siwek
>            Priority: Low
>              Labels: logging
>             Fix For: 2.4

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 15:57:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related

[ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20030#comment-20030 ]

Jon Siwek commented on BIT-1346:
--------------------------------

Looks like the {{p}} field of a {{Notice::Info}} record may be getting corrupt somehow, but the location where that happens seems to be further down in the stack than you examined.  Can you show a bit more?

Here's an example that I think reproduces this:

{code}
redef enum Notice::Type += {
    Test,
};

global crash = "80/tcp";

event bro_init()
    {
    NOTICE([$note=Test, $src=1.2.3.4, $p=lookup_ID("crash"), $msg="test",
            $identifier=cat(1.2.3.4)]);
    }
{code}

The {{lookup_ID}} function may not be the only way to "corrupt" a value with the wrong type, just the first one I thought of.  I didn't see anything that ships w/ Bro that looked very suspicious, there is policy/misc/scan.bro which uses sumstats and sets the {{p}} field when raising a notice, but it should do that in a type safe way.

Do you have any custom scripts which call out to the {{NOTICE}} function and set the {{p}} field?  Or custom scripts using SumStats?
> Val::CONVERTER Fatal Error - Sumstats Related
> ---------------------------------------------
>
>                 Key: BIT-1346
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1346
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Aaron Eppert
>            Priority: Critical
>              Labels: sumstats
>             Fix For: 2.4
>
>
> Bro 2.3-451-debug
> Linux 2.6.32-504.8.1.el6.x86_64
>
> ==== reporter.log
> {"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
>
> ==== stderr.log
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment:
> unlimited
> unlimited
> unlimited
> unlimited
> fatal error in : Val::CONVERTER (string/port) (80/tcp)
>
> ==== stdout.log
> max memory size         (kbytes, -m) unlimited
> data seg size           (kbytes, -d) unlimited
> virtual memory          (kbytes, -v) unlimited
> core file size          (blocks, -c) unlimited
>
> ==== .cmdline
> -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading
>
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=manager
>
> ==== .status
> TERMINATED [atexit]
>
> ==== No prof.log
> ==== No packet_filter.log
> ==== No loaded_scripts.log
>
> #0  0x0000003345c32625 in raise () from /lib64/libc.so.6
> #1  0x0000003345c33e05 in abort () from /lib64/libc.so.6
> #2  0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
>     fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
> #3  0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
>     msg=0xaeaeae "Val::CONVERTER",
t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) > at /root/ane/bro/src/Val.h:282 > #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > #16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > 
flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386 > #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) > at /root/ane/bro/src/Expr.cc:4920 > #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369 > #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764 > #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, > parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386 > #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) > at /root/ane/bro/src/Expr.cc:4920 > #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369 > #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > #35 0x00000000007e8379 in StmtList::Exec 
(this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at 
/root/ane/bro/src/RemoteSerializer.cc:1439 > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > (gdb) frame 2 > #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > 92 /root/ane/bro/src/Reporter.cc: No such file or directory. > in /root/ane/bro/src/Reporter.cc > (gdb) print *this > $11 = {errors = 1, via_events = true, in_error_handler = 0, > info_to_stderr = true, warnings_to_stderr = false, errors_to_stderr = false, > locations = std::list = {[0] = {first = 0xebf480, second = 0x0}}} > (gdb) frame 3 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > 134 /root/ane/bro/src/Obj.cc: No such file or directory. > in /root/ane/bro/src/Obj.cc > (gdb) print *this > $12 = { = {_vptr.SerialObj = 0xb08370, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 34822}, in_ser_cache = false, > location = 0x0, notify_plugins = false, ref_cnt = 5, > static suppress_errors = 0} > (gdb) print *this > $13 = { = { = {_vptr.SerialObj = 0xb08370, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 34822}, in_ser_cache = false, location = 0x0, > notify_plugins = false, ref_cnt = 5, static suppress_errors = 0}, > static register_type = {}, tid = {id = 2684174, > static counter = 2684785}, val = {int_val = 80599088, uint_val = 80599088, > addr_val = 0x4cdd830, subnet_val = 0x4cdd830, > double_val = 3.9821240466935464e-316, string_val = 0x4cdd830, > func_val = 0x4cdd830, file_val = 0x4cdd830, re_val = 0x4cdd830, > table_val = 0x4cdd830, val_list_val = 0x4cdd830, vector_val = 0x4cdd830}, > type = 0x1c30fb0, 
bound_id = 0x0} > (gdb) print *this->val->string_val > $14 = {static EXPANDED_STRING = 39, static BRO_STRING_LITERAL = 56, > b = 0x4bbbd40 "80/tcp", n = 6, final_NUL = 1, use_free_to_delete = 0} > (gdb) print *this->val->table_val > $16 = { = {_vptr.Dictionary = 0x4bbbd40, tbl = 0x100000006, > num_buckets = 32, num_entries = 0, max_num_entries = 81, > den_thresh = 5.7159126496652157e-317, thresh_entries = 0, tbl2 = 0x0, > num_buckets2 = 875836160, num_entries2 = 1, max_num_entries2 = 1225167, > den_thresh2 = 1426703154.9832709, thresh_entries2 = 29612816, > tbl_next_ind = 0, order = 0x65746163696669, delete_func = 0x61, > cookies = { = {entry = 0x2377ff0, chunk_size = 92305888, > max_entries = 0, > num_entries = 78707}, }}, } > (gdb) frame 6 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > 564 /root/ane/bro/src/Func.cc: No such file or directory. > in /root/ane/bro/src/Func.cc > (gdb) print *this > $21 = { = { = { = {_vptr.SerialObj = 0xaf1550, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x217e9c0, > notify_plugins = false, ref_cnt = 2, static suppress_errors = 0}, > bodies = std::vector of length 0, capacity 0, scope = 0x0, > kind = Func::BUILTIN_FUNC, type = 0x1cc9fb0, name = > "get_port_transport_proto", unique_id = 677, > static unique_ids = { >> = { > _M_impl = {> = {<__gnu_cxx::new_allocator> = {}, }, _M_start = 0x3125ac0, > _M_finish = 0x31280e8, > _M_end_of_storage = 0x3129ac0}}, }}, > static register_type = {}, tid = {id = 35977, > static counter = 2684785}, > func = 0x75ae6e , > is_pure = 0} > (gdb) print *this->location > $22 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2173970 
"/usr/local/bro/share/bro/base/bif/plugins/./Bro_X509.functions.bif.bro", first_line = 69, last_line = 69, first_column = 0, > last_column = 0, delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 35976, > static counter = 2684785}} > (gdb) frame 7 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > 4920 /root/ane/bro/src/Expr.cc: No such file or directory. > in /root/ane/bro/src/Expr.cc > (gdb) print *this > $23 = { = { = { = {_vptr.SerialObj = 0xae6b10, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299b00, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = EXPR_CALL, type = 0x1c34890, paren = 0}, > static register_type = {}, tid = {id = 44070, > static counter = 2684785}, func = 0x2299690, args = 0x2299870} > (gdb) > (gdb) print *this->location > $24 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44069, > static counter = 2684785}} > (gdb) > (gdb) frame 8 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > 2669 in /root/ane/bro/src/Expr.cc > (gdb) print *this > $25 = { = { = { = { = { > _vptr.SerialObj = 0xae7bd0, static NEVER = 0, static ALWAYS = 1, > static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > in_ser_cache = false, location = 0x2299c70, notify_plugins = false, > ref_cnt = 1, static suppress_errors = 0}, tag = 
EXPR_ASSIGN, > type = 0x1c34890, paren = 0}, static register_type = {}, > tid = {id = 44080, static counter = 2684785}, op1 = 0x2299c10, > op2 = 0x2299aa0}, static register_type = {}, tid = { > id = 44081, static counter = 2684785}, is_init = 0, val = 0x0} > (gdb) print *this->location > $26 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44082, > static counter = 2684785}} > (gdb) frame 9 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > 369 /root/ane/bro/src/Stmt.cc: No such file or directory. > in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $27 = { = { = { = {_vptr.SerialObj = 0xb029f0, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299d10, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_EXPR, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44085, static counter = 2684785}, e = 0x2299b50} > (gdb) print *this->location > $28 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44086, > static counter = 
2684785}} > (gdb) frame 10 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > 484 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $29 = { = { = { = { = { > _vptr.SerialObj = 0xb02930, static NEVER = 0, static ALWAYS = 1, > static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > in_ser_cache = false, location = 0x2299e90, notify_plugins = false, > ref_cnt = 1, static suppress_errors = 0}, tag = STMT_IF, > breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44092, static counter = 2684785}, e = 0x2299360}, > static register_type = {}, tid = {id = 44094, > static counter = 2684785}, s1 = 0x2299cc0, s2 = 0x2299d80} > (gdb) print *this->location > $30 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44095, > static counter = 2684785}} > (gdb) frame 11 > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > 373 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $31 = { = { = { = {_vptr.SerialObj = 0xb02930, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299e90, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_IF, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44092, static 
counter = 2684785}, e = 0x2299360} > (gdb) print *this->location > $32 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44095, > static counter = 2684785}} > (gdb) > (gdb) frame 12 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > 1764 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $33 = { = { = { = {_vptr.SerialObj = 0xb02110, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2293d60, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_LIST, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 43644, static counter = 2684785}, stmts = { = { > entry = 0x229fd20, chunk_size = 20, max_entries = 20, > num_entries = 15}, }} > (gdb) print *this->location > $34 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 568, last_line = 636, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 43643, > static counter = 2684785}} > .... 
> (gdb) frame 48 > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > 50 /root/ane/bro/src/Event.h: No such file or directory. > in /root/ane/bro/src/Event.h > (gdb) print *this > $35 = { = { = {_vptr.SerialObj = 0xae2fb0, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x0, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > handler = {handler = 0x2ac0870}, args = 0x55665e0, src = 10001, aid = 0, > mgr = 0x1bdbe70, obj = 0x0, next_event = 0x0} > (gdb) frame 47 > #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > 80 /root/ane/bro/src/EventHandler.cc: No such file or directory. > in /root/ane/bro/src/EventHandler.cc > (gdb) print *this > $36 = {name = 0x2ac0c00 "SumStats::cluster_send_result", local = 0x2ac0a30, > type = 0x2ac0600, used = false, enabled = true, error_handler = false, > generate_always = false, receivers = { = {entry = 0x2ac0ba0, > chunk_size = 10, max_entries = 10, num_entries = 0}, }} > ---- > (gdb) bt full > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > No symbol table info available. > #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6 > No symbol table info available. 
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > ap = {{gp_offset = 16, fp_offset = 48, > overflow_arg_area = 0x7fff70b11a50, > reg_save_area = 0x7fff70b11980}} > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\ > \ \v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\0 > v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"... > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, > indent_level = 0, is_short = 1, want_quotes = 0, do_flush = 1, > include_stats = 0, indent_with_spaces = 0} > #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) > at /root/ane/bro/src/Val.h:282 > No locals. 
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > p = 0xebd630 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > plugin_result = 0x0 > result = 0x7fff70b11ec0 > i = 0 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x217e940 > current_call = 0x22a2540 > ret = 0x0 > func_val = 0x217ea50 > v = 0x58f2d50 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > v = 0x2299360 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b11fc0 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2299cc0 > result = 0x7e226e > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x58b1870 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x5862c60 > result = 0x0 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a1620 > current_call = 0x21ec0e0 > ret = 0x0 > func_val = 0x22a1710 > v = 0x4fe5fc0 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12330 > #16 0x00000000007e8379 in 
StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x4d629b0 > i = 0 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x55fc1e0 > result = 0x0 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a2cc0 > current_call = 0x34236a0 > ret = 0x0 > func_val = 0x22a2db0 > v = 0x5469570 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12600 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x21e38e0 > result = 0x7e226e > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x5382180 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x520ebc0 > result = 0x0 > #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x21ed440 > current_call = 0x2a39e10 > ret = 0x0 > func_val = 0x21e3a50 > v = 0x509ca00 > #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12970 > #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, 
f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, > parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 2 > flow = FLOW_NEXT > f = 0x53e1d50 > result = 0x0 > #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x3423a10 > current_call = 0x2b62770 > ret = 0x0 > func_val = 0x3423b00 > v = 0x571e9e0 > #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12c40 > #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 3 > flow = FLOW_NEXT > f = 0x4e16b50 > result = 0x0 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2a3a050 > current_call = 0x2bcf960 > ret = 0x0 > func_val = 0x2a3a290 > v = 0x4ff3bf0 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12f60 > #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at 
/root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2b606d0 > result = 0x2bcf960 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x2a33c00 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 4 > flow = FLOW_NEXT > f = 0x5682490 > result = 0x0 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2b08750 > current_call = 0x0 > ret = 0x0 > func_val = 0x2bbdab0 > v = 0x4cd7020 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b13320 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2bcf200 > result = 0x7e226e > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x4e12040 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 5 > flow = FLOW_NEXT > f = 0x51654a0 > result = 0x0 > #47 
0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > No locals. > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > No locals. > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > No locals. > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at /root/ane/bro/src/RemoteSerializer.cc:1439 > be = 0x52f6520 > event = 0x4d194d0 > old_current_peer = 0x5affb90 > i = 2 > __PRETTY_FUNCTION__ = "virtual void RemoteSerializer::Process()" > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > ts = 1426699810 > src = 0x1be4b28 > loop_counter = 0 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > time_net_start = 1426699494.8306091 > mem_net_start_total = 0 > mem_net_start_malloced = 28969936 > time_net_done = 5.5884358079878406e-317 > mem_net_done_total = 32767 > mem_net_done_malloced = 1890663744 > rule_files = { = {entry = 0x3b21000, chunk_size = 20, > max_entries = 20, num_entries = 16}, } > id_name = 0x0 > seed_load_file = 0x0 > debug_streams = 0x0 > bare_mode = 0 > opts = "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:z:CFGLNOPSWabdghvZQ", '\000' > seed = 0 > r = 0 > missing_plugin = false > bro_init = {handler = 0x1c02d90} > long_optsind = 0 > s = 0x0 > bst_file = 0x0 > print_plugins = 0 > oldhandler = 0x1 > p = 0x0 > alive_handlers = 0x3bda980 > user_pcap_filter = 0x0 > op = -1 > tmp = 0x0 > dead_handlers = 0x3bda980 > time_start = 1426699493.1773551 > interfaces = { = {entry = 0x1ba5350, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > read_files = { = {entry = 0x1ba53b0, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > events_file = 0x0 > to_xml = 0 > RE_level = 4 > dns_type = DNS_DEFAULT > broxygen_config = "" > dump_cfg = 0 > do_watchdog = 0 > 
rule_debug = 0 > long_opts = {{name = 0xadae58 "parse-only", has_arg = 0, flag = 0x0, > val = 97}, {name = 0xadae63 "bare-mode", has_arg = 0, flag = 0x0, > val = 98}, {name = 0xadae6d "debug-policy", has_arg = 0, > flag = 0x0, val = 100}, {name = 0xadae7a "dump-config", > has_arg = 0, flag = 0x0, val = 103}, {name = 0xadae86 "exec", > has_arg = 1, flag = 0x0, val = 101}, {name = 0xadae8b "filter", > has_arg = 1, flag = 0x0, val = 102}, {name = 0xadae92 "help", > has_arg = 0, flag = 0x0, val = 104}, {name = 0xadae97 "iface", > has_arg = 1, flag = 0x0, val = 105}, {name = 0xadae9d "broxygen", > has_arg = 1, flag = 0x0, val = 88}, {name = 0xadaea6 "prefix", > has_arg = 1, flag = 0x0, val = 112}, {name = 0xadaead "readfile", > has_arg = 1, flag = 0x0, val = 114}, {name = 0xadaeb6 "flowfile", > has_arg = 1, flag = 0x0, val = 121}, {name = 0xadaebf "netflow", > has_arg = 1, flag = 0x0, val = 89}, {name = 0xadaec7 "rulefile", > has_arg = 1, flag = 0x0, val = 115}, {name = 0xadaed0 "tracefile", > has_arg = 1, flag = 0x0, val = 116}, {name = 0xadaeda "writefile", > has_arg = 1, flag = 0x0, val = 119}, {name = 0xadaee4 "version", > has_arg = 0, flag = 0x0, val = 118}, { > name = 0xadaeec "print-state", has_arg = 1, flag = 0x0, > val = 120}, {name = 0xadaef8 "analyze", has_arg = 1, flag = 0x0, > val = 122}, {name = 0xadaf00 "no-checksums", has_arg = 0, > flag = 0x0, val = 67}, {name = 0xadaf0d "dfa-cache", has_arg = 1, > flag = 0x0, val = 68}, {name = 0xadaf17 "force-dns", has_arg = 0, > flag = 0x0, val = 70}, {name = 0xadaf21 "load-seeds", has_arg = 1, > flag = 0x0, val = 71}, {name = 0xadaf2c "save-seeds", has_arg = 1, > flag = 0x0, val = 72}, {name = 0xadaf37 "set-seed", has_arg = 1, > flag = 0x0, val = 74}, {name = 0xadaf40 "md5-hashkey", > has_arg = 1, flag = 0x0, val = 75}, { > name = 0xadaf4c "rule-benchmark", has_arg = 0, flag = 0x0, > val = 76}, {name = 0xadaf5b "print-plugins", has_arg = 0, > flag = 0x0, val = 78}, {name = 0xadaf69 "optimize", has_arg = 0, > flag = 
0x0, val = 79}, {name = 0xadaf72 "prime-dns", has_arg = 0, > flag = 0x0, val = 80}, {name = 0xadaf7c "replay", has_arg = 1, > flag = 0x0, val = 82}, {name = 0xadaf83 "debug-rules", > has_arg = 0, flag = 0x0, val = 83}, {name = 0xadaf8f "re-level", > has_arg = 1, flag = 0x0, val = 82}, {name = 0xadaf98 "watchdog", > has_arg = 0, flag = 0x0, val = 87}, {name = 0xadafa1 "print-id", > has_arg = 1, flag = 0x0, val = 73}, { > name = 0xadafaa "status-file", has_arg = 1, flag = 0x0, val = 85}, > {name = 0xadafb6 "debug", has_arg = 1, flag = 0x0, val = 66}, { > name = 0xadafbc "pseudo-realtime", has_arg = 2, flag = 0x0, > val = 69}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}} > override_ignore_checksums = 0 > time_bro = 0 > seed_save_file = 0x0 > parse_only = 0 > script_rule_files = 0x3b20d70 ".state" > (gdb) frame 0 > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > (gdb) frame 3 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > 134 /root/ane/bro/src/Obj.cc: No such file or directory. 
> in /root/ane/bro/src/Obj.cc > (gdb) info local > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\v\000\00 > 0 00\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\0 > 0\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"... > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, indent_level = 0, > is_short = 1, want_quotes = 0, do_flush = 1, include_stats = 0, > indent_with_spaces = 0} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Thu Mar 19 14:15:00 2015 
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 19 Mar 2015 16:15:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-169) netstats fails
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20031#comment-20031 ]

grigorescu commented on BIT-169:
--------------------------------

I think we should close this, due to lack of response.

Additionally, if broctl is seeing a node of type "standalone," the implication to me is that the cluster wasn't set up properly.

> netstats fails
> --------------
>
>                 Key: BIT-169
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-169
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 1.5.2
>            Reporter: mccreary
>
> Netstats doesn't work in r6918 in cluster mode
>
> >Welcome to BroControl 0.2 [r6918]
> >
> >Type "help" for help.
> >
> >[BroControl] > netstats
> >unknown node 'standalone'

From jira at bro-tracker.atlassian.net Thu Mar 19 14:17:01 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 19 Mar 2015 16:17:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-169) netstats fails
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-169:
------------------------------

    Component/s: BroControl (was: Bro)

> netstats fails
> --------------
>
>                 Key: BIT-169
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-169
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>    Affects Versions: 1.5.2
>            Reporter: mccreary
>
> Netstats doesn't work in r6918 in cluster mode
>
> >Welcome to BroControl 0.2 [r6918]
> >
> >Type "help" for help.
> >
> >[BroControl] > netstats
> >unknown node 'standalone'

From jira at bro-tracker.atlassian.net Thu Mar 19 14:17:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 16:17:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-169) netstats fails
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-169:
--------------------------

    Resolution: Feedback Missing
        Status: Closed (was: Open)

> netstats fails
> --------------
>
>                 Key: BIT-169
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-169
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>    Affects Versions: 1.5.2
>            Reporter: mccreary
>
> Netstats doesn't work in r6918 in cluster mode
>
> >Welcome to BroControl 0.2 [r6918]
> >
> >Type "help" for help.
> >
> >[BroControl] > netstats
> >unknown node 'standalone'

From jira at bro-tracker.atlassian.net Thu Mar 19 14:27:01 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 19 Mar 2015 16:27:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-233) Python error when running `broctl cron`
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20032#comment-20032 ]

grigorescu commented on BIT-233:
--------------------------------

I believe that we can close this. The 4th field of df is available bytes, and shouldn't have any percent symbols in it. The percent available is the 5th field. I tested Gentoo, Ubuntu, OS X and FreeBSD, and I was unable to find a df implementation that doesn't follow this convention.

> Python error when running `broctl cron`
> ---------------------------------------
>
>                 Key: BIT-233
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-233
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 1.5.1
>            Reporter: jones
>
> I have a fresh installation of Bro 1.5.1, and I am encountering an error when running 'broctl cron'. It appears that when broctl attempts to do a df, the % symbol is not stripped before python tries to convert it to a float. This throws a python error, as you can see below.
>
> I made the error disappear by changing {{avail=float(df[3])}} to {{avail=float(df[3].strip("%"))}}
>
> Thanks,
> Nick Jones
>
> {noformat}
> # broctl cron
> warning: removing stale lock
> Traceback (most recent call last):
>   File "/usr/local/bro/bin/broctl", line 726, in ?
>     loop.onecmd(line)
>   File "/usr/lib64/python2.4/cmd.py", line 219, in onecmd
>     return func(arg)
>   File "/usr/local/bro/bin/broctl", line 341, in do_cron
>     cron.doCron()
>   File "/usr/local/bro/lib/broctl/BroControl/cron.py", line 41, in doCron
>     _checkDiskSpace()
>   File "/usr/local/bro/lib/broctl/BroControl/cron.py", line 150, in _checkDiskSpace
>     avail = float(df[3])
> ValueError: invalid literal for float(): 2%
> {noformat}

From jira at bro-tracker.atlassian.net Thu Mar 19 14:34:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 16:34:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-233) Python error when running `broctl cron`
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-233:
--------------------------

    Resolution: Cannot Reproduce
        Status: Closed (was: Open)

> Python error when running `broctl cron`
> ---------------------------------------
>
>                 Key: BIT-233
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-233
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 1.5.1
>            Reporter: jones
>
> I have a fresh installation of Bro 1.5.1, and I am encountering an error when running 'broctl cron'. It appears that when broctl attempts to do a df, the % symbol is not stripped before python tries to convert it to a float. This throws a python error, as you can see below.
>
> I made the error disappear by changing {{avail=float(df[3])}} to {{avail=float(df[3].strip("%"))}}
>
> Thanks,
> Nick Jones
>
> {noformat}
> # broctl cron
> warning: removing stale lock
> Traceback (most recent call last):
>   File "/usr/local/bro/bin/broctl", line 726, in ?
>     loop.onecmd(line)
>   File "/usr/lib64/python2.4/cmd.py", line 219, in onecmd
>     return func(arg)
>   File "/usr/local/bro/bin/broctl", line 341, in do_cron
>     cron.doCron()
>   File "/usr/local/bro/lib/broctl/BroControl/cron.py", line 41, in doCron
>     _checkDiskSpace()
>   File "/usr/local/bro/lib/broctl/BroControl/cron.py", line 150, in _checkDiskSpace
>     avail = float(df[3])
> ValueError: invalid literal for float(): 2%
> {noformat}

From jira at bro-tracker.atlassian.net Thu Mar 19 14:35:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 16:35:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-233) Python error when running `broctl cron`
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-233:
--------------------------

    Component/s: BroControl (was: Bro)

> Python error when running `broctl cron`
> ---------------------------------------
>
>                 Key: BIT-233
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-233
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>    Affects Versions: 1.5.1
>            Reporter: jones
>
> I have a fresh installation of Bro 1.5.1, and I am encountering an error when running 'broctl cron'. It appears that when broctl attempts to do a df, the % symbol is not stripped before python tries to convert it to a float. This throws a python error, as you can see below.
>
> I made the error disappear by changing {{avail=float(df[3])}} to {{avail=float(df[3].strip("%"))}}
>
> Thanks,
> Nick Jones
>
> {noformat}
> # broctl cron
> warning: removing stale lock
> Traceback (most recent call last):
>   File "/usr/local/bro/bin/broctl", line 726, in ?
>     loop.onecmd(line)
>   File "/usr/lib64/python2.4/cmd.py", line 219, in onecmd
>     return func(arg)
>   File "/usr/local/bro/bin/broctl", line 341, in do_cron
>     cron.doCron()
>   File "/usr/local/bro/lib/broctl/BroControl/cron.py", line 41, in doCron
>     _checkDiskSpace()
>   File "/usr/local/bro/lib/broctl/BroControl/cron.py", line 150, in _checkDiskSpace
>     avail = float(df[3])
> ValueError: invalid literal for float(): 2%
> {noformat}

From jira at bro-tracker.atlassian.net Thu Mar 19 14:41:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 19 Mar 2015 16:41:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-327) Binding attributes to values/variables
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20033#comment-20033 ]

grigorescu commented on BIT-327:
--------------------------------

The discussion in BIT-327 needs to be resolved before topic/jsiwek/attr-propogation can be merged, which has at least partial fixes for all 5 tickets.

> Binding attributes to values/variables
> --------------------------------------
>
>                 Key: BIT-327
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-327
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Robin Sommer
>             Fix For: 2.5
>
>
> From Vern:
>
> In abstract terms, we need to marry two notions: per-variable
> attributes (those introduced when defining the variable) and
> per-value attributes (those introduced when creating a value).
> These both exist under-the-hood, but the rules for propagating
> them are ad hoc.
>
> I'm attaching the follow-up email thread with further thoughts on
> streamlining this.
>
> Robin
>
> [^"None"]
>
> Did we ever reach resolution regarding the appended thread (from, um,
> a year ago!), or at least put something in the Tracker so we don't lose
> sight of it?
>
> Vern
>
> [^"None-1"]
>
> On Tue, Nov 03, 2009 at 17:25 -0800, you wrote:
> > In abstract terms, we need to marry two notions: per-variable attributes
> > (those introduced when defining the variable) and per-value attributes
> > (those introduced when creating a value). These both exist under-the-hood,
> > but the rules for propagating them are ad hoc.
>
> This is something I've wondered about a few times already, what the
> right thing to do is. The keyword at the moment is indeed "ad-hoc":
> I remember that a number of times I've been running into problems
> with propagating (or not propagating) attributes, and while I was
> always able to fix the immediate problem in some way, we don't have
> a clear system at the moment when that happens and when not.
>
> That said, I'm not really sure what this should ideally look like.
> Intuitively, I'd actually say attributes belong to values, not
> variables, because transfer-on-assignment can lead to subtle effects
> (values are passed around, and what if the receiving function
> happens to assign the value to the wrong variable? Also what if you
> assign a value with attribute X to a variable without X; shouldn't
> the value then be *deleted* for consistency reasons?).
>
> If we accept for a moment that attributes belong only to values,
> then we can think about how to set them. A global definition such as
>
>     const log_file = open_log_file("foo") &rotate_interval
>
> can be interpreted as assigning the attribute to the value returned
> from the function (more generally to whatever the assigned
> expression yields).
>
> We can use the "add foo &raw_output" syntax you suggested for adding
> attributes to the value of foo dynamically.
>
> A declaration such as
>
>     const foo = F &redef;
>
> can be interpreted as "we can rebind foo if its current value has
> the &redef attribute".
>
> I haven't thought this through actually but I guess my question is
> whether we need per-variable attributes at all?
>
> Robin
>
> [^"None-2"]
>
> On Nov 4, 2009, at 7:54 PM, Robin Sommer wrote:
> > That said, I'm not really sure what this should ideally look like.
> > Intuitively, I'd actually say attributes belong to values, not
> > variables, because transfer-on-assignment can lead to subtle effects
> > (values are passed around, and what if the receiving function
> > happens to assign the value to the wrong variable? Also what if you
> > assign a value with attribute X to a variable without X; shouldn't
> > the value then be *deleted* for consistency reasons?).
>
> Attributes being attached to values really seems to make sense.
>
> > If we accept for a moment that attributes belong only to values,
> > then we can think about how to set them. A global definition such as
> >
> >     const log_file = open_log_file("foo") &rotate_interval
>
> It works in this case, but this has typically been where trouble was encountered. What about cases where there isn't a value assigned yet? Something like...
>
>     const bad_addrs_with_description: table[addr] of string &redef &write_expire=10mins;
>
> There isn't a value yet, but it has an attribute applied to it. Would that style still be supported? It would seem to conflict with having only value attributes.
>
> Even for my database-backed variable stuff I'm working on, it created a stumbling block. What I'm doing internally is creating a copy of the value including attributes to a separate internal value when a query is being run. That value is then filled from the database and the script level variable is rebound to my newly filled internal value and the old value is deleted. I think that would be the right way to do it in this case even if only value attributes exist because it's an internal detail and the new value is being created internally, but it's certainly confusing sometimes.
>
>   .Seth
>
> [^"None-3"]
>
> On Wed, Nov 04, 2009 at 20:26 -0500, you wrote:
> > const bad_addrs_with_description: table[addr] of string &redef
> > &write_expire=10mins;
> >
> > There isn't a value yet, but it has an attribute applied to it.
>
> Actually there is: it's assigned an empty table. So, yes that would
> still work.
>
> What would be different however is a later assignment (redef for
> const [1]), which would ignore the &write_expire of the original
> definition and instead use the attributes from the assigned value.
>
> Robin
>
> [1] A "=" redef, not a "+=" redef which works on the original value.
>
> [^"None-4"]
>
> On Nov 10, 2009, at 12:32 AM, Robin Sommer wrote:
> > What would be different however is a later assignment (redef for
> > const [1]), which would ignore the &write_expire of the original
> > definition and instead use the attributes from the assigned value.
> >
> > [1] A "=" redef, not a "+=" redef which works on the original value.
>
> Ah, ok. This is all coming together for me now. :)
>
> Another question I have is if the change was made to allow attribute additions and deletions at runtime, does it sort of violate the concept of const? const seems to tie the value and variable together and make them unchangeable at runtime, but it's a little confusing conceptually if you're able to still change the attributes of a const at runtime.
>
> Am I thinking about that right?
>
>   .Seth
>
> [^"None-5"]
>
> On Fri, Nov 13, 2009 at 13:24 -0500, you wrote:
> > Another question I have is if the change was made to allow attribute
> > additions and deletions at runtime, does it sort of violate the concept
> > of const?
>
> That's a good point, yes. Perhaps "const foo = xxx" should actually
> mean that the value xxx gets an (internal) attribute &const so that
> it's not changeable? And then assigning to a global with a current
> value that has the &const attribute would be prohibited as well.
>
> Does that make sense?
>
> Robin

From jira at bro-tracker.atlassian.net Thu Mar 19 14:47:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 19 Mar 2015 16:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-258) Removed duplicate login_non_failure_msgs from policy/login.bro
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

grigorescu updated BIT-258:
---------------------------

    Resolution: No longer applies
        Status: Closed  (was: Open)

policy/login.bro is no longer included with Bro.

> Removed duplicate login_non_failure_msgs from policy/login.bro
> --------------------------------------------------------------
>
>                 Key: BIT-258
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-258
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 1.5.2
>            Reporter: brosenberg
>         Attachments: login.bro.patch
>
>
> Removed duplicate login_non_failure_msgs from policy/login.bro. The same block was listed twice, one with &redef and the other without. Seemed superfluous.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 19 14:51:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 19 Mar 2015 16:51:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-329) Optimizing detect-protocols-http.bro
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

grigorescu updated BIT-329:
---------------------------

    Resolution: No longer applies
        Status: Closed  (was: Open)

This script no longer ships with Bro.

> Optimizing detect-protocols-http.bro
> ------------------------------------
>
>                 Key: BIT-329
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-329
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>             Fix For: 2.5
>
>
> This script does a for loop over a 7 element table for every http_header and http_request event. In my opinion, I'd say that the benefit does not outweigh the cost and it should be removed from the default local.bro scripts.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 19 14:57:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 19 Mar 2015 16:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-529) Support for DLT IEEE802_11_RADIO linktype
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-529?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20037#comment-20037 ]

grigorescu commented on BIT-529:
--------------------------------

Seth, you want to take this one? Since you have topic/seth/radiotap?

> Support for DLT IEEE802_11_RADIO linktype
> -----------------------------------------
>
>                 Key: BIT-529
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-529
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: gregor
>            Priority: Low
>
> {noformat}
> #!rst
> Add support for DLT IEEE802_11_RADIO to Bro. It appears this linktype adds a bunch of info from the WLAN radio in front of the actual ethernet header. Unfortunately, it appears to have variable length headers, so adding support to Bro is not trivial.
>
> Many (all?) wlan interfaces can create pcap captures with this DLT. E.g., one can use
>
> * ``tcpdump -I ....`` or
> * ``tcpdump -y IEEE802_11_RADIO`` (depending on OS and tcpdump version used)
>
> On my Mac OS ``tcpdump -I`` works.
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 19 15:02:00 2015
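The variable-length header gregor describes is the radiotap header: a fixed 8-byte prefix whose it_len field declares the total length, plus a chain of presence bitmaps that continues while bit 31 is set. The C example below is an added illustration, not Bro's or the topic branch's code; it locates the 802.11 frame behind the header and rejects headers whose declared length or bitmap chain runs past the captured bytes, which is the check a dissector needs before trusting it_len. Both packets are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Radiotap header layout (radiotap.org), multi-byte fields little-endian:
 *   u8  it_version   always 0
 *   u8  it_pad
 *   u16 it_len       total header length, bitmaps and fields included
 *   u32 it_present   field bitmap; bit 31 set = another bitmap word follows
 * The variable part (TSFT, flags, rate, channel, ...) sits between the last
 * bitmap word and it_len; the 802.11 MAC frame starts at offset it_len. */
#define RT_MIN_LEN 8u
#define RT_EXT_BIT (1u << 31)

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the byte offset of the 802.11 frame inside pkt, or -1 when the
 * radiotap header is malformed or does not fit in the caplen bytes captured.
 * Every length used to index pkt is checked against caplen first. */
int radiotap_payload_offset(const uint8_t *pkt, size_t caplen)
{
    if (caplen < RT_MIN_LEN || pkt[0] != 0)
        return -1;                  /* truncated, or unknown version */

    uint16_t it_len = rd_le16(pkt + 2);
    if (it_len < RT_MIN_LEN || it_len > caplen)
        return -1;                  /* header claims more bytes than exist */

    /* Walk the chain of it_present words; each must lie inside it_len. */
    size_t off = 4;
    for (;;) {
        if (off + 4 > it_len)
            return -1;              /* bitmap chain runs past the header */
        uint32_t present = rd_le32(pkt + off);
        off += 4;
        if (!(present & RT_EXT_BIT))
            break;
    }
    return (int)it_len;
}

/* Frame-control subtype of the 802.11 frame that follows the radiotap
 * header (8 = beacon for management frames); -1 if it was not captured. */
int wlan_frame_subtype(const uint8_t *pkt, size_t caplen)
{
    int off = radiotap_payload_offset(pkt, caplen);
    if (off < 0 || (size_t)off + 2 > caplen)
        return -1;                  /* no frame control field captured */
    return (pkt[off] & 0xf0) >> 4;
}

/* Constructed sample: 15-byte radiotap header (flags, rate, channel and
 * dBm antenna signal present) followed by the start of a beacon frame. */
const uint8_t sample_pkt[] = {
    0x00, 0x00, 0x0f, 0x00,         /* version 0, pad, it_len = 15 */
    0x2e, 0x00, 0x00, 0x00,         /* present: bits 1,2,3,5; no extension */
    0x10, 0x02,                     /* flags (FCS at end), rate 1 Mb/s */
    0x6c, 0x09, 0xa0, 0x00,         /* channel 2412 MHz, channel flags */
    0xd0,                           /* antenna signal -48 dBm */
    0x80, 0x00, 0x00, 0x00,         /* 802.11 frame control: beacon */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};

/* Constructed malformed sample: it_len = 8, but the only bitmap word sets
 * the extension bit, so the next bitmap would lie outside the header. */
const uint8_t bad_ext_pkt[] = {
    0x00, 0x00, 0x08, 0x00,
    0x00, 0x00, 0x00, 0x80
};

int main(void)
{
    printf("802.11 frame at offset %d, subtype %d\n",
           radiotap_payload_offset(sample_pkt, sizeof sample_pkt),
           wlan_frame_subtype(sample_pkt, sizeof sample_pkt));
    printf("malformed header -> %d\n",
           radiotap_payload_offset(bad_ext_pkt, sizeof bad_ext_pkt));
    return 0;
}
```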
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 19 Mar 2015 17:02:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1229) loading a non-existent enum from an input file terminates bro
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1229:
-------------------------------

    Resolution: Duplicate
        Status: Closed  (was: Reopened)

Will be handled together with BIT-1199 - closing this one since the two bug descriptions are basically the same.

> loading a non-existent enum from an input file terminates bro
> -------------------------------------------------------------
>
>                 Key: BIT-1229
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1229
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Assignee: Johanna Amann
>             Fix For: 2.4
>
>         Attachments: ignored_notices.csv, ignore-notices.bro
>
>
> If you have an input file with an enum in it and it does not exist, bro terminates:
>
>     internal error: Value not found in enum mappimg. Module: NoSuch, var: Notice, var size: 6

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 19 15:02:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Thu, 19 Mar 2015 17:02:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20038#comment-20038 ]

Aaron Eppert commented on BIT-1346:
-----------------------------------

Per discussion on the mailing list, we implemented the proposed changes in BITS-1339 to our own local repo:

{noformat}
NOTICE([$note=Address_Scan,
        $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
        $sub=side,
        $msg=message,
        $identifier=cat(key$host)]);
}]);
{noformat}

> Val::CONVERTER Fatal Error - Sumstats Related
> ---------------------------------------------
>
>                 Key: BIT-1346
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1346
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Aaron Eppert
>            Priority: Critical
>              Labels: sumstats
>             Fix For: 2.4
>
>
> Bro 2.3-451-debug
> Linux 2.6.32-504.8.1.el6.x86_64
>
> ==== reporter.log
> {"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
>
> ==== stderr.log
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment:
> unlimited
> unlimited
> unlimited
> unlimited
> fatal error in : Val::CONVERTER (string/port) (80/tcp)
>
> ==== stdout.log
> max memory size         (kbytes, -m) unlimited
> data seg size           (kbytes, -d) unlimited
> virtual memory          (kbytes, -v) unlimited
> core file size          (blocks, -c) unlimited
>
> ==== .cmdline
> -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading
>
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=manager
>
> ==== .status
> TERMINATED [atexit]
>
> ==== No prof.log
> ==== No packet_filter.log
> ==== No loaded_scripts.log
StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x4d629b0 > i = 0 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x55fc1e0 > result = 0x0 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a2cc0 > current_call = 0x34236a0 > ret = 0x0 > func_val = 0x22a2db0 > v = 0x5469570 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12600 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x21e38e0 > result = 0x7e226e > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x5382180 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x520ebc0 > result = 0x0 > #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x21ed440 > current_call = 0x2a39e10 > ret = 0x0 > func_val = 0x21e3a50 > v = 0x509ca00 > #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12970 > #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, 
f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, > parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 2 > flow = FLOW_NEXT > f = 0x53e1d50 > result = 0x0 > #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x3423a10 > current_call = 0x2b62770 > ret = 0x0 > func_val = 0x3423b00 > v = 0x571e9e0 > #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12c40 > #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 3 > flow = FLOW_NEXT > f = 0x4e16b50 > result = 0x0 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2a3a050 > current_call = 0x2bcf960 > ret = 0x0 > func_val = 0x2a3a290 > v = 0x4ff3bf0 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12f60 > #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at 
/root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2b606d0 > result = 0x2bcf960 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x2a33c00 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 4 > flow = FLOW_NEXT > f = 0x5682490 > result = 0x0 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2b08750 > current_call = 0x0 > ret = 0x0 > func_val = 0x2bbdab0 > v = 0x4cd7020 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b13320 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2bcf200 > result = 0x7e226e > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x4e12040 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 5 > flow = FLOW_NEXT > f = 0x51654a0 > result = 0x0 > #47 
0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > No locals. > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > No locals. > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > No locals. > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at /root/ane/bro/src/RemoteSerializer.cc:1439 > be = 0x52f6520 > event = 0x4d194d0 > old_current_peer = 0x5affb90 > i = 2 > __PRETTY_FUNCTION__ = "virtual void RemoteSerializer::Process()" > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > ts = 1426699810 > src = 0x1be4b28 > loop_counter = 0 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > time_net_start = 1426699494.8306091 > mem_net_start_total = 0 > mem_net_start_malloced = 28969936 > time_net_done = 5.5884358079878406e-317 > mem_net_done_total = 32767 > mem_net_done_malloced = 1890663744 > rule_files = { = {entry = 0x3b21000, chunk_size = 20, > max_entries = 20, num_entries = 16}, } > id_name = 0x0 > seed_load_file = 0x0 > debug_streams = 0x0 > bare_mode = 0 > opts = "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:z:CFGLNOPSWabdghvZQ", '\000' > seed = 0 > r = 0 > missing_plugin = false > bro_init = {handler = 0x1c02d90} > long_optsind = 0 > s = 0x0 > bst_file = 0x0 > print_plugins = 0 > oldhandler = 0x1 > p = 0x0 > alive_handlers = 0x3bda980 > user_pcap_filter = 0x0 > op = -1 > tmp = 0x0 > dead_handlers = 0x3bda980 > time_start = 1426699493.1773551 > interfaces = { = {entry = 0x1ba5350, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > read_files = { = {entry = 0x1ba53b0, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > events_file = 0x0 > to_xml = 0 > RE_level = 4 > dns_type = DNS_DEFAULT > broxygen_config = "" > dump_cfg = 0 > do_watchdog = 0 > 
rule_debug = 0 > long_opts = {{name = 0xadae58 "parse-only", has_arg = 0, flag = 0x0, > val = 97}, {name = 0xadae63 "bare-mode", has_arg = 0, flag = 0x0, > val = 98}, {name = 0xadae6d "debug-policy", has_arg = 0, > flag = 0x0, val = 100}, {name = 0xadae7a "dump-config", > has_arg = 0, flag = 0x0, val = 103}, {name = 0xadae86 "exec", > has_arg = 1, flag = 0x0, val = 101}, {name = 0xadae8b "filter", > has_arg = 1, flag = 0x0, val = 102}, {name = 0xadae92 "help", > has_arg = 0, flag = 0x0, val = 104}, {name = 0xadae97 "iface", > has_arg = 1, flag = 0x0, val = 105}, {name = 0xadae9d "broxygen", > has_arg = 1, flag = 0x0, val = 88}, {name = 0xadaea6 "prefix", > has_arg = 1, flag = 0x0, val = 112}, {name = 0xadaead "readfile", > has_arg = 1, flag = 0x0, val = 114}, {name = 0xadaeb6 "flowfile", > has_arg = 1, flag = 0x0, val = 121}, {name = 0xadaebf "netflow", > has_arg = 1, flag = 0x0, val = 89}, {name = 0xadaec7 "rulefile", > has_arg = 1, flag = 0x0, val = 115}, {name = 0xadaed0 "tracefile", > has_arg = 1, flag = 0x0, val = 116}, {name = 0xadaeda "writefile", > has_arg = 1, flag = 0x0, val = 119}, {name = 0xadaee4 "version", > has_arg = 0, flag = 0x0, val = 118}, { > name = 0xadaeec "print-state", has_arg = 1, flag = 0x0, > val = 120}, {name = 0xadaef8 "analyze", has_arg = 1, flag = 0x0, > val = 122}, {name = 0xadaf00 "no-checksums", has_arg = 0, > flag = 0x0, val = 67}, {name = 0xadaf0d "dfa-cache", has_arg = 1, > flag = 0x0, val = 68}, {name = 0xadaf17 "force-dns", has_arg = 0, > flag = 0x0, val = 70}, {name = 0xadaf21 "load-seeds", has_arg = 1, > flag = 0x0, val = 71}, {name = 0xadaf2c "save-seeds", has_arg = 1, > flag = 0x0, val = 72}, {name = 0xadaf37 "set-seed", has_arg = 1, > flag = 0x0, val = 74}, {name = 0xadaf40 "md5-hashkey", > has_arg = 1, flag = 0x0, val = 75}, { > name = 0xadaf4c "rule-benchmark", has_arg = 0, flag = 0x0, > val = 76}, {name = 0xadaf5b "print-plugins", has_arg = 0, > flag = 0x0, val = 78}, {name = 0xadaf69 "optimize", has_arg = 0, > flag = 
0x0, val = 79}, {name = 0xadaf72 "prime-dns", has_arg = 0, > flag = 0x0, val = 80}, {name = 0xadaf7c "replay", has_arg = 1, > flag = 0x0, val = 82}, {name = 0xadaf83 "debug-rules", > has_arg = 0, flag = 0x0, val = 83}, {name = 0xadaf8f "re-level", > has_arg = 1, flag = 0x0, val = 82}, {name = 0xadaf98 "watchdog", > has_arg = 0, flag = 0x0, val = 87}, {name = 0xadafa1 "print-id", > has_arg = 1, flag = 0x0, val = 73}, { > name = 0xadafaa "status-file", has_arg = 1, flag = 0x0, val = 85}, > {name = 0xadafb6 "debug", has_arg = 1, flag = 0x0, val = 66}, { > name = 0xadafbc "pseudo-realtime", has_arg = 2, flag = 0x0, > val = 69}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}} > override_ignore_checksums = 0 > time_bro = 0 > seed_save_file = 0x0 > parse_only = 0 > script_rule_files = 0x3b20d70 ".state" > (gdb) frame 0 > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > (gdb) frame 3 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > 134 /root/ane/bro/src/Obj.cc: No such file or directory. 
> in /root/ane/bro/src/Obj.cc > (gdb) info local > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\v\000\00 > 0 00\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\0 > 0\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"... > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, indent_level = 0, > is_short = 1, want_quotes = 0, do_flush = 1, include_stats = 0, > indent_with_spaces = 0} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Thu Mar 19 15:02:00 2015 
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Thu, 19 Mar 2015 17:02:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20038#comment-20038 ]

Aaron Eppert edited comment on BIT-1346 at 3/19/15 5:01 PM:
------------------------------------------------------------

Per discussion on the mailing list, we implemented the proposed changes in https://bro-tracker.atlassian.net/browse/BIT-1339 to our own local repo:

{noformat}
NOTICE([$note=Address_Scan,
        $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
        $sub=side,
        $msg=message,
        $identifier=cat(key$host)]);
}]);
{noformat}

was (Author: aeppert):
Per discussion on the mailing list, we implemented the proposed changes in BITS-1339 to our own local repo:

{noformat}
NOTICE([$note=Address_Scan,
        $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
        $sub=side,
        $msg=message,
        $identifier=cat(key$host)]);
}]);
{noformat}

> Val::CONVERTER Fatal Error - Sumstats Related
> ---------------------------------------------
>
>                 Key: BIT-1346
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1346
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Aaron Eppert
>            Priority: Critical
>              Labels: sumstats
>             Fix For: 2.4
>
>
> Bro 2.3-451-debug
> Linux 2.6.32-504.8.1.el6.x86_64
>
> ==== reporter.log
> {"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
>
> ==== stderr.log
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment:
> unlimited
> unlimited
> unlimited
> unlimited
> fatal error in : Val::CONVERTER (string/port) (80/tcp)
>
> ==== stdout.log
> max memory size         (kbytes, -m) unlimited
> data seg size           (kbytes, -d) unlimited
> virtual memory          (kbytes, -v) unlimited
> core file size          (blocks, -c) unlimited
>
> ==== .cmdline
> -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading
>
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=manager
>
> ==== .status
> TERMINATED [atexit]
>
> ==== No prof.log
> ==== No packet_filter.log
> ==== No loaded_scripts.log
>
> #0  0x0000003345c32625 in raise () from /lib64/libc.so.6
> #1  0x0000003345c33e05 in abort () from /lib64/libc.so.6
> #2  0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
>     fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
> #3  0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
>     msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port")
>     at /root/ane/bro/src/Obj.cc:134
> #4  0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20)
>     at /root/ane/bro/src/Val.h:282
> #5  0x000000000075aecd in BifFunc::bro_get_port_transport_proto (
>     frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153
> #6  0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50,
>     parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
> #7  0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60)
>     at /root/ane/bro/src/Expr.cc:4920
> #8  0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60)
>     at /root/ane/bro/src/Expr.cc:2669
> #9  0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60,
>     flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369
> #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60,
>     v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484
> #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60,
>     flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373
> #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60,
>     flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764
> #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0,
>     parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386
> #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0)
>     at /root/ane/bro/src/Expr.cc:4920
> #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0,
>     flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369
> #16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0,
>     flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764
> #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570,
>     parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386
> #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0)
>     at /root/ane/bro/src/Expr.cc:4920
> #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0,
>     flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369
> #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0,
>     v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484
> #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0,
>     flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373
> #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0,
>     flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764
> #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00,
>     parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386
> #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50)
>     at /root/ane/bro/src/Expr.cc:4920
> #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50,
>     flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369
> #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50,
>     flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764
> #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0,
>     parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386
> #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50)
>     at /root/ane/bro/src/Expr.cc:4920
> #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50,
>     flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369
> #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50,
>     flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50,
>     flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0,
>     parent=0x5682490) at /root/ane/bro/src/Func.cc:386
> #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490)
>     at /root/ane/bro/src/Expr.cc:4920
> #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490,
>     flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369
> #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490,
>     flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
> #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490,
>     v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484
> #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490,
>     flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373
> #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490,
>     flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
> #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020,
>     parent=0x51654a0) at /root/ane/bro/src/Func.cc:386
> #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0)
>     at /root/ane/bro/src/Expr.cc:4920
> #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0,
>     flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369
> #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0,
>     flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
> #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0,
>     v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484
> #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0,
>     flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373
> #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0,
>     flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
> #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0,
>     parent=0x0) at /root/ane/bro/src/Func.cc:386
> #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0,
>     no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
> #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true)
>     at /root/ane/bro/src/Event.h:50
> #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0,
>     no_remote=true) at /root/ane/bro/src/Event.h:98
> #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00)
>     at /root/ane/bro/src/RemoteSerializer.cc:1439
> #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320
> #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98)
>     at /root/ane/bro/src/main.cc:1200
> (gdb) frame 2
> #2  0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
>     fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
> 92      /root/ane/bro/src/Reporter.cc: No such file or directory.
in_ser_cache = false, location = 0x2299e90, notify_plugins = false, > ref_cnt = 1, static suppress_errors = 0}, tag = STMT_IF, > breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44092, static counter = 2684785}, e = 0x2299360}, > static register_type = {}, tid = {id = 44094, > static counter = 2684785}, s1 = 0x2299cc0, s2 = 0x2299d80} > (gdb) print *this->location > $30 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44095, > static counter = 2684785}} > (gdb) frame 11 > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > 373 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $31 = { = { = { = {_vptr.SerialObj = 0xb02930, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299e90, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_IF, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44092, static counter = 2684785}, e = 0x2299360} > (gdb) print *this->location > $32 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, > delete_data = false, 
timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44095, > static counter = 2684785}} > (gdb) > (gdb) frame 12 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > 1764 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $33 = { = { = { = {_vptr.SerialObj = 0xb02110, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2293d60, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_LIST, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 43644, static counter = 2684785}, stmts = { = { > entry = 0x229fd20, chunk_size = 20, max_entries = 20, > num_entries = 15}, }} > (gdb) print *this->location > $34 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 568, last_line = 636, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 43643, > static counter = 2684785}} > .... > (gdb) frame 48 > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > 50 /root/ane/bro/src/Event.h: No such file or directory. 
> in /root/ane/bro/src/Event.h > (gdb) print *this > $35 = { = { = {_vptr.SerialObj = 0xae2fb0, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x0, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > handler = {handler = 0x2ac0870}, args = 0x55665e0, src = 10001, aid = 0, > mgr = 0x1bdbe70, obj = 0x0, next_event = 0x0} > (gdb) frame 47 > #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > 80 /root/ane/bro/src/EventHandler.cc: No such file or directory. > in /root/ane/bro/src/EventHandler.cc > (gdb) print *this > $36 = {name = 0x2ac0c00 "SumStats::cluster_send_result", local = 0x2ac0a30, > type = 0x2ac0600, used = false, enabled = true, error_handler = false, > generate_always = false, receivers = { = {entry = 0x2ac0ba0, > chunk_size = 10, max_entries = 10, num_entries = 0}, }} > ---- > (gdb) bt full > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > No symbol table info available. > #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6 > No symbol table info available. 
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > ap = {{gp_offset = 16, fp_offset = 48, > overflow_arg_area = 0x7fff70b11a50, > reg_save_area = 0x7fff70b11980}} > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\ > \ \v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\0 > v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"... > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, > indent_level = 0, is_short = 1, want_quotes = 0, do_flush = 1, > include_stats = 0, indent_with_spaces = 0} > #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) > at /root/ane/bro/src/Val.h:282 > No locals. 
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > p = 0xebd630 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > plugin_result = 0x0 > result = 0x7fff70b11ec0 > i = 0 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x217e940 > current_call = 0x22a2540 > ret = 0x0 > func_val = 0x217ea50 > v = 0x58f2d50 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > v = 0x2299360 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b11fc0 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2299cc0 > result = 0x7e226e > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x58b1870 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x5862c60 > result = 0x0 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a1620 > current_call = 0x21ec0e0 > ret = 0x0 > func_val = 0x22a1710 > v = 0x4fe5fc0 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12330 > #16 0x00000000007e8379 in 
StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x4d629b0 > i = 0 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x55fc1e0 > result = 0x0 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a2cc0 > current_call = 0x34236a0 > ret = 0x0 > func_val = 0x22a2db0 > v = 0x5469570 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12600 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x21e38e0 > result = 0x7e226e > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x5382180 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x520ebc0 > result = 0x0 > #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x21ed440 > current_call = 0x2a39e10 > ret = 0x0 > func_val = 0x21e3a50 > v = 0x509ca00 > #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12970 > #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, 
f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, > parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 2 > flow = FLOW_NEXT > f = 0x53e1d50 > result = 0x0 > #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x3423a10 > current_call = 0x2b62770 > ret = 0x0 > func_val = 0x3423b00 > v = 0x571e9e0 > #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12c40 > #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 3 > flow = FLOW_NEXT > f = 0x4e16b50 > result = 0x0 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2a3a050 > current_call = 0x2bcf960 > ret = 0x0 > func_val = 0x2a3a290 > v = 0x4ff3bf0 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12f60 > #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at 
/root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2b606d0 > result = 0x2bcf960 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x2a33c00 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 4 > flow = FLOW_NEXT > f = 0x5682490 > result = 0x0 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2b08750 > current_call = 0x0 > ret = 0x0 > func_val = 0x2bbdab0 > v = 0x4cd7020 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b13320 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2bcf200 > result = 0x7e226e > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x4e12040 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 5 > flow = FLOW_NEXT > f = 0x51654a0 > result = 0x0 > #47 
0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > No locals. > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > No locals. > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > No locals. > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at /root/ane/bro/src/RemoteSerializer.cc:1439 > be = 0x52f6520 > event = 0x4d194d0 > old_current_peer = 0x5affb90 > i = 2 > __PRETTY_FUNCTION__ = "virtual void RemoteSerializer::Process()" > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > ts = 1426699810 > src = 0x1be4b28 > loop_counter = 0 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > time_net_start = 1426699494.8306091 > mem_net_start_total = 0 > mem_net_start_malloced = 28969936 > time_net_done = 5.5884358079878406e-317 > mem_net_done_total = 32767 > mem_net_done_malloced = 1890663744 > rule_files = { = {entry = 0x3b21000, chunk_size = 20, > max_entries = 20, num_entries = 16}, } > id_name = 0x0 > seed_load_file = 0x0 > debug_streams = 0x0 > bare_mode = 0 > opts = "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:z:CFGLNOPSWabdghvZQ", '\000' > seed = 0 > r = 0 > missing_plugin = false > bro_init = {handler = 0x1c02d90} > long_optsind = 0 > s = 0x0 > bst_file = 0x0 > print_plugins = 0 > oldhandler = 0x1 > p = 0x0 > alive_handlers = 0x3bda980 > user_pcap_filter = 0x0 > op = -1 > tmp = 0x0 > dead_handlers = 0x3bda980 > time_start = 1426699493.1773551 > interfaces = { = {entry = 0x1ba5350, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > read_files = { = {entry = 0x1ba53b0, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > events_file = 0x0 > to_xml = 0 > RE_level = 4 > dns_type = DNS_DEFAULT > broxygen_config = "" > dump_cfg = 0 > do_watchdog = 0 > 
rule_debug = 0 > long_opts = {{name = 0xadae58 "parse-only", has_arg = 0, flag = 0x0, > val = 97}, {name = 0xadae63 "bare-mode", has_arg = 0, flag = 0x0, > val = 98}, {name = 0xadae6d "debug-policy", has_arg = 0, > flag = 0x0, val = 100}, {name = 0xadae7a "dump-config", > has_arg = 0, flag = 0x0, val = 103}, {name = 0xadae86 "exec", > has_arg = 1, flag = 0x0, val = 101}, {name = 0xadae8b "filter", > has_arg = 1, flag = 0x0, val = 102}, {name = 0xadae92 "help", > has_arg = 0, flag = 0x0, val = 104}, {name = 0xadae97 "iface", > has_arg = 1, flag = 0x0, val = 105}, {name = 0xadae9d "broxygen", > has_arg = 1, flag = 0x0, val = 88}, {name = 0xadaea6 "prefix", > has_arg = 1, flag = 0x0, val = 112}, {name = 0xadaead "readfile", > has_arg = 1, flag = 0x0, val = 114}, {name = 0xadaeb6 "flowfile", > has_arg = 1, flag = 0x0, val = 121}, {name = 0xadaebf "netflow", > has_arg = 1, flag = 0x0, val = 89}, {name = 0xadaec7 "rulefile", > has_arg = 1, flag = 0x0, val = 115}, {name = 0xadaed0 "tracefile", > has_arg = 1, flag = 0x0, val = 116}, {name = 0xadaeda "writefile", > has_arg = 1, flag = 0x0, val = 119}, {name = 0xadaee4 "version", > has_arg = 0, flag = 0x0, val = 118}, { > name = 0xadaeec "print-state", has_arg = 1, flag = 0x0, > val = 120}, {name = 0xadaef8 "analyze", has_arg = 1, flag = 0x0, > val = 122}, {name = 0xadaf00 "no-checksums", has_arg = 0, > flag = 0x0, val = 67}, {name = 0xadaf0d "dfa-cache", has_arg = 1, > flag = 0x0, val = 68}, {name = 0xadaf17 "force-dns", has_arg = 0, > flag = 0x0, val = 70}, {name = 0xadaf21 "load-seeds", has_arg = 1, > flag = 0x0, val = 71}, {name = 0xadaf2c "save-seeds", has_arg = 1, > flag = 0x0, val = 72}, {name = 0xadaf37 "set-seed", has_arg = 1, > flag = 0x0, val = 74}, {name = 0xadaf40 "md5-hashkey", > has_arg = 1, flag = 0x0, val = 75}, { > name = 0xadaf4c "rule-benchmark", has_arg = 0, flag = 0x0, > val = 76}, {name = 0xadaf5b "print-plugins", has_arg = 0, > flag = 0x0, val = 78}, {name = 0xadaf69 "optimize", has_arg = 0, > flag = 
0x0, val = 79}, {name = 0xadaf72 "prime-dns", has_arg = 0, > flag = 0x0, val = 80}, {name = 0xadaf7c "replay", has_arg = 1, > flag = 0x0, val = 82}, {name = 0xadaf83 "debug-rules", > has_arg = 0, flag = 0x0, val = 83}, {name = 0xadaf8f "re-level", > has_arg = 1, flag = 0x0, val = 82}, {name = 0xadaf98 "watchdog", > has_arg = 0, flag = 0x0, val = 87}, {name = 0xadafa1 "print-id", > has_arg = 1, flag = 0x0, val = 73}, { > name = 0xadafaa "status-file", has_arg = 1, flag = 0x0, val = 85}, > {name = 0xadafb6 "debug", has_arg = 1, flag = 0x0, val = 66}, { > name = 0xadafbc "pseudo-realtime", has_arg = 2, flag = 0x0, > val = 69}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}} > override_ignore_checksums = 0 > time_bro = 0 > seed_save_file = 0x0 > parse_only = 0 > script_rule_files = 0x3b20d70 ".state" > (gdb) frame 0 > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > (gdb) frame 3 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > 134 /root/ane/bro/src/Obj.cc: No such file or directory. 
> in /root/ane/bro/src/Obj.cc > (gdb) info local > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\v\000\00 > 0 00\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\0 > 0\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"... > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, indent_level = 0, > is_short = 1, want_quotes = 0, do_flush = 1, include_stats = 0, > indent_with_spaces = 0} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Thu Mar 19 15:03:00 2015 
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 17:03:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1324:
------------------------------

    Assignee:     (was: Jon Siwek)

> default_path_func does weird things to underscores
> --------------------------------------------------
>
>                 Key: BIT-1324
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1324
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Justin Azoff
>            Priority: Low
>              Labels: logging
>             Fix For: 2.4
>
>
> The following script creates a
> {noformat}
> foo__b_ar.log
> {noformat}
>
> instead of the expected {noformat}foo_bar{noformat}
> {code}
> module FOO_BAR;
> export {
>     redef enum Log::ID += { LOG };
>     type Info: record {
>         ts: time &log;
>         msg: string &log;
>     };
> }
> event bro_init() {
>     Log::create_stream(LOG, [$columns=Info]);
>     local l = [$ts = network_time(), $msg="hello"];
>     Log::write(LOG, l);
>     print "Logged";
> }
> {code}
> The problem is in script land in default_path_func
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
> outputs
> {code}
> [FOO, _B, AR]
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 19 15:03:01 2015
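The split shown in the BIT-1324 report above, reproduced as an added example in Python (not Bro's own code): it reconstructs the camel-case splitting and re-joining that default_path_func performs on the module part of a stream id, as understood from the report, and shows why FOO_BAR yields foo__b_ar while a camel-cased module name comes out as intended. The names split_string_n and default_log_path, and the re-join rule in the comments, are assumptions made for this example.

```python
import re

# Added reconstruction, in Python, of the log-path derivation that the BIT-1324
# report attributes to Bro's default_path_func. This is not Bro's own code: the
# split is the one shown in the report, and the re-join rule (separator match ->
# first char + "_" + rest) is an assumption that reproduces the reported output.
CAMEL_SPLIT_RE = re.compile(r"[^A-Z][A-Z][a-z]*")


def split_string_n(s, pattern, incl_sep=True, max_splits=4):
    """Python stand-in for Bro's split_string_n(s, re, incl_sep, n): split `s`
    at up to `max_splits` matches of `pattern`; with incl_sep (Bro's T flag)
    each matched separator is kept as its own element. A Python list is
    0-based, so element 0 here is Bro's element 1."""
    parts = []
    pos = 0
    for n, m in enumerate(pattern.finditer(s)):
        if n >= max_splits:
            break
        parts.append(s[pos:m.start()])
        if incl_sep:
            parts.append(m.group(0))
        pos = m.end()
    parts.append(s[pos:])   # remainder, kept even if empty (assumed to mirror Bro)
    return parts


def default_log_path(module):
    """Derive the log file stem from the module part of a stream id.

    For a camel-cased name the separator match spans the last lower-case char
    of one word plus the whole next word ('FooBar' -> ['Fo', 'oBar', '']), so
    the separator contributes its first char, an underscore, and the rest:
    'Fo' + 'o' + '_' + 'Bar' -> 'foo_bar'. For 'FOO_BAR' the separator match
    is '_B' ([FOO, _B, AR] in the report), so the same rule emits
    'FOO' + '_' + '_' + 'B' + '_AR' and the stem becomes 'foo__b_ar'."""
    parts = split_string_n(module, CAMEL_SPLIT_RE, True, 4)
    out = parts[0]
    if len(parts) > 1 and parts[1]:
        out += parts[1][0] + "_" + parts[1][1:]
    if len(parts) > 2 and parts[2]:
        out += "_" + parts[2]
    if len(parts) > 3 and parts[3]:
        out += parts[3][0] + "_" + parts[3][1:]
    return out.lower()


if __name__ == "__main__":
    for name in ("FOO_BAR", "FooBar", "Notice", "FooBarBaz"):
        print(name, split_string_n(name, CAMEL_SPLIT_RE), "->",
              default_log_path(name) + ".log")
```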
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 17:03:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-788:
-----------------------------

    Assignee:     (was: Jon Siwek)

> Good analysis of unidirectional DNS flows
> -----------------------------------------
>
>                 Key: BIT-788
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-788
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: juliensentier
>             Fix For: 2.4
>
>         Attachments: 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch
>
>
> Some use port UDP 53 as a source port for DNS requests.
> And sometimes, we can miss the DNS request.
> In this case, we can rely on the DNS field QR to identify the direction of the flow.

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 19 15:03:00 2015
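The QR-based direction check proposed in BIT-788 above, as an added example in Python that is neither the attached patch nor Bro's own code: it decodes the DNS header and attributes the client and server of a UDP/53 flow from the QR bit alone, so a response captured without its request, or a client that sends from source port 53, is still classified correctly. The function names, addresses, ports and datagrams are constructed for this example.

```python
import struct

# Added example, not the BIT-788 patch or Bro's own code: classify the client
# and server of a UDP/53 flow from the DNS header's QR bit (0 = query,
# 1 = response) instead of from port numbers or from which packet was seen
# first. Addresses, ports and datagrams below are constructed for the example.
DNS_HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def parse_dns_header(payload):
    """Decode the 12-byte DNS header; return None if the datagram is too short."""
    if len(payload) < DNS_HEADER.size:
        return None
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # QR: 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dns_direction(sender, receiver, payload):
    """Return (client, server) for one observed datagram using QR only:
    whoever sends a QR=0 message is the client, whoever sends QR=1 the server.
    Ports are deliberately ignored because a client may use 53 as source port."""
    hdr = parse_dns_header(payload)
    if hdr is None:
        return None
    return (sender, receiver) if hdr["qr"] == 0 else (receiver, sender)


def flow_endpoints(datagrams):
    """Classify a whole flow from whichever datagrams were captured; each item
    is (sender, receiver, payload). Returns (client, server) when every
    decodable datagram agrees, or None when nothing decodes or the verdicts
    conflict (e.g. both endpoints sending QR=0, which is no query/response pair)."""
    verdicts = set()
    for sender, receiver, payload in datagrams:
        verdict = dns_direction(sender, receiver, payload)
        if verdict is not None:
            verdicts.add(verdict)
    return verdicts.pop() if len(verdicts) == 1 else None


# --- constructed sample traffic ----------------------------------------------
def _qname(name):
    """Encode a domain name as DNS labels."""
    return b"".join(bytes([len(label)]) + label.encode()
                    for label in name.split(".")) + b"\x00"


QUESTION = _qname("example.com") + b"\x00\x01\x00\x01"            # type A, class IN
QUERY = DNS_HEADER.pack(0x1234, 0x0100, 1, 0, 0, 0) + QUESTION    # RD set, QR=0
RESPONSE = (DNS_HEADER.pack(0x1234, 0x8180, 1, 1, 0, 0) + QUESTION  # QR=1, RD, RA
            # answer: pointer to the question name, A/IN, TTL 3600, 192.0.2.1
            + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")

CLIENT = ("192.0.2.10", 53)      # resolver that uses 53 as its *source* port
SERVER = ("198.51.100.5", 53)


if __name__ == "__main__":
    # The request was missed; only the response is in the capture. A port-based
    # or first-packet heuristic would make SERVER the originator; QR does not.
    print(flow_endpoints([(SERVER, CLIENT, RESPONSE)]))
    print(flow_endpoints([(CLIENT, SERVER, QUERY), (SERVER, CLIENT, RESPONSE)]))
```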
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Thu, 19 Mar 2015 17:03:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20038#comment-20038 ]

Aaron Eppert edited comment on BIT-1346 at 3/19/15 5:02 PM:
------------------------------------------------------------

Per discussion on the mailing list, we implemented the proposed changes in [BIT-1339|https://bro-tracker.atlassian.net/browse/BIT-1339] to our own local repo:

{noformat}
NOTICE([$note=Address_Scan, $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str], $sub=side, $msg=message, $identifier=cat(key$host)]);
}]);
{noformat}

was (Author: aeppert):
Per discussion on the mailing list, we implemented the proposed changes in https://bro-tracker.atlassian.net/browse/BIT-1339 to our own local repo:

{noformat}
NOTICE([$note=Address_Scan, $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str], $sub=side, $msg=message, $identifier=cat(key$host)]);
}]);
{noformat}

> Val::CONVERTER Fatal Error - Sumstats Related
> ---------------------------------------------
>
>                 Key: BIT-1346
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1346
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Aaron Eppert
>            Priority: Critical
>              Labels: sumstats
>             Fix For: 2.4
>
>
> Bro 2.3-451-debug
> Linux 2.6.32-504.8.1.el6.x86_64
> ==== reporter.log
> {"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are 
ignored","location":""} > {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > {"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""} > ==== stderr.log > internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else > internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This > internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to > internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse. 
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: > unlimited > unlimited > unlimited > unlimited > fatal error in : Val::CONVERTER (string/port) (80/tcp) > ==== stdout.log > max memory size (kbytes, -m) unlimited > data seg size (kbytes, -d) unlimited > virtual memory (kbytes, -v) unlimited > core file size (blocks, -c) unlimited > ==== .cmdline > -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading > ==== .env_vars > PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin > BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site > CLUSTER_NODE=manager > ==== .status > TERMINATED [atexit] > ==== No prof.log > ==== No packet_filter.log > ==== No loaded_scripts.log > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6 > #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) > at /root/ane/bro/src/Val.h:282 > #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > #8 0x00000000007370b7 in 
AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > #16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at 
/root/ane/bro/src/Func.cc:386 > #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) > at /root/ane/bro/src/Expr.cc:4920 > #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369 > #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764 > #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, > parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386 > #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) > at /root/ane/bro/src/Expr.cc:4920 > #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369 > #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, 
args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at /root/ane/bro/src/RemoteSerializer.cc:1439 > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > (gdb) frame 2 > #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > 92 /root/ane/bro/src/Reporter.cc: No such file or directory. 
> in /root/ane/bro/src/Reporter.cc > (gdb) print *this > $11 = {errors = 1, via_events = true, in_error_handler = 0, > info_to_stderr = true, warnings_to_stderr = false, errors_to_stderr = false, > locations = std::list = {[0] = {first = 0xebf480, second = 0x0}}} > (gdb) frame 3 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > 134 /root/ane/bro/src/Obj.cc: No such file or directory. > in /root/ane/bro/src/Obj.cc > (gdb) print *this > $12 = { = {_vptr.SerialObj = 0xb08370, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 34822}, in_ser_cache = false, > location = 0x0, notify_plugins = false, ref_cnt = 5, > static suppress_errors = 0} > (gdb) print *this > $13 = { = { = {_vptr.SerialObj = 0xb08370, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 34822}, in_ser_cache = false, location = 0x0, > notify_plugins = false, ref_cnt = 5, static suppress_errors = 0}, > static register_type = {}, tid = {id = 2684174, > static counter = 2684785}, val = {int_val = 80599088, uint_val = 80599088, > addr_val = 0x4cdd830, subnet_val = 0x4cdd830, > double_val = 3.9821240466935464e-316, string_val = 0x4cdd830, > func_val = 0x4cdd830, file_val = 0x4cdd830, re_val = 0x4cdd830, > table_val = 0x4cdd830, val_list_val = 0x4cdd830, vector_val = 0x4cdd830}, > type = 0x1c30fb0, bound_id = 0x0} > (gdb) print *this->val->string_val > $14 = {static EXPANDED_STRING = 39, static BRO_STRING_LITERAL = 56, > b = 0x4bbbd40 "80/tcp", n = 6, final_NUL = 1, use_free_to_delete = 0} > (gdb) print *this->val->table_val > $16 = { = {_vptr.Dictionary = 0x4bbbd40, tbl = 0x100000006, > num_buckets = 32, num_entries = 0, max_num_entries = 81, > den_thresh = 5.7159126496652157e-317, thresh_entries = 0, tbl2 = 
0x0, > num_buckets2 = 875836160, num_entries2 = 1, max_num_entries2 = 1225167, > den_thresh2 = 1426703154.9832709, thresh_entries2 = 29612816, > tbl_next_ind = 0, order = 0x65746163696669, delete_func = 0x61, > cookies = { = {entry = 0x2377ff0, chunk_size = 92305888, > max_entries = 0, > num_entries = 78707}, }}, } > (gdb) frame 6 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > 564 /root/ane/bro/src/Func.cc: No such file or directory. > in /root/ane/bro/src/Func.cc > (gdb) print *this > $21 = { = { = { = {_vptr.SerialObj = 0xaf1550, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x217e9c0, > notify_plugins = false, ref_cnt = 2, static suppress_errors = 0}, > bodies = std::vector of length 0, capacity 0, scope = 0x0, > kind = Func::BUILTIN_FUNC, type = 0x1cc9fb0, name = > "get_port_transport_proto", unique_id = 677, > static unique_ids = { >> = { > _M_impl = {> = {<__gnu_cxx::new_allocator> = {}, }, _M_start = 0x3125ac0, > _M_finish = 0x31280e8, > _M_end_of_storage = 0x3129ac0}}, }}, > static register_type = {}, tid = {id = 35977, > static counter = 2684785}, > func = 0x75ae6e , > is_pure = 0} > (gdb) print *this->location > $22 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2173970 "/usr/local/bro/share/bro/base/bif/plugins/./Bro_X509.functions.bif.bro", first_line = 69, last_line = 69, first_column = 0, > last_column = 0, delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 35976, > static counter = 2684785}} > (gdb) frame 7 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > 4920 /root/ane/bro/src/Expr.cc: No 
such file or directory. > in /root/ane/bro/src/Expr.cc > (gdb) print *this > $23 = { = { = { = {_vptr.SerialObj = 0xae6b10, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299b00, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = EXPR_CALL, type = 0x1c34890, paren = 0}, > static register_type = {}, tid = {id = 44070, > static counter = 2684785}, func = 0x2299690, args = 0x2299870} > (gdb) > (gdb) print *this->location > $24 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44069, > static counter = 2684785}} > (gdb) > (gdb) frame 8 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > 2669 in /root/ane/bro/src/Expr.cc > (gdb) print *this > $25 = { = { = { = { = { > _vptr.SerialObj = 0xae7bd0, static NEVER = 0, static ALWAYS = 1, > static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > in_ser_cache = false, location = 0x2299c70, notify_plugins = false, > ref_cnt = 1, static suppress_errors = 0}, tag = EXPR_ASSIGN, > type = 0x1c34890, paren = 0}, static register_type = {}, > tid = {id = 44080, static counter = 2684785}, op1 = 0x2299c10, > op2 = 0x2299aa0}, static register_type = {}, tid = { > id = 44081, static counter = 2684785}, is_init = 0, val = 0x0} > (gdb) print *this->location > $26 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static 
time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44082, > static counter = 2684785}} > (gdb) frame 9 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > 369 /root/ane/bro/src/Stmt.cc: No such file or directory. > in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $27 = { = { = { = {_vptr.SerialObj = 0xb029f0, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299d10, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_EXPR, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44085, static counter = 2684785}, e = 0x2299b50} > (gdb) print *this->location > $28 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44086, > static counter = 2684785}} > (gdb) frame 10 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > 484 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $29 = { = { = { = { = { > _vptr.SerialObj = 0xb02930, static NEVER = 0, static ALWAYS = 1, > static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > 
in_ser_cache = false, location = 0x2299e90, notify_plugins = false, > ref_cnt = 1, static suppress_errors = 0}, tag = STMT_IF, > breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44092, static counter = 2684785}, e = 0x2299360}, > static register_type = {}, tid = {id = 44094, > static counter = 2684785}, s1 = 0x2299cc0, s2 = 0x2299d80} > (gdb) print *this->location > $30 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44095, > static counter = 2684785}} > (gdb) frame 11 > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > 373 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $31 = { = { = { = {_vptr.SerialObj = 0xb02930, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2299e90, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_IF, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 44092, static counter = 2684785}, e = 0x2299360} > (gdb) print *this->location > $32 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0, > delete_data = false, 
timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 44095, > static counter = 2684785}} > (gdb) > (gdb) frame 12 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > 1764 in /root/ane/bro/src/Stmt.cc > (gdb) print *this > $33 = { = { = { = {_vptr.SerialObj = 0xb02110, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x2293d60, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > tag = STMT_LIST, breakpoint_count = 0, last_access = 1426699810.94208, > access_count = 274}, static register_type = {}, tid = { > id = 43644, static counter = 2684785}, stmts = { = { > entry = 0x229fd20, chunk_size = 20, max_entries = 20, > num_entries = 15}, }} > (gdb) print *this->location > $34 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0, > static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0, > static time_counter = 211263, serial_type = 0}, > filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 568, last_line = 636, first_column = 0, last_column = 0, > delete_data = false, timestamp = 0, text = 0x0, > static register_type = {}, tid = {id = 43643, > static counter = 2684785}} > .... > (gdb) frame 48 > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > 50 /root/ane/bro/src/Event.h: No such file or directory. 
> in /root/ane/bro/src/Event.h > (gdb) print *this > $35 = { = { = {_vptr.SerialObj = 0xae2fb0, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x0, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > handler = {handler = 0x2ac0870}, args = 0x55665e0, src = 10001, aid = 0, > mgr = 0x1bdbe70, obj = 0x0, next_event = 0x0} > (gdb) frame 47 > #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > 80 /root/ane/bro/src/EventHandler.cc: No such file or directory. > in /root/ane/bro/src/EventHandler.cc > (gdb) print *this > $36 = {name = 0x2ac0c00 "SumStats::cluster_send_result", local = 0x2ac0a30, > type = 0x2ac0600, used = false, enabled = true, error_handler = false, > generate_always = false, receivers = { = {entry = 0x2ac0ba0, > chunk_size = 10, max_entries = 10, num_entries = 0}, }} > ---- > (gdb) bt full > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > No symbol table info available. > #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6 > No symbol table info available. 
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > ap = {{gp_offset = 16, fp_offset = 48, > overflow_arg_area = 0x7fff70b11a50, > reg_save_area = 0x7fff70b11980}} > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\ > \ \v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\0 > v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"... > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, > indent_level = 0, is_short = 1, want_quotes = 0, do_flush = 1, > include_stats = 0, indent_with_spaces = 0} > #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) > at /root/ane/bro/src/Val.h:282 > No locals. 
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > p = 0xebd630 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > plugin_result = 0x0 > result = 0x7fff70b11ec0 > i = 0 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x217e940 > current_call = 0x22a2540 > ret = 0x0 > func_val = 0x217ea50 > v = 0x58f2d50 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > v = 0x2299360 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b11fc0 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2299cc0 > result = 0x7e226e > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x58b1870 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x5862c60 > result = 0x0 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a1620 > current_call = 0x21ec0e0 > ret = 0x0 > func_val = 0x22a1710 > v = 0x4fe5fc0 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12330 > #16 0x00000000007e8379 in 
StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x4d629b0 > i = 0 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x55fc1e0 > result = 0x0 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a2cc0 > current_call = 0x34236a0 > ret = 0x0 > func_val = 0x22a2db0 > v = 0x5469570 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12600 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x21e38e0 > result = 0x7e226e > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x5382180 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x520ebc0 > result = 0x0 > #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x21ed440 > current_call = 0x2a39e10 > ret = 0x0 > func_val = 0x21e3a50 > v = 0x509ca00 > #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12970 > #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, 
f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, > parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 2 > flow = FLOW_NEXT > f = 0x53e1d50 > result = 0x0 > #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x3423a10 > current_call = 0x2b62770 > ret = 0x0 > func_val = 0x3423b00 > v = 0x571e9e0 > #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12c40 > #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 3 > flow = FLOW_NEXT > f = 0x4e16b50 > result = 0x0 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2a3a050 > current_call = 0x2bcf960 > ret = 0x0 > func_val = 0x2a3a290 > v = 0x4ff3bf0 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12f60 > #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at 
/root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2b606d0 > result = 0x2bcf960 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x2a33c00 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 4 > flow = FLOW_NEXT > f = 0x5682490 > result = 0x0 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2b08750 > current_call = 0x0 > ret = 0x0 > func_val = 0x2bbdab0 > v = 0x4cd7020 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b13320 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2bcf200 > result = 0x7e226e > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x4e12040 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 5 > flow = FLOW_NEXT > f = 0x51654a0 > result = 0x0 > #47 
0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > No locals. > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > No locals. > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > No locals. > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at /root/ane/bro/src/RemoteSerializer.cc:1439 > be = 0x52f6520 > event = 0x4d194d0 > old_current_peer = 0x5affb90 > i = 2 > __PRETTY_FUNCTION__ = "virtual void RemoteSerializer::Process()" > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > ts = 1426699810 > src = 0x1be4b28 > loop_counter = 0 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > time_net_start = 1426699494.8306091 > mem_net_start_total = 0 > mem_net_start_malloced = 28969936 > time_net_done = 5.5884358079878406e-317 > mem_net_done_total = 32767 > mem_net_done_malloced = 1890663744 > rule_files = { = {entry = 0x3b21000, chunk_size = 20, > max_entries = 20, num_entries = 16}, } > id_name = 0x0 > seed_load_file = 0x0 > debug_streams = 0x0 > bare_mode = 0 > opts = "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:z:CFGLNOPSWabdghvZQ", '\000' > seed = 0 > r = 0 > missing_plugin = false > bro_init = {handler = 0x1c02d90} > long_optsind = 0 > s = 0x0 > bst_file = 0x0 > print_plugins = 0 > oldhandler = 0x1 > p = 0x0 > alive_handlers = 0x3bda980 > user_pcap_filter = 0x0 > op = -1 > tmp = 0x0 > dead_handlers = 0x3bda980 > time_start = 1426699493.1773551 > interfaces = { = {entry = 0x1ba5350, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > read_files = { = {entry = 0x1ba53b0, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > events_file = 0x0 > to_xml = 0 > RE_level = 4 > dns_type = DNS_DEFAULT > broxygen_config = "" > dump_cfg = 0 > do_watchdog = 0 > 
rule_debug = 0 > long_opts = {{name = 0xadae58 "parse-only", has_arg = 0, flag = 0x0, > val = 97}, {name = 0xadae63 "bare-mode", has_arg = 0, flag = 0x0, > val = 98}, {name = 0xadae6d "debug-policy", has_arg = 0, > flag = 0x0, val = 100}, {name = 0xadae7a "dump-config", > has_arg = 0, flag = 0x0, val = 103}, {name = 0xadae86 "exec", > has_arg = 1, flag = 0x0, val = 101}, {name = 0xadae8b "filter", > has_arg = 1, flag = 0x0, val = 102}, {name = 0xadae92 "help", > has_arg = 0, flag = 0x0, val = 104}, {name = 0xadae97 "iface", > has_arg = 1, flag = 0x0, val = 105}, {name = 0xadae9d "broxygen", > has_arg = 1, flag = 0x0, val = 88}, {name = 0xadaea6 "prefix", > has_arg = 1, flag = 0x0, val = 112}, {name = 0xadaead "readfile", > has_arg = 1, flag = 0x0, val = 114}, {name = 0xadaeb6 "flowfile", > has_arg = 1, flag = 0x0, val = 121}, {name = 0xadaebf "netflow", > has_arg = 1, flag = 0x0, val = 89}, {name = 0xadaec7 "rulefile", > has_arg = 1, flag = 0x0, val = 115}, {name = 0xadaed0 "tracefile", > has_arg = 1, flag = 0x0, val = 116}, {name = 0xadaeda "writefile", > has_arg = 1, flag = 0x0, val = 119}, {name = 0xadaee4 "version", > has_arg = 0, flag = 0x0, val = 118}, { > name = 0xadaeec "print-state", has_arg = 1, flag = 0x0, > val = 120}, {name = 0xadaef8 "analyze", has_arg = 1, flag = 0x0, > val = 122}, {name = 0xadaf00 "no-checksums", has_arg = 0, > flag = 0x0, val = 67}, {name = 0xadaf0d "dfa-cache", has_arg = 1, > flag = 0x0, val = 68}, {name = 0xadaf17 "force-dns", has_arg = 0, > flag = 0x0, val = 70}, {name = 0xadaf21 "load-seeds", has_arg = 1, > flag = 0x0, val = 71}, {name = 0xadaf2c "save-seeds", has_arg = 1, > flag = 0x0, val = 72}, {name = 0xadaf37 "set-seed", has_arg = 1, > flag = 0x0, val = 74}, {name = 0xadaf40 "md5-hashkey", > has_arg = 1, flag = 0x0, val = 75}, { > name = 0xadaf4c "rule-benchmark", has_arg = 0, flag = 0x0, > val = 76}, {name = 0xadaf5b "print-plugins", has_arg = 0, > flag = 0x0, val = 78}, {name = 0xadaf69 "optimize", has_arg = 0, > flag = 
0x0, val = 79}, {name = 0xadaf72 "prime-dns", has_arg = 0, > flag = 0x0, val = 80}, {name = 0xadaf7c "replay", has_arg = 1, > flag = 0x0, val = 82}, {name = 0xadaf83 "debug-rules", > has_arg = 0, flag = 0x0, val = 83}, {name = 0xadaf8f "re-level", > has_arg = 1, flag = 0x0, val = 82}, {name = 0xadaf98 "watchdog", > has_arg = 0, flag = 0x0, val = 87}, {name = 0xadafa1 "print-id", > has_arg = 1, flag = 0x0, val = 73}, { > name = 0xadafaa "status-file", has_arg = 1, flag = 0x0, val = 85}, > {name = 0xadafb6 "debug", has_arg = 1, flag = 0x0, val = 66}, { > name = 0xadafbc "pseudo-realtime", has_arg = 2, flag = 0x0, > val = 69}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}} > override_ignore_checksums = 0 > time_bro = 0 > seed_save_file = 0x0 > parse_only = 0 > script_rule_files = 0x3b20d70 ".state" > (gdb) frame 0 > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > (gdb) frame 3 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > 134 /root/ane/bro/src/Obj.cc: No such file or directory. 
> in /root/ane/bro/src/Obj.cc > (gdb) info local > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\v\000\00 > 0 00\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\0 > 0\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"... > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, indent_level = 0, > is_short = 1, want_quotes = 0, do_flush = 1, include_stats = 0, > indent_with_spaces = 0} -- This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014) From jira at bro-tracker.atlassian.net Thu Mar 19 15:03:01 2015 
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 17:03:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-342:
-----------------------------

    Assignee: (was: Jon Siwek)

> Add payload to ICMP analyzer
> ----------------------------
>
> Key: BIT-342
> URL: https://bro-tracker.atlassian.net/browse/BIT-342
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Fix For: 2.4
>
> Attachments: ICMP-add-payload.diff
>
>
> This is a patch from Julien Sentier on the mailing list that makes ICMP payloads available at the scripting layer. Is there a reason this isn't already available? I would have committed it to fastpath except I don't know if it's not already doing this due to the potential overhead of creating a lot of strings in ICMP floods. At the very least, I suppose it could be optional (which the patch doesn't currently do).

From jira at bro-tracker.atlassian.net  Thu Mar 19 15:10:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 19 Mar 2015 17:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20040#comment-20040 ]

Jon Siwek commented on BIT-1346:
--------------------------------

{{$resp_p=key$str}} doesn't look right to me, should that be {{$resp_p=to_port(key$str)}} ?

> Val::CONVERTER Fatal Error - Sumstats Related
> ---------------------------------------------
>
> Key: BIT-1346
> URL: https://bro-tracker.atlassian.net/browse/BIT-1346
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Aaron Eppert
> Priority: Critical
> Labels: sumstats
> Fix For: 2.4
>
>
> Bro 2.3-451-debug
> Linux 2.6.32-504.8.1.el6.x86_64
> ==== reporter.log
> {"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> ==== stderr.log
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment:
> unlimited
> unlimited
> unlimited
> unlimited
> fatal error in : Val::CONVERTER (string/port) (80/tcp)
> ==== stdout.log
> max memory size (kbytes, -m) unlimited
> data seg size (kbytes, -d) unlimited
> virtual memory (kbytes, -v) unlimited
> core file size (blocks, -c) unlimited
> ==== .cmdline
> -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=manager
> ==== .status
> TERMINATED [atexit]
> ==== No prof.log
> ==== No packet_filter.log
> ==== No loaded_scripts.log
> #0 0x0000003345c32625 in raise () from /lib64/libc.so.6
> #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
> fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
> #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
> msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port")
> at /root/ane/bro/src/Obj.cc:134
> #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20)
> at /root/ane/bro/src/Val.h:282
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto (
> frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153
> #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50,
> parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
> #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60)
> at /root/ane/bro/src/Expr.cc:4920
> #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60)
> at /root/ane/bro/src/Expr.cc:2669
> #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369
> #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60,
> v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484
> #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373
> #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764
> #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0,
> parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386
> #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0)
> at /root/ane/bro/src/Expr.cc:4920
> #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0,
> flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369
> #16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0,
> flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764
> #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570,
> parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386
> #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0)
> at /root/ane/bro/src/Expr.cc:4920
> #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0,
> flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369
> #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0,
> v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484
> #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0,
> flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373
> #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0,
> flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764
> #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00,
> parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386
> #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50)
> at /root/ane/bro/src/Expr.cc:4920
> #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50,
> flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369
> #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50,
> flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764
> #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0,
> parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386
> #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50)
> at /root/ane/bro/src/Expr.cc:4920
> #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50,
> flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369
> #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50,
> flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50,
> flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0,
> parent=0x5682490) at /root/ane/bro/src/Func.cc:386
> #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490)
> at /root/ane/bro/src/Expr.cc:4920
> #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369
> #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
> #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490,
> v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484
> #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373
> #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
> #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020,
> parent=0x51654a0) at /root/ane/bro/src/Func.cc:386
> #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0)
> at /root/ane/bro/src/Expr.cc:4920
> #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369
> #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
> #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0,
> v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484
> #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373
> #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
> #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0,
> parent=0x0) at /root/ane/bro/src/Func.cc:386
> #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0,
> no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
> #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true)
> at /root/ane/bro/src/Event.h:50
> #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0,
> no_remote=true) at /root/ane/bro/src/Event.h:98
> #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00)
> at /root/ane/bro/src/RemoteSerializer.cc:1439
> #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320
> #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98)
> at /root/ane/bro/src/main.cc:1200
> (gdb) frame 2
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
> fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
> 92 /root/ane/bro/src/Reporter.cc: No such file or directory.
> in /root/ane/bro/src/Reporter.cc
> (gdb) print *this
> $11 = {errors = 1, via_events = true, in_error_handler = 0,
> info_to_stderr = true, warnings_to_stderr = false, errors_to_stderr = false,
> locations = std::list = {[0] = {first = 0xebf480, second = 0x0}}}
> (gdb) frame 3
> #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
> msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port")
> at /root/ane/bro/src/Obj.cc:134
> 134 /root/ane/bro/src/Obj.cc: No such file or directory.
> in /root/ane/bro/src/Obj.cc
> (gdb) print *this
> $12 = { = {_vptr.SerialObj = 0xb08370, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 34822}, in_ser_cache = false,
> location = 0x0, notify_plugins = false, ref_cnt = 5,
> static suppress_errors = 0}
> (gdb) print *this
> $13 = { = { = {_vptr.SerialObj = 0xb08370,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 34822}, in_ser_cache = false, location = 0x0,
> notify_plugins = false, ref_cnt = 5, static suppress_errors = 0},
> static register_type = {}, tid = {id = 2684174,
> static counter = 2684785}, val = {int_val = 80599088, uint_val = 80599088,
> addr_val = 0x4cdd830, subnet_val = 0x4cdd830,
> double_val = 3.9821240466935464e-316, string_val = 0x4cdd830,
> func_val = 0x4cdd830, file_val = 0x4cdd830, re_val = 0x4cdd830,
> table_val = 0x4cdd830, val_list_val = 0x4cdd830, vector_val = 0x4cdd830},
> type = 0x1c30fb0, bound_id = 0x0}
> (gdb) print *this->val->string_val
> $14 = {static EXPANDED_STRING = 39, static BRO_STRING_LITERAL = 56,
> b = 0x4bbbd40 "80/tcp", n = 6, final_NUL = 1, use_free_to_delete = 0}
> (gdb) print *this->val->table_val
> $16 = { = {_vptr.Dictionary = 0x4bbbd40, tbl = 0x100000006,
> num_buckets = 32, num_entries = 0, max_num_entries = 81,
> den_thresh = 5.7159126496652157e-317, thresh_entries = 0, tbl2 = 0x0,
> num_buckets2 = 875836160, num_entries2 = 1, max_num_entries2 = 1225167,
> den_thresh2 = 1426703154.9832709, thresh_entries2 = 29612816,
> tbl_next_ind = 0, order = 0x65746163696669, delete_func = 0x61,
> cookies = { = {entry = 0x2377ff0, chunk_size = 92305888,
> max_entries = 0,
> num_entries = 78707}, }}, }
> (gdb) frame 6
> #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50,
> parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
> 564 /root/ane/bro/src/Func.cc: No such file or directory.
> in /root/ane/bro/src/Func.cc
> (gdb) print *this
> $21 = { = { = { = {_vptr.SerialObj = 0xaf1550,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x217e9c0,
> notify_plugins = false, ref_cnt = 2, static suppress_errors = 0},
> bodies = std::vector of length 0, capacity 0, scope = 0x0,
> kind = Func::BUILTIN_FUNC, type = 0x1cc9fb0, name =
> "get_port_transport_proto", unique_id = 677,
> static unique_ids = { >> = {
> _M_impl = {> = {<__gnu_cxx::new_allocator> = {}, }, _M_start = 0x3125ac0,
> _M_finish = 0x31280e8,
> _M_end_of_storage = 0x3129ac0}}, }},
> static register_type = {}, tid = {id = 35977,
> static counter = 2684785},
> func = 0x75ae6e ,
> is_pure = 0}
> (gdb) print *this->location
> $22 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2173970 "/usr/local/bro/share/bro/base/bif/plugins/./Bro_X509.functions.bif.bro", first_line = 69, last_line = 69, first_column = 0,
> last_column = 0, delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 35976,
> static counter = 2684785}}
> (gdb) frame 7
> #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60)
> at /root/ane/bro/src/Expr.cc:4920
> 4920 /root/ane/bro/src/Expr.cc: No such file or directory.
> in /root/ane/bro/src/Expr.cc
> (gdb) print *this
> $23 = { = { = { = {_vptr.SerialObj = 0xae6b10,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x2299b00,
> notify_plugins = false, ref_cnt = 1, static suppress_errors = 0},
> tag = EXPR_CALL, type = 0x1c34890, paren = 0},
> static register_type = {}, tid = {id = 44070,
> static counter = 2684785}, func = 0x2299690, args = 0x2299870}
> (gdb)
> (gdb) print *this->location
> $24 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 44069,
> static counter = 2684785}}
> (gdb)
> (gdb) frame 8
> #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60)
> at /root/ane/bro/src/Expr.cc:2669
> 2669 in /root/ane/bro/src/Expr.cc
> (gdb) print *this
> $25 = { = { = { = { = {
> _vptr.SerialObj = 0xae7bd0, static NEVER = 0, static ALWAYS = 1,
> static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> in_ser_cache = false, location = 0x2299c70, notify_plugins = false,
> ref_cnt = 1, static suppress_errors = 0}, tag = EXPR_ASSIGN,
> type = 0x1c34890, paren = 0}, static register_type = {},
> tid = {id = 44080, static counter = 2684785}, op1 = 0x2299c10,
> op2 = 0x2299aa0}, static register_type = {}, tid = {
> id = 44081, static counter = 2684785}, is_init = 0, val = 0x0}
> (gdb) print *this->location
> $26 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 44082,
> static counter = 2684785}}
> (gdb) frame 9
> #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369
> 369 /root/ane/bro/src/Stmt.cc: No such file or directory.
> in /root/ane/bro/src/Stmt.cc
> (gdb) print *this
> $27 = { = { = { = {_vptr.SerialObj = 0xb029f0,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x2299d10,
> notify_plugins = false, ref_cnt = 1, static suppress_errors = 0},
> tag = STMT_EXPR, breakpoint_count = 0, last_access = 1426699810.94208,
> access_count = 274}, static register_type = {}, tid = {
> id = 44085, static counter = 2684785}, e = 0x2299b50}
> (gdb) print *this->location
> $28 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 44086,
> static counter = 2684785}}
> (gdb) frame 10
> #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60,
> v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484
> 484 in /root/ane/bro/src/Stmt.cc
> (gdb) print *this
> $29 = { = { = { = { = {
> _vptr.SerialObj = 0xb02930, static NEVER = 0, static ALWAYS = 1,
> static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> in_ser_cache = false, location = 0x2299e90, notify_plugins = false,
> ref_cnt = 1, static suppress_errors = 0}, tag = STMT_IF,
> breakpoint_count = 0, last_access = 1426699810.94208,
> access_count = 274}, static register_type = {}, tid = {
> id = 44092, static counter = 2684785}, e = 0x2299360},
> static register_type = {}, tid = {id = 44094,
> static counter = 2684785}, s1 = 0x2299cc0, s2 = 0x2299d80}
> (gdb) print *this->location
> $30 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 44095,
> static counter = 2684785}}
> (gdb) frame 11
> #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373
> 373 in /root/ane/bro/src/Stmt.cc
> (gdb) print *this
> $31 = { = { = { = {_vptr.SerialObj = 0xb02930,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x2299e90,
> notify_plugins = false, ref_cnt = 1, static suppress_errors = 0},
> tag = STMT_IF, breakpoint_count = 0, last_access = 1426699810.94208,
> access_count = 274}, static register_type = {}, tid = {
> id = 44092, static counter = 2684785}, e = 0x2299360}
> (gdb) print *this->location
> $32 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 44095,
> static counter = 2684785}}
> (gdb)
> (gdb) frame 12
> #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764
> 1764 in /root/ane/bro/src/Stmt.cc
> (gdb) print *this
> $33 = { = { = { = {_vptr.SerialObj = 0xb02110,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x2293d60,
> notify_plugins = false, ref_cnt = 1, static suppress_errors = 0},
> tag = STMT_LIST, breakpoint_count = 0, last_access = 1426699810.94208,
> access_count = 274}, static register_type = {}, tid = {
> id = 43644, static counter = 2684785}, stmts = { = {
> entry = 0x229fd20, chunk_size = 20, max_entries = 20,
> num_entries = 15}, }}
> (gdb) print *this->location
> $34 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 568, last_line = 636, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 43643,
> static counter = 2684785}}
> ....
> (gdb) frame 48
> #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true)
> at /root/ane/bro/src/Event.h:50
> 50 /root/ane/bro/src/Event.h: No such file or directory.
> in /root/ane/bro/src/Event.h
> (gdb) print *this
> $35 = { = { = {_vptr.SerialObj = 0xae2fb0,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x0,
> notify_plugins = false, ref_cnt = 1, static suppress_errors = 0},
> handler = {handler = 0x2ac0870}, args = 0x55665e0, src = 10001, aid = 0,
> mgr = 0x1bdbe70, obj = 0x0, next_event = 0x0}
> (gdb) frame 47
> #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0,
> no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
> 80 /root/ane/bro/src/EventHandler.cc: No such file or directory.
> in /root/ane/bro/src/EventHandler.cc
> (gdb) print *this
> $36 = {name = 0x2ac0c00 "SumStats::cluster_send_result", local = 0x2ac0a30,
> type = 0x2ac0600, used = false, enabled = true, error_handler = false,
> generate_always = false, receivers = { = {entry = 0x2ac0ba0,
> chunk_size = 10, max_entries = 10, num_entries = 0}, }}
> ----
> (gdb) bt full
> #0 0x0000003345c32625 in raise () from /lib64/libc.so.6
> No symbol table info available.
> #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6
> No symbol table info available.
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > ap = {{gp_offset = 16, fp_offset = 48, > overflow_arg_area = 0x7fff70b11a50, > reg_save_area = 0x7fff70b11980}} > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000 > out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\ > \ \v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\0 > v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"... > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, > indent_level = 0, is_short = 1, want_quotes = 0, do_flush = 1, > include_stats = 0, indent_with_spaces = 0} > #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) > at /root/ane/bro/src/Val.h:282 > No locals. 
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > p = 0xebd630 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > plugin_result = 0x0 > result = 0x7fff70b11ec0 > i = 0 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x217e940 > current_call = 0x22a2540 > ret = 0x0 > func_val = 0x217ea50 > v = 0x58f2d50 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > v = 0x2299360 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b11fc0 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2299cc0 > result = 0x7e226e > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x58b1870 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x5862c60 > result = 0x0 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a1620 > current_call = 0x21ec0e0 > ret = 0x0 > func_val = 0x22a1710 > v = 0x4fe5fc0 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12330 > #16 0x00000000007e8379 in 
StmtList::Exec (this=0x22a2060, f=0x55fc1e0,
> flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764
> result = 0x4d629b0
> i = 0
> #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570,
> parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386
> i = 0
> plugin_result = 0x0
> __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
> i = 1
> flow = FLOW_NEXT
> f = 0x55fc1e0
> result = 0x0
> #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0)
> at /root/ane/bro/src/Expr.cc:4920
> func = 0x22a2cc0
> current_call = 0x34236a0
> ret = 0x0
> func_val = 0x22a2db0
> v = 0x5469570
> #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0,
> flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369
> v = 0x7fff70b12600
> #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0,
> v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484
> do_stmt = 0x21e38e0
> result = 0x7e226e
> #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0,
> flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373
> ret_val = 0x708008
> v = 0x5382180
> #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0,
> flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764
> result = 0x0
> i = 1
> #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00,
> parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386
> i = 0
> plugin_result = 0x0
> __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
> i = 1
> flow = FLOW_NEXT
> f = 0x520ebc0
> result = 0x0
> #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50)
> at /root/ane/bro/src/Expr.cc:4920
> func = 0x21ed440
> current_call = 0x2a39e10
> ret = 0x0
> func_val = 0x21e3a50
> v = 0x509ca00
> #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50,
> flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369
> v = 0x7fff70b12970
> #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50,
> flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764
> result = 0x0
> i = 4
> #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0,
> parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386
> i = 0
> plugin_result = 0x0
> __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
> i = 2
> flow = FLOW_NEXT
> f = 0x53e1d50
> result = 0x0
> #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50)
> at /root/ane/bro/src/Expr.cc:4920
> func = 0x3423a10
> current_call = 0x2b62770
> ret = 0x0
> func_val = 0x3423b00
> v = 0x571e9e0
> #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50,
> flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369
> v = 0x7fff70b12c40
> #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50,
> flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> result = 0x0
> i = 3
> #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50,
> flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> result = 0x0
> i = 1
> #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0,
> parent=0x5682490) at /root/ane/bro/src/Func.cc:386
> i = 0
> plugin_result = 0x0
> __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
> i = 3
> flow = FLOW_NEXT
> f = 0x4e16b50
> result = 0x0
> #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490)
> at /root/ane/bro/src/Expr.cc:4920
> func = 0x2a3a050
> current_call = 0x2bcf960
> ret = 0x0
> func_val = 0x2a3a290
> v = 0x4ff3bf0
> #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369
> v = 0x7fff70b12f60
> #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
> result = 0x8000e2
> i = 0
> #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490,
> v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484
> do_stmt = 0x2b606d0
> result = 0x2bcf960
> #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373
> ret_val = 0x708008
> v = 0x2a33c00
> #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
> result = 0x0
> i = 3
> #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020,
> parent=0x51654a0) at /root/ane/bro/src/Func.cc:386
> i = 0
> plugin_result = 0x0
> __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
> i = 4
> flow = FLOW_NEXT
> f = 0x5682490
> result = 0x0
> #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0)
> at /root/ane/bro/src/Expr.cc:4920
> func = 0x2b08750
> current_call = 0x0
> ret = 0x0
> func_val = 0x2bbdab0
> v = 0x4cd7020
> #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369
> v = 0x7fff70b13320
> #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
> result = 0x8000e2
> i = 0
> #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0,
> v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484
> do_stmt = 0x2bcf200
> result = 0x7e226e
> #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373
> ret_val = 0x708008
> v = 0x4e12040
> #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
> result = 0x0
> i = 3
> #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0,
> parent=0x0) at /root/ane/bro/src/Func.cc:386
> i = 0
> plugin_result = 0x0
> __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const"
> i = 5
> flow = FLOW_NEXT
> f = 0x51654a0
> result = 0x0
> #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0,
> no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
> No locals.
> #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true)
> at /root/ane/bro/src/Event.h:50
> No locals.
> #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0,
> no_remote=true) at /root/ane/bro/src/Event.h:98
> No locals.
> #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00)
> at /root/ane/bro/src/RemoteSerializer.cc:1439
> be = 0x52f6520
> event = 0x4d194d0
> old_current_peer = 0x5affb90
> i = 2
> __PRETTY_FUNCTION__ = "virtual void RemoteSerializer::Process()"
> #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320
> ts = 1426699810
> src = 0x1be4b28
> loop_counter = 0
> #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98)
> at /root/ane/bro/src/main.cc:1200
> time_net_start = 1426699494.8306091
> mem_net_start_total = 0
> mem_net_start_malloced = 28969936
> time_net_done = 5.5884358079878406e-317
> mem_net_done_total = 32767
> mem_net_done_malloced = 1890663744
> rule_files = { = {entry = 0x3b21000, chunk_size = 20,
> max_entries = 20, num_entries = 16}, }
> id_name = 0x0
> seed_load_file = 0x0
> debug_streams = 0x0
> bare_mode = 0
> opts = "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:z:CFGLNOPSWabdghvZQ", '\000'
> seed = 0
> r = 0
> missing_plugin = false
> bro_init = {handler = 0x1c02d90}
> long_optsind = 0
> s = 0x0
> bst_file = 0x0
> print_plugins = 0
> oldhandler = 0x1
> p = 0x0
> alive_handlers = 0x3bda980
> user_pcap_filter = 0x0
> op = -1
> tmp = 0x0
> dead_handlers = 0x3bda980
> time_start = 1426699493.1773551
> interfaces = { = {entry = 0x1ba5350, chunk_size = 10,
> max_entries = 10, num_entries = 0}, }
> read_files = { = {entry = 0x1ba53b0, chunk_size = 10,
> max_entries = 10, num_entries = 0}, }
> events_file = 0x0
> to_xml = 0
> RE_level = 4
> dns_type = DNS_DEFAULT
> broxygen_config = ""
> dump_cfg = 0
> do_watchdog = 0
> rule_debug = 0
> long_opts = {{name = 0xadae58 "parse-only", has_arg = 0, flag = 0x0,
> val = 97}, {name = 0xadae63 "bare-mode", has_arg = 0, flag = 0x0,
> val = 98}, {name = 0xadae6d "debug-policy", has_arg = 0,
> flag = 0x0, val = 100}, {name = 0xadae7a "dump-config",
> has_arg = 0, flag = 0x0, val = 103}, {name = 0xadae86 "exec",
> has_arg = 1, flag = 0x0, val = 101}, {name = 0xadae8b "filter",
> has_arg = 1, flag = 0x0, val = 102}, {name = 0xadae92 "help",
> has_arg = 0, flag = 0x0, val = 104}, {name = 0xadae97 "iface",
> has_arg = 1, flag = 0x0, val = 105}, {name = 0xadae9d "broxygen",
> has_arg = 1, flag = 0x0, val = 88}, {name = 0xadaea6 "prefix",
> has_arg = 1, flag = 0x0, val = 112}, {name = 0xadaead "readfile",
> has_arg = 1, flag = 0x0, val = 114}, {name = 0xadaeb6 "flowfile",
> has_arg = 1, flag = 0x0, val = 121}, {name = 0xadaebf "netflow",
> has_arg = 1, flag = 0x0, val = 89}, {name = 0xadaec7 "rulefile",
> has_arg = 1, flag = 0x0, val = 115}, {name = 0xadaed0 "tracefile",
> has_arg = 1, flag = 0x0, val = 116}, {name = 0xadaeda "writefile",
> has_arg = 1, flag = 0x0, val = 119}, {name = 0xadaee4 "version",
> has_arg = 0, flag = 0x0, val = 118}, {
> name = 0xadaeec "print-state", has_arg = 1, flag = 0x0,
> val = 120}, {name = 0xadaef8 "analyze", has_arg = 1, flag = 0x0,
> val = 122}, {name = 0xadaf00 "no-checksums", has_arg = 0,
> flag = 0x0, val = 67}, {name = 0xadaf0d "dfa-cache", has_arg = 1,
> flag = 0x0, val = 68}, {name = 0xadaf17 "force-dns", has_arg = 0,
> flag = 0x0, val = 70}, {name = 0xadaf21 "load-seeds", has_arg = 1,
> flag = 0x0, val = 71}, {name = 0xadaf2c "save-seeds", has_arg = 1,
> flag = 0x0, val = 72}, {name = 0xadaf37 "set-seed", has_arg = 1,
> flag = 0x0, val = 74}, {name = 0xadaf40 "md5-hashkey",
> has_arg = 1, flag = 0x0, val = 75}, {
> name = 0xadaf4c "rule-benchmark", has_arg = 0, flag = 0x0,
> val = 76}, {name = 0xadaf5b "print-plugins", has_arg = 0,
> flag = 0x0, val = 78}, {name = 0xadaf69 "optimize", has_arg = 0,
> flag = 0x0, val = 79}, {name = 0xadaf72 "prime-dns", has_arg = 0,
> flag = 0x0, val = 80}, {name = 0xadaf7c "replay", has_arg = 1,
> flag = 0x0, val = 82}, {name = 0xadaf83 "debug-rules",
> has_arg = 0, flag = 0x0, val = 83}, {name = 0xadaf8f "re-level",
> has_arg = 1, flag = 0x0, val = 82}, {name = 0xadaf98 "watchdog",
> has_arg = 0, flag = 0x0, val = 87}, {name = 0xadafa1 "print-id",
> has_arg = 1, flag = 0x0, val = 73}, {
> name = 0xadafaa "status-file", has_arg = 1, flag = 0x0, val = 85},
> {name = 0xadafb6 "debug", has_arg = 1, flag = 0x0, val = 66}, {
> name = 0xadafbc "pseudo-realtime", has_arg = 2, flag = 0x0,
> val = 69}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
> override_ignore_checksums = 0
> time_bro = 0
> seed_save_file = 0x0
> parse_only = 0
> script_rule_files = 0x3b20d70 ".state"
> (gdb) frame 0
> #0 0x0000003345c32625 in raise () from /lib64/libc.so.6
> (gdb) frame 3
> #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
> msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port")
> at /root/ane/bro/src/Obj.cc:134
> 134 /root/ane/bro/src/Obj.cc: No such file or directory.
> in /root/ane/bro/src/Obj.cc
> (gdb) info local
> out = "Val::CONVERTER (string/port)\000\000\000\000R\000\000\000\000\000\000\000\360\035\261p\377\177\000\000\346\036\261p\377\177\000\000\000\000\000\000\003\000\000\000\340\032\261p\377\177\000\000\346\036\261p\377\177\000\000\360\032\261p\377\177\000\000\350\036\261p\377\177\000\000u\350\065\005", '\000' , "??\260\000\000\000\000\000\003\364\177", '\000' , "@*=\005\v\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000`\033\261p\377\177\000\000)\016\200", '\000' , "@*=\005\000\000\000\000\220*=\005\000\000\000\000\000\265K\005\000\000\000\000\220*=\005\000\000\000\000@*=\005\000\000\000\000\000\350\065\005\000\000\000\000\002\000\000\000\000\000\000\000\220"...
> d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560,
> offset = 37, size = 128, escape = false,
> escape_sequences = std::set with 0 elements, f = 0x0, indent_level = 0,
> is_short = 1, want_quotes = 0, do_flush = 1, include_stats = 0,
> indent_with_spaces = 0}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Thu Mar 19 15:15:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 19 Mar 2015 17:15:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1349) Broctl stop output is not sorted anymore

Johanna Amann created BIT-1349:
----------------------------------

Summary: Broctl stop output is not sorted anymore
Key: BIT-1349
URL: https://bro-tracker.atlassian.net/browse/BIT-1349
Project: Bro Issue Tracker
Issue Type: Problem
Components: BroControl
Affects Versions: git/master
Reporter: Johanna Amann
Priority: Trivial
Fix For: 2.4

Minor: the output of the worker nodes when doing broctl stop is not sorted anymore. We should either sort it (or just skip outputting it altogether) - at the moment it is not really useful; if there is no numerical order it is difficult to see if a number one wants to have in there is missing or not.

From jira at bro-tracker.atlassian.net Thu Mar 19 15:15:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Thu, 19 Mar 2015 17:15:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related

[ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20041#comment-20041 ]

Aaron Eppert commented on BIT-1346:
-----------------------------------

It should be, the original as written was not. I'll put a comment in BIT-1339.

> Val::CONVERTER Fatal Error - Sumstats Related
> ---------------------------------------------
>
> Key: BIT-1346
> URL: https://bro-tracker.atlassian.net/browse/BIT-1346
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Aaron Eppert
> Priority: Critical
> Labels: sumstats
> Fix For: 2.4
>
>
> Bro 2.3-451-debug
> Linux 2.6.32-504.8.1.el6.x86_64
> ==== reporter.log
> {"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> ==== stderr.log
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment:
> unlimited
> unlimited
> unlimited
> unlimited
> fatal error in : Val::CONVERTER (string/port) (80/tcp)
> ==== stdout.log
> max memory size (kbytes, -m) unlimited
> data seg size (kbytes, -d) unlimited
> virtual memory (kbytes, -v) unlimited
> core file size (blocks, -c) unlimited
> ==== .cmdline
> -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=manager
> ==== .status
> TERMINATED [atexit]
> ==== No prof.log
> ==== No packet_filter.log
> ==== No loaded_scripts.log
> #0 0x0000003345c32625 in raise () from /lib64/libc.so.6
> #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
> fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
> #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
> msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port")
> at /root/ane/bro/src/Obj.cc:134
> #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20)
> at /root/ane/bro/src/Val.h:282
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto (
> frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153
> #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50,
> parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
> #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60)
> at /root/ane/bro/src/Expr.cc:4920
> #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60)
> at /root/ane/bro/src/Expr.cc:2669
> #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369
> #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60,
> v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484
> #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373
> #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764
> #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0,
> parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386
> #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0)
> at /root/ane/bro/src/Expr.cc:4920
> #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0,
> flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369
> #16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0,
> flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764
> #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570,
> parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386
> #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0)
> at /root/ane/bro/src/Expr.cc:4920
> #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0,
> flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369
> #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0,
> v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484
> #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0,
> flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373
> #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0,
> flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764
> #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00,
> parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386
> #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50)
> at /root/ane/bro/src/Expr.cc:4920
> #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50,
> flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369
> #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50,
> flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764
> #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0,
> parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386
> #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50)
> at /root/ane/bro/src/Expr.cc:4920
> #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50,
> flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369
> #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50,
> flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50,
> flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0,
> parent=0x5682490) at /root/ane/bro/src/Func.cc:386
> #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490)
> at /root/ane/bro/src/Expr.cc:4920
> #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369
> #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
> #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490,
> v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484
> #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373
> #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490,
> flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
> #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020,
> parent=0x51654a0) at /root/ane/bro/src/Func.cc:386
> #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0)
> at /root/ane/bro/src/Expr.cc:4920
> #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369
> #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
> #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0,
> v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484
> #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373
> #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0,
> flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
> #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0,
> parent=0x0) at /root/ane/bro/src/Func.cc:386
> #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0,
> no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
> #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true)
> at /root/ane/bro/src/Event.h:50
> #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0,
> no_remote=true) at /root/ane/bro/src/Event.h:98
> #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00)
> at /root/ane/bro/src/RemoteSerializer.cc:1439
> #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320
> #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98)
> at /root/ane/bro/src/main.cc:1200
> (gdb) frame 2
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
> fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
> 92 /root/ane/bro/src/Reporter.cc: No such file or directory.
> in /root/ane/bro/src/Reporter.cc
> (gdb) print *this
> $11 = {errors = 1, via_events = true, in_error_handler = 0,
> info_to_stderr = true, warnings_to_stderr = false, errors_to_stderr = false,
> locations = std::list = {[0] = {first = 0xebf480, second = 0x0}}}
> (gdb) frame 3
> #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
> msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port")
> at /root/ane/bro/src/Obj.cc:134
> 134 /root/ane/bro/src/Obj.cc: No such file or directory.
> in /root/ane/bro/src/Obj.cc
> (gdb) print *this
> $12 = { = {_vptr.SerialObj = 0xb08370, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 34822}, in_ser_cache = false,
> location = 0x0, notify_plugins = false, ref_cnt = 5,
> static suppress_errors = 0}
> (gdb) print *this
> $13 = { = { = {_vptr.SerialObj = 0xb08370,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 34822}, in_ser_cache = false, location = 0x0,
> notify_plugins = false, ref_cnt = 5, static suppress_errors = 0},
> static register_type = {}, tid = {id = 2684174,
> static counter = 2684785}, val = {int_val = 80599088, uint_val = 80599088,
> addr_val = 0x4cdd830, subnet_val = 0x4cdd830,
> double_val = 3.9821240466935464e-316, string_val = 0x4cdd830,
> func_val = 0x4cdd830, file_val = 0x4cdd830, re_val = 0x4cdd830,
> table_val = 0x4cdd830, val_list_val = 0x4cdd830, vector_val = 0x4cdd830},
> type = 0x1c30fb0, bound_id = 0x0}
> (gdb) print *this->val->string_val
> $14 = {static EXPANDED_STRING = 39, static BRO_STRING_LITERAL = 56,
> b = 0x4bbbd40 "80/tcp", n = 6, final_NUL = 1, use_free_to_delete = 0}
> (gdb) print *this->val->table_val
> $16 = { = {_vptr.Dictionary = 0x4bbbd40, tbl = 0x100000006,
> num_buckets = 32, num_entries = 0, max_num_entries = 81,
> den_thresh = 5.7159126496652157e-317, thresh_entries = 0, tbl2 = 0x0,
> num_buckets2 = 875836160, num_entries2 = 1, max_num_entries2 = 1225167,
> den_thresh2 = 1426703154.9832709, thresh_entries2 = 29612816,
> tbl_next_ind = 0, order = 0x65746163696669, delete_func = 0x61,
> cookies = { = {entry = 0x2377ff0, chunk_size = 92305888,
> max_entries = 0,
> num_entries = 78707}, }}, }
> (gdb) frame 6
> #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50,
> parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
> 564 /root/ane/bro/src/Func.cc: No such file or directory.
> in /root/ane/bro/src/Func.cc
> (gdb) print *this
> $21 = { = { = { = {_vptr.SerialObj = 0xaf1550,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x217e9c0,
> notify_plugins = false, ref_cnt = 2, static suppress_errors = 0},
> bodies = std::vector of length 0, capacity 0, scope = 0x0,
> kind = Func::BUILTIN_FUNC, type = 0x1cc9fb0, name =
> "get_port_transport_proto", unique_id = 677,
> static unique_ids = { >> = {
> _M_impl = {> = {<__gnu_cxx::new_allocator> = {}, }, _M_start = 0x3125ac0,
> _M_finish = 0x31280e8,
> _M_end_of_storage = 0x3129ac0}}, }},
> static register_type = {}, tid = {id = 35977,
> static counter = 2684785},
> func = 0x75ae6e ,
> is_pure = 0}
> (gdb) print *this->location
> $22 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2173970 "/usr/local/bro/share/bro/base/bif/plugins/./Bro_X509.functions.bif.bro", first_line = 69, last_line = 69, first_column = 0,
> last_column = 0, delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 35976,
> static counter = 2684785}}
> (gdb) frame 7
> #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60)
> at /root/ane/bro/src/Expr.cc:4920
> 4920 /root/ane/bro/src/Expr.cc: No such file or directory.
> in /root/ane/bro/src/Expr.cc
> (gdb) print *this
> $23 = { = { = { = {_vptr.SerialObj = 0xae6b10,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x2299b00,
> notify_plugins = false, ref_cnt = 1, static suppress_errors = 0},
> tag = EXPR_CALL, type = 0x1c34890, paren = 0},
> static register_type = {}, tid = {id = 44070,
> static counter = 2684785}, func = 0x2299690, args = 0x2299870}
> (gdb)
> (gdb) print *this->location
> $24 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 44069,
> static counter = 2684785}}
> (gdb)
> (gdb) frame 8
> #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60)
> at /root/ane/bro/src/Expr.cc:2669
> 2669 in /root/ane/bro/src/Expr.cc
> (gdb) print *this
> $25 = { = { = { = { = {
> _vptr.SerialObj = 0xae7bd0, static NEVER = 0, static ALWAYS = 1,
> static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> in_ser_cache = false, location = 0x2299c70, notify_plugins = false,
> ref_cnt = 1, static suppress_errors = 0}, tag = EXPR_ASSIGN,
> type = 0x1c34890, paren = 0}, static register_type = {},
> tid = {id = 44080, static counter = 2684785}, op1 = 0x2299c10,
> op2 = 0x2299aa0}, static register_type = {}, tid = {
> id = 44081, static counter = 2684785}, is_init = 0, val = 0x0}
> (gdb) print *this->location
> $26 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 44082,
> static counter = 2684785}}
> (gdb) frame 9
> #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369
> 369 /root/ane/bro/src/Stmt.cc: No such file or directory.
> in /root/ane/bro/src/Stmt.cc
> (gdb) print *this
> $27 = { = { = { = {_vptr.SerialObj = 0xb029f0,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x2299d10,
> notify_plugins = false, ref_cnt = 1, static suppress_errors = 0},
> tag = STMT_EXPR, breakpoint_count = 0, last_access = 1426699810.94208,
> access_count = 274}, static register_type = {}, tid = {
> id = 44085, static counter = 2684785}, e = 0x2299b50}
> (gdb) print *this->location
> $28 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 597, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 44086,
> static counter = 2684785}}
> (gdb) frame 10
> #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60,
> v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484
> 484 in /root/ane/bro/src/Stmt.cc
> (gdb) print *this
> $29 = { = { = { = { = {
> _vptr.SerialObj = 0xb02930, static NEVER = 0, static ALWAYS = 1,
> static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> in_ser_cache = false, location = 0x2299e90, notify_plugins = false,
> ref_cnt = 1, static suppress_errors = 0}, tag = STMT_IF,
> breakpoint_count = 0, last_access = 1426699810.94208,
> access_count = 274}, static register_type = {}, tid = {
> id = 44092, static counter = 2684785}, e = 0x2299360},
> static register_type = {}, tid = {id = 44094,
> static counter = 2684785}, s1 = 0x2299cc0, s2 = 0x2299d80}
> (gdb) print *this->location
> $30 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 44095,
> static counter = 2684785}}
> (gdb) frame 11
> #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373
> 373 in /root/ane/bro/src/Stmt.cc
> (gdb) print *this
> $31 = { = { = { = {_vptr.SerialObj = 0xb02930,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x2299e90,
> notify_plugins = false, ref_cnt = 1, static suppress_errors = 0},
> tag = STMT_IF, breakpoint_count = 0, last_access = 1426699810.94208,
> access_count = 274}, static register_type = {}, tid = {
> id = 44092, static counter = 2684785}, e = 0x2299360}
> (gdb) print *this->location
> $32 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 597, last_line = 596, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 44095,
> static counter = 2684785}}
> (gdb)
> (gdb) frame 12
> #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60,
> flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764
> 1764 in /root/ane/bro/src/Stmt.cc
> (gdb) print *this
> $33 = { = { = { = {_vptr.SerialObj = 0xb02110,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x2293d60,
> notify_plugins = false, ref_cnt = 1, static suppress_errors = 0},
> tag = STMT_LIST, breakpoint_count = 0, last_access = 1426699810.94208,
> access_count = 274}, static register_type = {}, tid = {
> id = 43644, static counter = 2684785}, stmts = { = {
> entry = 0x229fd20, chunk_size = 20, max_entries = 20,
> num_entries = 15}, }}
> (gdb) print *this->location
> $34 = { = {_vptr.SerialObj = 0xaf52f0, static NEVER = 0,
> static ALWAYS = 1, static factories = 0x1b92860, static names = 0x1b928a0,
> static time_counter = 211263, serial_type = 0},
> filename = 0x2216180 "/usr/local/bro/share/bro/base/frameworks/notice/./main.bro", first_line = 568, last_line = 636, first_column = 0, last_column = 0,
> delete_data = false, timestamp = 0, text = 0x0,
> static register_type = {}, tid = {id = 43643,
> static counter = 2684785}}
> ....
> (gdb) frame 48
> #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true)
> at /root/ane/bro/src/Event.h:50
> 50 /root/ane/bro/src/Event.h: No such file or directory.
> in /root/ane/bro/src/Event.h
> (gdb) print *this
> $35 = { = { = {_vptr.SerialObj = 0xae2fb0,
> static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860,
> static names = 0x1b928a0, static time_counter = 211263,
> serial_type = 0}, in_ser_cache = false, location = 0x0,
> notify_plugins = false, ref_cnt = 1, static suppress_errors = 0},
> handler = {handler = 0x2ac0870}, args = 0x55665e0, src = 10001, aid = 0,
> mgr = 0x1bdbe70, obj = 0x0, next_event = 0x0}
> (gdb) frame 47
> #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0,
> no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
> 80 /root/ane/bro/src/EventHandler.cc: No such file or directory.
> in /root/ane/bro/src/EventHandler.cc
> (gdb) print *this
> $36 = {name = 0x2ac0c00 "SumStats::cluster_send_result", local = 0x2ac0a30,
> type = 0x2ac0600, used = false, enabled = true, error_handler = false,
> generate_always = false, receivers = { = {entry = 0x2ac0ba0,
> chunk_size = 10, max_entries = 10, num_entries = 0}, }}
> ----
> (gdb) bt full
> #0 0x0000003345c32625 in raise () from /lib64/libc.so.6
> No symbol table info available.
> #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6
> No symbol table info available.
> #2  0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
>     fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
>         ap = {{gp_offset = 16, fp_offset = 48,
>             overflow_arg_area = 0x7fff70b11a50,
>             reg_save_area = 0x7fff70b11980}}
> #3  0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
>     msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port")
>     at /root/ane/bro/src/Obj.cc:134
>         out = "Val::CONVERTER (string/port)"...
>         d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560,
>           offset = 37, size = 128, escape = false,
>           escape_sequences = std::set with 0 elements, f = 0x0,
>           indent_level = 0, is_short = 1, want_quotes = 0, do_flush = 1,
>           include_stats = 0, indent_with_spaces = 0}
> #4  0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20)
>     at /root/ane/bro/src/Val.h:282
> No locals.
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > p = 0xebd630 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > plugin_result = 0x0 > result = 0x7fff70b11ec0 > i = 0 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x217e940 > current_call = 0x22a2540 > ret = 0x0 > func_val = 0x217ea50 > v = 0x58f2d50 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > v = 0x2299360 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b11fc0 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2299cc0 > result = 0x7e226e > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x58b1870 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x5862c60 > result = 0x0 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a1620 > current_call = 0x21ec0e0 > ret = 0x0 > func_val = 0x22a1710 > v = 0x4fe5fc0 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12330 > #16 0x00000000007e8379 in 
StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x4d629b0 > i = 0 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x55fc1e0 > result = 0x0 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a2cc0 > current_call = 0x34236a0 > ret = 0x0 > func_val = 0x22a2db0 > v = 0x5469570 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12600 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x21e38e0 > result = 0x7e226e > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x5382180 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x520ebc0 > result = 0x0 > #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x21ed440 > current_call = 0x2a39e10 > ret = 0x0 > func_val = 0x21e3a50 > v = 0x509ca00 > #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12970 > #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, 
f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, > parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 2 > flow = FLOW_NEXT > f = 0x53e1d50 > result = 0x0 > #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x3423a10 > current_call = 0x2b62770 > ret = 0x0 > func_val = 0x3423b00 > v = 0x571e9e0 > #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12c40 > #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 3 > flow = FLOW_NEXT > f = 0x4e16b50 > result = 0x0 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2a3a050 > current_call = 0x2bcf960 > ret = 0x0 > func_val = 0x2a3a290 > v = 0x4ff3bf0 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12f60 > #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at 
/root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2b606d0 > result = 0x2bcf960 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x2a33c00 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 4 > flow = FLOW_NEXT > f = 0x5682490 > result = 0x0 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2b08750 > current_call = 0x0 > ret = 0x0 > func_val = 0x2bbdab0 > v = 0x4cd7020 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b13320 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2bcf200 > result = 0x7e226e > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x4e12040 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 5 > flow = FLOW_NEXT > f = 0x51654a0 > result = 0x0 > #47 
0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > No locals. > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > No locals. > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > No locals. > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at /root/ane/bro/src/RemoteSerializer.cc:1439 > be = 0x52f6520 > event = 0x4d194d0 > old_current_peer = 0x5affb90 > i = 2 > __PRETTY_FUNCTION__ = "virtual void RemoteSerializer::Process()" > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > ts = 1426699810 > src = 0x1be4b28 > loop_counter = 0 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > time_net_start = 1426699494.8306091 > mem_net_start_total = 0 > mem_net_start_malloced = 28969936 > time_net_done = 5.5884358079878406e-317 > mem_net_done_total = 32767 > mem_net_done_malloced = 1890663744 > rule_files = { = {entry = 0x3b21000, chunk_size = 20, > max_entries = 20, num_entries = 16}, } > id_name = 0x0 > seed_load_file = 0x0 > debug_streams = 0x0 > bare_mode = 0 > opts = "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:z:CFGLNOPSWabdghvZQ", '\000' > seed = 0 > r = 0 > missing_plugin = false > bro_init = {handler = 0x1c02d90} > long_optsind = 0 > s = 0x0 > bst_file = 0x0 > print_plugins = 0 > oldhandler = 0x1 > p = 0x0 > alive_handlers = 0x3bda980 > user_pcap_filter = 0x0 > op = -1 > tmp = 0x0 > dead_handlers = 0x3bda980 > time_start = 1426699493.1773551 > interfaces = { = {entry = 0x1ba5350, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > read_files = { = {entry = 0x1ba53b0, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > events_file = 0x0 > to_xml = 0 > RE_level = 4 > dns_type = DNS_DEFAULT > broxygen_config = "" > dump_cfg = 0 > do_watchdog = 0 > 
rule_debug = 0 > long_opts = {{name = 0xadae58 "parse-only", has_arg = 0, flag = 0x0, > val = 97}, {name = 0xadae63 "bare-mode", has_arg = 0, flag = 0x0, > val = 98}, {name = 0xadae6d "debug-policy", has_arg = 0, > flag = 0x0, val = 100}, {name = 0xadae7a "dump-config", > has_arg = 0, flag = 0x0, val = 103}, {name = 0xadae86 "exec", > has_arg = 1, flag = 0x0, val = 101}, {name = 0xadae8b "filter", > has_arg = 1, flag = 0x0, val = 102}, {name = 0xadae92 "help", > has_arg = 0, flag = 0x0, val = 104}, {name = 0xadae97 "iface", > has_arg = 1, flag = 0x0, val = 105}, {name = 0xadae9d "broxygen", > has_arg = 1, flag = 0x0, val = 88}, {name = 0xadaea6 "prefix", > has_arg = 1, flag = 0x0, val = 112}, {name = 0xadaead "readfile", > has_arg = 1, flag = 0x0, val = 114}, {name = 0xadaeb6 "flowfile", > has_arg = 1, flag = 0x0, val = 121}, {name = 0xadaebf "netflow", > has_arg = 1, flag = 0x0, val = 89}, {name = 0xadaec7 "rulefile", > has_arg = 1, flag = 0x0, val = 115}, {name = 0xadaed0 "tracefile", > has_arg = 1, flag = 0x0, val = 116}, {name = 0xadaeda "writefile", > has_arg = 1, flag = 0x0, val = 119}, {name = 0xadaee4 "version", > has_arg = 0, flag = 0x0, val = 118}, { > name = 0xadaeec "print-state", has_arg = 1, flag = 0x0, > val = 120}, {name = 0xadaef8 "analyze", has_arg = 1, flag = 0x0, > val = 122}, {name = 0xadaf00 "no-checksums", has_arg = 0, > flag = 0x0, val = 67}, {name = 0xadaf0d "dfa-cache", has_arg = 1, > flag = 0x0, val = 68}, {name = 0xadaf17 "force-dns", has_arg = 0, > flag = 0x0, val = 70}, {name = 0xadaf21 "load-seeds", has_arg = 1, > flag = 0x0, val = 71}, {name = 0xadaf2c "save-seeds", has_arg = 1, > flag = 0x0, val = 72}, {name = 0xadaf37 "set-seed", has_arg = 1, > flag = 0x0, val = 74}, {name = 0xadaf40 "md5-hashkey", > has_arg = 1, flag = 0x0, val = 75}, { > name = 0xadaf4c "rule-benchmark", has_arg = 0, flag = 0x0, > val = 76}, {name = 0xadaf5b "print-plugins", has_arg = 0, > flag = 0x0, val = 78}, {name = 0xadaf69 "optimize", has_arg = 0, > flag = 
0x0, val = 79}, {name = 0xadaf72 "prime-dns", has_arg = 0, > flag = 0x0, val = 80}, {name = 0xadaf7c "replay", has_arg = 1, > flag = 0x0, val = 82}, {name = 0xadaf83 "debug-rules", > has_arg = 0, flag = 0x0, val = 83}, {name = 0xadaf8f "re-level", > has_arg = 1, flag = 0x0, val = 82}, {name = 0xadaf98 "watchdog", > has_arg = 0, flag = 0x0, val = 87}, {name = 0xadafa1 "print-id", > has_arg = 1, flag = 0x0, val = 73}, { > name = 0xadafaa "status-file", has_arg = 1, flag = 0x0, val = 85}, > {name = 0xadafb6 "debug", has_arg = 1, flag = 0x0, val = 66}, { > name = 0xadafbc "pseudo-realtime", has_arg = 2, flag = 0x0, > val = 69}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}} > override_ignore_checksums = 0 > time_bro = 0 > seed_save_file = 0x0 > parse_only = 0 > script_rule_files = 0x3b20d70 ".state" > (gdb) frame 0 > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > (gdb) frame 3 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > 134 /root/ane/bro/src/Obj.cc: No such file or directory. 
>     in /root/ane/bro/src/Obj.cc
> (gdb) info local
> out = "Val::CONVERTER (string/port)"...
> d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560,
>   offset = 37, size = 128, escape = false,
>   escape_sequences = std::set with 0 elements, f = 0x0, indent_level = 0,
>   is_short = 1, want_quotes = 0, do_flush = 1, include_stats = 0,
>   indent_with_spaces = 0}

-- 
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 19 15:17:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Thu, 19 Mar 2015 17:17:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20042#comment-20042 ]

Aaron Eppert commented on BIT-1339:
-----------------------------------

Per the debacle in [BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure to add to_port() for $resp_p.

{code:bro}
NOTICE([$note=Address_Scan,
#$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+ #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
}]);
{code}

> Remove src and dst from notice
> ------------------------------
>
>                 Key: BIT-1339
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Seth Hall
>             Fix For: 2.4
>
>
> Email from Brian Kellog...
> Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts.
> {quote}
> I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way. Couple questions:
> Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released.
> Here's what I changed/add to some of the built-in detection scripts (Lines with "+" are what I changed/added):
> /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
> NOTICE([$note=Password_Guessing,
> $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
> $sub=sub_msg,
> + #$src=key$host,
> + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
> $identifier=cat(key$host)]);
> }]);
> /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
> NOTICE([$note=FTP::Bruteforcing,
> + #$src=key$host,
> + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
> $msg=message,
> $identifier=cat(key$host)]);
> }]);
> /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
> NOTICE([$note=SQL_Injection_Attacker,
> $msg="An SQL injection attacker was discovered!",
> $email_body_sections=vector(format_sqli_samples(r$samples)),
> + #$src=key$host,
> + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
> + $sub=cat(format_sqli_samples(r$samples)),
> $identifier=cat(key$host)]);
> }]);
>
> NOTICE([$note=SQL_Injection_Victim,
> $msg="An SQL injection victim was discovered!",
> $email_body_sections=vector(format_sqli_samples(r$samples)),
> + #$src=key$host,
> + $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
> + $sub=cat(format_sqli_samples(r$samples)),
> $identifier=cat(key$host)]);
> }]);
> /opt/bro/share/bro/policy/misc/scan.bro
> NOTICE([$note=Address_Scan,
> #$src=key$host,
> + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
> + #$p=to_port(key$str),
> $sub=side,
> $msg=message,
> $identifier=cat(key$host)]);
> }]);
>
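Review bot: in the Address_Scan notice from scan.bro, the added line $resp_p=key$str stores a string in the port-typed $resp_p field of $id; it should be $resp_p=to_port(key$str), the same conversion the commented-out #$p=to_port(key$str) line already uses. The Port_Scan notice that follows has the same problem with $resp_h=key$str, where the commented-out #$dst=to_addr(key$str) line shows the needed to_addr() conversion.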
> NOTICE([$note=Port_Scan,
> #$src=key$host,
> + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
> + #$dst=to_addr(key$str),
> $sub=side,
> $msg=message,
> $identifier=cat(key$host)]);
> }]);
> /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
> NOTICE([$note=Traceroute::Detected,
> $msg=fmt("%s seems to be running traceroute using %s", src, proto),
> + #$src=src,
> + $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
> $identifier=cat(src,proto)]);
> }]);
> {quote}

-- 
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 19 15:18:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Thu, 19 Mar 2015 17:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20042#comment-20042 ]

Aaron Eppert edited comment on BIT-1339 at 3/19/15 5:17 PM:
------------------------------------------------------------

Per the debacle in [BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure to add to_port() for $resp_p.

{noformat}
NOTICE([$note=Address_Scan,
#$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+ #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
}]);
{noformat}

was (Author: aeppert):
Per the debacle in [BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure to add to_port() for $resp_p.

{code:bro}
NOTICE([$note=Address_Scan,
#$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+ #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
}]);
{code}

-- 
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net  Thu Mar 19 15:18:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA)) Date: Thu, 19 Mar 2015 17:18:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20042#comment-20042 ] Aaron Eppert edited comment on BIT-1339 at 3/19/15 5:17 PM: ------------------------------------------------------------ Per the debacle in [BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure to add to_port() for $resp_p. {noformat} NOTICE([$note=Address_Scan, $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)], $sub=side, $msg=message, $identifier=cat(key$host)]); }]); {noformat} was (Author: aeppert): Per the debacle in [BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure to add to_port() for $resp_p. {noformat} NOTICE([$note=Address_Scan, #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)], + #$p=to_port(key$str), $sub=side, $msg=message, $identifier=cat(key$host)]); }]); {noformat} > Remove src and dst from notice > ------------------------------ > > Key: BIT-1339 > URL: https://bro-tracker.atlassian.net/browse/BIT-1339 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: git/master > Reporter: Seth Hall > Assignee: Seth Hall > Fix For: 2.4 > > > Email from Brian Kellog... > Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts. > {quote} > I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way. Couple questions: > Is this the best way to accomplish this task? 
Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released. > Here's what I changed/add to some of the built-in detection scripts (Lines with "+" are what I changed/added): > /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro > NOTICE([$note=Password_Guessing, > $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num), > $sub=sub_msg, > + #$src=key$host, > + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro > NOTICE([$note=FTP::Bruteforcing, > + #$src=key$host, > + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], > $msg=message, > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro > NOTICE([$note=SQL_Injection_Attacker, > $msg="An SQL injection attacker was discovered!", > $email_body_sections=vector(format_sqli_samples(r$samples)), > + #$src=key$host, > + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], > + $sub=cat(format_sqli_samples(r$samples)), > $identifier=cat(key$host)]); > }]); > ? > NOTICE([$note=SQL_Injection_Victim, > $msg="An SQL injection victim was discovered!", > $email_body_sections=vector(format_sqli_samples(r$samples)), > + #$src=key$host, > + $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp], > + $sub=cat(format_sqli_samples(r$samples)), > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/misc/scan.bro > NOTICE([$note=Address_Scan, > #$src=key$host, > + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str], > + #$p=to_port(key$str), > $sub=side, > $msg=message, > $identifier=cat(key$host)]); > }]); > ? 
> NOTICE([$note=Port_Scan,
>         #$src=key$host,
> +       $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
> +       #$dst=to_addr(key$str),
>         $sub=side,
>         $msg=message,
>         $identifier=cat(key$host)]);
> }]);
>
> /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
> NOTICE([$note=Traceroute::Detected,
>         $msg=fmt("%s seems to be running traceroute using %s", src, proto),
> +       #$src=src,
> +       $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
>         $identifier=cat(src,proto)]);
> }]);
> {quote}

--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Thu Mar 19 15:24:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 19 Mar 2015 17:24:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1031) add script based on BBN's Flow Analyzer
In-Reply-To: 
References: 
Message-ID: 

[ https://bro-tracker.atlassian.net/browse/BIT-1031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

grigorescu updated BIT-1031:
----------------------------

    Resolution: Rejected
        Status: Closed  (was: Open)

This script looks like it would require a significant amount of tuning, and doesn't really seem like a great fit for Bro. We can revisit this within the context of a contributed script repository.

> add script based on BBN's Flow Analyzer
> ---------------------------------------
>
>                 Key: BIT-1031
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1031
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dmandelb
>             Fix For: 2.5
>
>         Attachments: 0001-add-script-based-on-BBN-s-Flow-Analyzer.patch
>
>
> BBN's RePS team wrote this script that might be useful to the Bro community if it were added to the bro-scripts repository.

From jira at bro-tracker.atlassian.net Thu Mar 19 15:26:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 19 Mar 2015 17:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1032) add script based on BBN's Host Characterization
In-Reply-To: 
References: 
Message-ID: 

[ https://bro-tracker.atlassian.net/browse/BIT-1032?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

grigorescu updated BIT-1032:
----------------------------

    Resolution: Rejected
        Status: Closed  (was: Open)

This script looks like it would require a significant amount of tuning, and doesn't really seem like a great fit for Bro. We can revisit this within the context of a contributed script repository.

> add script based on BBN's Host Characterization
> -----------------------------------------------
>
>                 Key: BIT-1032
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1032
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dmandelb
>             Fix For: 2.5
>
>         Attachments: 0001-add-script-based-on-BBN-s-Host-Characterization.patch
>
>
> BBN's RePS team wrote this script that might be useful to the Bro community if it were added to the bro-scripts repository.

From jira at bro-tracker.atlassian.net Thu Mar 19 15:29:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 19 Mar 2015 17:29:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1033) add script based on BBN's ICMP analyzer
In-Reply-To: 
References: 
Message-ID: 

[ https://bro-tracker.atlassian.net/browse/BIT-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20045#comment-20045 ]

grigorescu commented on BIT-1033:
---------------------------------

I'd like to see this reimplemented with SumStats, but I think this would be cool to have.

> add script based on BBN's ICMP analyzer
> ---------------------------------------
>
>                 Key: BIT-1033
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1033
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dmandelb
>             Fix For: 2.5
>
>         Attachments: 0001-add-script-based-on-BBN-s-ICMP-analyzer.patch
>
>

From jira at bro-tracker.atlassian.net Thu Mar 19 16:06:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 19 Mar 2015 18:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
In-Reply-To: 
References: 
Message-ID: 

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1199:
-------------------------------

        Status: Merge Request  (was: Open)

> Better error messages for input file errors in READER_ASCII
> -----------------------------------------------------------
>
>                 Key: BIT-1199
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1199
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: grigorescu
>            Assignee: Johanna Amann
>             Fix For: 2.4
>
>         Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently displayed).

From jira at bro-tracker.atlassian.net Thu Mar 19 16:06:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 19 Mar 2015 18:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
In-Reply-To: 
References: 
Message-ID: 

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1199:
----------------------------------

    Assignee:     (was: Johanna Amann)

> Better error messages for input file errors in READER_ASCII
> -----------------------------------------------------------
>
>                 Key: BIT-1199
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1199
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: grigorescu
>             Fix For: 2.4
>
>         Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently displayed).

From jira at bro-tracker.atlassian.net Thu Mar 19 16:06:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 19 Mar 2015 18:06:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
In-Reply-To: 
References: 
Message-ID: 

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20046#comment-20046 ]

Johanna Amann commented on BIT-1199:
------------------------------------

And again - topic/johanna/bit-1199 now addresses the bug, changes the error message as specified and does not exit with an InternalError anymore; instead the line in question should just be ignored.

I tried to implement it with minimal impact on the already existing code -- sadly it makes the already messy functions that do event / predicate dispatch even messier. But - not by very much.

> Better error messages for input file errors in READER_ASCII
> -----------------------------------------------------------
>
>                 Key: BIT-1199
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1199
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: grigorescu
>            Assignee: Johanna Amann
>             Fix For: 2.4
>
>         Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently displayed).

From noreply at bro.org Fri Mar 20 00:00:26 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 20 Mar 2015 00:00:26 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503200700.t2K70Qfr017571@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee       Updated     For Version   Priority   Summary
------------  ------------  -------------  -------------  ----------  ------------  ---------  -----------------------------------------------------------
BIT-1348 [1]  Bro           Daniel Thayer  -              2015-03-18  2.4           Normal     topic/dnthayer/fix-typos [2]
BIT-1347 [3]  Bro           Johanna Amann  -              2015-03-18  2.4           Normal     Please merge topic/johanna/dtls
BIT-1344 [4]  Bro           grigorescu     Johanna Amann  2015-03-18  -             Normal     New SSH Analyzer
BIT-1340 [5]  Bro           Seth Hall      Jon Siwek      2015-03-13  2.4           Normal     RDP analyzer (topic/seth/rdp)
BIT-1324 [6]  Bro           Justin Azoff   -              2015-03-19  2.4           Low        default_path_func does weird things to underscores
BIT-1303 [7]  pysubnettree  Daniel Thayer  -              2015-03-17  2.4           Normal     pysubnettree tests should be changed to use btest
BIT-1199 [8]  Bro           grigorescu     -              2015-03-19  2.4           Normal     Better error messages for input file errors in READER_ASCII
BIT-788 [9]   Bro           juliensentier  -              2015-03-19  2.4           Normal     Good analysis of unidirectional DNS flows
BIT-342 [10]  Bro           Seth Hall      -              2015-03-19  2.4           Normal     Add payload to ICMP analyzer

Open Fastpath Commits
======================

Commit        Component    Author         Date        Summary
------------  -----------  -------------  ----------  -----------------------------------------------------------
eec7f77 [11]  bro          Daniel Thayer  2015-03-18  Correct a spelling error
31795e7 [12]  bro          Johanna Amann  2015-03-10  When setting the SSL analyzer to fail, also stop processing

Open GitHub Pull Requests
=========================

Issue     Component    User           Updated     Title
--------  -----------  -------------  ----------  ---------------------------------------------------------------------------
#28 [13]  bro          aeppert [14]   2015-03-18  Seems to fix a case where an entry in the table may be null on insert. [15]
#27 [16]  bro          petiepooo [17] 2015-03-14  Add defensive check for localtime_r() call [18]

[1]  BIT-1348          https://bro-tracker.atlassian.net/browse/BIT-1348
[2]  fix-typos         https://github.com/bro/bro/tree/topic/dnthayer/fix-typos
[3]  BIT-1347          https://bro-tracker.atlassian.net/browse/BIT-1347
[4]  BIT-1344          https://bro-tracker.atlassian.net/browse/BIT-1344
[5]  BIT-1340          https://bro-tracker.atlassian.net/browse/BIT-1340
[6]  BIT-1324          https://bro-tracker.atlassian.net/browse/BIT-1324
[7]  BIT-1303          https://bro-tracker.atlassian.net/browse/BIT-1303
[8]  BIT-1199          https://bro-tracker.atlassian.net/browse/BIT-1199
[9]  BIT-788           https://bro-tracker.atlassian.net/browse/BIT-788
[10] BIT-342           https://bro-tracker.atlassian.net/browse/BIT-342
[11] eec7f77           https://github.com/bro/bro/commit/eec7f77913e0385d83bbd9b086ae5e3e2c1cd4bb
[12] 31795e7           https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3
[13] Pull Request #28  https://github.com/bro/bro/pull/28
[14] aeppert           https://github.com/aeppert
[15] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master
[16] Pull Request #27  https://github.com/bro/bro/pull/27
[17] petiepooo         https://github.com/petiepooo
[18] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv

From jira at bro-tracker.atlassian.net Fri Mar 20 07:45:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 20 Mar 2015 09:45:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1350) Anonymous inner record insufficient type checking
In-Reply-To: 
References: 
Message-ID: 

Jon Siwek created BIT-1350:
------------------------------

             Summary: Anonymous inner record insufficient type checking
                 Key: BIT-1350
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1350
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
            Reporter: Jon Siwek
             Fix For: 2.5


This mistake should be caught at parse-time:

{code}
global crash = "80/tcp";

type myrec: record {
	cid: conn_id;
};

event bro_init()
	{
	local mr: myrec;
	mr = [$cid = [$orig_h=1.2.3.4,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=crash]];
	get_port_transport_proto(mr$cid$resp_p);
	}
{code}

instead it errors out at runtime:

fatal error in ././test.bro, line 1: Val::CONVERTER (string/port) (80/tcp)

From jira at bro-tracker.atlassian.net Fri Mar 20 07:48:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 20 Mar 2015 09:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1346) Val::CONVERTER Fatal Error - Sumstats Related
In-Reply-To: 
References: 
Message-ID: 

[ https://bro-tracker.atlassian.net/browse/BIT-1346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1346:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Made a separate ticket to look into improving the type-checking, I think this mistake would have been catchable at parse-time: BIT-1350

> Val::CONVERTER Fatal Error - Sumstats Related
> ---------------------------------------------
>
>                 Key: BIT-1346
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1346
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Aaron Eppert
>            Priority: Critical
>              Labels: sumstats
>             Fix For: 2.4
>
>
> Bro 2.3-451-debug
> Linux 2.6.32-504.8.1.el6.x86_64
> ==== reporter.log
> {"ts":1426643084.0629,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643086.504566,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"extra base64 groups after \u0027=\u0027 padding are ignored","location":""}
> {"ts":1426643089.234903,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643093.283505,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643095.710806,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643098.094734,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643108.020824,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643110.429037,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> {"ts":1426643122.957015,"level":"Reporter::ERROR","message":"incomplete base64 group, padding with 12 bits of 0","location":""}
> ==== stderr.log
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: Check to see if the tagged attribute exists, if so, log it, else
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: it is from the original Intel::LOG, drop it on the floor. This
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: prevents duplicate logging AND avoids a tertiary intel log to
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: parse.
> internal warning in /usr/local/bro/spool/installed-scripts-do-not-touch/site/ps-cif/./ps-cif.bro, line 4: Discarded extraneous Broxygen comment: 
> unlimited
> unlimited
> unlimited
> unlimited
> fatal error in : Val::CONVERTER (string/port) (80/tcp)
> ==== stdout.log
> max memory size         (kbytes, -m) unlimited
> data seg size           (kbytes, -d) unlimited
> virtual memory          (kbytes, -v) unlimited
> core file size          (blocks, -c) unlimited
> ==== .cmdline
> -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto -B threading
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/tokumx/bin:/root/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=manager
> ==== .status
> TERMINATED [atexit]
> ==== No prof.log
> ==== No packet_filter.log
> ==== No loaded_scripts.log
> #0  0x0000003345c32625 in raise () from /lib64/libc.so.6
> #1  0x0000003345c33e05 in abort () from /lib64/libc.so.6
> #2  0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
>     fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
> #3  0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20,
>     msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port")
>     at /root/ane/bro/src/Obj.cc:134
> #4  0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20)
>     at /root/ane/bro/src/Val.h:282
> #5  0x000000000075aecd in BifFunc::bro_get_port_transport_proto (
>     frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153
> #6  0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50,
>     parent=0x5862c60) at /root/ane/bro/src/Func.cc:564
> #7  0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60)
>     at /root/ane/bro/src/Expr.cc:4920
> #8  0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60)
>     at /root/ane/bro/src/Expr.cc:2669
> #9  0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60,
>     flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369
> #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60,
>     v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484
> #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60,
>     flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373
> #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60,
>     flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764
> #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0,
>     parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386
> #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0)
>     at /root/ane/bro/src/Expr.cc:4920
> #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0,
>     flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369
> #16 0x00000000007e8379 in StmtList::Exec (this=0x22a2060, f=0x55fc1e0,
>     flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764
> #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570,
>     parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386
> #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0)
>     at /root/ane/bro/src/Expr.cc:4920
> #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0,
>     flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369
> #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0,
>     v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484
> #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0,
>     flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373
> #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0,
>     flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764
> #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00,
>     parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386
> #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50)
>     at /root/ane/bro/src/Expr.cc:4920
> #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50,
>     flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369
> #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, f=0x53e1d50,
>     flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764
> #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0,
>     parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386
> #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50)
>     at /root/ane/bro/src/Expr.cc:4920
> #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50,
>     flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369
> #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50,
>     flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50,
>     flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764
> #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0,
>     parent=0x5682490) at /root/ane/bro/src/Func.cc:386
> #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490)
>     at /root/ane/bro/src/Expr.cc:4920
> #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490,
>     flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369
> #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490,
>     flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
> #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490,
>     v=0x2a33c00, flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:484
> #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490,
>     flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373
> #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490,
>     flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764
> #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020,
>     parent=0x51654a0) at /root/ane/bro/src/Func.cc:386
> #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0)
>     at /root/ane/bro/src/Expr.cc:4920
> #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0,
>     flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369
> #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0,
>     flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
> #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0,
>     v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484
> #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0,
>     flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373
> #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0,
>     flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764
> #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0,
>     parent=0x0) at /root/ane/bro/src/Func.cc:386
> #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0,
>     no_remote=true) at /root/ane/bro/src/EventHandler.cc:80
> #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true)
>     at /root/ane/bro/src/Event.h:50
> #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0,
>     no_remote=true) at /root/ane/bro/src/Event.h:98
> #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00)
>     at /root/ane/bro/src/RemoteSerializer.cc:1439
> #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320
> #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98)
>     at /root/ane/bro/src/main.cc:1200
> (gdb) frame 2
> #2  0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490,
>     fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92
> 92      /root/ane/bro/src/Reporter.cc: No such file or directory.
> in /root/ane/bro/src/Event.h > (gdb) print *this > $35 = { = { = {_vptr.SerialObj = 0xae2fb0, > static NEVER = 0, static ALWAYS = 1, static factories = 0x1b92860, > static names = 0x1b928a0, static time_counter = 211263, > serial_type = 0}, in_ser_cache = false, location = 0x0, > notify_plugins = false, ref_cnt = 1, static suppress_errors = 0}, > handler = {handler = 0x2ac0870}, args = 0x55665e0, src = 10001, aid = 0, > mgr = 0x1bdbe70, obj = 0x0, next_event = 0x0} > (gdb) frame 47 > #47 0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > 80 /root/ane/bro/src/EventHandler.cc: No such file or directory. > in /root/ane/bro/src/EventHandler.cc > (gdb) print *this > $36 = {name = 0x2ac0c00 "SumStats::cluster_send_result", local = 0x2ac0a30, > type = 0x2ac0600, used = false, enabled = true, error_handler = false, > generate_always = false, receivers = { = {entry = 0x2ac0ba0, > chunk_size = 10, max_entries = 10, num_entries = 0}, }} > ---- > (gdb) bt full > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > No symbol table info available. > #1 0x0000003345c33e05 in abort () from /lib64/libc.so.6 > No symbol table info available. 
> #2 0x00000000007847d9 in Reporter::FatalError (this=0x1ba5490, > fmt=0xaf4f56 "%s") at /root/ane/bro/src/Reporter.cc:92 > ap = {{gp_offset = 16, fp_offset = 48, > overflow_arg_area = 0x7fff70b11a50, > reg_save_area = 0x7fff70b11980}} > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, > indent_level = 0, is_short = 1, want_quotes = 0, do_flush = 1, > include_stats = 0, indent_with_spaces = 0} > #4 0x0000000000770c1c in Val::AsPortVal (this=0x4edeb20) > at /root/ane/bro/src/Val.h:282 > No locals. 
> #5 0x000000000075aecd in BifFunc::bro_get_port_transport_proto ( > frame=0x5862c60, BiF_ARGS=0x58f2d50) at bro.bif:3153 > p = 0xebd630 > #6 0x000000000074f3cd in BuiltinFunc::Call (this=0x217e940, args=0x58f2d50, > parent=0x5862c60) at /root/ane/bro/src/Func.cc:564 > plugin_result = 0x0 > result = 0x7fff70b11ec0 > i = 0 > #7 0x0000000000740c4d in CallExpr::Eval (this=0x2299aa0, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x217e940 > current_call = 0x22a2540 > ret = 0x0 > func_val = 0x217ea50 > v = 0x58f2d50 > #8 0x00000000007370b7 in AssignExpr::Eval (this=0x2299b50, f=0x5862c60) > at /root/ane/bro/src/Expr.cc:2669 > v = 0x2299360 > #9 0x00000000007e22bf in ExprStmt::Exec (this=0x2299cc0, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b11fc0 > #10 0x00000000007e2b6f in IfStmt::DoExec (this=0x2299e20, f=0x5862c60, > v=0x58b1870, flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2299cc0 > result = 0x7e226e > #11 0x00000000007e22f3 in ExprStmt::Exec (this=0x2299e20, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x58b1870 > #12 0x00000000007e8379 in StmtList::Exec (this=0x2293b70, f=0x5862c60, > flow=@0x7fff70b12154) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #13 0x000000000074e6d5 in BroFunc::Call (this=0x22a1620, args=0x4fe5fc0, > parent=0x55fc1e0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x5862c60 > result = 0x0 > #14 0x0000000000740c4d in CallExpr::Eval (this=0x22a2540, f=0x55fc1e0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a1620 > current_call = 0x21ec0e0 > ret = 0x0 > func_val = 0x22a1710 > v = 0x4fe5fc0 > #15 0x00000000007e22bf in ExprStmt::Exec (this=0x22a2660, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12330 > #16 0x00000000007e8379 in 
StmtList::Exec (this=0x22a2060, f=0x55fc1e0, > flow=@0x7fff70b12424) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x4d629b0 > i = 0 > #17 0x000000000074e6d5 in BroFunc::Call (this=0x22a2cc0, args=0x5469570, > parent=0x520ebc0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x55fc1e0 > result = 0x0 > #18 0x0000000000740c4d in CallExpr::Eval (this=0x21ec0e0, f=0x520ebc0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x22a2cc0 > current_call = 0x34236a0 > ret = 0x0 > func_val = 0x22a2db0 > v = 0x5469570 > #19 0x00000000007e22bf in ExprStmt::Exec (this=0x21e38e0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12600 > #20 0x00000000007e2b6f in IfStmt::DoExec (this=0x21ed9a0, f=0x520ebc0, > v=0x5382180, flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x21e38e0 > result = 0x7e226e > #21 0x00000000007e22f3 in ExprStmt::Exec (this=0x21ed9a0, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x5382180 > #22 0x00000000007e8379 in StmtList::Exec (this=0x21eaa60, f=0x520ebc0, > flow=@0x7fff70b12794) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #23 0x000000000074e6d5 in BroFunc::Call (this=0x21ed440, args=0x509ca00, > parent=0x53e1d50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 1 > flow = FLOW_NEXT > f = 0x520ebc0 > result = 0x0 > #24 0x0000000000740c4d in CallExpr::Eval (this=0x34236a0, f=0x53e1d50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x21ed440 > current_call = 0x2a39e10 > ret = 0x0 > func_val = 0x21e3a50 > v = 0x509ca00 > #25 0x00000000007e22bf in ExprStmt::Exec (this=0x34237c0, f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12970 > #26 0x00000000007e8379 in StmtList::Exec (this=0x341d8e0, 
f=0x53e1d50, > flow=@0x7fff70b12a64) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 4 > #27 0x000000000074e6d5 in BroFunc::Call (this=0x3423a10, args=0x571e9e0, > parent=0x4e16b50) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 2 > flow = FLOW_NEXT > f = 0x53e1d50 > result = 0x0 > #28 0x0000000000740c4d in CallExpr::Eval (this=0x2a39e10, f=0x4e16b50) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x3423a10 > current_call = 0x2b62770 > ret = 0x0 > func_val = 0x3423b00 > v = 0x571e9e0 > #29 0x00000000007e22bf in ExprStmt::Exec (this=0x2a39f30, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12c40 > #30 0x00000000007e8379 in StmtList::Exec (this=0x2a36770, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #31 0x00000000007e8379 in StmtList::Exec (this=0x2a39f80, f=0x4e16b50, > flow=@0x7fff70b12d84) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 1 > #32 0x000000000074e6d5 in BroFunc::Call (this=0x2a3a050, args=0x4ff3bf0, > parent=0x5682490) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 3 > flow = FLOW_NEXT > f = 0x4e16b50 > result = 0x0 > #33 0x0000000000740c4d in CallExpr::Eval (this=0x2b62770, f=0x5682490) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2a3a050 > current_call = 0x2bcf960 > ret = 0x0 > func_val = 0x2a3a290 > v = 0x4ff3bf0 > #34 0x00000000007e22bf in ExprStmt::Exec (this=0x2bbb7b0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b12f60 > #35 0x00000000007e8379 in StmtList::Exec (this=0x2b606d0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #36 0x00000000007e2b6f in IfStmt::DoExec (this=0x2b6f010, f=0x5682490, > v=0x2a33c00, flow=@0x7fff70b13144) at 
/root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2b606d0 > result = 0x2bcf960 > #37 0x00000000007e22f3 in ExprStmt::Exec (this=0x2b6f010, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x2a33c00 > #38 0x00000000007e8379 in StmtList::Exec (this=0x2b69cb0, f=0x5682490, > flow=@0x7fff70b13144) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #39 0x000000000074e6d5 in BroFunc::Call (this=0x2b08750, args=0x4cd7020, > parent=0x51654a0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 4 > flow = FLOW_NEXT > f = 0x5682490 > result = 0x0 > #40 0x0000000000740c4d in CallExpr::Eval (this=0x2bcf960, f=0x51654a0) > at /root/ane/bro/src/Expr.cc:4920 > func = 0x2b08750 > current_call = 0x0 > ret = 0x0 > func_val = 0x2bbdab0 > v = 0x4cd7020 > #41 0x00000000007e22bf in ExprStmt::Exec (this=0x2bcfa80, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:369 > v = 0x7fff70b13320 > #42 0x00000000007e8379 in StmtList::Exec (this=0x2bcf200, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x8000e2 > i = 0 > #43 0x00000000007e2b6f in IfStmt::DoExec (this=0x2bd04f0, f=0x51654a0, > v=0x4e12040, flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:484 > do_stmt = 0x2bcf200 > result = 0x7e226e > #44 0x00000000007e22f3 in ExprStmt::Exec (this=0x2bd04f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:373 > ret_val = 0x708008 > v = 0x4e12040 > #45 0x00000000007e8379 in StmtList::Exec (this=0x2bca5f0, f=0x51654a0, > flow=@0x7fff70b13504) at /root/ane/bro/src/Stmt.cc:1764 > result = 0x0 > i = 3 > #46 0x000000000074e6d5 in BroFunc::Call (this=0x2ac0a30, args=0x55665e0, > parent=0x0) at /root/ane/bro/src/Func.cc:386 > i = 0 > plugin_result = 0x0 > __PRETTY_FUNCTION__ = "virtual Val* BroFunc::Call(val_list*, Frame*) const" > i = 5 > flow = FLOW_NEXT > f = 0x51654a0 > result = 0x0 > #47 
0x000000000072588b in EventHandler::Call (this=0x2ac0870, vl=0x55665e0, > no_remote=true) at /root/ane/bro/src/EventHandler.cc:80 > No locals. > #48 0x00000000006d8cc2 in Event::Dispatch (this=0x4d194d0, no_remote=true) > at /root/ane/bro/src/Event.h:50 > No locals. > #49 0x00000000006d8e41 in EventMgr::Dispatch (this=0xebdb60, event=0x4d194d0, > no_remote=true) at /root/ane/bro/src/Event.h:98 > No locals. > #50 0x00000000007a15f2 in RemoteSerializer::Process (this=0x1be4b00) > at /root/ane/bro/src/RemoteSerializer.cc:1439 > be = 0x52f6520 > event = 0x4d194d0 > old_current_peer = 0x5affb90 > i = 2 > __PRETTY_FUNCTION__ = "virtual void RemoteSerializer::Process()" > #51 0x00000000007889fc in net_run () at /root/ane/bro/src/Net.cc:320 > ts = 1426699810 > src = 0x1be4b28 > loop_counter = 0 > #52 0x00000000006d8157 in main (argc=16, argv=0x7fff70b13f98) > at /root/ane/bro/src/main.cc:1200 > time_net_start = 1426699494.8306091 > mem_net_start_total = 0 > mem_net_start_malloced = 28969936 > time_net_done = 5.5884358079878406e-317 > mem_net_done_total = 32767 > mem_net_done_malloced = 1890663744 > rule_files = { = {entry = 0x3b21000, chunk_size = 20, > max_entries = 20, num_entries = 16}, } > id_name = 0x0 > seed_load_file = 0x0 > debug_streams = 0x0 > bare_mode = 0 > opts = "B:D:e:f:I:i:K:l:n:p:R:r:s:T:t:U:w:x:X:z:CFGLNOPSWabdghvZQ", '\000' > seed = 0 > r = 0 > missing_plugin = false > bro_init = {handler = 0x1c02d90} > long_optsind = 0 > s = 0x0 > bst_file = 0x0 > print_plugins = 0 > oldhandler = 0x1 > p = 0x0 > alive_handlers = 0x3bda980 > user_pcap_filter = 0x0 > op = -1 > tmp = 0x0 > dead_handlers = 0x3bda980 > time_start = 1426699493.1773551 > interfaces = { = {entry = 0x1ba5350, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > read_files = { = {entry = 0x1ba53b0, chunk_size = 10, > max_entries = 10, num_entries = 0}, } > events_file = 0x0 > to_xml = 0 > RE_level = 4 > dns_type = DNS_DEFAULT > broxygen_config = "" > dump_cfg = 0 > do_watchdog = 0 > 
rule_debug = 0 > long_opts = {{name = 0xadae58 "parse-only", has_arg = 0, flag = 0x0, > val = 97}, {name = 0xadae63 "bare-mode", has_arg = 0, flag = 0x0, > val = 98}, {name = 0xadae6d "debug-policy", has_arg = 0, > flag = 0x0, val = 100}, {name = 0xadae7a "dump-config", > has_arg = 0, flag = 0x0, val = 103}, {name = 0xadae86 "exec", > has_arg = 1, flag = 0x0, val = 101}, {name = 0xadae8b "filter", > has_arg = 1, flag = 0x0, val = 102}, {name = 0xadae92 "help", > has_arg = 0, flag = 0x0, val = 104}, {name = 0xadae97 "iface", > has_arg = 1, flag = 0x0, val = 105}, {name = 0xadae9d "broxygen", > has_arg = 1, flag = 0x0, val = 88}, {name = 0xadaea6 "prefix", > has_arg = 1, flag = 0x0, val = 112}, {name = 0xadaead "readfile", > has_arg = 1, flag = 0x0, val = 114}, {name = 0xadaeb6 "flowfile", > has_arg = 1, flag = 0x0, val = 121}, {name = 0xadaebf "netflow", > has_arg = 1, flag = 0x0, val = 89}, {name = 0xadaec7 "rulefile", > has_arg = 1, flag = 0x0, val = 115}, {name = 0xadaed0 "tracefile", > has_arg = 1, flag = 0x0, val = 116}, {name = 0xadaeda "writefile", > has_arg = 1, flag = 0x0, val = 119}, {name = 0xadaee4 "version", > has_arg = 0, flag = 0x0, val = 118}, { > name = 0xadaeec "print-state", has_arg = 1, flag = 0x0, > val = 120}, {name = 0xadaef8 "analyze", has_arg = 1, flag = 0x0, > val = 122}, {name = 0xadaf00 "no-checksums", has_arg = 0, > flag = 0x0, val = 67}, {name = 0xadaf0d "dfa-cache", has_arg = 1, > flag = 0x0, val = 68}, {name = 0xadaf17 "force-dns", has_arg = 0, > flag = 0x0, val = 70}, {name = 0xadaf21 "load-seeds", has_arg = 1, > flag = 0x0, val = 71}, {name = 0xadaf2c "save-seeds", has_arg = 1, > flag = 0x0, val = 72}, {name = 0xadaf37 "set-seed", has_arg = 1, > flag = 0x0, val = 74}, {name = 0xadaf40 "md5-hashkey", > has_arg = 1, flag = 0x0, val = 75}, { > name = 0xadaf4c "rule-benchmark", has_arg = 0, flag = 0x0, > val = 76}, {name = 0xadaf5b "print-plugins", has_arg = 0, > flag = 0x0, val = 78}, {name = 0xadaf69 "optimize", has_arg = 0, > flag = 
0x0, val = 79}, {name = 0xadaf72 "prime-dns", has_arg = 0, > flag = 0x0, val = 80}, {name = 0xadaf7c "replay", has_arg = 1, > flag = 0x0, val = 82}, {name = 0xadaf83 "debug-rules", > has_arg = 0, flag = 0x0, val = 83}, {name = 0xadaf8f "re-level", > has_arg = 1, flag = 0x0, val = 82}, {name = 0xadaf98 "watchdog", > has_arg = 0, flag = 0x0, val = 87}, {name = 0xadafa1 "print-id", > has_arg = 1, flag = 0x0, val = 73}, { > name = 0xadafaa "status-file", has_arg = 1, flag = 0x0, val = 85}, > {name = 0xadafb6 "debug", has_arg = 1, flag = 0x0, val = 66}, { > name = 0xadafbc "pseudo-realtime", has_arg = 2, flag = 0x0, > val = 69}, {name = 0x0, has_arg = 0, flag = 0x0, val = 0}} > override_ignore_checksums = 0 > time_bro = 0 > seed_save_file = 0x0 > parse_only = 0 > script_rule_files = 0x3b20d70 ".state" > (gdb) frame 0 > #0 0x0000003345c32625 in raise () from /lib64/libc.so.6 > (gdb) frame 3 > #3 0x000000000078bfb4 in BroObj::BadTag (this=0x4edeb20, > msg=0xaeaeae "Val::CONVERTER", t1=0xb05a89 "string", t2=0xb05aa3 "port") > at /root/ane/bro/src/Obj.cc:134 > 134 /root/ane/bro/src/Obj.cc: No such file or directory. 
> in /root/ane/bro/src/Obj.cc > (gdb) info local > d = {type = DESC_READABLE, style = STANDARD_STYLE, base = 0x58db560, > offset = 37, size = 128, escape = false, > escape_sequences = std::set with 0 elements, f = 0x0, indent_level = 0, > is_short = 1, want_quotes = 0, do_flush = 1, include_stats = 0, > indent_with_spaces = 0}

-- 
This message was sent by Atlassian JIRA (v6.4-OD-15-055#64014)

From jira at bro-tracker.atlassian.net Fri Mar 20 07:57:01 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 20 Mar 2015 09:57:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1348) topic/dnthayer/fix-typos
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1348:
------------------------------

    Assignee: Jon Siwek

> topic/dnthayer/fix-typos
> ------------------------
>
>                 Key: BIT-1348
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1348
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> The branch topic/dnthayer/fix-typos in the bro-plugins repo contains a few small
> doc fixes, and a portability improvement for the configure script.

From jira at bro-tracker.atlassian.net Fri Mar 20 07:58:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 20 Mar 2015 09:58:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-725) Incorrect weird (unmatched_HTTP_reply) in the HTTP analyzer.
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-725?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-725:
-----------------------------

    Assignee: Jon Siwek

> Incorrect weird (unmatched_HTTP_reply) in the HTTP analyzer.
> ------------------------------------------------------------
>
>                 Key: BIT-725
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-725
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Seth Hall
>            Assignee: Jon Siwek
>              Labels: analyzer
>             Fix For: 2.4
>
>         Attachments: http-request-timeout.trace
>
>
> The HTTP analyzer is raising the unmatched_HTTP_reply weird if it sees a response that there was no packet for. There are cases where this is legit and the case is handled correctly by the new http scripts so the weird should probably be removed since it's really just noise. I'll attach a tracefile that shows a legit response-only connection.

From jira at bro-tracker.atlassian.net Fri Mar 20 08:36:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 20 Mar 2015 10:36:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1207) Add test to catch changes breaking local.bro
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1207:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> Add test to catch changes breaking local.bro
> --------------------------------------------
>
>                 Key: BIT-1207
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1207
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> We should get better at tracking when a shipping local.bro breaks.
> We could add a test that runs the local.bro of the past release. Once
> something breaks, we'd update the test's copy of local.bro but then
> also take that as a trigger to document the change.

From jira at bro-tracker.atlassian.net Fri Mar 20 08:47:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 20 Mar 2015 10:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1348) topic/dnthayer/fix-typos
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1348:
---------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> topic/dnthayer/fix-typos
> ------------------------
>
>                 Key: BIT-1348
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1348
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> The branch topic/dnthayer/fix-typos in the bro-plugins repo contains a few small
> doc fixes, and a portability improvement for the configure script.

From jira at bro-tracker.atlassian.net Fri Mar 20 09:15:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 20 Mar 2015 11:15:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-725) Incorrect weird (unmatched_HTTP_reply) in the HTTP analyzer.
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-725?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-725:
--------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> Incorrect weird (unmatched_HTTP_reply) in the HTTP analyzer.
> ------------------------------------------------------------
>
>                 Key: BIT-725
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-725
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Seth Hall
>            Assignee: Jon Siwek
>              Labels: analyzer
>             Fix For: 2.4
>
>         Attachments: http-request-timeout.trace
>
>
> The HTTP analyzer is raising the unmatched_HTTP_reply weird if it sees a response that there was no packet for. There are cases where this is legit and the case is handled correctly by the new http scripts so the weird should probably be removed since it's really just noise. I'll attach a tracefile that shows a legit response-only connection.

From jira at bro-tracker.atlassian.net Fri Mar 20 10:19:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Fri, 20 Mar 2015 12:19:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1351) Rename the ASCII writer to file writer
In-Reply-To:
References:
Message-ID:

grigorescu created BIT-1351:
-------------------------------

             Summary: Rename the ASCII writer to file writer
                 Key: BIT-1351
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1351
             Project: Bro Issue Tracker
          Issue Type: Task
          Components: Bro
    Affects Versions: 2.3, git/master
            Reporter: grigorescu
            Priority: Low


With the addition of the JSON output format, the ASCII log writer is a bit of a misnomer. This is a reminder based on a discussion that Seth and Robin had to rename this to be a bit more accurate.

From jira at bro-tracker.atlassian.net Fri Mar 20 11:07:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Fri, 20 Mar 2015 13:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-755) Bogus DNS_truncated_ans_too_short notice in weird.log for NetBIOS DNS responses
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

grigorescu updated BIT-755:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

Seth managed to dig up the trace, and I ran master against it. At some point, this was fixed.

> Bogus DNS_truncated_ans_too_short notice in weird.log for NetBIOS DNS responses
> -------------------------------------------------------------------------------
>
>                 Key: BIT-755
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-755
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Matthias Vallentin
>             Fix For: 2.4
>
>
> As part of the trace testing for 2.0, I found an issue with NetBIOS DNS traffic. (To reproduce, run Bro on slice 10 trace 6.) The issue is that each NetBIOS DNS response elicits a {{DNS_truncated_ans_too_short}} notice. Presumably this occurs because the DNS analyzer is not aware when it analyzes NetBIOS traffic and always uses default DNS settings.
> Here is an excerpt of {{weird.log}}:
> {noformat}
> #separator \x09
> #path weird
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
> #types time string addr port addr port string string bool string
> 1258595204.973641 zXeo86cfbm7 192.168.1.1 137 192.168.1.103 137 DNS_label_len_gt_pkt - F bro
> 1258595204.973641 zXeo86cfbm7 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
> 1258595929.455451 z4HTnleZ5K7 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
> 1258596653.936597 JabVxb51nSh 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
> 1258597378.402488 wP49IojzMDi 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
> 1258598102.868114 yFYuqEzJF87 192.168.1.1 137 192.168.1.103 137 DNS_truncated_ans_too_short - F bro
> [..]
> {noformat}

From jira at bro-tracker.atlassian.net Fri Mar 20 14:30:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 20 Mar 2015 16:30:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-978) delete seems to invalidate set iteration
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-978?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-978:
--------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> delete seems to invalidate set iteration
> ----------------------------------------
>
>                 Key: BIT-978
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-978
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dmandelb
>            Assignee: Jon Siwek
>            Priority: Low
>             Fix For: 2.4
>
>         Attachments: test.bro
>
>
> Deleting an element of a set inside of a for loop iterating over the set seems to cause unpredictable behavior. I think this should either be documented as a known non-feature or fixed.

From noreply at bro.org Sat Mar 21 00:00:18 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 21 Mar 2015 00:00:18 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503210700.t2L70ISU024432@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component     Reporter       Assignee       Updated     For Version  Priority  Summary
  ------------  ------------  -------------  -------------  ----------  -----------  --------  -----------------------------------------------------------
  BIT-1347 [1]  Bro           Johanna Amann  -              2015-03-18  2.4          Normal    Please merge topic/johanna/dtls
  BIT-1344 [2]  Bro           grigorescu     Johanna Amann  2015-03-18  -            Normal    New SSH Analyzer
  BIT-1340 [3]  Bro           Seth Hall      Jon Siwek      2015-03-13  2.4          Normal    RDP analyzer (topic/seth/rdp)
  BIT-1324 [4]  Bro           Justin Azoff   -              2015-03-19  2.4          Low       default_path_func does weird things to underscores
  BIT-1303 [5]  pysubnettree  Daniel Thayer  -              2015-03-17  2.4          Normal    pysubnettree tests should be changed to use btest
  BIT-1199 [6]  Bro           grigorescu     -              2015-03-19  2.4          Normal    Better error messages for input file errors in READER_ASCII
  BIT-788 [7]   Bro           juliensentier  -              2015-03-19  2.4          Normal    Good analysis of unidirectional DNS flows
  BIT-342 [8]   Bro           Seth Hall      -              2015-03-19  2.4          Normal    Add payload to ICMP analyzer

Open Fastpath Commits
======================

  Commit        Component   Author         Date        Summary
  ------------  ----------  -------------  ----------  -----------------------------------------------------------
  eec7f77 [9]   bro         Daniel Thayer  2015-03-18  Correct a spelling error
  31795e7 [10]  bro         Johanna Amann  2015-03-10  When setting the SSL analyzer to fail, also stop processing

Open GitHub Pull Requests
=========================

  Issue     Component   User            Updated     Title
  --------  ----------  --------------  ----------  ---------------------------------------------------------------------------
  #28 [11]  bro         aeppert [12]    2015-03-20  Seems to fix a case where an entry in the table may be null on insert. [13]
  #27 [14]  bro         petiepooo [15]  2015-03-14  Add defensive check for localtime_r() call [16]

[1]  BIT-1347              https://bro-tracker.atlassian.net/browse/BIT-1347
[2]  BIT-1344              https://bro-tracker.atlassian.net/browse/BIT-1344
[3]  BIT-1340              https://bro-tracker.atlassian.net/browse/BIT-1340
[4]  BIT-1324              https://bro-tracker.atlassian.net/browse/BIT-1324
[5]  BIT-1303              https://bro-tracker.atlassian.net/browse/BIT-1303
[6]  BIT-1199              https://bro-tracker.atlassian.net/browse/BIT-1199
[7]  BIT-788               https://bro-tracker.atlassian.net/browse/BIT-788
[8]  BIT-342               https://bro-tracker.atlassian.net/browse/BIT-342
[9]  eec7f77               https://github.com/bro/bro/commit/eec7f77913e0385d83bbd9b086ae5e3e2c1cd4bb
[10] 31795e7               https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3
[11] Pull Request #28      https://github.com/bro/bro/pull/28
[12] aeppert               https://github.com/aeppert
[13] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master
[14] Pull Request #27      https://github.com/bro/bro/pull/27
[15] petiepooo             https://github.com/petiepooo
[16] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv

From noreply at bro.org Sun Mar 22 00:00:37 2015
From: noreply at bro.org (Merge Tracker) Date: Sun, 22 Mar 2015 00:00:37 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201503220700.t2M70bAP007388@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ------------ ------------- ------------- ---------- ------------- ---------- ----------------------------------------------------------- BIT-1347 [1] Bro Johanna Amann - 2015-03-18 2.4 Normal Please merge topic/johanna/dtls BIT-1344 [2] Bro grigorescu Johanna Amann 2015-03-18 - Normal New SSH Analyzer BIT-1340 [3] Bro Seth Hall Jon Siwek 2015-03-13 2.4 Normal RDP analyzer (topic/seth/rdp) BIT-1324 [4] Bro Justin Azoff - 2015-03-19 2.4 Low default_path_func does weird things to underscores BIT-1303 [5] pysubnettree Daniel Thayer - 2015-03-17 2.4 Normal pysubnettree tests should be changed to use btest BIT-1199 [6] Bro grigorescu - 2015-03-19 2.4 Normal Better error messages for input file errors in READER_ASCII BIT-788 [7] Bro juliensentier - 2015-03-19 2.4 Normal Good analysis of unidirectional DNS flows BIT-342 [8] Bro Seth Hall - 2015-03-19 2.4 Normal Add payload to ICMP analyzer Open Fastpath Commits ====================== Commit Component Author Date Summary ------------ ----------- ------------- ---------- ----------------------------------------------------------- eec7f77 [9] bro Daniel Thayer 2015-03-18 Correct a spelling error 31795e7 [10] bro Johanna Amann 2015-03-10 When setting the SSL analyzer to fail, also stop processing Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- -------------- ---------- --------------------------------------------------------------------------- #28 [11] bro aeppert [12] 2015-03-20 Seems to fix a case where an entry in the table may be null on insert. 
[13] #27 [14] bro petiepooo [15] 2015-03-14 Add defensive check for localtime_r() call [16] [1] BIT-1347 https://bro-tracker.atlassian.net/browse/BIT-1347 [2] BIT-1344 https://bro-tracker.atlassian.net/browse/BIT-1344 [3] BIT-1340 https://bro-tracker.atlassian.net/browse/BIT-1340 [4] BIT-1324 https://bro-tracker.atlassian.net/browse/BIT-1324 [5] BIT-1303 https://bro-tracker.atlassian.net/browse/BIT-1303 [6] BIT-1199 https://bro-tracker.atlassian.net/browse/BIT-1199 [7] BIT-788 https://bro-tracker.atlassian.net/browse/BIT-788 [8] BIT-342 https://bro-tracker.atlassian.net/browse/BIT-342 [9] eec7f77 https://github.com/bro/bro/commit/eec7f77913e0385d83bbd9b086ae5e3e2c1cd4bb [10] 31795e7 https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3 [11] Pull Request #28 https://github.com/bro/bro/pull/28 [12] aeppert https://github.com/aeppert [13] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master [14] Pull Request #27 https://github.com/bro/bro/pull/27 [15] petiepooo https://github.com/petiepooo [16] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv From noreply at bro.org Mon Mar 23 00:00:47 2015 
From: noreply at bro.org (Merge Tracker) Date: Mon, 23 Mar 2015 00:00:47 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201503230700.t2N70l5N002146@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ------------ ------------- ------------- ---------- ------------- ---------- ----------------------------------------------------------- BIT-1347 [1] Bro Johanna Amann - 2015-03-18 2.4 Normal Please merge topic/johanna/dtls BIT-1344 [2] Bro grigorescu Johanna Amann 2015-03-18 - Normal New SSH Analyzer BIT-1340 [3] Bro Seth Hall Jon Siwek 2015-03-13 2.4 Normal RDP analyzer (topic/seth/rdp) BIT-1324 [4] Bro Justin Azoff - 2015-03-19 2.4 Low default_path_func does weird things to underscores BIT-1303 [5] pysubnettree Daniel Thayer - 2015-03-17 2.4 Normal pysubnettree tests should be changed to use btest BIT-1199 [6] Bro grigorescu - 2015-03-19 2.4 Normal Better error messages for input file errors in READER_ASCII BIT-788 [7] Bro juliensentier - 2015-03-19 2.4 Normal Good analysis of unidirectional DNS flows BIT-342 [8] Bro Seth Hall - 2015-03-19 2.4 Normal Add payload to ICMP analyzer Open Fastpath Commits ====================== Commit Component Author Date Summary ------------ ----------- ------------- ---------- ----------------------------------------------------------- eec7f77 [9] bro Daniel Thayer 2015-03-18 Correct a spelling error 31795e7 [10] bro Johanna Amann 2015-03-10 When setting the SSL analyzer to fail, also stop processing Open GitHub Pull Requests ========================= Issue Component User Updated Title -------- ----------- -------------- ---------- --------------------------------------------------------------------------- #28 [11] bro aeppert [12] 2015-03-20 Seems to fix a case where an entry in the table may be null on insert. 
[13] #27 [14] bro petiepooo [15] 2015-03-14 Add defensive check for localtime_r() call [16] [1] BIT-1347 https://bro-tracker.atlassian.net/browse/BIT-1347 [2] BIT-1344 https://bro-tracker.atlassian.net/browse/BIT-1344 [3] BIT-1340 https://bro-tracker.atlassian.net/browse/BIT-1340 [4] BIT-1324 https://bro-tracker.atlassian.net/browse/BIT-1324 [5] BIT-1303 https://bro-tracker.atlassian.net/browse/BIT-1303 [6] BIT-1199 https://bro-tracker.atlassian.net/browse/BIT-1199 [7] BIT-788 https://bro-tracker.atlassian.net/browse/BIT-788 [8] BIT-342 https://bro-tracker.atlassian.net/browse/BIT-342 [9] eec7f77 https://github.com/bro/bro/commit/eec7f77913e0385d83bbd9b086ae5e3e2c1cd4bb [10] 31795e7 https://github.com/bro/bro/commit/31795e7600561511add762951eee6292b186f6d3 [11] Pull Request #28 https://github.com/bro/bro/pull/28 [12] aeppert https://github.com/aeppert [13] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master [14] Pull Request #27 https://github.com/bro/bro/pull/27 [15] petiepooo https://github.com/petiepooo [16] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv From jira at bro-tracker.atlassian.net Mon Mar 23 07:54:01 2015 
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 23 Mar 2015 09:54:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1303) pysubnettree tests should be changed to use btest
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1303:
------------------------------
    Assignee: Jon Siwek

> pysubnettree tests should be changed to use btest
> -------------------------------------------------
>
> Key: BIT-1303
> URL: https://bro-tracker.atlassian.net/browse/BIT-1303
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: pysubnettree
> Reporter: Daniel Thayer
> Assignee: Jon Siwek
> Fix For: 2.4
>
>
> The test cases in pysubnettree should be changed to use btest
> so that the tests are easier to run and can be better organized
> by splitting them into multiple test files.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 08:34:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Mon, 23 Mar 2015 10:34:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-944) @bro-meta index in ES writer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-944:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> @bro-meta index in ES writer
> ----------------------------
>
> Key: BIT-944
> URL: https://bro-tracker.atlassian.net/browse/BIT-944
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Priority: Low
> Fix For: 2.5
>
>
> The elasticsearch writer isn't creating/modifying the required (for Brownian) @bro-meta index when using the ReLog script to import old logs because rotation is disabled when importing logs. For now the right answer is to probably just leave off out the start and end fields and write to the index in the UpdateIndex method if rotation is disabled.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 08:34:02 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 23 Mar 2015 10:34:02 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1221) DPD website docs out of date
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1221?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1221:
---------------------------
    Resolution: Fixed
        Status: Closed  (was: Open)

> DPD website docs out of date
> ----------------------------
>
> Key: BIT-1221
> URL: https://bro-tracker.atlassian.net/browse/BIT-1221
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Website
> Reporter: Jon Siwek
> Assignee: Jon Siwek
> Fix For: 2.4
>
>
> http://www.bro.org/development/howtos/dpd.html
> Some parts of that document reference old code. At a glance, {{dpd_config}}, {{DPM}}, and the use of {{int}} as the type for sequence numbers are things that pop out at me.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 08:35:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Mon, 23 Mar 2015 10:35:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-944) @bro-meta index in ES writer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20100#comment-20100 ]

Seth Hall commented on BIT-944:
-------------------------------

Yep, it's going to need to get rescheduled.

> @bro-meta index in ES writer
> ----------------------------
>
> Key: BIT-944
> URL: https://bro-tracker.atlassian.net/browse/BIT-944
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Priority: Low
> Fix For: 2.5
>
>
> The elasticsearch writer isn't creating/modifying the required (for Brownian) @bro-meta index when using the ReLog script to import old logs because rotation is disabled when importing logs. For now the right answer is to probably just leave off out the start and end fields and write to the index in the UpdateIndex method if rotation is disabled.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 08:42:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 23 Mar 2015 10:42:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1303) pysubnettree tests should be changed to use btest
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1303:
---------------------------
    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> pysubnettree tests should be changed to use btest
> -------------------------------------------------
>
> Key: BIT-1303
> URL: https://bro-tracker.atlassian.net/browse/BIT-1303
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: pysubnettree
> Reporter: Daniel Thayer
> Assignee: Jon Siwek
> Fix For: 2.4
>
>
> The test cases in pysubnettree should be changed to use btest
> so that the tests are easier to run and can be better organized
> by splitting them into multiple test files.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 08:54:00 2015
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 23 Mar 2015 10:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1351) Rename the ASCII writer to file writer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20101#comment-20101 ]

Jon Siwek commented on BIT-1351:
--------------------------------

Is this meant to be scheduled for 2.4 ? If so, please set the Fix Version field to 2.4 (or possibly something else or not at all depending on where/whether you want it on the roadmap).

> Rename the ASCII writer to file writer
> --------------------------------------
>
> Key: BIT-1351
> URL: https://bro-tracker.atlassian.net/browse/BIT-1351
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master, 2.3
> Reporter: grigorescu
> Priority: Low
> Labels: logging
>
> With the addition of the JSON output format, the ASCII log writer is a bit of a misnomer. This is a reminder based on a discussion that Seth and Robin had to rename this to be a bit more accurate.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 09:02:00 2015
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Mon, 23 Mar 2015 11:02:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1351) Rename the ASCII writer to file writer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1351?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20102#comment-20102 ]

grigorescu commented on BIT-1351:
---------------------------------

No, this was just meant as a reminder. I don't think 2.4 is reasonable or worth it.

> Rename the ASCII writer to file writer
> --------------------------------------
>
> Key: BIT-1351
> URL: https://bro-tracker.atlassian.net/browse/BIT-1351
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master, 2.3
> Reporter: grigorescu
> Priority: Low
> Labels: logging
>
> With the addition of the JSON output format, the ASCII log writer is a bit of a misnomer. This is a reminder based on a discussion that Seth and Robin had to rename this to be a bit more accurate.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 09:18:00 2015
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Mon, 23 Mar 2015 11:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1351) Rename the ASCII writer to file writer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vlad Grigorescu updated BIT-1351:
---------------------------------
    Fix Version/s: 2.5

> Rename the ASCII writer to file writer
> --------------------------------------
>
> Key: BIT-1351
> URL: https://bro-tracker.atlassian.net/browse/BIT-1351
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Affects Versions: git/master, 2.3
> Reporter: grigorescu
> Priority: Low
> Labels: logging
> Fix For: 2.5
>
>
> With the addition of the JSON output format, the ASCII log writer is a bit of a misnomer. This is a reminder based on a discussion that Seth and Robin had to rename this to be a bit more accurate.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 10:03:01 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 23 Mar 2015 12:03:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-342:
--------------------------------
    Assignee: Robin Sommer

> Add payload to ICMP analyzer
> ----------------------------
>
> Key: BIT-342
> URL: https://bro-tracker.atlassian.net/browse/BIT-342
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: ICMP-add-payload.diff
>
>
> This is a patch from Julien Sentier on the mailing list that makes ICMP payloads available at the scripting layer. Is there a reason this isn't already available? I would have committed it to fastpath except I don't know if it's not already doing this due to the potential overhead of creating a lot of strings in ICMP floods. At the very least, I suppose it could be optional (which the patch doesn't currently do).

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 10:10:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 23 Mar 2015 12:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-788:
--------------------------------
    Assignee: Robin Sommer

> Good analysis of unidirectional DNS flows
> -----------------------------------------
>
> Key: BIT-788
> URL: https://bro-tracker.atlassian.net/browse/BIT-788
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: git/master
> Reporter: juliensentier
> Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch
>
>
> Some use port udp 53 as a source port for dns requests.
> And sometimes, we can miss the DNS request.
> In this case, we can rely on the DNS field QR to identify the direction of the flow.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 10:11:00 2015
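The BIT-788 report above says that when a request is missed, or when a client uses UDP source port 53, the port numbers alone cannot tell which side of a DNS flow is the server, and the QR bit in the DNS header can. The following is an added illustration of that decision rule in Python; it is not the attached patch and not Bro code. The header bytes are constructed here, and the helper names (`parse_dns_header`, `dns_endpoints`, `port_heuristic_agrees`) are this example's own.

```python
import struct

def build_dns_header(txid, qr, opcode=0, rcode=0, qdcount=1, ancount=0):
    """Build a 12-byte DNS header. Constructed sample input, not a capture."""
    flags = (qr << 15) | (opcode << 11) | rcode
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)

def parse_dns_header(payload):
    """Decode the fixed DNS header; QR is the top bit of the flags word."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
    }

def dns_endpoints(src, dst, payload):
    """Return (client, server) for one datagram using the QR bit: the sender of a
    response is the server, even if the matching request was never observed."""
    return (dst, src) if parse_dns_header(payload)["qr"] else (src, dst)

def port_heuristic_agrees(src_port, dst_port, payload):
    """Check the usual 'the side on port 53 is the server' guess against QR.
    Returns None when both ends use 53, where ports cannot decide at all."""
    qr = parse_dns_header(payload)["qr"]
    if src_port == dst_port:
        return None
    server_is_src = (src_port == 53)
    return server_is_src == qr

# Constructed sample: a query and its answer, same transaction id.
QUERY = build_dns_header(0x1234, qr=0)
ANSWER = build_dns_header(0x1234, qr=1, ancount=1)
```

Usage: `dns_endpoints(("192.0.2.10", 53), ("198.51.100.5", 53), ANSWER)` returns the 198.51.100.5 side as client and 192.0.2.10 as server, which a port-based rule could not have determined; `port_heuristic_agrees(40000, 53, ANSWER)` is False, flagging a case where the answer came from the non-53 side and the port guess would have labelled the roles backwards.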
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 23 Mar 2015 12:11:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1199:
---------------------------------
    Assignee: Robin Sommer

> Better error messages for input file errors in READER_ASCII
> -----------------------------------------------------------
>
> Key: BIT-1199
> URL: https://bro-tracker.atlassian.net/browse/BIT-1199
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Vlad Grigorescu
> Assignee: Robin Sommer
> Fix For: 2.4
>
> Attachments: test.intel
>
>
> This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with:
> {code}
> internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0
> {code}
> The attached file contains an extra tab after downloader.com.
> It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number.
> I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number.
> (Also, there's a typo in mappimg in the error message that's currently displayed).

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 10:27:00 2015
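BIT-1199 above asks that a malformed input file (there, an extra tab after a domain) be reported with the file name and line number instead of an internal enum-mapping error. The following is an added Python sketch of a reader that does that for the tab-separated, `#fields`-headed layout the ASCII reader consumes; it is not Bro's READER_ASCII. The intel file content is constructed for the example (the only value taken from the ticket is `downloader.com`), and the enum names in `INTEL_TYPES` are a stand-in for whichever enum the field maps to. The reader goes a little beyond the ticket by also honouring a `#separator \x09` header line, as Bro's own log output writes it.

```python
import re

class InputFileError(Exception):
    """An error in an input file, always carrying file name and 1-based line number."""
    def __init__(self, path, lineno, msg):
        super().__init__(f"{path}:{lineno}: {msg}")
        self.path, self.lineno = path, lineno

# Stand-in enum mapping for this example (names chosen for illustration).
INTEL_TYPES = {"Intel::ADDR", "Intel::DOMAIN", "Intel::URL"}

def _unescape(sep):
    # The header writes the tab as "\x09" because the separator is not known yet.
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), sep)

def read_ascii_input(path, text, enum_fields=None):
    """Parse '#fields'-headed, separator-delimited rows into dicts.
    Column-count mismatches and unknown enum values raise InputFileError."""
    enum_fields = enum_fields or {}
    sep, fields, records = "\t", None, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _unescape(line[len("#separator "):])
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue  # other metadata lines (#types, #open, ...) are ignored here
        if fields is None:
            raise InputFileError(path, lineno, "data row before #fields header")
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise InputFileError(path, lineno,
                                 f"expected {len(fields)} columns, got {len(cols)}")
        rec = dict(zip(fields, cols))
        for name, allowed in enum_fields.items():
            if name in rec and rec[name] not in allowed:
                raise InputFileError(path, lineno,
                                     f"value {rec[name]!r} not found in enum mapping for field {name}")
        records.append(rec)
    return records

def validate(path, text):
    """Return (records, None) on success, or ([], 'file:line: reason') on the first problem."""
    try:
        return read_ascii_input(path, text, enum_fields={"indicator_type": INTEL_TYPES}), None
    except InputFileError as e:
        return [], str(e)

# Constructed samples. SAMPLE_EXTRA_TAB reproduces the ticket's shape: a stray
# tab after downloader.com shifts the enum column and adds a fourth column.
SAMPLE_GOOD = ("#separator \\x09\n"
               "#fields\tindicator\tindicator_type\tmeta.source\n"
               "192.0.2.1\tIntel::ADDR\tconstructed\n"
               "example.net\tIntel::DOMAIN\tconstructed\n")
SAMPLE_EXTRA_TAB = ("#separator \\x09\n"
                    "#fields\tindicator\tindicator_type\tmeta.source\n"
                    "192.0.2.1\tIntel::ADDR\tconstructed\n"
                    "downloader.com\t\tIntel::DOMAIN\tconstructed\n")
SAMPLE_BAD_ENUM = ("#fields\tindicator\tindicator_type\tmeta.source\n"
                   "example.net\tIntel::BOGUS\tconstructed\n")
```

With `validate("test.intel", SAMPLE_EXTRA_TAB)` the reader reports `test.intel:4: expected 3 columns, got 4`, which points the operator at the offending row directly; the enum check only fires for rows that are otherwise well-formed, so a shifted column is reported as a structure problem rather than a mysterious enum failure.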
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 23 Mar 2015 12:27:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1324:
---------------------------------
    Assignee: Robin Sommer

> default_path_func does weird things to underscores
> --------------------------------------------------
>
> Key: BIT-1324
> URL: https://bro-tracker.atlassian.net/browse/BIT-1324
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Justin Azoff
> Assignee: Robin Sommer
> Priority: Low
> Labels: logging
> Fix For: 2.4
>
>
> The following script creates a
> {noformat}
> foo__b_ar.log
> {noformat}
>
> instead of the expected {noformat}foo_bar{noformat}
> {code}
> module FOO_BAR;
> export {
>     redef enum Log::ID += { LOG };
>     type Info: record {
>         ts:  time   &log;
>         msg: string &log;
>     };
> }
> event bro_init() {
>     Log::create_stream(LOG, [$columns=Info]);
>     local l = [$ts = network_time(), $msg="hello"];
>     Log::write(LOG, l);
>     print "Logged";
> }
> {code}
> The problem is in script land in default_path_func
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
> outputs
> {code}
> [FOO, _B, AR]
> {code}

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 11:07:00 2015
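The BIT-1324 report above pins the bad log name on the split pattern `/[^A-Z][A-Z][a-z]*/`, which treats the `_B` of `FOO_BAR` as a word boundary. The following added Python example reproduces that split with the same pattern and then shows one way to derive a log path that only breaks at CamelCase boundaries and leaves existing underscores alone. This is an illustration written for this page, not Bro's `default_path_func` and not the fix that went into 2.4; `module_to_path` and `log_path_for_stream` are this example's own names, and the `::LOG` suffix handling is an assumption about how stream ids are named.

```python
import re

# The ticket's pattern, transcribed to Python; the capturing group keeps the
# separator in the output the way split_string_n(..., T, ...) does.
TICKET_PATTERN = re.compile(r"([^A-Z][A-Z][a-z]*)")

def split_like_ticket(module):
    """Reproduce the split reported in the ticket: FOO_BAR -> FOO, _B, AR."""
    return [part for part in TICKET_PATTERN.split(module) if part]

def module_to_path(module):
    """Lower-case a module name, inserting '_' only at CamelCase boundaries.
    Existing underscores are left untouched, so FOO_BAR stays foo_bar."""
    # boundary between a lower-case letter or digit and an upper-case letter: fooBar -> foo_Bar
    s = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", module)
    # boundary between an acronym and a capitalised word: HTTPServer -> HTTP_Server
    s = re.sub(r"(?<=[A-Z])(?=[A-Z][a-z])", "_", s)
    return s.lower()

def log_path_for_stream(stream_id):
    """Map a stream id such as 'FOO_BAR::LOG' to the log file base name.
    Assumed convention for this example: a trailing '::LOG' names the stream."""
    module = stream_id[:-len("::LOG")] if stream_id.endswith("::LOG") else stream_id
    return module_to_path(module)
```

Running `split_like_ticket("FOO_BAR")` gives `['FOO', '_B', 'AR']`, matching the ticket's output, while `log_path_for_stream("FOO_BAR::LOG")` gives `foo_bar`; CamelCase names such as `SomeCamelCase` still become `some_camel_case`.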
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 23 Mar 2015 13:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1226) bad example in quickstart guide
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1226:
---------------------------
    Resolution: Fixed
        Status: Closed  (was: Open)

> bad example in quickstart guide
> -------------------------------
>
> Key: BIT-1226
> URL: https://bro-tracker.atlassian.net/browse/BIT-1226
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.3
> Reporter: Jon Siwek
> Assignee: Jon Siwek
> Labels: documentation
> Fix For: 2.4
>
>
> The quickstart has a "deployment customization" involving watching for an SSH login to a specific set of hosts. The first problem is the code is wrong; an updated example is at https://gist.github.com/jsiwek/2a7692aa9f24e197ca9c. But there's other reasons why this example is not straightforward for new users. I think it should be replaced with a different example. Should add a unit test for it as well to make sure it doesn't become outdated.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 12:04:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 23 Mar 2015 14:04:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1352) Certificate validation script does not deal well with root-certs being sent by server
In-Reply-To:
References:
Message-ID:

Johanna Amann created BIT-1352:
----------------------------------

             Summary: Certificate validation script does not deal well with root-certs being sent by server
                 Key: BIT-1352
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1352
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Johanna Amann
            Assignee: Johanna Amann
             Fix For: 2.4

Currently, the validate-certs script in policy does not deal well with certain certificate chains, where the trust-anchor is being sent by the server.

We should be able to fix this by removing the trust-anchor automatically from the chain; solving this might potentially change the way root-certs are currently being loaded into Bro.

Example server: access.redhat.com

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 12:07:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 23 Mar 2015 14:07:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1329:
-------------------------------
    Resolution: Fixed
        Status: Closed  (was: Open)

This was apparently fixed by some commit.

> BroControl scripts displays meta-information from bro logger
> ------------------------------------------------------------
>
> Key: BIT-1329
> URL: https://bro-tracker.atlassian.net/browse/BIT-1329
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: git/master
> Environment: When issuing a broctl status, the output contains meta bro-log-lines (like #fields, etc) that we probably do not want to display in this case.
> Example:
> {code}
> [BroControl] > scripts manager
> manager scripts are ok.
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path loaded_scripts
> #open 2015-03-05-13-24-34
> #fields name
> #types string
> /xa/bro/master/share/bro/base/init-bare.bro
> /xa/bro/master/share/bro/base/bif/const.bif.bro
> ...
> /xa/bro/master/share/bro/broctl/check.bro
> #close 2015-03-05-13-24-34
> {code}
> Reporter: Johanna Amann
> Fix For: 2.4
>
>

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 12:26:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 23 Mar 2015 14:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time
In-Reply-To:
References:
Message-ID:

Johanna Amann created BIT-1353:
----------------------------------

             Summary: BroCtl status/top take excessive amount of time
                 Key: BIT-1353
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1353
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BroControl
    Affects Versions: git/master
            Reporter: Johanna Amann
             Fix For: 2.4

After running a large bro cluster for a few days on a FreeBSD system (FreeBSD 10.1, 28 physical nodes, 81 worker processes), broctl actions that interact with all nodes seem to take excessive amounts of time (>2 minutes for a broctl status). This was not the case right after starting up the cluster.

If there is any way I can help with more information, please let me know what to do.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 12:27:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 23 Mar 2015 14:27:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1329:
-------------------------------
        Status: Reopened  (was: Closed)
    Resolution:     (was: Fixed)

> BroControl scripts displays meta-information from bro logger
> ------------------------------------------------------------
>
> Key: BIT-1329
> URL: https://bro-tracker.atlassian.net/browse/BIT-1329
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: git/master
> Environment: When issuing a broctl status, the output contains meta bro-log-lines (like #fields, etc) that we probably do not want to display in this case.
> Example:
> {code}
> [BroControl] > scripts manager
> manager scripts are ok.
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path loaded_scripts
> #open 2015-03-05-13-24-34
> #fields name
> #types string
> /xa/bro/master/share/bro/base/init-bare.bro
> /xa/bro/master/share/bro/base/bif/const.bif.bro
> ...
> /xa/bro/master/share/bro/broctl/check.bro
> #close 2015-03-05-13-24-34
> {code}
> Reporter: Johanna Amann
> Fix For: 2.4
>
>

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 12:28:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 23 Mar 2015 14:28:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1329:
-------------------------------
    Environment:     (was: When issuing a broctl status, the output contains meta bro-log-lines (like #fields, etc) that we probably do not want to display in this case.

Example:
{code}
[BroControl] > scripts manager
manager scripts are ok.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path loaded_scripts
#open 2015-03-05-13-24-34
#fields name
#types string
/xa/bro/master/share/bro/base/init-bare.bro
/xa/bro/master/share/bro/base/bif/const.bif.bro
...
/xa/bro/master/share/bro/broctl/check.bro
#close 2015-03-05-13-24-34
{code})

> BroControl scripts displays meta-information from bro logger
> ------------------------------------------------------------
>
> Key: BIT-1329
> URL: https://bro-tracker.atlassian.net/browse/BIT-1329
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.4
>
>

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 12:28:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 23 Mar 2015 14:28:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/dtls
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1347:
---------------------------------
    Assignee: Robin Sommer

> Please merge topic/johanna/dtls
> -------------------------------
>
> Key: BIT-1347
> URL: https://bro-tracker.atlassian.net/browse/BIT-1347
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Robin Sommer
> Labels: dtls, ssl
> Fix For: 2.4
>
>
> Please merge topic/johanna/dtls
> First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. Dtls is mostly handled just like SSL. It emits the same events and thus works seamlessly with the current SSL scripts in the Bro core.
> Furthermore, it implements TLS record layer defragmentation for the TLS Handshake protocol enabling us e.g. to deal with connections containing large certificates.
> The analyzer is now split into three parts, a SSL/TLS analyzer, a DTLS analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzer use a large amount of same code by including common pac-files.

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 12:28:00 2015
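The BIT-1347 merge request above mentions TLS record layer defragmentation for the handshake protocol, needed because a large Certificate message is spread over several records. The following is an added Python illustration of that reassembly for stream TLS: record headers (1-byte content type, 2-byte version, 2-byte length) are peeled off, handshake fragments are concatenated, and messages are cut at handshake boundaries (1-byte type, 3-byte length). It is not the branch's binpac code; the record bytes are constructed, and `split_records`, `HandshakeReassembler` and `reassemble` are this example's names. DTLS adds its own fragment offset and length fields to each handshake fragment, which this TLS-only sketch does not model.

```python
import struct

HANDSHAKE = 22                      # TLS content type for the handshake protocol
HANDSHAKE_NAMES = {1: "client_hello", 2: "server_hello",
                   11: "certificate", 14: "server_hello_done"}

def split_records(data):
    """Yield (content_type, version, fragment) per TLS record.
    A record cut short is an error, not something to silently drop."""
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        if len(data) - off < length:
            raise ValueError("truncated record body")
        yield ctype, version, data[off:off + length]
        off += length

class HandshakeReassembler:
    """Buffer handshake-type fragments and emit whole handshake messages,
    however many records each message spans."""
    def __init__(self):
        self.buf = b""
        self.messages = []          # list of (name, body)

    def feed(self, ctype, fragment):
        if ctype != HANDSHAKE:
            return                  # alerts, CCS, app data: not our protocol
        self.buf += fragment
        while len(self.buf) >= 4:
            msg_type = self.buf[0]
            length = int.from_bytes(self.buf[1:4], "big")
            if len(self.buf) < 4 + length:
                break               # message continues in a later record
            body = self.buf[4:4 + length]
            self.buf = self.buf[4 + length:]
            self.messages.append((HANDSHAKE_NAMES.get(msg_type, f"type_{msg_type}"), body))

def reassemble(data):
    """Run a byte buffer of records through the reassembler; return the messages."""
    r = HandshakeReassembler()
    for ctype, _version, fragment in split_records(data):
        r.feed(ctype, fragment)
    return r.messages

def _record(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# Constructed sample: a 3000-byte Certificate message split over two records,
# with ServerHelloDone riding in the tail of the second record.
CERT_BODY = b"\xaa" * 3000
_cert = _handshake(11, CERT_BODY)
SAMPLE = (_record(HANDSHAKE, _cert[:1500])
          + _record(HANDSHAKE, _cert[1500:] + _handshake(14, b"")))
```

`reassemble(SAMPLE)` yields two messages, a 3000-byte `certificate` and an empty `server_hello_done`, even though the first record ends in the middle of the certificate; feeding only the first record leaves the message pending rather than emitting a partial one.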
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 23 Mar 2015 14:28:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20104#comment-20104 ]

Johanna Amann commented on BIT-1329:
------------------------------------

Sorry, was not fixed, I was stupid...

> BroControl scripts displays meta-information from bro logger
> ------------------------------------------------------------
>
> Key: BIT-1329
> URL: https://bro-tracker.atlassian.net/browse/BIT-1329
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: git/master
> Environment: When issuing a broctl status, the output contains meta bro-log-lines (like #fields, etc) that we probably do not want to display in this case.
> Example:
> {code}
> [BroControl] > scripts manager
> manager scripts are ok.
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path loaded_scripts
> #open 2015-03-05-13-24-34
> #fields name
> #types string
> /xa/bro/master/share/bro/base/init-bare.bro
> /xa/bro/master/share/bro/base/bif/const.bif.bro
> ...
> /xa/bro/master/share/bro/broctl/check.bro
> #close 2015-03-05-13-24-34
> {code}
> Reporter: Johanna Amann
> Fix For: 2.4
>
>

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-005#64014)

From jira at bro-tracker.atlassian.net Mon Mar 23 12:28:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 23 Mar 2015 14:28:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1329: ------------------------------- Description: When issuing a broctl scripts, the output contains meta bro-log-lines (like #fields, etc) that we probably do not want to display in this case. Example: {code} [BroControl] > scripts manager manager scripts are ok. #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path loaded_scripts #open 2015-03-05-13-24-34 #fields name #types string /xa/bro/master/share/bro/base/init-bare.bro /xa/bro/master/share/bro/base/bif/const.bif.bro ... /xa/bro/master/share/bro/broctl/check.bro #close 2015-03-05-13-24-34 {code} > BroControl scripts displays meta-information from bro logger > ------------------------------------------------------------ > > Key: BIT-1329 > URL: https://bro-tracker.atlassian.net/browse/BIT-1329 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: BroControl > Affects Versions: git/master > Reporter: Johanna Amann > Fix For: 2.4 > > > When issuing a broctl scripts, the output contains meta bro-log-lines (like #fields, etc) that we probably do not want to display in this case. > Example: > {code} > [BroControl] > scripts manager > manager scripts are ok. > #separator \x09 > #set_separator , > #empty_field (empty) > #unset_field - > #path loaded_scripts > #open 2015-03-05-13-24-34 > #fields name > #types string > /xa/bro/master/share/bro/base/init-bare.bro > /xa/bro/master/share/bro/base/bif/const.bif.bro > ... 
> /xa/bro/master/share/bro/broctl/check.bro > #close 2015-03-05-13-24-34 > {code} -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Mon Mar 23 12:41:01 2015 From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Mon, 23 Mar 2015 14:41:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1306) bro process would get stuck/freeze with myricom drivers In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20105#comment-20105 ] Jon Siwek commented on BIT-1306: -------------------------------- Can you check if this small patch helps? {code} diff --git a/src/main.cc b/src/main.cc index fb48bdc..7827302 100644 --- a/src/main.cc +++ b/src/main.cc 
@@ -391,6 +391,7 @@ void terminate_bro() delete event_serializer; delete state_serializer; delete event_registry; + delete remote_serializer; delete analyzer_mgr; delete file_mgr; delete log_mgr; {code} I'm not sure why that got removed (it still exists in 2.3.2), but it might cause the main Bro processes to not reap its child. The main Bro process being the one that opened a network interface and the child being the one doing remote communication, but which inherits the parent's open file descriptors. So a total guess is that the process forked for remote communication became a zombie (due to lack of what's in the patch above) and holds an open file descriptor on the network device. > bro process would get stuck/freeze with myricom drivers > ------------------------------------------------------- > > Key: BIT-1306 > URL: https://bro-tracker.atlassian.net/browse/BIT-1306 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Environment: OS: FreeBSD 9.3-RELEASE-p5 OS > bro version 2.3-328 > git log -1 --format="%H" > 379593c7fded0f9791ae71a52dd78a4c9d5a2c1f > Reporter: Aashish Sharma > Labels: bro-git, myricom > Fix For: 2.4 > > > When I stop bro (in cluster mode), one of the bro worker process (random) would get stuck and wouldn't shutdown, stop or even be killed using kill -s 9. > System has to be ultimately rebooted to remove stuck bro process. > On running myri_start_stop I see: > # /usr/local/opt/snf/sbin/myri_start_stop stop > Removing myri_snf.ko > kldunload: can't unload file: Device busy > It appears that the myri_snf.ko driver cannot be unloaded because of the stuck bro process. That process still has an open descriptor on the Sniffer device/driver and bro process freezes > More details: > The bro process is stuck in RNE state > R Marks a runnable process. > N The process has reduced CPU scheduling priority (see setpriority(2)). > E The process is trying to exit. 
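Review bot: the hunk re-adds `delete remote_serializer;` in terminate_bro() without knowing why it was dropped, as the comment itself says ("I'm not sure why that got removed"). Before merging, find the commit that removed it (for example `git log -S 'delete remote_serializer' -- src/main.cc`) to rule out that another shutdown path already destroys or still uses the object, which would make this a double delete or use-after-free; also confirm that the RemoteSerializer destructor does not touch event_serializer, state_serializer or event_registry, which the surrounding lines delete just before it. Add a one-line comment above the new line stating that this delete is what terminates and reaps the remote-communication child, so the reason survives the next cleanup.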
> Here is an example: > ### stuck process: > [bro at 01 ~]$ ps auxwww | fgrep 1616 > bro 1616 100.0 0.0 758040 60480 ?? RNE 2:57PM 53:50.04 /usr/local/bro-git/bin/bro -i myri0 -U .status -p broctl -p broctl-live -p local -p worker-1-1 mgr.bro broctl base/frameworks/cluster local-worker.bro broctl/auto > ####when checking for process in proc: > [bro at c ~]$ ls -l /proc/1616 > ls: /proc/1616: No such file or directory -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Mon Mar 23 12:52:01 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Mon, 23 Mar 2015 14:52:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1347) Please merge topic/johanna/dtls In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1347: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > Please merge topic/johanna/dtls > ------------------------------- > > Key: BIT-1347 > URL: https://bro-tracker.atlassian.net/browse/BIT-1347 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: git/master > Reporter: Johanna Amann > Assignee: Robin Sommer > Labels: dtls, ssl > Fix For: 2.4 > > > Please merge topic/johanna/dtls > First and foremost, this branch brings DTLS 1.0 / 1.2 support to Bro. Dtls is mostly handled just like SSL. It emits the same events and thus works seamlessly with the current SSL scripts in the Bro core. > Furthermore, it implements TLS record layer defragmentation for the TLS Handshake protocol enabling us e.g. to deal with connections containing large certificates. > The analyzer is now split into three parts, a SSL/TLS analyzer, a DTLS analyzer and a TLS handshake protocol analyzer. The SSL/TLS and DTLS analyzer use a large amount of same code by including common pac-files. -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Mon Mar 23 12:52:01 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Mon, 23 Mar 2015 14:52:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-342) Add payload to ICMP analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-342: ----------------------------- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > Add payload to ICMP analyzer > ---------------------------- > > Key: BIT-342 > URL: https://bro-tracker.atlassian.net/browse/BIT-342 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro > Affects Versions: 1.5.2 > Reporter: Seth Hall > Assignee: Robin Sommer > Fix For: 2.4 > > Attachments: ICMP-add-payload.diff > > > This is a patch from Julien Sentier on the mailing list that makes ICMP payloads available at the scripting layer. Is there a reason this isn't already available? I would have committed it to fastpath except I don't know if it's not already doing this due to the potential overhead of creating a lot of strings in ICMP floods. At the very least, I suppose it could be optional (which the patch doesn't currently do). -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Mon Mar 23 12:52:01 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Mon, 23 Mar 2015 14:52:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1199) Better error messages for input file errors in READER_ASCII In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1199?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1199: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > Better error messages for input file errors in READER_ASCII > ----------------------------------------------------------- > > Key: BIT-1199 > URL: https://bro-tracker.atlassian.net/browse/BIT-1199 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: Vlad Grigorescu > Assignee: Robin Sommer > Fix For: 2.4 > > Attachments: test.intel > > > This came up on the mailing list a few weeks ago. If one tries to load the attached file as Intelligence, Bro will error out, with: > {code} > internal error: Value not found in enum mappimg. Module: GLOBAL, var: , var size: 0 > {code} > The attached file contains an extra tab after downloader.com. > It'd be nice if Bro would tell you that this was an issue with the input reader, which file it occurred in, and a line number. > I think generally speaking, if there's an issue with an input file, it'd be nice to know the line number. > (Also, there's a typo in mappimg in the error message that's currently displayed). -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Mon Mar 23 12:52:01 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Mon, 23 Mar 2015 14:52:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1324) default_path_func does weird things to underscores In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1324?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1324: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request)
> default_path_func does weird things to underscores
> --------------------------------------------------
>
> Key: BIT-1324
> URL: https://bro-tracker.atlassian.net/browse/BIT-1324
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Justin Azoff
> Assignee: Robin Sommer
> Priority: Low
> Labels: logging
> Fix For: 2.4
>
>
> The following script creates a
> {noformat}
> foo__b_ar.log
> {noformat}
>
> instead of the expected {noformat}foo_bar{noformat}
> {code}
> module FOO_BAR;
> export {
>     redef enum Log::ID += { LOG };
>     type Info: record {
>         ts: time &log;
>         msg: string &log;
>     };
> }
> event bro_init() {
>     Log::create_stream(LOG, [$columns=Info]);
>     local l = [$ts = network_time(), $msg="hello"];
>     Log::write(LOG, l);
>     print "Logged";
> }
> {code}
> The problem is in script land in default_path_func
> {code}
> local module_parts = split_string_n("FOO_BAR", /[^A-Z][A-Z][a-z]*/, T, 4);
> print module_parts;
> {code}
> outputs
> {code}
> [FOO, _B, AR]
> {code}
-- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Mon Mar 23 12:52:01 2015 
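The split the report above shows, as an added Python example that is not Bro's own code: split_string_n is emulated with re.finditer, the step that glues the pieces back into a log path is a simplified reconstruction (an assumption, it only has to reproduce the reported foo__b_ar), and the underscore-excluding pattern is one possible fix, not necessarily the one that was merged.

```python
import re

# The regex quoted in the report: a non-uppercase char, an uppercase char and
# any lowercase run, meant to find where a CamelCase word starts.
REPORTED_PATTERN = r"[^A-Z][A-Z][a-z]*"
# One possible fix (assumption, not necessarily what was merged): do not let an
# underscore count as the "previous word" character, so names that are already
# snake_case are left alone.
FIXED_PATTERN = r"[^A-Z_][A-Z][a-z]*"


def split_string_n(s, pattern, incl_sep, max_num):
    """Python emulation of Bro's split_string_n(): split s on matches of
    pattern at most max_num times; with incl_sep the matched separators are
    returned as their own elements, in order."""
    parts = []
    pos = 0
    splits = 0
    for m in re.finditer(pattern, s):
        if max_num >= 0 and splits >= max_num:
            break
        if m.start() == m.end():
            continue  # an empty match splits nothing
        parts.append(s[pos:m.start()])
        if incl_sep:
            parts.append(m.group(0))
        pos = m.end()
        splits += 1
    parts.append(s[pos:])
    return parts


def module_to_log_path(module, pattern=REPORTED_PATTERN):
    """Simplified reconstruction (assumption) of how default_path_func turns
    the pieces into a path: the first char of each separator piece belongs to
    the preceding word, "_" then starts the next word; the result is lowercased."""
    parts = split_string_n(module, pattern, True, 4)
    out = parts[0]
    for i, piece in enumerate(parts[1:], start=1):
        if not piece:
            continue
        if i % 2 == 1:  # separator piece such as "oBar" or "_B"
            out += piece[0] + "_" + piece[1:]
        else:           # remainder after a separator, e.g. "AR"
            out += "_" + piece
    return out.lower()


if __name__ == "__main__":
    print(split_string_n("FOO_BAR", REPORTED_PATTERN, True, 4))  # ['FOO', '_B', 'AR']
    for name in ("FOO_BAR", "FooBar", "SomeModule", "SSL"):
        print(f"{name:12} {module_to_log_path(name):14} "
              f"{module_to_log_path(name, FIXED_PATTERN)}")
```

CamelCase module names come out the same under both patterns; only names that already contain an underscore change, which is the case the report describes.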
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Mon, 23 Mar 2015 14:52:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-788) Good analysis of unidirectional DNS flows In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-788?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-788: ----------------------------- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > Good analysis of unidirectional DNS flows > ----------------------------------------- > > Key: BIT-788 > URL: https://bro-tracker.atlassian.net/browse/BIT-788 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro > Affects Versions: git/master > Reporter: juliensentier > Assignee: Robin Sommer > Fix For: 2.4 > > Attachments: 0011-Good-analysis-of-unidirectional-answer-DNS-traffic-f.patch > > > Some use port udp 53 as a source port for dns requests. > And sometimes, we can miss the DNS request. > In this case, we can rely on the DNS field QR to identify the direction of the flow. -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Mon Mar 23 12:55:00 2015 
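The QR-bit rule the patch description relies on, as an added Python example that is not the attached patch: the fixed DNS header is decoded and the QR flag decides which endpoint is the server, which a port-only rule cannot do when both ends use 53/udp or when the query was never seen. Both packets are constructed.

```python
import struct

# Constructed packets: a bare 12-byte DNS header, which is all that is needed
# to read the flags. Both travel from 53/udp to 53/udp, so the port alone
# cannot tell a query from a response.
QUERY_HDR = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)     # QR=0, RD=1
RESPONSE_HDR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1


def parse_dns_header(payload):
    """Decode the fixed DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def server_by_port(src, dst):
    """Port-only rule: the endpoint on 53 is the server; None when ambiguous."""
    if (src[1] == 53) != (dst[1] == 53):
        return src if src[1] == 53 else dst
    return None


def server_by_qr(src, dst, payload):
    """QR-bit rule: a response (QR=1) comes from the server, a query (QR=0)
    goes to it. Works on the first packet seen, even if the query was missed."""
    return src if parse_dns_header(payload)["qr"] else dst


def classify(src, dst, payload):
    """Return (direction, server endpoint). The QR bit is preferred; the port
    rule is the fallback when the payload is too short to carry a header."""
    try:
        hdr = parse_dns_header(payload)
    except ValueError:
        return ("unknown", server_by_port(src, dst))
    return ("response" if hdr["qr"] else "query", server_by_qr(src, dst, payload))


if __name__ == "__main__":
    resolver = ("192.0.2.53", 53)
    client = ("198.51.100.7", 53)   # a client that (unusually) also binds 53
    print(server_by_port(resolver, client))           # None: ambiguous
    print(classify(resolver, client, RESPONSE_HDR))   # ('response', ('192.0.2.53', 53))
    print(classify(client, resolver, QUERY_HDR))      # ('query', ('192.0.2.53', 53))
```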
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Mon, 23 Mar 2015 14:55:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20107#comment-20107 ] Robin Sommer commented on BIT-1313: ----------------------------------- Adapted and merged in 1dbc5ed523700c5c > Add help and all options to -B > ------------------------------- > > Key: BIT-1313 > URL: https://bro-tracker.atlassian.net/browse/BIT-1313 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro > Reporter: jdonnelly > Assignee: Robin Sommer > Fix For: 2.4 > > Attachments: log.diff > > > Expand -B to include all,help, and list all the various debug trace points : > #/usr/local/bro/bin/bro -B poo > fatal error: unknown debug stream poo, try -B help. > # /usr/local/bro/bin/bro -B help > Options may be separated by "," > all > help > serial > rules > comm > state > chunkedio > compressor > string > notifiers > main-loop > dpd > tm > logging > input > threading > file_analysis > plugins > broxygen > pktio -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Mon Mar 23 12:56:00 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Mon, 23 Mar 2015 14:56:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1313) Add help and all options to -B In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1313: ------------------------------ Resolution: Merged Status: Closed (was: Open) > Add help and all options to -B > ------------------------------- > > Key: BIT-1313 > URL: https://bro-tracker.atlassian.net/browse/BIT-1313 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro > Reporter: jdonnelly > Assignee: Robin Sommer > Fix For: 2.4 > > Attachments: log.diff > > > Expand -B to include all,help, and list all the various debug trace points : > #/usr/local/bro/bin/bro -B poo > fatal error: unknown debug stream poo, try -B help. > # /usr/local/bro/bin/bro -B help > Options may be separated by "," > all > help > serial > rules > comm > state > chunkedio > compressor > string > notifiers > main-loop > dpd > tm > logging > input > threading > file_analysis > plugins > broxygen > pktio -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From johanna at icir.org Mon Mar 23 13:49:46 2015 
From: johanna at icir.org (Johanna Amann) Date: Mon, 23 Mar 2015 13:49:46 -0700 Subject: [Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time In-Reply-To: <55107889.7040209@illinois.edu> References: <55107889.7040209@illinois.edu> Message-ID: <20150323204946.GA23307@wifi86.sys.ICSI.Berkeley.EDU>
Hi,
On Mon, Mar 23, 2015 at 03:33:13PM -0500, Daniel Thayer wrote:
> I'm glad to hear that you're testing broctl on FreeBSD (I always test on Linux). Here are my initial ideas:
> How many hosts are in your cluster? (you mentioned "28 physical nodes", does that mean 28 computers?!)
It is 28 computers, each running 3 bro worker processes, with 2 more physical machines running the master and proxies.
> Are you running the git master version of broctl?
It is not quite master - it currently is running 5e2defe, so the state as of March 13th.
> Is every broctl command slow, or just status and top?
All the ones that I tried are slow. I can upgrade to master and test again - I just wanted to ask if there is some way to debug what is going on before restarting the cluster, since the problem took a few days to manifest itself. Hence I probably will not be able to directly reproduce it :)
> The broctl status command usually spends most of its time waiting for broccoli. I've added a new option that you can set in your etc/broctl.cfg file that will skip the broccoli code so that broctl status runs much faster. To enable this feature, make sure this line is in your broctl.cfg file:
> StatusCmdShowAll = 0
> (after you add this, broctl will say that you have to run either "install" or "deploy", but you don't actually need to for this particular broctl option).
I added this (without running install / deploy) and it is now faster, but still takes a while. I examined spool/debug.log a bit and it actually seems that a significant period of time is spent getting the process status.
The timeline currently looks like this:
23 Mar 11:53:05 [broctl] status
23 Mar 11:53:05 [broctl] Getting process status ...
23 Mar 11:53:05 [execute] blade26: /xa/bro/master/share/broctl/scripts/helpers/check-pid 2513
[...] (many lines like this and many exit code lines)
23 Mar 11:54:07 [execute] blade15: exit code 0
23 Mar 11:54:07 [execute] blade26: /xa/bro/master/share/broctl/scripts/helpers/cat-file /xa/bro/master/spool/worker-26-0/.startup
[...]
23 Mar 11:54:09 [execute] blade15: exit code 0
23 Mar 11:54:09 [events] broccoli: Control::peer_status_request() to node worker-26-0
[...]
23 Mar 11:54:29 [events] broccoli: Control::peer_status_response(1427136868.812806 [...]
-> status output
Johanna
From johanna at icir.org Mon Mar 23 14:22:32 2015 
From: johanna at icir.org (Johanna Amann) Date: Mon, 23 Mar 2015 14:22:32 -0700 Subject: [Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time In-Reply-To: <55108260.6010804@illinois.edu> References: <55107889.7040209@illinois.edu> <20150323204946.GA23307@wifi86.sys.ICSI.Berkeley.EDU> <55108260.6010804@illinois.edu> Message-ID: <20150323212232.GA25771@wifi86.sys.ICSI.Berkeley.EDU>
On Mon, Mar 23, 2015 at 04:15:12PM -0500, Daniel Thayer wrote:
> When you do a broctl status, does it show a status line for every Bro node in your cluster?
Yes, it does. At least I think so, the number is quite large :)
> How are you running broctl status:
> 1) just by typing "broctl status", or
> 2) by running "broctl", then type the "status" command at the BroControl prompt.
I run broctl first and then type status.
> When you run "broctl status", it must establish an ssh session to every remote machine, which could take awhile when there are 28 machines. However, when you run just "broctl", then type "status" at the BroControl prompt, it keeps the ssh sessions open, so the 2nd time you type "status" should be faster than the 1st time (because the 2nd time it doesn't need to do the ssh connections).
There does not seem to be a big speed difference between the first time and the second time status is run.
Johanna
From noreply at bro.org Tue Mar 24 00:00:34 2015 
From: noreply at bro.org (Merge Tracker) Date: Tue, 24 Mar 2015 00:00:34 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201503240700.t2O70Y67022202@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- --------------- ------------- ---------- ------------- ---------- ----------------------------- BIT-1344 [1] Bro Vlad Grigorescu Johanna Amann 2015-03-18 - Normal New SSH Analyzer BIT-1340 [2] Bro Seth Hall Jon Siwek 2015-03-13 2.4 Normal RDP analyzer (topic/seth/rdp) Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- ------------- ---------- -------------------------------------------------------------------------- #28 [3] bro aeppert [4] 2015-03-20 Seems to fix a case where an entry in the table may be null on insert. [5] #27 [6] bro petiepooo [7] 2015-03-14 Add defensive check for localtime_r() call [8] [1] BIT-1344 https://bro-tracker.atlassian.net/browse/BIT-1344 [2] BIT-1340 https://bro-tracker.atlassian.net/browse/BIT-1340 [3] Pull Request #28 https://github.com/bro/bro/pull/28 [4] aeppert https://github.com/aeppert [5] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master [6] Pull Request #27 https://github.com/bro/bro/pull/27 [7] petiepooo https://github.com/petiepooo [8] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv From jira at bro-tracker.atlassian.net Tue Mar 24 14:41:00 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 24 Mar 2015 16:41:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20108#comment-20108 ] Johanna Amann commented on BIT-1344: ------------------------------------
Hi, just a few small questions I stumbled across while merging this:
* is there a reason why you do not register the analyzer to port 22 by default? If I am not mistaken, the old one and basically all other protocol analyzers register to their well-known ports by default and just fail if they cannot parse the protocol.
* currently some of the texts in different files still state that login success/failure is determined by heuristics. Should we leave that text in or is it safe if I remove it while merging?
> New SSH Analyzer > ---------------- > > Key: BIT-1344 > URL: https://bro-tracker.atlassian.net/browse/BIT-1344 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Johanna Amann > > The SSH analyzer was rewritten from scratch in topic/vladg/ssh. -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Tue Mar 24 14:52:00 2015 
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA)) Date: Tue, 24 Mar 2015 16:52:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20109#comment-20109 ] Vlad Grigorescu commented on BIT-1344: --------------------------------------
{quote} is there a reason why you do not register the analyzer to port 22 by default? If I am not mistaken, the old one and basically all other protocol analyzers register to their well-known ports by default and just fail if they cannot parse the protocol. {quote}
This is something I've actually been moving away from. If I have a high level of confidence in the DPD signature, I'd rather rely on that, since I believe it will be more efficient than to try to attach the analyzer to all traffic on that port, and wait for a violation. This was based off some informal discussions with Seth, but I'm happy to throw it out to bro-dev and see what others think.
{quote} currently some of the texts in different files still state that login success/failure is determined by heuristics. Should we leave that text in or is it safe if I remove it while merging? {quote}
Ah, good catch. We should remove it - in the base script, I adopted an attitude of "if we don't know for certain, let's just tell the user that it's unknown" instead of implementing any heuristics. I can go through and remove it as well, if you'd like me to.
> New SSH Analyzer > ---------------- > > Key: BIT-1344 > URL: https://bro-tracker.atlassian.net/browse/BIT-1344 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Johanna Amann > > The SSH analyzer was rewritten from scratch in topic/vladg/ssh. 
-- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Tue Mar 24 15:14:00 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 24 Mar 2015 17:14:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20110#comment-20110 ] Johanna Amann commented on BIT-1344: ------------------------------------ Thanks. And no, I will just go over it while continuing the merge, I think I already removed most of them. > New SSH Analyzer > ---------------- > > Key: BIT-1344 > URL: https://bro-tracker.atlassian.net/browse/BIT-1344 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Johanna Amann > > The SSH analyzer was rewritten from scratch in topic/vladg/ssh. -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Tue Mar 24 17:07:00 2015 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Tue, 24 Mar 2015 19:07:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-631) Special message for broctl locking when done by cron In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20111#comment-20111 ] Daniel Thayer commented on BIT-631: ----------------------------------- I've added an improvement (now the "waiting for lock" message shows the PID of the lock owner) to address this issue. > Special message for broctl locking when done by cron > ---------------------------------------------------- > > Key: BIT-631 > URL: https://bro-tracker.atlassian.net/browse/BIT-631 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: BroControl > Reporter: Seth Hall > Fix For: 2.4 > > > If the broctl lock is being held by the cron command it would be nice if the message that indicates a lock is already held would indicate if it is the cron command. If multiple people are working with broctl the person that gets a lock doesn't know if it's because of another user or because they happened to be trying to do something while the cron command is running. -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Tue Mar 24 18:04:00 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 24 Mar 2015 20:04:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1344: ------------------------------- Status: Open (was: Merge Request) > New SSH Analyzer > ---------------- > > Key: BIT-1344 > URL: https://bro-tracker.atlassian.net/browse/BIT-1344 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Johanna Amann > > The SSH analyzer was rewritten from scratch in topic/vladg/ssh. -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Tue Mar 24 18:04:00 2015 From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 24 Mar 2015 20:04:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann reassigned BIT-1344: ---------------------------------- Assignee: Vlad Grigorescu (was: Johanna Amann) > New SSH Analyzer > ---------------- > > Key: BIT-1344 > URL: https://bro-tracker.atlassian.net/browse/BIT-1344 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Vlad Grigorescu > > The SSH analyzer was rewritten from scratch in topic/vladg/ssh. -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Tue Mar 24 18:04:00 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 24 Mar 2015 20:04:00 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20112#comment-20112 ] Johanna Amann commented on BIT-1344: ------------------------------------ I found a regression from master where the new SSH analyzer does not correctly identify the source and the destination for traces where it missed packets. Since the trace is private I will send you a followup per mail. > New SSH Analyzer > ---------------- > > Key: BIT-1344 > URL: https://bro-tracker.atlassian.net/browse/BIT-1344 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Johanna Amann > > The SSH analyzer was rewritten from scratch in topic/vladg/ssh. -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From noreply at bro.org Wed Mar 25 00:00:18 2015 
From: noreply at bro.org (Merge Tracker) Date: Wed, 25 Mar 2015 00:00:18 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201503250700.t2P70IOr007054@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ---------- ---------- ------------- ---------- ----------------------------- BIT-1340 [1] Bro Seth Hall Jon Siwek 2015-03-13 2.4 Normal RDP analyzer (topic/seth/rdp) Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- ------------- ---------- -------------------------------------------------------------------------- #28 [2] bro aeppert [3] 2015-03-20 Seems to fix a case where an entry in the table may be null on insert. [4] #27 [5] bro petiepooo [6] 2015-03-14 Add defensive check for localtime_r() call [7] [1] BIT-1340 https://bro-tracker.atlassian.net/browse/BIT-1340 [2] Pull Request #28 https://github.com/bro/bro/pull/28 [3] aeppert https://github.com/aeppert [4] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master [5] Pull Request #27 https://github.com/bro/bro/pull/27 [6] petiepooo https://github.com/petiepooo [7] Merge Pull Request #27 with git pull --no-ff --no-commit https://github.com/petiepooo/bro.git topic/petiepooo/localtime_r-segv From robin at icir.org Wed Mar 25 08:29:39 2015 
From: robin at icir.org (Robin Sommer) Date: Wed, 25 Mar 2015 08:29:39 -0700 Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer In-Reply-To: References: Message-ID: <20150325152939.GX762@icir.org>
On Tue, Mar 24, 2015 at 16:52 -0500, you wrote:
> This is something I've actually been moving away from. If I have a high level of confidence in the DPD signature, I'd rather rely on that, since I believe it will be more efficient than to try to attach the analyzer to all traffic on that port, and wait for a violation. This was based off some informal discussions with Seth, but I'm happy to throw it out to bro-dev and see what others think.
I would prefer staying with the well-known ports. I see the argument for signature-only, but it would be inconsistent with how the other analyzers work, making it hard to explain to people what's going on. And I don't expect much of a problem in terms of efficiency for SSH.
From jira at bro-tracker.atlassian.net Wed Mar 25 08:31:01 2015 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Wed, 25 Mar 2015 10:31:01 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1344: ------------------------------ I would prefer staying with the well-known ports. I see the argument for signature-only, but it would be inconsistent with how the other analyzers work, making it hard to explain to people what's going on. And I don't expect much of a problem in terms of efficiency for SSH. > New SSH Analyzer > ---------------- > > Key: BIT-1344 > URL: https://bro-tracker.atlassian.net/browse/BIT-1344 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: 2.4 > Reporter: Vlad Grigorescu > Assignee: Vlad Grigorescu > > The SSH analyzer was rewritten from scratch in topic/vladg/ssh. -- This message was sent by Atlassian JIRA (v6.4-OD-16-005#64014) From jira at bro-tracker.atlassian.net Wed Mar 25 09:14:01 2015 
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Wed, 25 Mar 2015 11:14:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20114#comment-20114 ]

Vlad Grigorescu commented on BIT-1344:
--------------------------------------

Fair enough. I'll get that added.

> New SSH Analyzer
> ----------------
>
> Key: BIT-1344
> URL: https://bro-tracker.atlassian.net/browse/BIT-1344
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Assignee: Vlad Grigorescu
>
>
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.

From jira at bro-tracker.atlassian.net Wed Mar 25 09:57:01 2015
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Wed, 25 Mar 2015 11:57:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20115#comment-20115 ]

Vlad Grigorescu commented on BIT-1344:
--------------------------------------

I committed a change to register the analyzer on 22/tcp.

There's still one regression in the private test suite - an SSH connection no longer gets identified as such. This is because there are TCP gaps, and the new analyzer follows the style of other BinPAC analyzers that don't try to parse when there's a gap. Because we're now doing actual parsing on the packets, I'd rather keep the strict behavior in place - the chances of parsing succeeding if there's a gap in the cleartext portion of the protocol are slim.

> New SSH Analyzer
> ----------------
>
> Key: BIT-1344
> URL: https://bro-tracker.atlassian.net/browse/BIT-1344
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Assignee: Vlad Grigorescu
>
>
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.

From jira at bro-tracker.atlassian.net Wed Mar 25 09:57:01 2015
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Wed, 25 Mar 2015 11:57:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vlad Grigorescu reassigned BIT-1344:
------------------------------------

    Assignee: Johanna Amann  (was: Vlad Grigorescu)

> New SSH Analyzer
> ----------------
>
> Key: BIT-1344
> URL: https://bro-tracker.atlassian.net/browse/BIT-1344
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Assignee: Johanna Amann
>
>
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.

From jira at bro-tracker.atlassian.net Wed Mar 25 10:39:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 25 Mar 2015 12:39:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1344:
-------------------------------

    Status: Merge Request  (was: Open)

> New SSH Analyzer
> ----------------
>
> Key: BIT-1344
> URL: https://bro-tracker.atlassian.net/browse/BIT-1344
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Assignee: Johanna Amann
>
>
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.

From seth at icir.org Wed Mar 25 11:01:34 2015
From: seth at icir.org (Seth Hall)
Date: Wed, 25 Mar 2015 14:01:34 -0400
Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer
In-Reply-To: <20150325152939.GX762@icir.org>
References: <20150325152939.GX762@icir.org>
Message-ID: <87FE44F5-8355-474D-9401-B55E8D272610@icir.org>

> On Mar 25, 2015, at 11:29 AM, Robin Sommer wrote:
>
> I would prefer staying with the well-known ports. I see the argument
> for signature-only, but it would be inconsistent with how the other
> analyzers work, making it hard to explain to people what's going on.
> And I don't expect much of a problem in terms of efficiency for SSH.

Ah, good point. I can see the argument to wait and do that all at once as yet another nail in the coffin of port-based analysis.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jira at bro-tracker.atlassian.net Wed Mar 25 11:03:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 25 Mar 2015 13:03:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1344:
---------------------------

Ah, good point. I can see the argument to wait and do that all at once as yet another nail in the coffin of port-based analysis.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

> New SSH Analyzer
> ----------------
>
> Key: BIT-1344
> URL: https://bro-tracker.atlassian.net/browse/BIT-1344
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Assignee: Johanna Amann
>
>
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.

From jira at bro-tracker.atlassian.net Wed Mar 25 11:20:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 25 Mar 2015 13:20:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1344) New SSH Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1344?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1344:
-------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> New SSH Analyzer
> ----------------
>
> Key: BIT-1344
> URL: https://bro-tracker.atlassian.net/browse/BIT-1344
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.4
> Reporter: Vlad Grigorescu
> Assignee: Johanna Amann
>
>
> The SSH analyzer was rewritten from scratch in topic/vladg/ssh.

From jira at bro-tracker.atlassian.net Wed Mar 25 11:46:00 2015
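The design question the BIT-1344 thread above turns on (Robin: attach the analyzer on the well-known port; Vlad: attach on a DPD signature instead, and do not try to parse once the TCP stream has a gap in the cleartext portion) can be made concrete in a few dozen lines. The following is an added illustration written for this page; it is not Bro's SSH analyzer or its dpd.sig, and the sample flows, the `gap_in_cleartext` flag (standing in for the reassembler's gap notification) and the `classify_flows` bookkeeping are constructed. What it does take from the protocol is RFC 4253 section 4.2: the identification string is `SSH-protoversion-softwareversion SP comments CR LF`, at most 255 bytes, the server may send other lines before it, and the client may not.

```python
"""Cleartext SSH identification exchange (RFC 4253, section 4.2).

Added illustration for the BIT-1344 discussion; not Bro's analyzer code.
Sample flows at the bottom are constructed, not captured traffic.
"""
import re

# "SSH-protoversion-softwareversion SP comments CR LF", comments optional,
# whole line at most 255 bytes including CR LF.
IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[^ \r\n]+)"
    rb"(?: (?P<comments>[^\r\n]*))?\r?\n")
MAX_IDENT_LEN = 255


def parse_identification(data, from_server=False):
    """Return (protoversion, softwareversion, comments) or None.

    None means "not (yet) an SSH identification": either no complete line
    has arrived or the bytes are not SSH.  A server may send arbitrary lines
    before its identification string and the client must skip them; the
    client itself must start with "SSH-".
    """
    pos = 0
    while pos < len(data):
        end = data.find(b"\n", pos)
        if end == -1:
            return None                    # incomplete line, need more data
        line = data[pos:end + 1]
        if line.startswith(b"SSH-"):
            if len(line) > MAX_IDENT_LEN:
                return None                # violates the length limit
            m = IDENT_RE.match(line)
            if m is None:
                return None                # malformed identification
            return (m.group("proto").decode("ascii", "replace"),
                    m.group("software").decode("ascii", "replace"),
                    (m.group("comments") or b"").decode("ascii", "replace"))
        if not from_server:
            return None                    # clients send no pre-banner lines
        pos = end + 1                      # skip a server pre-banner line
    return None


def _major(protoversion):
    # "1.99" advertises both versions and behaves like 2.0 (RFC 4253, 5.1)
    return 2 if protoversion == "1.99" or protoversion.startswith("2.") else 1


def identify_ssh(orig_data, resp_data, gap_in_cleartext=False):
    """DPD-style decision for one connection: both directions must show an
    identification string (the analogue of a signature that requires its
    reverse-direction match).  A gap in the cleartext portion means we do
    not parse at all rather than guess, as argued in the thread."""
    if gap_in_cleartext:
        return None
    client = parse_identification(orig_data)
    server = parse_identification(resp_data, from_server=True)
    if client is None or server is None:
        return None
    return {"version": min(_major(client[0]), _major(server[0])),
            "client": client[1], "server": server[1]}


# Constructed flows: (responder port, originator bytes, responder bytes, gap?)
SAMPLE_FLOWS = {
    # SSH on 22/tcp: both attachment policies find it
    "ssh-on-22": (22, b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n",
                  b"SSH-1.99-Cisco-1.25\r\n", False),
    # SSH on a non-standard port: only the signature finds it
    "ssh-on-2222": (2222, b"SSH-2.0-PuTTY_Release_0.64\r\n",
                    b"Welcome to host\r\nSSH-2.0-dropbear_2014.66\r\n", False),
    # HTTP on 22/tcp: port-based attachment would end in a protocol violation
    "http-on-22": (22, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
                   b"HTTP/1.1 200 OK\r\n\r\n", False),
    # SSH with a gap in the cleartext part: the strict analyzer declines
    "ssh-with-gap": (22, b"SSH-2.0-OpenSSH_6.7p1\r\n",
                     b"SSH-2.0-OpenSSH_6.7p1\r\n", True),
}


def classify_flows(flows=SAMPLE_FLOWS, well_known_ports=frozenset({22})):
    """For each flow: would port-based attachment have looked at it, would a
    signature have fired, and what did the parser extract."""
    out = {}
    for name, (resp_port, orig, resp, gap) in flows.items():
        parsed = identify_ssh(orig, resp, gap)
        out[name] = {"port_based_attach": resp_port in well_known_ports,
                     "signature_attach": parsed is not None,
                     "ssh": parsed}
    return out


if __name__ == "__main__":
    for name, verdict in classify_flows().items():
        print(name, verdict)
```

The four sample flows are exactly the cases the thread trades off: the HTTP-on-22 flow is the cost of port-based attachment (an analyzer is spun up and then torn down on a violation), the SSH-on-2222 flow is what the signature buys, and the gap case shows why "don't parse after a gap" costs an ssh.log entry the old analyzer would have produced.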
From: jira at bro-tracker.atlassian.net (Michel (JIRA))
Date: Wed, 25 Mar 2015 13:46:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1354) Missing timestamp initialization in Signatures framework

Michel created BIT-1354:
---------------------------

    Summary: Missing timestamp initialization in Signatures framework
    Key: BIT-1354
    URL: https://bro-tracker.atlassian.net/browse/BIT-1354
    Project: Bro Issue Tracker
    Issue Type: Patch
    Components: Bro
    Affects Versions: 2.3
    Environment: CentOS 6.5 x86_64
    Reporter: Michel
    Attachments: 0001-Added-timestamp-to-log-write-call.patch


The call to log a Signatures::Multiple_Sig_Responders record is missing the timestamp.

This issue was previously sent to the mailing list: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/2013-February/005679.html but does not seem to have been changed in the source.

Patch initializes timestamp with network_time()

From jira at bro-tracker.atlassian.net Wed Mar 25 11:53:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 25 Mar 2015 13:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1354) Missing timestamp initialization in Signatures framework

[ https://bro-tracker.atlassian.net/browse/BIT-1354?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1354:
----------------------------------

    Assignee: Johanna Amann

> Missing timestamp initialization in Signatures framework
> --------------------------------------------------------
>
> Key: BIT-1354
> URL: https://bro-tracker.atlassian.net/browse/BIT-1354
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.3
> Environment: CentOS 6.5 x86_64
> Reporter: Michel
> Assignee: Johanna Amann
> Attachments: 0001-Added-timestamp-to-log-write-call.patch
>
>
> The call to log a Signatures::Multiple_Sig_Responders record is missing the timestamp.
> This issue was previously sent to the mailing list: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/2013-February/005679.html but does not seem to have been changed in the source.
> Patch initializes timestamp with network_time()

From jira at bro-tracker.atlassian.net Wed Mar 25 12:03:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 25 Mar 2015 14:03:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1354) Missing timestamp initialization in Signatures framework

[ https://bro-tracker.atlassian.net/browse/BIT-1354?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1354:
-------------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> Missing timestamp initialization in Signatures framework
> --------------------------------------------------------
>
> Key: BIT-1354
> URL: https://bro-tracker.atlassian.net/browse/BIT-1354
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.3
> Environment: CentOS 6.5 x86_64
> Reporter: Michel
> Assignee: Johanna Amann
> Attachments: 0001-Added-timestamp-to-log-write-call.patch
>
>
> The call to log a Signatures::Multiple_Sig_Responders record is missing the timestamp.
> This issue was previously sent to the mailing list: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/2013-February/005679.html but does not seem to have been changed in the source.
> Patch initializes timestamp with network_time()

From jira at bro-tracker.atlassian.net Wed Mar 25 12:38:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 25 Mar 2015 14:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time

[ https://bro-tracker.atlassian.net/browse/BIT-1353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20117#comment-20117 ]

Johanna Amann commented on BIT-1353:
------------------------------------

I looked into this a tad more - and it seems that two nodes were very slow to reply and potentially ran into a timeout. That does not really seem obvious from the status output at the moment though (unless I completely missed it) - perhaps we should add that.

> BroCtl status/top take excessive amount of time
> -----------------------------------------------
>
> Key: BIT-1353
> URL: https://bro-tracker.atlassian.net/browse/BIT-1353
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.4
>
>
> After running a large bro cluster for a few days on a FreeBSD system (FreeBSD 10.1, 28 physical nodes, 81 worker processes), broctl actions that interact with all nodes seem to take excessive amounts of time (>2 minutes for a broctl status). This was not the case right after starting up the cluster.
> If there is any way I can help with more information, please let me know what to do.

From jira at bro-tracker.atlassian.net Wed Mar 25 12:54:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 25 Mar 2015 14:54:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1355) Hitting ctrl+c in broctl gives ugly output

Johanna Amann created BIT-1355:
----------------------------------

    Summary: Hitting ctrl+c in broctl gives ugly output
    Key: BIT-1355
    URL: https://bro-tracker.atlassian.net/browse/BIT-1355
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Fix For: 2.4


Hitting ctrl+c in broctl results in an ugly stack-trace at the moment:

{code}
$ broctl
warning: new bro version detected (run the broctl "deploy" command)

Welcome to BroControl 1.3-162

Type "help" for help.

[BroControl] > Traceback (most recent call last):
  File "/xa/bro/master/bin/broctl", line 777, in
    sys.exit(main())
  File "/xa/bro/master/bin/broctl", line 772, in main
    cmdsuccess = loop.cmdloop("\nWelcome to BroControl %s\n\nType \"help\" for help.\n" % version.VERSION)
  File "/xa/bro/master/lib/broctl/BroControl/brocmd.py", line 36, in cmdloop
    line = py3bro.input(self.prompt)
KeyboardInterrupt
$
{code}

From jira at bro-tracker.atlassian.net Wed Mar 25 16:36:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 25 Mar 2015 18:36:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1356) Bro process sticks around after broctl stop

Johanna Amann created BIT-1356:
----------------------------------

    Summary: Bro process sticks around after broctl stop
    Key: BIT-1356
    URL: https://bro-tracker.atlassian.net/browse/BIT-1356
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: BroControl
    Affects Versions: git/master
    Reporter: Johanna Amann
    Fix For: 2.4


It seems that after running a "broctl stop" not all bro processes are killed immediately. On our cluster, one of the processes keeps running; it seems like it eventually terminates after all log-compression is done. Is that on purpose or is that a bug?

ps output (on the node running the manager, bro process in first line, including the running compression jobs for completeness):

{code}
$ ps -ax | grep bro
23353  -  IN   20:06.96 /xa/bro/master/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
24979  -  I     0:00.01 bash /xa/bro/master/share/broctl/scripts/archive-log http.2015-03-25-14-40-30.log http 15-03-25_14.40.30 15-03-25_16.29.29 1 ascii
25047  -  I     0:00.01 bash /xa/bro/master/share/broctl/scripts/archive-log conn.2015-03-25-14-40-30.log conn 15-03-25_14.40.30 15-03-25_16.29.29 1 ascii
25841  -  S     0:00.59 bash /xa/bro/master/share/broctl/scripts/post-terminate /xa/bro/master/spool/manager
29204  0  D+    0:00.00 grep bro
{code}

From noreply at bro.org Thu Mar 26 00:00:24 2015
From: noreply at bro.org (Merge Tracker)
Date: Thu, 26 Mar 2015 00:00:24 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503260700.t2Q70Otf011080@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter   Assignee   Updated     For Version  Priority  Summary
------------  ---------  ---------  ---------  ----------  -----------  --------  -----------------------------
BIT-1340 [1]  Bro        Seth Hall  Jon Siwek  2015-03-13  2.4          Normal    RDP analyzer (topic/seth/rdp)

Open GitHub Pull Requests
=========================

Issue    Component  User         Updated     Title
-------  ---------  -----------  ----------  ------------------------------------------------------------------------
#29 [2]  bro        jshlbrd [3]  2015-03-25  Add PROXY-AUTHORIZATION header to http.log [4]
#28 [5]  bro        aeppert [6]  2015-03-20  Seems to fix a case where an entry in the table may be null on insert. [7]

[1] BIT-1340          https://bro-tracker.atlassian.net/browse/BIT-1340
[2] Pull Request #29  https://github.com/bro/bro/pull/29
[3] jshlbrd           https://github.com/jshlbrd
[4] Merge Pull Request #29 with  git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git patch-2
[5] Pull Request #28  https://github.com/bro/bro/pull/28
[6] aeppert           https://github.com/aeppert
[7] Merge Pull Request #28 with  git pull --no-ff --no-commit https://github.com/aeppert/bro.git master

From jira at bro-tracker.atlassian.net Thu Mar 26 07:47:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 26 Mar 2015 09:47:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time

[ https://bro-tracker.atlassian.net/browse/BIT-1353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20118#comment-20118 ]

Johanna Amann commented on BIT-1353:
------------------------------------

And even more detail - the cause of this was hardware problems on two nodes. The bro instances of these nodes were still kind-of-running, but I don't think they were communicating with master anymore and they were unkillable (even with kill -9); probably hanging while waiting for disk-io (harddrive problems).

Since you still could ssh into the nodes, and they worked normally unless you tried to do certain file system accesses, broctl apparently listed them as online, without giving any indication of problems with the nodes, besides the fact that "status" takes a long time.

> BroCtl status/top take excessive amount of time
> -----------------------------------------------
>
> Key: BIT-1353
> URL: https://bro-tracker.atlassian.net/browse/BIT-1353
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.4
>
>
> After running a large bro cluster for a few days on a FreeBSD system (FreeBSD 10.1, 28 physical nodes, 81 worker processes), broctl actions that interact with all nodes seem to take excessive amounts of time (>2 minutes for a broctl status). This was not the case right after starting up the cluster.
> If there is any way I can help with more information, please let me know what to do.

From jira at bro-tracker.atlassian.net Thu Mar 26 13:09:00 2015
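The two BIT-1353 comments above describe the operational failure mode precisely: a host still answers ssh, so it is listed as online, but the bro process on it is wedged in disk I/O and every fan-out command waits on it until some timeout fires, with nothing in the output saying so. The sketch below is an added illustration of the "perhaps we should add that" suggestion, written for this page; it is not BroControl's code. It probes all nodes concurrently, waits a bounded total time, and reports a node that has not answered as "timeout", a state distinct from running or stopped. The node names, the `demo_probe` function (which simulates the hung host with a sleep) and the 0.3 s timeout are constructed.

```python
"""Bounded per-node status collection with an explicit "timeout" state.

Added illustration for the BIT-1353 report; not BroControl code.  Node
names and probes are constructed stand-ins for an ssh round trip per host.
"""
import threading
import time


def collect_status(nodes, probe, timeout):
    """Run probe(node) for every node in parallel and wait at most `timeout`
    seconds in total.  A node whose probe has not returned by then is
    reported as "timeout" so a host that answers ssh but hangs on disk I/O
    neither looks healthy nor stalls the whole command."""
    results = {}
    lock = threading.Lock()

    def worker(node):
        try:
            value = probe(node)
        except Exception as exc:            # a failing probe is still a result
            value = "error: %s" % exc
        with lock:
            results[node] = value

    # daemon=True on purpose: a probe stuck in uninterruptible I/O can never
    # be joined, and it must not keep the controlling process alive at exit.
    threads = [threading.Thread(target=worker, args=(n,), daemon=True)
               for n in nodes]
    for t in threads:
        t.start()
    deadline = time.monotonic() + timeout
    for t in threads:
        t.join(max(0.0, deadline - time.monotonic()))

    report = {}
    with lock:
        for node in nodes:
            report[node] = results.get(
                node, "timeout (no reply in %.1fs)" % timeout)
    return report


def format_report(report):
    """Render one line per node, like a status table."""
    width = max([len(n) for n in report] + [4])
    lines = ["%-*s  %s" % (width, "Name", "Status")]
    for node in sorted(report):
        lines.append("%-*s  %s" % (width, node, report[node]))
    return "\n".join(lines)


# Constructed probe.  A real one would be something like
# subprocess.run(["ssh", "-o", "ConnectTimeout=5", host, cmd], timeout=...),
# which, unlike a thread, can be killed when it overruns.
def demo_probe(node):
    if node == "worker-7":                 # simulates a host hung on disk I/O
        time.sleep(2.0)
    return "running"


def demo(timeout=0.3):
    nodes = ["manager", "proxy-1", "worker-1", "worker-7"]
    return collect_status(nodes, demo_probe, timeout)


if __name__ == "__main__":
    print(format_report(demo()))
```

The point of the bounded join is that the command returns in roughly `timeout` seconds regardless of how many nodes are wedged, and the report makes the wedged ones visible; whether those nodes then get marked as needing a restart is a policy decision on top of this.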
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 26 Mar 2015 15:09:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1331) Bro manager crashes when logs rotate

[ https://bro-tracker.atlassian.net/browse/BIT-1331?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-1331:
------------------------------

    Description:
The Bro manager crashes when the logs rotate. Workers run fine through this process.

stderr.log output:

internal error: finish missing
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup "$mybro" "$@"
send-mail: SENDMAIL-NOTFOUND not found

  was:
The BroControl manager crashes when the logs rotate. Workers run fine through this process.

stderr.log output:

internal error: finish missing
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup "$mybro" "$@"
send-mail: SENDMAIL-NOTFOUND not found

    Summary: Bro manager crashes when logs rotate  (was: BroControl manager crashes when logs rotate)

Edited name, not Broctl, but Bro manager

> Bro manager crashes when logs rotate
> ------------------------------------
>
> Key: BIT-1331
> URL: https://bro-tracker.atlassian.net/browse/BIT-1331
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.4
> Environment: Ubuntu 12.04.5 LTS, PF_RING lb_method
> Reporter: Josh Liburdi
> Priority: High
> Fix For: 2.4
>
>
> The Bro manager crashes when the logs rotate. Workers run fine through this process.
> stderr.log output:
> internal error: finish missing
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 157357 Aborted (core dumped) nohup "$mybro" "$@"
> send-mail: SENDMAIL-NOTFOUND not found

From jira at bro-tracker.atlassian.net Thu Mar 26 13:11:00 2015
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 26 Mar 2015 15:11:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1326) Broctl installation requires sqlite but does not check for its presence

[ https://bro-tracker.atlassian.net/browse/BIT-1326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-1326:
---------------------------------

    Assignee: Jon Siwek

> Broctl installation requires sqlite but does not check for its presence
> -----------------------------------------------------------------------
>
> Key: BIT-1326
> URL: https://bro-tracker.atlassian.net/browse/BIT-1326
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Jon Siwek
> Fix For: 2.4
>
>
> Trying to start broctl on a new installation of FreeBSD with a standard python installation results in the following error message upon first start:
> {code}
> [bro at marge ~/master]$ broctl
> Traceback (most recent call last):
>   File "/xa/bro/master/bin/broctl", line 29, in
>     from BroControl.broctl import BroCtl
>   File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 8, in
>     from BroControl import util
>   File "/xa/bro/master/lib/broctl/BroControl/util.py", line 6, in
>     from BroControl import config
>   File "/xa/bro/master/lib/broctl/BroControl/config.py", line 10, in
>     from .state import SqliteState
>   File "/xa/bro/master/lib/broctl/BroControl/state.py", line 2, in
>     import sqlite3
>   File "/usr/local/lib/python2.7/sqlite3/__init__.py", line 24, in
>     from dbapi2 import *
>   File "/usr/local/lib/python2.7/sqlite3/dbapi2.py", line 28, in
>     from _sqlite3 import *
> ImportError: No module named _sqlite3
> {code}
> We should probably check for the module in cmake and refuse installation if it is not present.

From jira at bro-tracker.atlassian.net Thu Mar 26 13:11:01 2015
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 26 Mar 2015 15:11:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1356) Bro process sticks around after broctl stop

[ https://bro-tracker.atlassian.net/browse/BIT-1356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-1356:
---------------------------------

    Assignee: Daniel Thayer

> Bro process sticks around after broctl stop
> -------------------------------------------
>
> Key: BIT-1356
> URL: https://bro-tracker.atlassian.net/browse/BIT-1356
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Daniel Thayer
> Fix For: 2.4
>
>
> It seems that after running a "broctl stop" not all bro processes are killed immediately. On our cluster, one of the processes keeps running; it seems like it eventually terminates after all log-compression is done. Is that on purpose or is that a bug?
> ps output (on the node running the manager, bro process in first line, including the running compression jobs for completeness):
> {code}
> $ ps -ax | grep bro
> 23353  -  IN   20:06.96 /xa/bro/master/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
> 24979  -  I     0:00.01 bash /xa/bro/master/share/broctl/scripts/archive-log http.2015-03-25-14-40-30.log http 15-03-25_14.40.30 15-03-25_16.29.29 1 ascii
> 25047  -  I     0:00.01 bash /xa/bro/master/share/broctl/scripts/archive-log conn.2015-03-25-14-40-30.log conn 15-03-25_14.40.30 15-03-25_16.29.29 1 ascii
> 25841  -  S     0:00.59 bash /xa/bro/master/share/broctl/scripts/post-terminate /xa/bro/master/spool/manager
> 29204  0  D+    0:00.00 grep bro
> {code}

From jira at bro-tracker.atlassian.net Thu Mar 26 13:12:00 2015
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 26 Mar 2015 15:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time

[ https://bro-tracker.atlassian.net/browse/BIT-1353?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-1353:
---------------------------------

    Assignee: Daniel Thayer

> BroCtl status/top take excessive amount of time
> -----------------------------------------------
>
> Key: BIT-1353
> URL: https://bro-tracker.atlassian.net/browse/BIT-1353
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Daniel Thayer
> Fix For: 2.4
>
>
> After running a large bro cluster for a few days on a FreeBSD system (FreeBSD 10.1, 28 physical nodes, 81 worker processes), broctl actions that interact with all nodes seem to take excessive amounts of time (>2 minutes for a broctl status). This was not the case right after starting up the cluster.
> If there is any way I can help with more information, please let me know what to do.

From jira at bro-tracker.atlassian.net Thu Mar 26 13:12:01 2015
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 26 Mar 2015 15:12:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1349) Broctl stop output is not sorted anymore

[ https://bro-tracker.atlassian.net/browse/BIT-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-1349:
---------------------------------

    Assignee: Daniel Thayer

> Broctl stop output is not sorted anymore
> ----------------------------------------
>
> Key: BIT-1349
> URL: https://bro-tracker.atlassian.net/browse/BIT-1349
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Daniel Thayer
> Priority: Trivial
> Fix For: 2.4
>
>
> Minor: the output of the worker nodes when doing broctl stop is not sorted anymore. We should either sort it (or just skip outputting it altogether) - at the moment it is not really useful; if there is no numerical order it is difficult to see if a number one wants to have in there is missing or not.

From jira at bro-tracker.atlassian.net Thu Mar 26 13:12:00 2015
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 26 Mar 2015 15:12:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1355) Hitting ctrl+c in broctl gives ugly output

[ https://bro-tracker.atlassian.net/browse/BIT-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-1355:
---------------------------------

    Assignee: Daniel Thayer

> Hitting ctrl+c in broctl gives ugly output
> ------------------------------------------
>
> Key: BIT-1355
> URL: https://bro-tracker.atlassian.net/browse/BIT-1355
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Johanna Amann
> Assignee: Daniel Thayer
> Fix For: 2.4
>
>
> Hitting ctrl+c in broctl results in an ugly stack-trace at the moment:
> {code}
> $ broctl
> warning: new bro version detected (run the broctl "deploy" command)
> Welcome to BroControl 1.3-162
> Type "help" for help.
> [BroControl] > Traceback (most recent call last):
>   File "/xa/bro/master/bin/broctl", line 777, in
>     sys.exit(main())
>   File "/xa/bro/master/bin/broctl", line 772, in main
>     cmdsuccess = loop.cmdloop("\nWelcome to BroControl %s\n\nType \"help\" for help.\n" % version.VERSION)
>   File "/xa/bro/master/lib/broctl/BroControl/brocmd.py", line 36, in cmdloop
>     line = py3bro.input(self.prompt)
> KeyboardInterrupt
> $
> {code}

From jira at bro-tracker.atlassian.net Thu Mar 26 13:14:01 2015
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 26 Mar 2015 15:14:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-631) Special message for broctl locking when done by cron

[ https://bro-tracker.atlassian.net/browse/BIT-631?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-631:
--------------------------------

    Assignee: Daniel Thayer

> Special message for broctl locking when done by cron
> ----------------------------------------------------
>
> Key: BIT-631
> URL: https://bro-tracker.atlassian.net/browse/BIT-631
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Reporter: Seth Hall
> Assignee: Daniel Thayer
> Fix For: 2.4
>
>
> If the broctl lock is being held by the cron command it would be nice if the message that indicates a lock is already held would indicate if it is the cron command. If multiple people are working with broctl the person that gets a lock doesn't know if it's because of another user or because they happened to be trying to do something while the cron command is running.

From jira at bro-tracker.atlassian.net Thu Mar 26 13:14:00 2015
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 26 Mar 2015 15:14:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-1263:
---------------------------------

    Assignee: Jon Siwek  (was: hui)

Hui is doing his prelims, probably won't have a chance for a couple months to look at anything.

> Implementing three event handlers for supported data structure in Modbus Analyzer
> ---------------------------------------------------------------------------------
>
> Key: BIT-1263
> URL: https://bro-tracker.atlassian.net/browse/BIT-1263
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: hui
> Assignee: Jon Siwek
> Priority: Low
> Labels: analyzer, modbus
> Fix For: 2.4
>
>
> Three support data structures are defined in Modbus analyzer:
> FileRecordRequest,
> FileRecordResponse,
> ReferenceWithData
> Three event handlers are declared for them.
> The changes are already made and pushed into the branch:
> topic/hui/modbus-events2

From noreply at bro.org Fri Mar 27 00:00:45 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 27 Mar 2015 00:00:45 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503270700.t2R70jdV007046@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter   Assignee   Updated     For Version  Priority  Summary
------------  ---------  ---------  ---------  ----------  -----------  --------  -----------------------------
BIT-1340 [1]  Bro        Seth Hall  Jon Siwek  2015-03-13  2.4          Normal    RDP analyzer (topic/seth/rdp)

Open GitHub Pull Requests
=========================

Issue    Component  User         Updated     Title
-------  ---------  -----------  ----------  ------------------------------------------------------------------------
#29 [2]  bro        jshlbrd [3]  2015-03-25  Add PROXY-AUTHORIZATION header to http.log [4]
#28 [5]  bro        aeppert [6]  2015-03-20  Seems to fix a case where an entry in the table may be null on insert. [7]

[1] BIT-1340          https://bro-tracker.atlassian.net/browse/BIT-1340
[2] Pull Request #29  https://github.com/bro/bro/pull/29
[3] jshlbrd           https://github.com/jshlbrd
[4] Merge Pull Request #29 with  git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git patch-2
[5] Pull Request #28  https://github.com/bro/bro/pull/28
[6] aeppert           https://github.com/aeppert
[7] Merge Pull Request #28 with  git pull --no-ff --no-commit https://github.com/aeppert/bro.git master

From jira at bro-tracker.atlassian.net Fri Mar 27 12:18:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 27 Mar 2015 14:18:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1342) Occasional test failures

    [ https://bro-tracker.atlassian.net/browse/BIT-1342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20121#comment-20121 ]

Daniel Thayer commented on BIT-1342:
------------------------------------

This is a race condition caused by daemon threads (sometimes) still running when broctl terminates.

> Occasional test failures
> ------------------------
>
>                 Key: BIT-1342
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1342
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Robin Sommer
>             Fix For: 2.4
>
>
> Two tests in current master fail for me occasionally (usually when I run the full broctl test-suite but not when I rerun just these failing tests). Diag output below.
> {code}
> command.start-stop-standalone ... failed
> % 'btest-diff stop.out' failed unexpectedly (exit code 1)
> % cat .diag
> == File ===============================
> stopping bro ...
> Exception in thread Thread-1 (most likely raised during interpreter shutdown):
> Traceback (most recent call last):
> File "/usr/lib64/python2.7/threading.py", line 811, in __bootstrap_inner
> File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", line
> File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", line
> File "/usr/lib64/python2.7/Queue.py", line 177, in get
> File "/usr/lib64/python2.7/threading.py", line 354, in wait
> : 'NoneType' object is not callable
> == Diff ===============================
> --- /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-stop-standalone/stop.out 2013-06-01 00:29:07.0000
> +++ stop.out 2015-03-17 22:50:01.857838625 +0000
> @@ -1 +1,9 @@
> stopping bro ...
> +Exception in thread Thread-1 (most likely raised during interpreter shutdown):
> +Traceback (most recent call last):
> + File "/usr/lib64/python2.7/threading.py", line 811, in __bootstrap_inner
> + File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", l
> + File "/home/robin/bro/master/aux/broctl/testing/../build/testing/test.21123/lib/broctl/BroControl/ssh_runner.py", l
> + File "/usr/lib64/python2.7/Queue.py", line 177, in get
> + File "/usr/lib64/python2.7/threading.py", line 354, in wait
> +: 'NoneType' object is not callable
> =======================================
> [...]
> command.start-cluster-slowstart ... failed
> % 'btest-diff status2.out' failed unexpectedly (exit code 1)
> % cat .diag
> == File ===============================
> Getting process status ...
> Getting peer status ...
> Name Type Host Status Pid Peers Started
> manager manager localhost stopped
> proxy-1 proxy localhost stopped
> worker-1 worker localhost stopped
> worker-2 worker localhost stopped
> == Diff ===============================
> --- /home/robin/bro/master/aux/broctl/testing/Baseline/command.start-cluster-slowstart/status2.out 2015-03-04 20:16
> +++ status2.out 2015-03-17 22:50:26.578618684 +0000
> @@ -3,5 +3,5 @@
> Name Type Host Status Pid Peers Started
> manager manager localhost stopped
> proxy-1 proxy localhost stopped
> -worker-1 worker localhost crashed
> +worker-1 worker localhost stopped
> worker-2 worker localhost stopped
> =======================================
> {code}

From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 27 Mar 2015 16:40:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1353) BroCtl status/top take excessive amount of time

    [ https://bro-tracker.atlassian.net/browse/BIT-1353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20122#comment-20122 ]

Daniel Thayer commented on BIT-1353:
------------------------------------

I'm not seeing a problem. As a test, I simulated a slow node by adding a "sleep" command to one of the scripts that broctl runs on the remote host. If the sleep is long enough to exceed the timeout, then I see "???" in the status output (in the "Running", "Peers", and "Started" columns). Otherwise, broctl status simply gathers information reported by Bro.

> BroCtl status/top take excessive amount of time
> -----------------------------------------------
>
>                 Key: BIT-1353
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1353
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Daniel Thayer
>             Fix For: 2.4
>
>
> After running a large bro cluster for a few days on a FreeBSD system (FreeBSD 10.1, 28 physical nodes, 81 worker processes), broctl actions that interact with all nodes seem to take excessive amounts of time (>2 minutes for a broctl status). This was not the case right after starting up the cluster.
> If there is any way I can help with more information, please let me know what to do.

From: noreply at bro.org (Merge Tracker)
Date: Sat, 28 Mar 2015 00:00:34 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503280700.t2S70YIS020071@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------  ---------  ---------  ----------  ------------  ---------  -----------------------------
BIT-1340 [1]  Bro         Seth Hall  Jon Siwek  2015-03-13  2.4           Normal     RDP analyzer (topic/seth/rdp)

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------  -----------  ----------  --------------------------------------------------------------------------
#29 [2]  bro         jshlbrd [3]  2015-03-25  Add PROXY-AUTHORIZATION header to http.log [4]
#28 [5]  bro         aeppert [6]  2015-03-20  Seems to fix a case where an entry in the table may be null on insert. [7]

[1] BIT-1340          https://bro-tracker.atlassian.net/browse/BIT-1340
[2] Pull Request #29  https://github.com/bro/bro/pull/29
[3] jshlbrd           https://github.com/jshlbrd
[4] Merge Pull Request #29 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git patch-2
[5] Pull Request #28  https://github.com/bro/bro/pull/28
[6] aeppert           https://github.com/aeppert
[7] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master

From: noreply at bro.org (Merge Tracker)
Date: Sun, 29 Mar 2015 00:00:33 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503290700.t2T70XAK028858@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------  ---------  ---------  ----------  ------------  ---------  -----------------------------
BIT-1340 [1]  Bro         Seth Hall  Jon Siwek  2015-03-13  2.4           Normal     RDP analyzer (topic/seth/rdp)

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------  -----------  ----------  --------------------------------------------------------------------------
#29 [2]  bro         jshlbrd [3]  2015-03-25  Add PROXY-AUTHORIZATION header to http.log [4]
#28 [5]  bro         aeppert [6]  2015-03-20  Seems to fix a case where an entry in the table may be null on insert. [7]

[1] BIT-1340          https://bro-tracker.atlassian.net/browse/BIT-1340
[2] Pull Request #29  https://github.com/bro/bro/pull/29
[3] jshlbrd           https://github.com/jshlbrd
[4] Merge Pull Request #29 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git patch-2
[5] Pull Request #28  https://github.com/bro/bro/pull/28
[6] aeppert           https://github.com/aeppert
[7] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master

From: noreply at bro.org (Merge Tracker)
Date: Mon, 30 Mar 2015 00:00:46 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503300700.t2U70kKh003304@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee   Updated     For Version   Priority   Summary
------------  ----------  ---------  ---------  ----------  ------------  ---------  -----------------------------
BIT-1340 [1]  Bro         Seth Hall  Jon Siwek  2015-03-13  2.4           Normal     RDP analyzer (topic/seth/rdp)

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------  -----------  ----------  --------------------------------------------------------------------------
#29 [2]  bro         jshlbrd [3]  2015-03-25  Add PROXY-AUTHORIZATION header to http.log [4]
#28 [5]  bro         aeppert [6]  2015-03-20  Seems to fix a case where an entry in the table may be null on insert. [7]

[1] BIT-1340          https://bro-tracker.atlassian.net/browse/BIT-1340
[2] Pull Request #29  https://github.com/bro/bro/pull/29
[3] jshlbrd           https://github.com/jshlbrd
[4] Merge Pull Request #29 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git patch-2
[5] Pull Request #28  https://github.com/bro/bro/pull/28
[6] aeppert           https://github.com/aeppert
[7] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 30 Mar 2015 11:09:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1357) Complete TODOs in NEWS file

Jon Siwek created BIT-1357:
------------------------------

             Summary: Complete TODOs in NEWS file
                 Key: BIT-1357
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1357
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
            Reporter: Jon Siwek
             Fix For: 2.4

There are several TODO markers in NEWS to complete before releasing.

From: jira at bro-tracker.atlassian.net (Nicholas Weaver (JIRA))
Date: Mon, 30 Mar 2015 11:26:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1358) Pcap with unusual packet ordering doesn't reassemble

Nicholas Weaver created BIT-1358:
------------------------------------

             Summary: Pcap with unusual packet ordering doesn't reassemble
                 Key: BIT-1358
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1358
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.3
         Environment: OS X Yosemite
            Reporter: Nicholas Weaver
         Attachments: telnet_test.pcap

The attached PCAP does send traffic in an unusual order (namely, the initial data packet appears after the FIN), but telnet did receive the information from the server. Bro -r {file} Conn::default_extract=T did not extract the reply's contents, and the conn log says "missed bytes" when the bytes "missed" were simply received slightly after the FIN.

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 30 Mar 2015 12:40:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1359) DTLS bad shift operation

Jon Siwek created BIT-1359:
------------------------------

             Summary: DTLS bad shift operation
                 Key: BIT-1359
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1359
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
            Reporter: Jon Siwek
            Assignee: Johanna Amann
             Fix For: 2.4

Coverity is reporting a left shift in dtls-analyzer.pac that may cause undefined behavior in some cases.

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 30 Mar 2015 13:07:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20200#comment-20200 ]

Jon Siwek commented on BIT-1263:
--------------------------------

Doesn't look like any of the existing modbus pcaps trigger the new events, so unless Robin no longer cares about having a test case or someone gives me sample pcaps, I'm not much help here.

> Implementing three event handlers for supported data structure in Modbus Analyzer
> ---------------------------------------------------------------------------------
>
>                 Key: BIT-1263
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1263
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: hui
>            Assignee: Jon Siwek
>            Priority: Low
>              Labels: analyzer, modbus
>             Fix For: 2.4
>
>
> Three support data structures are defined in Modbus analyzer:
> FileRecordRequest,
> FileRecordResponse,
> ReferenceWithData
> Three event handlers are declared for them.
> The changes are already made and pushed into the branch:
> topic/hui/modbus-events2

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 30 Mar 2015 13:07:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1263:
------------------------------

    Assignee:     (was: Jon Siwek)

> Implementing three event handlers for supported data structure in Modbus Analyzer
> ---------------------------------------------------------------------------------
>
>                 Key: BIT-1263
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1263
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: hui
>            Priority: Low
>              Labels: analyzer, modbus
>             Fix For: 2.4
>
>
> Three support data structures are defined in Modbus analyzer:
> FileRecordRequest,
> FileRecordResponse,
> ReferenceWithData
> Three event handlers are declared for them.
> The changes are already made and pushed into the branch:
> topic/hui/modbus-events2

From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 30 Mar 2015 13:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1359) DTLS bad shift operation

    [ https://bro-tracker.atlassian.net/browse/BIT-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20201#comment-20201 ]

Johanna Amann commented on BIT-1359:
------------------------------------

Sorry for that. Fix is in topic/johanna/bit-1359

> DTLS bad shift operation
> ------------------------
>
>                 Key: BIT-1359
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1359
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Jon Siwek
>            Assignee: Johanna Amann
>             Fix For: 2.4
>
>
> Coverity is reporting a left shift in dtls-analyzer.pac that may cause undefined behavior in some cases.

From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 30 Mar 2015 13:38:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1359) DTLS bad shift operation

    [ https://bro-tracker.atlassian.net/browse/BIT-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1359:
----------------------------------

    Assignee:     (was: Johanna Amann)

> DTLS bad shift operation
> ------------------------
>
>                 Key: BIT-1359
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1359
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Jon Siwek
>             Fix For: 2.4
>
>
> Coverity is reporting a left shift in dtls-analyzer.pac that may cause undefined behavior in some cases.

From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 30 Mar 2015 13:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1359) DTLS bad shift operation

    [ https://bro-tracker.atlassian.net/browse/BIT-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1359:
-------------------------------

    Status: Merge Request  (was: Open)

> DTLS bad shift operation
> ------------------------
>
>                 Key: BIT-1359
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1359
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Jon Siwek
>            Assignee: Johanna Amann
>             Fix For: 2.4
>
>
> Coverity is reporting a left shift in dtls-analyzer.pac that may cause undefined behavior in some cases.

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 30 Mar 2015 13:50:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1326) Broctl installation requires sqlite but does not check for its presence

    [ https://bro-tracker.atlassian.net/browse/BIT-1326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1326:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> Broctl installation requires sqlite but does not check for its presence
> -----------------------------------------------------------------------
>
>                 Key: BIT-1326
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1326
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> Trying to start broctl on a new installation of FreeBSD with a standard python installation results in the following error message upon first start:
> {code}
> [bro at marge ~/master]$ broctl
> Traceback (most recent call last):
> File "/xa/bro/master/bin/broctl", line 29, in
> from BroControl.broctl import BroCtl
> File "/xa/bro/master/lib/broctl/BroControl/broctl.py", line 8, in
> from BroControl import util
> File "/xa/bro/master/lib/broctl/BroControl/util.py", line 6, in
> from BroControl import config
> File "/xa/bro/master/lib/broctl/BroControl/config.py", line 10, in
> from .state import SqliteState
> File "/xa/bro/master/lib/broctl/BroControl/state.py", line 2, in
> import sqlite3
> File "/usr/local/lib/python2.7/sqlite3/__init__.py", line 24, in
> from dbapi2 import *
> File "/usr/local/lib/python2.7/sqlite3/dbapi2.py", line 28, in
> from _sqlite3 import *
> ImportError: No module named _sqlite3
> {code}
> We should probably check for the module in cmake and refuse installation if it is not present.

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 30 Mar 2015 13:53:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1359) DTLS bad shift operation

    [ https://bro-tracker.atlassian.net/browse/BIT-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-1359:
------------------------------

    Assignee: Jon Siwek

> DTLS bad shift operation
> ------------------------
>
>                 Key: BIT-1359
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1359
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Jon Siwek
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> Coverity is reporting a left shift in dtls-analyzer.pac that may cause undefined behavior in some cases.

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 30 Mar 2015 14:05:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1359) DTLS bad shift operation

    [ https://bro-tracker.atlassian.net/browse/BIT-1359?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1359:
---------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> DTLS bad shift operation
> ------------------------
>
>                 Key: BIT-1359
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1359
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Jon Siwek
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> Coverity is reporting a left shift in dtls-analyzer.pac that may cause undefined behavior in some cases.

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 30 Mar 2015 15:35:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1343) Add Support for Including Common PAC Files

    [ https://bro-tracker.atlassian.net/browse/BIT-1343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20202#comment-20202 ]

Jon Siwek commented on BIT-1343:
--------------------------------

Just noting that I see ASN.1 parsing code has also been copied into the upcoming RDP analyzer (so remember to factor that out when addressing this ticket).

> Add Support for Including Common PAC Files
> ------------------------------------------
>
>                 Key: BIT-1343
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1343
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC
>            Reporter: Vlad Grigorescu
>            Priority: Low
>
> With some new analyzers, we're duplicating code that we're shipping with Bro, due to a limitation in BinPAC - currently, BinPAC doesn't support %include-ing files from other directories. ASN.1 is a good example of this - SNMP and Kerberos both need a copy of the same ASN.1 parsing code. SMB also has some overlap with other analyzers.
> I tried the obvious fix of adding parsing support for {{%include ../snmp/asn1.pac}}, but the include paths get mixed up and compilation fails.
> I believe this should be a relatively simple fix.

From: jira at bro-tracker.atlassian.net (hui (JIRA))
Date: Mon, 30 Mar 2015 16:33:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20203#comment-20203 ]

hui commented on BIT-1263:
--------------------------

Just done with my prelim. Actually I kept an eye out for sample cases that can trigger these three event handlers, but had no luck. Let me try with Randy in Abbot lab to see if he has any or not. I will also try to see whether I can use the newly deployed TCIPG lab.

> Implementing three event handlers for supported data structure in Modbus Analyzer
> ---------------------------------------------------------------------------------
>
>                 Key: BIT-1263
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1263
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: hui
>            Priority: Low
>              Labels: analyzer, modbus
>             Fix For: 2.4
>
>
> Three support data structures are defined in Modbus analyzer:
> FileRecordRequest,
> FileRecordResponse,
> ReferenceWithData
> Three event handlers are declared for them.
> The changes are already made and pushed into the branch:
> topic/hui/modbus-events2

From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 30 Mar 2015 17:09:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1360) Better error message when SpoolDir does not exist

Johanna Amann created BIT-1360:
----------------------------------

             Summary: Better error message when SpoolDir does not exist
                 Key: BIT-1360
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1360
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BroControl
    Affects Versions: git/master
            Reporter: Johanna Amann
            Priority: Low
             Fix For: 2.4

Currently, the error message that is given when SpoolDir in broctl.cfg does not exist is rather unhelpful (something in the direction of "Cannot open database").

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 30 Mar 2015 17:11:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1340) RDP analyzer (topic/seth/rdp)

    [ https://bro-tracker.atlassian.net/browse/BIT-1340?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1340:
---------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> RDP analyzer (topic/seth/rdp)
> -----------------------------
>
>                 Key: BIT-1340
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1340
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> This is Josh Liburdi's RDP analyzer which was cleaned up some and extended by myself and it's now prepared for merging into master. It includes a small change by Johanna Amann to make it work with some odd X509 certificates that are transferred over RDP.

From: jira at bro-tracker.atlassian.net (Ted Llewellyn (JIRA))
Date: Mon, 30 Mar 2015 18:52:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

Ted Llewellyn created BIT-1361:
----------------------------------

             Summary: New installation of Bro crashes and core dumps with error indicating ssh/binpac
                 Key: BIT-1361
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1361
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.3
         Environment: Debian wheezy, Dell 1750 (dual 32-bit Xeon dual-core CPUs), capturing on one 100 meg mirrored switch port
            Reporter: Ted Llewellyn

diag results:

[BroControl] > diag
[bro]
Bro 2.3-633
Linux 3.2.0-4-686-pae
No gdb installed.
==== No reporter.log
==== stderr.log
listening on eth1, capture length 8192 bytes
bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed.
/usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted (core dumped) nohup "$mybro" "$@"
==== stdout.log
max memory size (kbytes, -m) unlimited
data seg size (kbytes, -d) unlimited
virtual memory (kbytes, -v) unlimited
core file size (blocks, -c) unlimited
==== .cmdline
-i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
==== .env_vars
PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
CLUSTER_NODE=
==== .status
RUNNING [net_run]
==== No prof.log
==== No packet_filter.log
==== No loaded_scripts.log
[BroControl] >

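The assertion quoted in the report above fires inside generated parser code when advancing past the 16-byte KEXINIT cookie runs beyond the end of the buffered data; for a passive monitor, aborting on odd input is itself the failure. As an added example that is neither Bro's nor BinPAC's code, here is a hand-written C parser for the SSH2 KEXINIT payload (RFC 4253) that checks the remaining length before every read and reports a truncated record as an incomplete parse rather than asserting; the function names and the constructed sample message are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* RFC 4253 7.1: SSH_MSG_KEXINIT (20), a 16-byte cookie, ten name-lists, a boolean, a reserved
 * uint32. RFC 4253 6.1 only obliges peers to accept packets up to 35000 bytes, so a longer
 * name-list cannot be legitimate; that bound is used here as a sanity cap. */
#define SSH_MSG_KEXINIT      20
#define KEXINIT_COOKIE_LEN   16
#define KEXINIT_NAME_LISTS   10
#define KEXINIT_MAX_LIST_LEN 35000u
typedef enum { KEX_OK = 0, KEX_INCOMPLETE = 1, KEX_MALFORMED = 2 } kex_status;

typedef struct {
    const uint8_t *cookie;                          /* points into the caller's buffer */
    const uint8_t *name_list[KEXINIT_NAME_LISTS];
    uint32_t       name_list_len[KEXINIT_NAME_LISTS];
} kexinit_t;

typedef struct { const uint8_t *p, *end; } cursor_t;

/* Remaining-length check: (end - p) >= n rather than p + n <= end, so a hostile
 * 32-bit length can never carry the pointer arithmetic past the buffer. */
static int have(const cursor_t *c, size_t n) { return (size_t)(c->end - c->p) >= n; }

static kex_status read_u32(cursor_t *c, uint32_t *out)
{
    if (!have(c, 4)) return KEX_INCOMPLETE;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8)  |  (uint32_t)c->p[3];
    c->p += 4;
    return KEX_OK;
}

/* Parse one KEXINIT payload from buf[0..len). Never asserts: a short buffer yields
 * KEX_INCOMPLETE (the caller waits for more data), an impossible value KEX_MALFORMED. */
kex_status parse_kexinit(const uint8_t *buf, size_t len, kexinit_t *out, size_t *consumed)
{
    cursor_t c = { buf, buf + len };
    memset(out, 0, sizeof *out);
    if (!have(&c, 1)) return KEX_INCOMPLETE;
    if (*c.p++ != SSH_MSG_KEXINIT) return KEX_MALFORMED;
    /* The step the asserting parser took on trust: the 16 cookie bytes must really be present. */
    if (!have(&c, KEXINIT_COOKIE_LEN)) return KEX_INCOMPLETE;
    out->cookie = c.p;
    c.p += KEXINIT_COOKIE_LEN;
    for (int i = 0; i < KEXINIT_NAME_LISTS; i++) {
        uint32_t n;
        kex_status s = read_u32(&c, &n);
        if (s != KEX_OK) return s;
        if (n > KEXINIT_MAX_LIST_LEN) return KEX_MALFORMED;
        if (!have(&c, n)) return KEX_INCOMPLETE;
        out->name_list[i] = c.p;
        out->name_list_len[i] = n;
        c.p += n;
    }
    if (!have(&c, 5)) return KEX_INCOMPLETE;   /* boolean first_kex_packet_follows + reserved */
    c.p += 5;
    *consumed = (size_t)(c.p - buf);
    return KEX_OK;
}

/* Constructed sample (not from a capture): one algorithm per list, empty language lists. */
static size_t build_sample(uint8_t out[256])
{
    static const char *lists[KEXINIT_NAME_LISTS] = {
        "curve25519-sha256", "ssh-ed25519", "aes128-ctr", "aes128-ctr",
        "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", "" };
    size_t off = 0;
    out[off++] = SSH_MSG_KEXINIT;
    memset(out + off, 0xAB, KEXINIT_COOKIE_LEN);
    off += KEXINIT_COOKIE_LEN;
    for (int i = 0; i < KEXINIT_NAME_LISTS; i++) {
        uint32_t n = (uint32_t)strlen(lists[i]);
        for (int b = 0; b < 4; b++) out[off++] = (uint8_t)(n >> (24 - 8 * b));
        memcpy(out + off, lists[i], n);
        off += n;
    }
    memset(out + off, 0, 5);        /* first_kex_packet_follows = false, reserved = 0 */
    return off + 5;
}

/* Every proper prefix of the sample must come back INCOMPLETE, and only the whole
 * 144-byte message OK with all of it consumed. Returns 1 when the parser behaves. */
int demo_truncation_is_recoverable(void)
{
    uint8_t msg[256]; kexinit_t k; size_t used = 0, n = build_sample(msg);
    for (size_t len = 0; len < n; len++)
        if (parse_kexinit(msg, len, &k, &used) != KEX_INCOMPLETE) return 0;
    if (parse_kexinit(msg, n, &k, &used) != KEX_OK || used != n) return 0;
    return k.name_list_len[0] == 17 && memcmp(k.name_list[0], "curve25519-sha256", 17) == 0;
}

/* A 0xFFFFFFFF first name-list length is rejected as malformed rather than trusted. */
kex_status demo_hostile_length(void)
{
    uint8_t msg[256]; kexinit_t k; size_t used = 0, n = build_sample(msg);
    memset(msg + 1 + KEXINIT_COOKIE_LEN, 0xFF, 4);
    return parse_kexinit(msg, n, &k, &used);
}
```

In a stream analyzer the KEX_INCOMPLETE result is the signal to keep buffering and retry once more bytes arrive, which is exactly the case a truncated or reordered capture produces.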
From: noreply at bro.org (Merge Tracker)
Date: Tue, 31 Mar 2015 00:00:23 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201503310700.t2V70NtB027300@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component   User         Updated     Title
-------  ----------  -----------  ----------  --------------------------------------------------------------------------
#29 [1]  bro         jshlbrd [2]  2015-03-25  Add PROXY-AUTHORIZATION header to http.log [3]
#28 [4]  bro         aeppert [5]  2015-03-20  Seems to fix a case where an entry in the table may be null on insert. [6]

[1] Pull Request #29  https://github.com/bro/bro/pull/29
[2] jshlbrd           https://github.com/jshlbrd
[3] Merge Pull Request #29 with git pull --no-ff --no-commit https://github.com/jshlbrd/bro.git patch-2
[4] Pull Request #28  https://github.com/bro/bro/pull/28
[5] aeppert           https://github.com/aeppert
[6] Merge Pull Request #28 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git master

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 31 Mar 2015 09:33:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

    [ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1361:
---------------------------

    Fix Version/s: 2.4

> New installation of Bro crashes and core dumps with error indicating ssh/binpac
> -------------------------------------------------------------------------------
>
>                 Key: BIT-1361
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1361
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>         Environment: Debian wheezy, Dell 1750 (dual 32-bit Xeon dual-core CPUs), capturing on one 100 meg mirrored switch port
>            Reporter: Ted Llewellyn
>              Labels: binpac, ssh
>             Fix For: 2.4
>
>
> diag results:
> [BroControl] > diag
> [bro]
> Bro 2.3-633
> Linux 3.2.0-4-686-pae
> No gdb installed.
> ==== No reporter.log
> ==== stderr.log
> listening on eth1, capture length 8192 bytes
> bro: /root/bro/build/src/analyzer/protocol/ssh/ssh_pac.cc:1382: int binpac::SSH::SSH2_KEXINIT::Parse(binpac::const_byteptr, binpac::const_byteptr, binpac::SSH::ContextSSH*, int): Assertion `t_dataptr_after_cookie <= t_end_of_data' failed.
> /usr/local/bro/share/broctl/scripts/run-bro: line 100: 10307 Aborted (core dumped) nohup "$mybro" "$@"
> ==== stdout.log
> max memory size (kbytes, -m) unlimited
> data seg size (kbytes, -d) unlimited
> virtual memory (kbytes, -v) unlimited
> core file size (blocks, -c) unlimited
> ==== .cmdline
> -i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
> ==== .env_vars
> PATH=/usr/local/bro/bin:/usr/local/bro/share/broctl/scripts:/usr/local/bro/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> BROPATH=/usr/local/bro/spool/installed-scripts-do-not-touch/site::/usr/local/bro/spool/installed-scripts-do-not-touch/auto:/usr/local/bro/share/bro:/usr/local/bro/share/bro/policy:/usr/local/bro/share/bro/site
> CLUSTER_NODE=
> ==== .status
> RUNNING [net_run]
> ==== No prof.log
> ==== No packet_filter.log
> ==== No loaded_scripts.log
> [BroControl] >

From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 31 Mar 2015 10:22:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1263) Implementing three event handlers for supported data structure in Modbus Analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20204#comment-20204 ]

Robin Sommer commented on BIT-1263:
-----------------------------------

Yeah, I would like to have test cases before merging this. Did you test the new messages in some form when you developed the code?

> Implementing three event handlers for supported data structure in Modbus Analyzer
> ---------------------------------------------------------------------------------
>
>                 Key: BIT-1263
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1263
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>            Reporter: hui
>            Priority: Low
>              Labels: analyzer, modbus
>             Fix For: 2.4
>
>
> Three support data structures are defined in Modbus analyzer:
> FileRecordRequest,
> FileRecordResponse,
> ReferenceWithData
> Three event handlers are declared for them.
> The changes are already made and pushed into the branch:
> topic/hui/modbus-events2
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 31 Mar 2015 10:55:01 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1360) Better error message when SpoolDir does not exist

[ https://bro-tracker.atlassian.net/browse/BIT-1360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1360:
----------------------------------

    Assignee: Daniel Thayer

> Better error message when SpoolDir does not exist
> -------------------------------------------------
>
>                 Key: BIT-1360
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1360
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Daniel Thayer
>            Priority: Low
>             Fix For: 2.4
>
>
> Currently, the error message that is given when SpoolDir in broctl.cfg does not exist is rather unhelpful (something in the direction of "Cannot open database").
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 31 Mar 2015 10:57:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1329) BroControl scripts displays meta-information from bro logger

[ https://bro-tracker.atlassian.net/browse/BIT-1329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1329:
----------------------------------

    Assignee: Daniel Thayer

> BroControl scripts displays meta-information from bro logger
> ------------------------------------------------------------
>
>                 Key: BIT-1329
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1329
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>            Assignee: Daniel Thayer
>             Fix For: 2.4
>
>
> When issuing a broctl scripts, the output contains meta bro-log-lines (like #fields, etc) that we probably do not want to display in this case.
> Example:
> {code}
> [BroControl] > scripts manager
> manager scripts are ok.
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path loaded_scripts
> #open 2015-03-05-13-24-34
> #fields name
> #types string
> /xa/bro/master/share/bro/base/init-bare.bro
> /xa/bro/master/share/bro/base/bif/const.bif.bro
> ...
> /xa/bro/master/share/bro/broctl/check.bro
> #close 2015-03-05-13-24-34
> {code}
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 31 Mar 2015 11:16:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20205#comment-20205 ]

Jon Siwek commented on BIT-1361:
--------------------------------

I have a pcap that reproduces this; if anyone wants it, let me know. I also started looking at fixing the problem this morning and have a general idea what BinPAC does wrong, but not certain yet what change to do to the code gen.
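The assertion in the quoted stderr.log names the step that failed: `t_dataptr_after_cookie <= t_end_of_data`, meaning the generated SSH2_KEXINIT parser found that the 16-byte cookie ran past the end of the data it had and aborted the whole process. As an added illustration (this is not Bro's or BinPAC's code and does not reproduce Jon's fix), the C++ below parses the same message with every read bounds-checked, so a short or truncated buffer yields a status the caller can act on instead of a core dump. The sample payload is constructed here, and the 64 KiB name-list cap is an assumption of the example, not an SSH constant.

```cpp
// Added example (not Bro or BinPAC code): a bounds-checked parser for the SSH2
// KEXINIT payload (RFC 4253, section 7.1). Where the generated parser in the
// report aborts on an assertion, this one returns a status the caller can act on.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

enum class ParseStatus { Ok, NeedMoreData, Malformed };

struct KexInit {
    uint8_t cookie[16] = {0};
    std::vector<std::string> kex_algorithms;  // first of the ten name-lists
};

// Cursor over a byte buffer that never hands out bytes past the end.
struct Cursor {
    const uint8_t* data; size_t len; size_t pos;
    bool take(size_t n, const uint8_t*& out) {
        if (len - pos < n) return false;  // the check the assertion stood in for
        out = data + pos; pos += n; return true;
    }
};

static bool read_u32(Cursor& c, uint32_t& v) {
    const uint8_t* p;
    if (!c.take(4, p)) return false;
    v = (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | uint32_t(p[3]);
    return true;
}

// Sanity bound chosen for this example (not an SSH constant): a longer name-list is
// malformed rather than "keep buffering", so a bogus length cannot force unbounded buffering.
static const uint32_t kMaxNameListLen = 65535;

// One RFC 4251 name-list: uint32 length, then comma-separated names.
static ParseStatus read_name_list(Cursor& c, std::vector<std::string>& out) {
    uint32_t n;
    if (!read_u32(c, n)) return ParseStatus::NeedMoreData;
    if (n > kMaxNameListLen) return ParseStatus::Malformed;
    const uint8_t* p;
    if (!c.take(n, p)) return ParseStatus::NeedMoreData;
    std::string list(reinterpret_cast<const char*>(p), n);
    for (size_t start = 0; start < list.size();) {
        size_t comma = list.find(',', start);
        if (comma == std::string::npos) comma = list.size();
        out.push_back(list.substr(start, comma - start));
        start = comma + 1;
    }
    return ParseStatus::Ok;
}

ParseStatus parse_kexinit(const uint8_t* data, size_t len, KexInit& out) {
    Cursor c{data, len, 0};
    const uint8_t* p;
    if (!c.take(1, p)) return ParseStatus::NeedMoreData;
    if (*p != 20) return ParseStatus::Malformed;      // 20 = SSH_MSG_KEXINIT
    // The reported assertion fired at this step: the 16-byte cookie did not fit
    // in the data at hand. A status, not an abort, is the right answer here.
    if (!c.take(16, p)) return ParseStatus::NeedMoreData;
    std::memcpy(out.cookie, p, 16);
    std::vector<std::string> scratch;
    for (int i = 0; i < 10; ++i) {                     // ten name-lists follow the cookie
        std::vector<std::string>& dst = (i == 0) ? out.kex_algorithms : scratch;
        dst.clear();
        ParseStatus s = read_name_list(c, dst);
        if (s != ParseStatus::Ok) return s;
    }
    // first_kex_packet_follows (1 byte) and reserved (uint32) close the message.
    if (!c.take(5, p)) return ParseStatus::NeedMoreData;
    return ParseStatus::Ok;
}

// Constructed sample input (not taken from the reporter's traffic).
static void put_name_list(std::vector<uint8_t>& buf, const std::string& s) {
    uint32_t n = uint32_t(s.size());
    for (int shift = 24; shift >= 0; shift -= 8) buf.push_back(uint8_t(n >> shift));
    buf.insert(buf.end(), s.begin(), s.end());
}

std::vector<uint8_t> build_sample_kexinit() {
    std::vector<uint8_t> buf;
    buf.push_back(20);
    for (int i = 0; i < 16; ++i) buf.push_back(uint8_t(0xA0 + i));  // cookie
    put_name_list(buf, "curve25519-sha256,diffie-hellman-group14-sha256");
    put_name_list(buf, "ssh-ed25519,rsa-sha2-256");
    for (int i = 0; i < 8; ++i) put_name_list(buf, "");             // other lists left empty
    for (int i = 0; i < 5; ++i) buf.push_back(0);                    // first_kex_packet_follows + reserved
    return buf;
}

// Parses only the first n bytes of the sample, as a stream reader would see them.
ParseStatus parse_sample_prefix(size_t n) {
    std::vector<uint8_t> buf = build_sample_kexinit();
    if (n > buf.size()) n = buf.size();
    KexInit k;
    return parse_kexinit(buf.data(), n, k);
}

// Same sample with its message type byte replaced.
ParseStatus parse_sample_with_type(uint8_t msg_type) {
    std::vector<uint8_t> buf = build_sample_kexinit();
    buf[0] = msg_type;
    KexInit k;
    return parse_kexinit(buf.data(), buf.size(), k);
}

size_t sample_kex_algorithm_count() {
    std::vector<uint8_t> buf = build_sample_kexinit();
    KexInit k;
    return parse_kexinit(buf.data(), buf.size(), k) == ParseStatus::Ok ? k.kex_algorithms.size() : 0;
}
```

`parse_sample_prefix(10)` stops inside the cookie and reports `NeedMoreData`, which is the situation that produced the abort in the report; a reassembling caller would simply wait for the next segment. The distinction between `NeedMoreData` and `Malformed` matters for a passive analyzer: the first keeps buffering, the second drops the analyzer for that connection without affecting any other traffic.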
From: jira at bro-tracker.atlassian.net (Ted Llewellyn (JIRA))
Date: Tue, 31 Mar 2015 11:35:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Llewellyn updated BIT-1361:
-------------------------------

    Attachment: bro-bt-033115.txt
From: jira at bro-tracker.atlassian.net (Ted Llewellyn (JIRA))
Date: Tue, 31 Mar 2015 11:38:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20206#comment-20206 ]

Ted Llewellyn commented on BIT-1361:
------------------------------------

I have attached a backtrace from 3/31/215.

From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 31 Mar 2015 13:45:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4

Daniel Thayer created BIT-1362:
----------------------------------

             Summary: topic/dnthayer/fixes-for-2.4
                 Key: BIT-1362
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1362
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BroControl
            Reporter: Daniel Thayer
             Fix For: 2.4
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 31 Mar 2015 13:48:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4

[ https://bro-tracker.atlassian.net/browse/BIT-1362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1362:
-------------------------------

    Description: The branch topic/dnthayer/fixes-for-2.4 contains fixes that address BIT-1360, 1355, 1349, 1329, and 631, as well as various other fixes and improvements.

> topic/dnthayer/fixes-for-2.4
> ----------------------------
>
>                 Key: BIT-1362
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1362
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>             Fix For: 2.4
>
>
> The branch topic/dnthayer/fixes-for-2.4 contains fixes that address
> BIT-1360, 1355, 1349, 1329, and 631, as well as various other fixes
> and improvements.
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 31 Mar 2015 13:49:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1362) topic/dnthayer/fixes-for-2.4

[ https://bro-tracker.atlassian.net/browse/BIT-1362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1362:
-------------------------------

    Status: Merge Request  (was: Open)
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Tue, 31 Mar 2015 14:17:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20207#comment-20207 ]

Jon Siwek commented on BIT-1361:
--------------------------------

Ted, want to give the following patch a try?

https://github.com/bro/binpac/commit/47333b9be514aeb7c1f8c1463dc40f0157181f60

This is in the topic/jsiwek/bit-1361 branch of the binpac git repository.
From: jira at bro-tracker.atlassian.net (Michal Purzynski (JIRA))
Date: Tue, 31 Mar 2015 14:32:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1363) Clustered AF_PACKET support

Michal Purzynski created BIT-1363:
-------------------------------------

             Summary: Clustered AF_PACKET support
                 Key: BIT-1363
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1363
             Project: Bro Issue Tracker
          Issue Type: New Feature
          Components: Bro
    Affects Versions: git/master
            Reporter: Michal Purzynski

Let's have support for packet capture with AF_PACKET sockets in a multi-worker configuration. Bro can use a single worker with af_packet (I have tested it and it works), but having direct support for multi-worker load balancing would allow avoiding pf_ring for many deployments with traffic levels where DNA / ZC / Myricom / DAG is not required.
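As an added illustration of what multi-worker AF_PACKET capture looks like at the socket level (example code, not Bro's and not any Bro plugin's), the C++ below opens one AF_PACKET socket per worker on the same interface and joins all of them to one PACKET_FANOUT group in hash mode, so the kernel spreads frames across the members while keeping every frame of a given flow on the same member. The interface name defaults to eth1 (the capture interface in the BIT-1361 report) and the group id 42 is an arbitrary value chosen here.

```cpp
// Added example (not Bro code): kernel-side load balancing of AF_PACKET capture
// across several worker sockets with PACKET_FANOUT. Linux-only.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <unistd.h>
#include <net/if.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

// PACKET_FANOUT takes one int: the group id in the low 16 bits, the fanout
// mode plus flags in the high 16 bits (see packet(7)).
uint32_t fanout_arg(uint16_t group_id, uint16_t mode_and_flags) {
    return uint32_t(group_id) | (uint32_t(mode_and_flags) << 16);
}

// Opens one worker's raw socket bound to ifname and joins fanout group group_id.
// Returns the descriptor, or -1 with errno set. Creating the socket needs CAP_NET_RAW.
int open_fanout_worker(const char* ifname, uint16_t group_id) {
    unsigned ifindex = if_nametoindex(ifname);
    if (ifindex == 0) return -1;                        // unknown interface, errno = ENODEV
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    struct sockaddr_ll sll;
    std::memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = int(ifindex);
    if (bind(fd, reinterpret_cast<struct sockaddr*>(&sll), sizeof sll) < 0) { close(fd); return -1; }
    // Hash mode keeps a flow on one member; the defrag flag reassembles IP
    // fragments before hashing so all fragments of a datagram land together.
    int arg = int(fanout_arg(group_id, PACKET_FANOUT_HASH | PACKET_FANOUT_FLAG_DEFRAG));
    if (setsockopt(fd, SOL_PACKET, PACKET_FANOUT, &arg, sizeof arg) < 0) { close(fd); return -1; }
    return fd;
}

// Each worker process would loop on its own descriptor like this.
ssize_t read_frame(int fd, uint8_t* buf, size_t buflen) {
    return recv(fd, buf, buflen, 0);
}

int main(int argc, char** argv) {
    const char* ifname = argc > 1 ? argv[1] : "eth1";  // eth1: the interface in the report
    const int kWorkers = 4;
    int fds[kWorkers];
    for (int i = 0; i < kWorkers; ++i) {
        fds[i] = open_fanout_worker(ifname, 42);        // 42: arbitrary group id chosen here
        if (fds[i] < 0) { std::perror("open_fanout_worker"); return 1; }
        std::printf("worker %d joined fanout group 42 on %s (fd %d)\n", i, ifname, fds[i]);
    }
    for (int i = 0; i < kWorkers; ++i) close(fds[i]);
    return 0;
}
```

Only `fanout_arg` and the unknown-interface error path run unprivileged; the rest needs CAP_NET_RAW and a real interface. Whether the kernel's fanout hash is symmetric (both directions of a connection hashed to the same worker) depends on the kernel version, so check that on the deployment kernel before relying on it for a per-connection analyzer, and size the group to the number of workers actually started, since a member that never reads its socket still receives its share of the frames.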
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 31 Mar 2015 17:05:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

Johanna Amann created BIT-1364:
----------------------------------

             Summary: Bro does not attach UDP analyzers when signature matches after first packet
                 Key: BIT-1364
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1364
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Johanna Amann
             Fix For: 2.4
         Attachments: f1.pcap, f2.pcap

At the moment, Bro only seems to attach UDP analyzers based on signatures if the very first UDP packet matches the signature. Even if later UDP packets match the signature, the analyzer is not attached.

The attachments contain a test case. f1.pcap contains a DTLS connection with a few STUN packets that are sent first, which is not recognized as DTLS. f2.pcap contains the same connection with the first few packets missing.

It would probably be nice if one could at least opt to attach analyzers at a later time too, if a signature matches. (I know that 2.4 is probably a bit optimistic for this).
From: jira at bro-tracker.atlassian.net (Ted Llewellyn (JIRA))
Date: Tue, 31 Mar 2015 17:43:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Llewellyn updated BIT-1361:
-------------------------------

Hmmm, that URL is giving me a 403 error when I try to "git clone" it. It didn't ask me for credentials and I'm using 1.7.10.4, so I'm not sure why.

Ted Llewellyn
Sr. Network Planning Engineer
VoIP Engineering
Frontier Communications
120 Plymouth Ave. N.
Rochester, NY 14608
585-413-9743
From: jira at bro-tracker.atlassian.net (Ted Llewellyn (JIRA))
Date: Tue, 31 Mar 2015 19:02:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ted Llewellyn updated BIT-1361:
-------------------------------

Never mind, I got it. I'm rebuilding now.

Ted
From: jira at bro-tracker.atlassian.net (Ted Llewellyn (JIRA))
Date: Tue, 31 Mar 2015 20:09:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20210#comment-20210 ]

Ted Llewellyn commented on BIT-1361:
------------------------------------

I have rebuilt with Jon's patch for binpac and it's running. Other than not crashing is there anything about the install I should check or output I could send in?

Ted
From: jira at bro-tracker.atlassian.net (Ted Llewellyn (JIRA))
Date: Tue, 31 Mar 2015 20:10:00 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1361) New installation of Bro crashes and core dumps with error indicating ssh/binpac

[ https://bro-tracker.atlassian.net/browse/BIT-1361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20208#comment-20208 ]

Ted Llewellyn edited comment on BIT-1361 at 3/31/15 8:09 PM:
-------------------------------------------------------------

Hmmm, that URL is giving me a 403 error when I try to "git clone" it. It didn't ask me for credentials and I'm using 1.7.10.4, so I'm not sure why.

Ted Llewellyn

was (Author: llewell):
Hmmm, that URL is giving me a 403 error when I try to "git clone" it. It didn't ask me for credentials and I'm using 1.7.10.4, so I'm not sure why.

Ted Llewellyn
Sr. Network Planning Engineer
VoIP Engineering
Frontier Communications
120 Plymouth Ave. N.
Rochester, NY 14608
585-413-9743