From noreply at bro.org Sun Nov 1 00:00:23 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 1 Nov 2015 00:00:23 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511010700.tA170Nx5004349@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority   Summary
------------  -----------  -------------  ------------  ----------  -------------  ---------  -----------------------------
BIT-1489 [1]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal     topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [3]  bro          albertzaharovits [4]  2015-10-26  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#1 [6]   broctl       J-Gras [7]            2015-10-24  Added support for Pcap options [8]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Mon Nov 2 00:00:32 2015
From: noreply at bro.org (Merge Tracker)
Date: Mon, 2 Nov 2015 00:00:32 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511020800.tA280W8N025853@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority   Summary
------------  -----------  -------------  ------------  ----------  -------------  ---------  -----------------------------
BIT-1489 [1]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal     topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [3]  bro          albertzaharovits [4]  2015-10-26  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#1 [6]   broctl       J-Gras [7]            2015-10-24  Added support for Pcap options [8]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Mon Nov 2 11:38:00 2015
From: jira at bro-tracker.atlassian.net (Mark Fernandez (JIRA))
Date: Mon, 2 Nov 2015 13:38:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1

Mark Fernandez created BIT-1500:
-----------------------------------

             Summary: BinPAC Call to FlowBuffer::NewFrame with frame_length -1
                 Key: BIT-1500
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1500
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BinPAC
    Affects Versions: 2.4
            Reporter: Mark Fernandez
         Attachments: test.pac

I am creating a protocol analyzer using BinPAC. I created a type record for chunked data, very similar to HTTP chunked data. The auto-generated C++ code does not parse the chunked data correctly. I tracked it down to the ParseBuffer code where there is a combination of calls to FlowBuffer::NewFrame and soon thereafter a condition check against FlowBuffer::ready(). The call to NewFrame passes '-1' as the frame_length value. NewFrame calls FlowBuffer::MarkOrCopyFrame, and because the frame_length is set to -1, MarkOrCopyFrame sets message_complete_ to false. Therefore, when FlowBuffer::ready() is called, it returns message_complete_, which is false, and then ParseBuffer exits via 'goto need_more_data' without ever parsing the chunked data. This is very frustrating. Please review and let me know what you think.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Mon Nov 2 12:39:00 2015
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Mon, 2 Nov 2015 14:39:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1

    [ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22800#comment-22800 ]

Vlad Grigorescu commented on BIT-1500:
--------------------------------------

I've run into some similar weirdness, which is usually solved by creating a new record type for the element in question. Try:

    # BinPAC record fields are declared with ':' (the original note had '=' here)
    type my_chunk = record {
        data : bytestring &restofdata;
    };

    type TEST_chunk = record {
        ...
        chunk_data : my_chunk &length=chunk_length;
        ...
    };

> BinPAC Call to FlowBuffer::NewFrame with frame_length -1
> --------------------------------------------------------
>
>                 Key: BIT-1500
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1500
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC
>    Affects Versions: 2.4
>            Reporter: Mark Fernandez
>              Labels: analyzer
>         Attachments: test.pac
>
>
> I am creating a protocol analyzer using BinPAC. I created a type record for chunked data, very similar to HTTP chunked data. The auto-generated C++ code does not parse the chunked data correctly. I tracked it down to the ParseBuffer code where there is a combination of calls to FlowBuffer::NewFrame and soon thereafter a condition check against FlowBuffer::ready(). The call to NewFrame passes '-1' as the frame_length value. NewFrame calls FlowBuffer::MarkOrCopyFrame, and because the frame_length is set to -1, MarkOrCopyFrame sets message_complete_ to false. Therefore, when FlowBuffer::ready() is called, it returns message_complete_, which is false, and then ParseBuffer exits via 'goto need_more_data' without ever parsing the chunked data. This is very frustrating. Please review and let me know what you think.
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Mon Nov 2 17:35:00 2015
From: jira at bro-tracker.atlassian.net (David Smith (JIRA))
Date: Mon, 2 Nov 2015 19:35:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1501) smb_com_tree_connect_andx event not receiving correct parameters from analyzer

David Smith created BIT-1501:
--------------------------------

             Summary: smb_com_tree_connect_andx event not receiving correct parameters from analyzer
                 Key: BIT-1501
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1501
             Project: Bro Issue Tracker
          Issue Type: Patch
          Components: Bro
    Affects Versions: 2.4
            Reporter: David Smith
            Priority: Low
         Attachments: smb.patch

    smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string)

in SMB.cc: SMB_Session::ParseTreeConnectAndx

The C++ function tries to pass a record as the third argument to the event and doesn't pass the fourth at all. Instead it should simply pass two strings for the third and fourth arguments.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From noreply at bro.org Tue Nov 3 00:00:29 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 3 Nov 2015 00:00:29 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511030800.tA380TKC028461@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority   Summary
------------  -----------  -------------  ------------  ----------  -------------  ---------  -----------------------------
BIT-1489 [1]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal     topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [3]  bro          albertzaharovits [4]  2015-10-26  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#1 [6]   broctl       J-Gras [7]            2015-10-24  Added support for Pcap options [8]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Tue Nov 3 07:52:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Tue, 3 Nov 2015 09:52:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1501) smb_com_tree_connect_andx event not receiving correct parameters from analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-1501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1501:
---------------------------

    Resolution: Rejected
        Status: Closed  (was: Open)

Unfortunately that code you've patched is wildly out of date. The SMB analyzer is not finished yet, but has been wildly rewritten and updated by Broala. The current state can be found in topic/vladg/smb.

> smb_com_tree_connect_andx event not receiving correct parameters from analyzer
> ------------------------------------------------------------------------------
>
>                 Key: BIT-1501
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1501
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: David Smith
>            Priority: Low
>         Attachments: smb.patch
>
>
> smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string)
>
> in SMB.cc: SMB_Session::ParseTreeConnectAndx
>
> the C++ function tries to pass a record as the third argument to the event and doesn't pass the fourth at all. instead it should simply pass two strings for the third and fourth arguments.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Tue Nov 3 09:45:00 2015
From: jira at bro-tracker.atlassian.net (David Smith (JIRA))
Date: Tue, 3 Nov 2015 11:45:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1501) smb_com_tree_connect_andx event not receiving correct parameters from analyzer

    [ https://bro-tracker.atlassian.net/browse/BIT-1501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22802#comment-22802 ]

David Smith commented on BIT-1501:
----------------------------------

cool. thanks. i noticed the code was ~3 years old. i'll check out top/vladg/smb.

> smb_com_tree_connect_andx event not receiving correct parameters from analyzer
> ------------------------------------------------------------------------------
>
>                 Key: BIT-1501
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1501
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: David Smith
>            Priority: Low
>         Attachments: smb.patch
>
>
> smb_com_tree_connect_andx(c: connection, hdr: smb_hdr, path: string, service: string)
>
> in SMB.cc: SMB_Session::ParseTreeConnectAndx
>
> the C++ function tries to pass a record as the third argument to the event and doesn't pass the fourth at all. instead it should simply pass two strings for the third and fourth arguments.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From noreply at bro.org Wed Nov 4 00:00:32 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 4 Nov 2015 00:00:32 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511040800.tA480WdT031385@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee      Updated     For Version    Priority   Summary
------------  -----------  -------------  ------------  ----------  -------------  ---------  -----------------------------
BIT-1489 [1]  BroControl   Daniel Thayer  Justin Azoff  2015-10-07  2.5            Normal     topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue    Component    User                  Updated     Title
-------  -----------  --------------------  ----------  ------------------------------------------------------------------------
#46 [3]  bro          albertzaharovits [4]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#1 [6]   broctl       J-Gras [7]            2015-10-24  Added support for Pcap options [8]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Wed Nov 4 08:15:00 2015
From: jira at bro-tracker.atlassian.net (Gavin Spearhead (JIRA))
Date: Wed, 4 Nov 2015 10:15:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

Gavin Spearhead created BIT-1502:
------------------------------------

             Summary: X509 doesn't log all certificates
                 Key: BIT-1502
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
         Environment: test setup
            Reporter: Gavin Spearhead

I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.

E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Wed Nov 4 09:11:00 2015
From: jira at bro-tracker.atlassian.net (dop (JIRA))
Date: Wed, 4 Nov 2015 11:11:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1503) vlan-logging.bro assumes c$conn exists

dop created BIT-1503:
------------------------

             Summary: vlan-logging.bro assumes c$conn exists
                 Key: BIT-1503
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1503
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
         Environment: git/master, CentOS 7, vlan tagged pcap.
            Reporter: dop

policy/protocols/conn/vlan-logging.bro

When testing against random pcaps you'll get tons of errors like:

    1446562801.530502 expression error in /usr/local/bro/share/bro/policy/protocols/conn/vlan-logging.bro, line 21: field value missing [Conn::c$conn]

Adding a c?$conn condition removes that annoyance.

-Dop

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Wed Nov 4 10:30:00 2015
From: jira at bro-tracker.atlassian.net (Mark Fernandez (JIRA))
Date: Wed, 4 Nov 2015 12:30:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1

    [ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22803#comment-22803 ]

Mark Fernandez commented on BIT-1500:
-------------------------------------

Yes, that solved the problem. By creating a separate record, the auto-generated C++ code now calls FlowBuffer::NewFrame with a zero instead of -1. Now the call to FlowBuffer::ready() returns successfully, and the ParseBuffer code actually parses the Chunk buffer. Thank you for your help!

> BinPAC Call to FlowBuffer::NewFrame with frame_length -1
> --------------------------------------------------------
>
>                 Key: BIT-1500
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1500
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BinPAC
>    Affects Versions: 2.4
>            Reporter: Mark Fernandez
>              Labels: analyzer
>         Attachments: test.pac
>
>
> I am creating a protocol analyzer using BinPAC. I created a type record for chunked data, very similar to HTTP chunked data. The auto-generated C++ code does not parse the chunked data correctly. I tracked it down to the ParseBuffer code where there is a combination of calls to FlowBuffer::NewFrame and soon thereafter a condition check against FlowBuffer::ready(). The call to NewFrame passes '-1' as the frame_length value. NewFrame calls FlowBuffer::MarkOrCopyFrame, and because the frame_length is set to -1, MarkOrCopyFrame sets message_complete_ to false. Therefore, when FlowBuffer::ready() is called, it returns message_complete_, which is false, and then ParseBuffer exits via 'goto need_more_data' without ever parsing the chunked data. This is very frustrating. Please review and let me know what you think.
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Wed Nov 4 10:37:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 4 Nov 2015 12:37:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1503) vlan-logging.bro assumes c$conn exists

    [ https://bro-tracker.atlassian.net/browse/BIT-1503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22804#comment-22804 ]

Daniel Thayer commented on BIT-1503:
------------------------------------

Rather than adding a c?$conn condition (which could prevent the vlan info from being logged), you could just remove the &priority attribute on the event handler. This would ensure that the "conn" field is initialized before the vlan info is added.

> vlan-logging.bro assumes c$conn exists
> --------------------------------------
>
>                 Key: BIT-1503
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1503
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>         Environment: git/master, CentOS 7, vlan tagged pcap.
>            Reporter: dop
>              Labels: vlan
>
> policy/protocols/conn/vlan-logging.bro
>
> When testing against random pcaps you'll get tons of errors like:
>
> 1446562801.530502 expression error in /usr/local/bro/share/bro/policy/protocols/conn/vlan-logging.bro, line 21: field value missing [Conn::c$conn]
>
> Adding a c?$conn condition removes that annoyance.
>
> -Dop

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From j.paulovic at gmail.com Wed Nov 4 14:03:45 2015
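To make the framing behaviour in the BIT-1500 thread above concrete, here is an added example. It is not code from Bro, BinPAC or the ticket's test.pac, but a simplified Python model of a frame buffer that is only ready() once the current frame is complete, fed a constructed stream of length-prefixed chunks in 5-byte pieces. In the model, opening a payload frame with an unknown length (None here stands in for the -1 in the report; treating "unknown length" as "complete only at end of flow" is an assumption about the behaviour described, not a port of binpac's FlowBuffer) means no chunk is parsed while data is still arriving, and at end of flow everything left is handed back as one undelimited blob. Opening the payload frame with the length taken from the chunk header, which is what wrapping &restofdata in its own record with &length achieves in the grammar Vlad suggests, delivers each chunk as soon as its bytes are in.

```python
"""Added example, not binpac's FlowBuffer or the ticket's test.pac: a simplified
model of incremental framing, fed a constructed stream of length-prefixed chunks."""
import struct


class FlowBuffer:
    """Buffers a byte stream and reports ready() once the current frame is complete.
    frame_length None stands in for the -1 in the report: 'length unknown', which
    in this model only completes at end of flow (assumption, not binpac's code)."""

    def __init__(self):
        self._data = bytearray()
        self._frame_length = None
        self._complete = False
        self._eof = False

    def new_frame(self, frame_length):
        self._frame_length = frame_length
        self._update()

    def new_data(self, piece):
        self._data += piece
        self._update()

    def end_of_flow(self):
        self._eof = True
        self._update()

    def _update(self):
        if self._frame_length is None:
            self._complete = self._eof                  # unknown length: wait for EOF
        else:
            self._complete = len(self._data) >= self._frame_length

    def ready(self):
        return self._complete

    def take(self):
        # Hand back the current frame: exactly frame_length bytes, or everything
        # buffered when the length is unknown.
        n = len(self._data) if self._frame_length is None else self._frame_length
        frame = bytes(self._data[:n])
        del self._data[:n]
        self._complete = False
        return frame


class ChunkParser:
    """Chunks are a uint32 big-endian length followed by the payload; a zero length
    ends the stream. explicit_length=True opens each payload frame with the header's
    length; False opens it as 'rest of data', the shape that failed in the report."""

    def __init__(self, explicit_length=True):
        self.explicit = explicit_length
        self.fb = FlowBuffer()
        self.chunks = []
        self.state = "len"
        self.fb.new_frame(4)

    def feed(self, piece):
        self.fb.new_data(piece)
        self._drain()

    def end_of_flow(self):
        self.fb.end_of_flow()
        self._drain()

    def _drain(self):
        # Mirrors the ParseBuffer loop: parse only while the buffer says it is ready,
        # otherwise fall out and wait for more data.
        while self.state != "done" and self.fb.ready():
            if self.state == "len":
                (n,) = struct.unpack("!I", self.fb.take())
                if n == 0:
                    self.state = "done"
                    break
                self.fb.new_frame(n if self.explicit else None)
                self.state = "data"
            else:
                self.chunks.append(self.fb.take())
                self.fb.new_frame(4)
                self.state = "len"


def build_stream(payloads):
    """Constructed sample input: [len][payload]... terminated by a zero length."""
    return b"".join(struct.pack("!I", len(p)) + p for p in payloads) + struct.pack("!I", 0)


def parse_in_pieces(explicit_length, stream, piece_size=5):
    """Feed the stream piece by piece; return the chunk count seen after each piece
    and the final chunk list after end of flow."""
    parser = ChunkParser(explicit_length)
    progress = []
    for i in range(0, len(stream), piece_size):
        parser.feed(stream[i:i + piece_size])
        progress.append(len(parser.chunks))
    parser.end_of_flow()
    return progress, parser.chunks


if __name__ == "__main__":
    s = build_stream([b"GET /", b"HTTP/1.1", b"abc"])
    print(parse_in_pieces(True, s))    # chunks appear as their bytes arrive
    print(parse_in_pieces(False, s))   # nothing until EOF, then one undelimited blob
```

With explicit lengths the parser emits the three chunks while the stream is still arriving; with the unknown-length frame it emits nothing until end of flow and then one blob containing all remaining bytes, including the later length prefixes, which is the symptom the report describes from the analyzer's point of view.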
From: j.paulovic at gmail.com (Jakub S. Paulovic)
Date: Wed, 4 Nov 2015 23:03:45 +0100
Subject: [Bro-Dev] Multiple logs in one SQLite database

Hello,

I am trying to set up Bro to log all the events to a SQLite database. In my local.bro file, I have added an event bro_init() with filters specifying the writer to be WRITER_SQLITE like this:

    local filter_conn: Log::Filter =
        [
        $name="sqlite",
        $path="/var/db/conn",
        $config=table(["tablename"] = "conn"),
        $writer=Log::WRITER_SQLITE
        ];

    Log::add_filter(Conn::LOG, filter_conn);

    local filter_notice: Log::Filter =
        [
        $name="sqlite",
        $path="/var/db/conn",
        $config=table(["tablename"] = "notice"),
        $writer=Log::WRITER_SQLITE
        ];

    Log::add_filter(Notice::LOG, filter_notice);

    ... + other filters for http, dhcp and weird set accordingly.

I want the logs to be written to separate tables in one SQLite database. However, when I run bro with this configuration, I almost immediately get SQLite errors:

    error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: SQLite call failed: database is locked
    error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: terminating thread

After that, nothing else is written to the affected table. Could you please suggest what I should do to achieve logging to one database with multiple tables?

Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20151104/6640d95c/attachment.html

From jira at bro-tracker.atlassian.net Wed Nov 4 15:07:01 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 4 Nov 2015 17:07:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

    [ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1502:
----------------------------------

    Assignee: Johanna Amann

> X509 doesn't log all certificates
> ---------------------------------
>
>                 Key: BIT-1502
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: test setup
>            Reporter: Gavin Spearhead
>            Assignee: Johanna Amann
>              Labels: ssl
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
>
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Wed Nov 4 15:33:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 4 Nov 2015 17:33:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

    [ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22805#comment-22805 ]

Johanna Amann commented on BIT-1502:
------------------------------------

Hi,

I just tried this and I cannot reproduce the issue --- certificates, e.g. for facebook.com, seem to show up fine for me. Could you please attach a trace that shows the issue to this ticket (or send it to me at johanna at bro.org)?

Thanks,
Johanna

> X509 doesn't log all certificates
> ---------------------------------
>
>                 Key: BIT-1502
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: test setup
>            Reporter: Gavin Spearhead
>            Assignee: Johanna Amann
>              Labels: ssl
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
>
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Wed Nov 4 15:35:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 4 Nov 2015 17:35:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

    [ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1502:
-------------------------------

    Fix Version/s: 2.5

> X509 doesn't log all certificates
> ---------------------------------
>
>                 Key: BIT-1502
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: test setup
>            Reporter: Gavin Spearhead
>            Assignee: Johanna Amann
>              Labels: ssl
>             Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
>
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Wed Nov 4 15:41:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 4 Nov 2015 17:41:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1503) vlan-logging.bro assumes c$conn exists

    [ https://bro-tracker.atlassian.net/browse/BIT-1503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1503:
-------------------------------

    Fix Version/s: 2.5

> vlan-logging.bro assumes c$conn exists
> --------------------------------------
>
>                 Key: BIT-1503
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1503
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>         Environment: git/master, CentOS 7, vlan tagged pcap.
>            Reporter: dop
>              Labels: vlan
>             Fix For: 2.5
>
>
> policy/protocols/conn/vlan-logging.bro
>
> When testing against random pcaps you'll get tons of errors like:
>
> 1446562801.530502 expression error in /usr/local/bro/share/bro/policy/protocols/conn/vlan-logging.bro, line 21: field value missing [Conn::c$conn]
>
> Adding a c?$conn condition removes that annoyance.
>
> -Dop

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Wed Nov 4 15:41:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 4 Nov 2015 17:41:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL

    [ https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1499:
-------------------------------

    Fix Version/s: 2.5

> Updates for newer version of OpenSSL/LibreSSL
> ---------------------------------------------
>
>                 Key: BIT-1499
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1499
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro, Broccoli
>    Affects Versions: git/master
>            Reporter: Seth Hall
>             Fix For: 2.5
>
>         Attachments: patch-aux_broccoli_src_bro__openssl.c, patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
>
> {quote}Currently bro fails to build when openssl libraries have been built without SSLv3 (configure --no-ssl2 --nossl3). This has surfaced when building with the latest LibreSSL 2.3.
>
> Attached patches address all these issues. These can be improved upon by using only SSLv23_ methods or even TLS_ methods and setting SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've tried to make the patches minimally intrusive. OpenSSL 1.1.0 will deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
>
> The patches are attached. Fortunately all of this code is slated to be removed but it does introduce the question how we manage this moving forward. I'd like to avoid having to add compiler directives to use alternate implementations and detect which version of OpenSSL someone has installed.
>
> Alternately, what does everyone think about deprecating the existing communication mechanism by making it a configure-time option? We can just not compile those by default which means that almost everyone would just see everything work correctly and our effort would be minimal. People that need the existing built in communication still can deal with the complications of compiling Bro with the option and having the correct version of OpenSSL.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From johanna at icir.org Wed Nov 4 15:43:20 2015
From: johanna at icir.org (Johanna Amann)
Date: Thu, 05 Nov 2015 08:43:20 +0900
Subject: [Bro-Dev] Multiple logs in one SQLite database

Hello Jakub,

this is a known bug at the moment - tracked in https://bro-tracker.atlassian.net/browse/BIT-1325

At the moment there is no workaround to this, besides writing to separate sqlite database files -- sorry.

Johanna

On 5 Nov 2015, at 7:03, Jakub S. Paulovic wrote:

> Hello,
>
> I am trying to setup Bro to log all the events to a SQLite database. In my local.bro file, I have added an event bro_init() with filters specifying the writer to be WRITER_SQLITE like this:
>
> local filter_conn: Log::Filter =
>     [
>     $name="sqlite",
>     $path="/var/db/conn",
>     $config=table(["tablename"] = "conn"),
>     $writer=Log::WRITER_SQLITE
>     ];
>
> Log::add_filter(Conn::LOG, filter_conn);
>
> local filter_notice: Log::Filter =
>     [
>     $name="sqlite",
>     $path="/var/db/conn",
>     $config=table(["tablename"] = "notice"),
>     $writer=Log::WRITER_SQLITE
>     ];
>
> Log::add_filter(Notice::LOG, filter_notice);
>
> ... + other filters for http, dhcp and weird set accordingly.
>
> I want the logs to be written to separate tables in one SQLite database. However, when I run bro with this configuration, I almost immediately get SQLite errors:
>
> error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: SQLite call failed: database is locked
> error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: terminating thread
>
> After that, nothing else is written to affected table. Please can You suggest me what should I do to achieve logging to one database with multiple tables?
>
> Thanks
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

From johanna at icir.org Wed Nov 4 15:56:57 2015
From: johanna at icir.org (Johanna Amann)
Date: Thu, 05 Nov 2015 08:56:57 +0900
Subject: [Bro-Dev] Multiple logs in one SQLite database
Message-ID: <3531D07F-D0DD-47E8-BCE7-62B0C28DE4B2@icir.org>

Actually - there is a patch in that bug that you might want to try - I
forgot about that. I am not completely sure about the performance
implications it might have though.

Johanna

On 5 Nov 2015, at 8:43, Johanna Amann wrote:

> Hello Jakub,
>
> this is a known bug at the moment - tracked in
> https://bro-tracker.atlassian.net/browse/BIT-1325
>
> At the moment there is no workaround to this, besides writing to
> separate sqlite database files -- sorry.
>
> Johanna
>
> On 5 Nov 2015, at 7:03, Jakub S. Paulovic wrote:
>
>> Hello,
>>
>> I am trying to setup Bro to log all the events to a SQLite database. In my
>> local.bro file, I have added an event bro_init() with filters specifying
>> the writer to be WRITER_SQLITE like this:
>>
>> local filter_conn: Log::Filter =
>>     [
>>     $name="sqlite",
>>     $path="/var/db/conn",
>>     $config=table(["tablename"] = "conn"),
>>     $writer=Log::WRITER_SQLITE
>>     ];
>>
>> Log::add_filter(Conn::LOG, filter_conn);
>>
>> local filter_notice: Log::Filter =
>>     [
>>     $name="sqlite",
>>     $path="/var/db/conn",
>>     $config=table(["tablename"] = "notice"),
>>     $writer=Log::WRITER_SQLITE
>>     ];
>>
>> Log::add_filter(Notice::LOG, filter_notice);
>>
>> ... + other filters for http, dhcp and weird set accordingly.
>>
>> I want the logs to be written to separate tables in one SQLite database.
>> However, when I run bro with this configuration, I almost immediately get
>> SQLite errors:
>>
>> error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: SQLite call failed: database is locked
>> error: /root/bakalarka/capture/bro/sql/log/Log::WRITER_SQLITE: terminating thread
>>
>> After that, nothing else is written to the affected table. Could you please
>> suggest what I should do to achieve logging to one database with multiple
>> tables?
>>
>> Thanks
>> _______________________________________________
>> bro-dev mailing list
>> bro-dev at bro.org
>> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

From noreply at bro.org Thu Nov 5 00:00:35 2015
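The "database is locked" failure in this thread, reproduced outside Bro as an added example (this is not code from Bro, from the BIT-1325 patch or from either poster): two independent SQLite connections write to one file the way two WRITER_SQLITE filters sharing $path would, and then to separate files, which is the workaround Johanna gives. The only assumption about Bro is the one the errors imply, namely that every filter's writer opens its own connection and runs concurrently with the others; the paths, table names and rows are constructed.

```python
import os
import sqlite3
import tempfile


def open_writer(path: str, table: str) -> sqlite3.Connection:
    """One simulated log writer: its own connection to `path` and its own table.

    timeout=0 makes SQLite fail at once instead of waiting when another
    connection holds the write lock, which matches the immediate
    "database is locked" error in the thread. isolation_level=None leaves
    BEGIN/COMMIT under our control.
    """
    conn = sqlite3.connect(path, timeout=0, isolation_level=None)
    conn.execute(f"CREATE TABLE IF NOT EXISTS {table} (ts REAL, msg TEXT)")
    return conn


def simulate_two_writers(same_file: bool) -> dict:
    """Run a 'conn' writer and a 'notice' writer against SQLite.

    same_file=True:  both writers use one database file, as the two filters
                     with $path="/var/db/conn" in the question do.
    same_file=False: each writer gets its own file, the workaround from the
                     reply.
    Returns the rows each writer committed and the error the second writer
    hit, if any. Paths and table names are constructed for the example.
    """
    tmpdir = tempfile.mkdtemp()
    conn_path = os.path.join(tmpdir, "conn.sqlite")
    notice_path = conn_path if same_file else os.path.join(tmpdir, "notice.sqlite")

    conn_writer = open_writer(conn_path, "conn")
    notice_writer = open_writer(notice_path, "notice")

    # Writer 1 opens a transaction and inserts. From the INSERT on it holds
    # SQLite's RESERVED lock on that file until COMMIT: no other connection
    # may write to the same file in the meantime (rollback-journal mode).
    conn_writer.execute("BEGIN")
    conn_writer.execute("INSERT INTO conn VALUES (?, ?)", (1446562801.5, "conn row"))

    error = None
    try:
        # Writer 2 writes while writer 1's transaction is still open.
        notice_writer.execute("INSERT INTO notice VALUES (?, ?)",
                              (1446562801.6, "notice row"))
    except sqlite3.OperationalError as exc:
        error = str(exc)  # "database is locked" when both share the file

    conn_writer.execute("COMMIT")

    result = {
        "conn_rows": conn_writer.execute("SELECT COUNT(*) FROM conn").fetchone()[0],
        "notice_rows": notice_writer.execute("SELECT COUNT(*) FROM notice").fetchone()[0],
        "error": error,
    }
    conn_writer.close()
    notice_writer.close()
    return result


if __name__ == "__main__":
    print("one file:       ", simulate_two_writers(same_file=True))
    print("separate files: ", simulate_two_writers(same_file=False))
```

The lock is per database file, so the same two-writer pattern succeeds as soon as each writer has its own file. A busy timeout (the `timeout=` argument of `sqlite3.connect`, i.e. SQLite's busy handler) would make the second writer wait instead of failing, but only helps when the first writer commits quickly; what the patch attached to BIT-1325 changes is not reproduced here.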
From: noreply at bro.org (Merge Tracker)
Date: Thu, 5 Nov 2015 00:00:35 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511050800.tA580ZQA002941@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#46 [3]  bro        albertzaharovits [4]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#1 [6]   broctl     J-Gras [7]            2015-10-24  Added support for Pcap options [8]

[1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46 https://github.com/bro/bro/pull/46
[4] albertzaharovits https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1 https://github.com/bro/broctl/pull/1
[7] J-Gras https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Thu Nov 5 08:49:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 5 Nov 2015 10:49:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1503) vlan-logging.bro assumes c$conn exists

[ https://bro-tracker.atlassian.net/browse/BIT-1503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1503:
----------------------------------

    Assignee: Daniel Thayer

> vlan-logging.bro assumes c$conn exists
> --------------------------------------
>
>                 Key: BIT-1503
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1503
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>         Environment: git/master, CentOS 7, vlan tagged pcap.
>            Reporter: dop
>            Assignee: Daniel Thayer
>              Labels: vlan
>             Fix For: 2.5
>
>
> policy/protocols/conn/vlan-logging.bro
>
> When testing against random pcaps you'll get tons of errors like:
>
> 1446562801.530502 expression error in /usr/local/bro/share/bro/policy/protocols/conn/vlan-logging.bro, line 21: field value missing [Conn::c$conn]
>
> Adding a c?$conn condition removes that annoyance.
>
> -Dop

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Thu Nov 5 09:20:00 2015
From: jira at bro-tracker.atlassian.net (Gavin Spearhead (JIRA))
Date: Thu, 5 Nov 2015 11:20:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22806#comment-22806 ]

Gavin Spearhead commented on BIT-1502:
--------------------------------------

I tried to make a pcap and run bro on it, and it seems to work fine. However, when running bro through broctl > start etc in parallel with the pcap, the certificates do not show up there.

> X509 doesn't log all certificates
> ---------------------------------
>
>                 Key: BIT-1502
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: test setup
>            Reporter: Gavin Spearhead
>            Assignee: Johanna Amann
>              Labels: ssl
>             Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
>
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Thu Nov 5 10:05:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 5 Nov 2015 12:05:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL

[ https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1499:
---------------------------------

    Assignee: Robin Sommer

> Updates for newer version of OpenSSL/LibreSSL
> ---------------------------------------------
>
>                 Key: BIT-1499
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1499
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro, Broccoli
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Robin Sommer
>             Fix For: 2.5
>
>         Attachments: patch-aux_broccoli_src_bro__openssl.c, patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
>
> {quote}Currently bro fails to build when openssl libraries have been built
> without SSLv3 (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
>
> The patches are attached. Fortunately all of this code is slated to be removed but it does introduce the question how we manage this moving forward. I'd like to avoid having to add compiler directives to use alternate implementations and detect which version of OpenSSL someone has installed.
>
> Alternately, what does everyone think about deprecating the existing communication mechanism by making it a configure-time option? We can just not compile those by default which means that almost everyone would just see everything work correctly and our effort would be minimal. People that need the existing built in communication still can deal with the complications of compiling Bro with the option and having the correct version of OpenSSL.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Thu Nov 5 10:05:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 5 Nov 2015 12:05:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL

[ https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1499:
------------------------------

    Status: Merge Request  (was: Open)
    Assignee:     (was: Robin Sommer)

> Updates for newer version of OpenSSL/LibreSSL
> ---------------------------------------------
>
>                 Key: BIT-1499
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1499
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro, Broccoli
>    Affects Versions: git/master
>            Reporter: Seth Hall
>             Fix For: 2.5
>
>         Attachments: patch-aux_broccoli_src_bro__openssl.c, patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
>
> {quote}Currently bro fails to build when openssl libraries have been built
> without SSLv3 (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
>
> The patches are attached. Fortunately all of this code is slated to be removed but it does introduce the question how we manage this moving forward. I'd like to avoid having to add compiler directives to use alternate implementations and detect which version of OpenSSL someone has installed.
>
> Alternately, what does everyone think about deprecating the existing communication mechanism by making it a configure-time option? We can just not compile those by default which means that almost everyone would just see everything work correctly and our effort would be minimal. People that need the existing built in communication still can deal with the complications of compiling Bro with the option and having the correct version of OpenSSL.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Thu Nov 5 10:27:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 5 Nov 2015 12:27:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1503) vlan-logging.bro assumes c$conn exists

[ https://bro-tracker.atlassian.net/browse/BIT-1503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1503:
-------------------------------

    Status: Merge Request  (was: Open)
    Assignee:     (was: Daniel Thayer)

> vlan-logging.bro assumes c$conn exists
> --------------------------------------
>
>                 Key: BIT-1503
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1503
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>         Environment: git/master, CentOS 7, vlan tagged pcap.
>            Reporter: dop
>              Labels: vlan
>             Fix For: 2.5
>
>
> policy/protocols/conn/vlan-logging.bro
>
> When testing against random pcaps you'll get tons of errors like:
>
> 1446562801.530502 expression error in /usr/local/bro/share/bro/policy/protocols/conn/vlan-logging.bro, line 21: field value missing [Conn::c$conn]
>
> Adding a c?$conn condition removes that annoyance.
>
> -Dop

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Thu Nov 5 10:27:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 5 Nov 2015 12:27:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1503) vlan-logging.bro assumes c$conn exists

[ https://bro-tracker.atlassian.net/browse/BIT-1503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22807#comment-22807 ]

Daniel Thayer commented on BIT-1503:
------------------------------------

In branch "topic/dnthayer/ticket1503", I've lowered the priority of the event handler to prevent this race condition.

> vlan-logging.bro assumes c$conn exists
> --------------------------------------
>
>                 Key: BIT-1503
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1503
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>         Environment: git/master, CentOS 7, vlan tagged pcap.
>            Reporter: dop
>            Assignee: Daniel Thayer
>              Labels: vlan
>             Fix For: 2.5
>
>
> policy/protocols/conn/vlan-logging.bro
>
> When testing against random pcaps you'll get tons of errors like:
>
> 1446562801.530502 expression error in /usr/local/bro/share/bro/policy/protocols/conn/vlan-logging.bro, line 21: field value missing [Conn::c$conn]
>
> Adding a c?$conn condition removes that annoyance.
>
> -Dop

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Thu Nov 5 12:53:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Thu, 5 Nov 2015 14:53:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1504) The facility to serialize tables to a log

Aaron Eppert created BIT-1504:
---------------------------------

             Summary: The facility to serialize tables to a log
                 Key: BIT-1504
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1504
             Project: Bro Issue Tracker
          Issue Type: New Feature
          Components: Bro
            Reporter: Aaron Eppert
            Priority: High


```
@load base/protocols/http/main
@load base/protocols/http/utils

module HTTP;

redef record Info += {
    cookies: table[string] of string &optional &log;
};

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    if ( is_orig && name == "COOKIE" ) {
        if ( ! c$http?$cookies ) {
            c$http$cookies = table();
        }

        local cookie_vec = split_string(value, /;[[:blank:]]*/);

        # A for-loop over a vector yields its indices, so index into cookie_vec;
        # split_string1 splits at the first '=' only, so a cookie value that
        # itself contains '=' is kept whole.
        for (i in cookie_vec) {
            local kv = split_string1(cookie_vec[i], /=/);
            if (|kv| == 2) {
                c$http$cookies[kv[0]] = kv[1];
            }
        }
    }
}
```

Simple example. The ability to serialize the above to a log file, given it uses simple string indices and values, would seem to be straightforward per looking at the Ascii and JSON writers, which appear to support TYPE_TABLE natively. I spent some time looking at how to implement this at the layers above, but the (!t->IsSet()) in SerialTypes.cc's Value::IsCompatibleType(...) is an obvious blocker and I ran out of time to deduce the rest.

I would assume I am not alone in this want as it would make proper downstream referencing of the resulting KV pairs from the table especially easy to navigate. This is, again, very much the case when using the JSON writer given it should natively serialize into very easily usable KV pair notation.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Thu Nov 5 15:27:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 5 Nov 2015 17:27:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1504) The facility to serialize tables to a log

[ https://bro-tracker.atlassian.net/browse/BIT-1504?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1504:
-------------------------------

    Priority: Low  (was: High)

> The facility to serialize tables to a log
> -----------------------------------------
>
>                 Key: BIT-1504
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1504
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>            Reporter: Aaron Eppert
>            Priority: Low
>
>
> ```
> @load base/protocols/http/main
> @load base/protocols/http/utils
>
> module HTTP;
>
> redef record Info += {
>     cookies: table[string] of string &optional &log;
> };
>
> event http_header(c: connection, is_orig: bool, name: string, value: string)
> {
>     if ( is_orig && name == "COOKIE" ) {
>         if ( ! c$http?$cookies ) {
>             c$http$cookies = table();
>         }
>
>         local cookie_vec = split_string(value, /;[[:blank:]]*/);
>
>         # A for-loop over a vector yields its indices, so index into cookie_vec;
>         # split_string1 splits at the first '=' only, so a cookie value that
>         # itself contains '=' is kept whole.
>         for (i in cookie_vec) {
>             local kv = split_string1(cookie_vec[i], /=/);
>             if (|kv| == 2) {
>                 c$http$cookies[kv[0]] = kv[1];
>             }
>         }
>     }
> }
> ```
>
> Simple example. The ability to serialize the above to a log file, given it uses simple string indices and values, would seem to be straightforward per looking at the Ascii and JSON writers, which appear to support TYPE_TABLE natively. I spent some time looking at how to implement this at the layers above, but the (!t->IsSet()) in SerialTypes.cc's Value::IsCompatibleType(...) is an obvious blocker and I ran out of time to deduce the rest.
>
> I would assume I am not alone in this want as it would make proper downstream referencing of the resulting KV pairs from the table especially easy to navigate. This is, again, very much the case when using the JSON writer given it should natively serialize into very easily usable KV pair notation.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Thu Nov 5 15:27:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 5 Nov 2015 17:27:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1504) The facility to serialize tables to a log

[ https://bro-tracker.atlassian.net/browse/BIT-1504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22808#comment-22808 ]

Johanna Amann commented on BIT-1504:
------------------------------------

Hi,

sorry, it will not be easily possible to support this use-case. Basically, when the logging and input frameworks were first designed, the feature set was cut off at tables -- we wanted to be able to --at a maximum-- log arrays of data in a single "line" of log output, no tables; while this might be easy for formats like JSON, for other formats like just ASCII text, etc. it gets complicated quite soon. Also - what do you want to do if someone tries to log a table of a table --- (json once again has no problem with that, but in a pure ascii format this just gets ugly).

Because of this, the underlying data types that are used to exchange data between the logging framework and the input framework and the main Bro thread do not support tables at all.

The reason why you see support for TYPE_TABLE in some places of the logging and input framework are sets. These are loggable and usable as input - and are internally represented as tables in Bro.

> The facility to serialize tables to a log
> -----------------------------------------
>
>                 Key: BIT-1504
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1504
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>            Reporter: Aaron Eppert
>            Priority: High
>
>
> ```
> @load base/protocols/http/main
> @load base/protocols/http/utils
>
> module HTTP;
>
> redef record Info += {
>     cookies: table[string] of string &optional &log;
> };
>
> event http_header(c: connection, is_orig: bool, name: string, value: string)
> {
>     if ( is_orig && name == "COOKIE" ) {
>         if ( ! c$http?$cookies ) {
>             c$http$cookies = table();
>         }
>
>         local cookie_vec = split_string(value, /;[[:blank:]]*/);
>
>         # A for-loop over a vector yields its indices, so index into cookie_vec;
>         # split_string1 splits at the first '=' only, so a cookie value that
>         # itself contains '=' is kept whole.
>         for (i in cookie_vec) {
>             local kv = split_string1(cookie_vec[i], /=/);
>             if (|kv| == 2) {
>                 c$http$cookies[kv[0]] = kv[1];
>             }
>         }
>     }
> }
> ```
>
> Simple example. The ability to serialize the above to a log file, given it uses simple string indices and values, would seem to be straightforward per looking at the Ascii and JSON writers, which appear to support TYPE_TABLE natively. I spent some time looking at how to implement this at the layers above, but the (!t->IsSet()) in SerialTypes.cc's Value::IsCompatibleType(...) is an obvious blocker and I ran out of time to deduce the rest.
>
> I would assume I am not alone in this want as it would make proper downstream referencing of the resulting KV pairs from the table especially easy to navigate. This is, again, very much the case when using the JSON writer given it should natively serialize into very easily usable KV pair notation.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Thu Nov 5 15:28:00 2015
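An added example (not code from BIT-1504, from Bro, or from either commenter) that covers both the cookie-parsing snippet in the issue and Johanna's point about tables in the writers. It parses a Cookie request header into a name-to-value map, splitting each pair at its first '=' and indexing the split list (the snippet's `split_string(value, /=/)` inside the loop re-splits the whole header and breaks on values containing '='), then emits the record once as JSON, where a table is simply a nested object, and once as a flat tab-separated line in the ASCII writer's style, where a table of scalars needs an ad-hoc encoding and a table of tables has no representation at all. The header value, the uid and the field names are constructed.

```python
import json
import re
from typing import Dict

# Constructed Cookie request header, not taken from a capture. The "prefs"
# value contains a second '=' on purpose: splitting a pair at every '=' (what
# the issue's split_string(value, /=/) does) yields 3 parts and drops it;
# "justaflag" has no '=' and is skipped either way.
CONSTRUCTED_COOKIE_HEADER = "session=abc123; prefs=theme=dark; justaflag; _ga=GA1.2.1"


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Cookie header -> {name: value}, the table the issue wants to log.

    Splits on ';' plus optional blanks (the snippet's /;[[:blank:]]*/), then
    splits each item at its FIRST '=' only, so values containing '=' survive.
    Items without '=' are ignored, as the snippet's |kv| == 2 check intended.
    """
    cookies: Dict[str, str] = {}
    for item in re.split(r";[ \t]*", value):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        name = name.strip()
        if name:
            cookies[name] = val
    return cookies


def to_json_line(record: dict) -> str:
    """What a JSON writer can do with a table: emit it as a nested object."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def json_round_trips(record: dict) -> bool:
    """A nested table survives JSON serialization unchanged."""
    return json.loads(to_json_line(record)) == record


def to_ascii_line(record: dict, sep: str = "\t") -> str:
    """One flat, tab-separated line in the spirit of the ASCII writer.

    Scalars are written as-is and sets/vectors as comma-joined items, which
    is all a flat line holds naturally. A table of scalars is forced into
    'name=value' items here, an ad-hoc encoding that becomes ambiguous as soon
    as a name or value contains ',' or '='; a table whose values are themselves
    containers has no flat form at all, so it is refused.
    """
    cols = []
    for key in sorted(record):
        v = record[key]
        if isinstance(v, dict):
            if any(isinstance(x, (dict, list, set, tuple)) for x in v.values()):
                raise ValueError(f"field {key!r}: no flat form for a table of tables")
            cols.append(",".join(f"{k}={val}" for k, val in sorted(v.items())))
        elif isinstance(v, (list, set, tuple)):
            cols.append(",".join(str(x) for x in sorted(v)))
        else:
            cols.append(str(v))
    return sep.join(cols)


def ascii_representable(record: dict) -> bool:
    """True when to_ascii_line can produce a line for the record at all."""
    try:
        to_ascii_line(record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cookies = parse_cookie_header(CONSTRUCTED_COOKIE_HEADER)
    record = {"uid": "CkQ1aa", "cookies": cookies}  # uid is constructed
    print(to_json_line(record))
    print(to_ascii_line(record))
    print(ascii_representable({"uid": "CkQ1aa", "nested": {"a": {"b": "c"}}}))
```

The JSON line round-trips back to the same structure, which is the downstream convenience the issue asks for; the flat line only works for one level of string-to-string pairs and already needs a re-parser that knows the encoding, which is the "gets ugly" case in the reply.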
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 5 Nov 2015 17:28:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1504) The facility to serialize tables to a log

[ https://bro-tracker.atlassian.net/browse/BIT-1504?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1504:
-------------------------------

    Affects Version/s: 2.4

> The facility to serialize tables to a log
> -----------------------------------------
>
>                 Key: BIT-1504
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1504
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Aaron Eppert
>            Priority: Low
>
>
> ```
> @load base/protocols/http/main
> @load base/protocols/http/utils
>
> module HTTP;
>
> redef record Info += {
>     cookies: table[string] of string &optional &log;
> };
>
> event http_header(c: connection, is_orig: bool, name: string, value: string)
> {
>     if ( is_orig && name == "COOKIE" ) {
>         if ( ! c$http?$cookies ) {
>             c$http$cookies = table();
>         }
>
>         local cookie_vec = split_string(value, /;[[:blank:]]*/);
>
>         # A for-loop over a vector yields its indices, so index into cookie_vec;
>         # split_string1 splits at the first '=' only, so a cookie value that
>         # itself contains '=' is kept whole.
>         for (i in cookie_vec) {
>             local kv = split_string1(cookie_vec[i], /=/);
>             if (|kv| == 2) {
>                 c$http$cookies[kv[0]] = kv[1];
>             }
>         }
>     }
> }
> ```
>
> Simple example. The ability to serialize the above to a log file, given it uses simple string indices and values, would seem to be straightforward per looking at the Ascii and JSON writers, which appear to support TYPE_TABLE natively. I spent some time looking at how to implement this at the layers above, but the (!t->IsSet()) in SerialTypes.cc's Value::IsCompatibleType(...) is an obvious blocker and I ran out of time to deduce the rest.
>
> I would assume I am not alone in this want as it would make proper downstream referencing of the resulting KV pairs from the table especially easy to navigate. This is, again, very much the case when using the JSON writer given it should natively serialize into very easily usable KV pair notation.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Thu Nov 5 15:30:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 5 Nov 2015 17:30:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22809#comment-22809 ]

Johanna Amann commented on BIT-1502:
------------------------------------

Since it works when running it directly through Bro, this means that this is not a problem of the Bro parsing of X.509 but a different problem of the process you use to replay your pcap file or capture your live traffic :).

What are the exact steps with which you tried using it through broctl? Are you using standalone mode or cluster mode?

Could you see if the missed_bytes column of conn.log contains a number > 0 in the case where the x.509 log does not contain data? This would mean that Bro did not see all bytes of the underlying TLS connection, which makes it stop processing.

> X509 doesn't log all certificates
> ---------------------------------
>
>                 Key: BIT-1502
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: test setup
>            Reporter: Gavin Spearhead
>            Assignee: Johanna Amann
>              Labels: ssl
>             Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
>
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From noreply at bro.org Fri Nov 6 00:00:39 2015
From: noreply at bro.org (Merge Tracker)
Date: Fri, 6 Nov 2015 00:00:39 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511060800.tA680dBk013984@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ------------  -------------  ------------  ----------  -----------  --------  ---------------------------------------------
BIT-1503 [1]  Bro           dop            -             2015-11-05  2.5          Normal    vlan-logging.bro assumes c$conn exists
BIT-1499 [2]  Bro,Broccoli  Seth Hall      -             2015-11-05  2.5          Normal    Updates for newer version of OpenSSL/LibreSSL
BIT-1489 [3]  BroControl    Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [4]

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#46 [5]  bro        albertzaharovits [6]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [7]
#1 [8]   broctl     J-Gras [9]            2015-10-24  Added support for Pcap options [10]

[1] BIT-1503 https://bro-tracker.atlassian.net/browse/BIT-1503
[2] BIT-1499 https://bro-tracker.atlassian.net/browse/BIT-1499
[3] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[4] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[5] Pull Request #46 https://github.com/bro/bro/pull/46
[6] albertzaharovits https://github.com/albertzaharovits
[7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[8] Pull Request #1 https://github.com/bro/broctl/pull/1
[9] J-Gras https://github.com/J-Gras
[10] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Fri Nov 6 05:33:00 2015
From: jira at bro-tracker.atlassian.net (Aaron Eppert (JIRA))
Date: Fri, 6 Nov 2015 07:33:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1504) The facility to serialize tables to a log

[ https://bro-tracker.atlassian.net/browse/BIT-1504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22810#comment-22810 ]

Aaron Eppert commented on BIT-1504:
-----------------------------------

First, thank you very much Johanna for your reply and the detailed information. After digging for a while and testing a few theories, I realized it was a design issue and was likely around the original ascii conventions of Bro, but it is always very helpful to know the details from someone far more familiar with the code base.

I do stand by the original feature request: given that the complexity of protocols isn't decreasing and the importance of various metadata for detection of attacks is only increasing, it becomes even more important to have more dense logs. Representing them in a tabular, ascii format is non-trivial; I fully respect and understand that problem. However, I would propose an exception flag of some form so that if an underlying writer supports the extended attributes, they are allowed to pass, otherwise they are ignored and logged as being dropped. This, I would hope, would meet everyone's needs mostly in the middle and I would assume, perhaps incorrectly, that it wouldn't be too difficult to architect in this manner.

With all that said, I realize the priority on this is low, even for me overall at the moment. But if we're adding "nice to haves" and vision casting for future functionality in Bro, this would certainly be a helpful change that would likely be very well received.

> The facility to serialize tables to a log
> -----------------------------------------
>
>                 Key: BIT-1504
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1504
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Aaron Eppert
>            Priority: Low
>
>
> ```
> @load base/protocols/http/main
> @load base/protocols/http/utils
>
> module HTTP;
>
> redef record Info += {
>     cookies: table[string] of string &optional &log;
> };
>
> event http_header(c: connection, is_orig: bool, name: string, value: string)
> {
>     if ( is_orig && name == "COOKIE" ) {
>         if ( ! c$http?$cookies ) {
>             c$http$cookies = table();
>         }
>
>         local cookie_vec = split_string(value, /;[[:blank:]]*/);
>
>         # A for-loop over a vector yields its indices, so index into cookie_vec;
>         # split_string1 splits at the first '=' only, so a cookie value that
>         # itself contains '=' is kept whole.
>         for (i in cookie_vec) {
>             local kv = split_string1(cookie_vec[i], /=/);
>             if (|kv| == 2) {
>                 c$http$cookies[kv[0]] = kv[1];
>             }
>         }
>     }
> }
> ```
>
> Simple example. The ability to serialize the above to a log file, given it uses simple string indices and values, would seem to be straightforward per looking at the Ascii and JSON writers, which appear to support TYPE_TABLE natively. I spent some time looking at how to implement this at the layers above, but the (!t->IsSet()) in SerialTypes.cc's Value::IsCompatibleType(...) is an obvious blocker and I ran out of time to deduce the rest.
>
> I would assume I am not alone in this want as it would make proper downstream referencing of the resulting KV pairs from the table especially easy to navigate. This is, again, very much the case when using the JSON writer given it should natively serialize into very easily usable KV pair notation.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Fri Nov 6 06:24:00 2015
From: jira at bro-tracker.atlassian.net (Gavin Spearhead (JIRA))
Date: Fri, 6 Nov 2015 08:24:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22811#comment-22811 ]

Gavin Spearhead commented on BIT-1502:
--------------------------------------

Basically I installed the .deb package as on the website and fiddled a bit with the configuration. Using this for node.cfg:

[bro]
type=standalone
host=localhost
interface=eth0

Tried disabling some bits and pieces in /opt/bro/share/bro/site/local.bro to no avail.

run sudo broctl > install > start

Bro takes about 19% cpu.

zcat conn.17\:00\:00-18\:00\:00.log.gz | ../../bin/bro-cut missed_bytes id.resp_h|grep face
0	2a03:2880:1010:df05:face:b00c:0:2
17578	2a03:2880:1010:df05:face:b00c:0:2
4488	2a03:2880:2040:7f01:face:b00c:0:1
2820	2a03:2880:11:1f04:face:b00c:0:1
4653	2a03:2880:1010:df05:face:b00c:0:2
4343	2a03:2880:1010:df05:face:b00c:0:2
77198	2a03:2880:f013:8:face:b00c:0:1
50374	2a03:2880:1010:df05:face:b00c:0:2
3198	2a03:2880:f022:b:face:b00c:0:3
0	2a03:2880:f022:b:face:b00c:0:3
124697	2a03:2880:f022:b:face:b00c:0:3
68810	2a03:2880:f022:b:face:b00c:0:3
21575	2a03:2880:1010:df05:face:b00c:0:2
0	2a03:2880:f013:8:face:b00c:0:1
146790	2a03:2880:f013:8:face:b00c:0:1
85210	2a03:2880:f013:8:face:b00c:0:1
77505	2a03:2880:1010:df05:face:b00c:0:2
0	2a03:2880:f012:8:face:b00c:0:1
433464	2a03:2880:f012:8:face:b00c:0:1
242946	2a03:2880:f012:8:face:b00c:0:1
55640	2a03:2880:1010:df05:face:b00c:0:2
237749	2a03:2880:f013:8:face:b00c:0:1
428592	2a03:2880:f013:8:face:b00c:0:1
93314	2a03:2880:1010:6f03:face:b00c:0:2

And for twitter

zcat conn.17\:00\:00-18\:00\:00.log.gz | ../../bin/bro-cut missed_bytes id.resp_h|grep 199.16.156
14510	199.16.156.70
5477	199.16.156.8
2626	199.16.156.72
2625	199.16.156.8
0	199.16.156.8
0	199.16.156.199
0	199.16.156.72
1477	199.16.156.72
1752	199.16.156.198
2880	199.16.156.120
3025	199.16.156.9
1752	199.16.156.38
48034	199.16.156.38
7197	199.16.156.72
2625	199.16.156.8
0	199.16.156.72
0	199.16.156.104

> X509 doesn't log all certificates
> ---------------------------------
>
>                 Key: BIT-1502
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: test setup
>            Reporter: Gavin Spearhead
>            Assignee: Johanna Amann
>              Labels: ssl
>             Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
>
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Fri Nov 6 10:26:00 2015
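The check Johanna asks for, as an added example that is not Bro code and not from this ticket: a small parser for Bro's ASCII log header (#separator, #fields, #unset_field) and a per-responder summary of the connections whose missed_bytes is greater than zero, plus the uids of those connections so they can be matched against ssl.log and x509.log. It runs over a constructed conn.log excerpt; the timestamps, uids and addresses are made up for the example (203.0.113.0/24 is documentation address space), and the field list is trimmed to what the check needs.

```python
from typing import Dict, List, Optional

# Constructed conn.log excerpt in Bro's ASCII log format (tab separated).
# Timestamps, uids and addresses are made up for the example.
CONSTRUCTED_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tmissed_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\n"
    "1446562801.530502\tCkq1aa\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\t0\n"
    "1446562802.100000\tCkq1ab\t10.0.0.5\t51235\t203.0.113.10\t443\ttcp\tssl\t17578\n"
    "1446562803.200000\tCkq1ac\t10.0.0.5\t51236\t203.0.113.20\t443\ttcp\tssl\t-\n"
    "1446562804.300000\tCkq1ad\t10.0.0.5\t51237\t203.0.113.20\t443\ttcp\tssl\t4488\n"
    "#close\t2015-11-05-18-00-00\n"
)


def parse_bro_ascii(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse Bro ASCII log text into one dict per record, keyed by #fields.

    Reads the separator from the '#separator' line (written as an escape such
    as \\x09), honours '#unset_field', and skips the other header lines and
    '#close'. Unset values come back as None.
    """
    sep, unset, fields = "\t", "-", []
    rows: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "fields":
                fields = rest.split(sep)
            elif key == "unset_field":
                unset = rest
            continue
        values = line.split(sep)
        rows.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return rows


def loss_by_responder(rows) -> Dict[str, Dict[str, int]]:
    """Per id.resp_h: connections seen, connections with missed_bytes > 0,
    and the total missed bytes. An unset missed_bytes counts as 0."""
    stats: Dict[str, Dict[str, int]] = {}
    for row in rows:
        missed = int(row.get("missed_bytes") or 0)
        s = stats.setdefault(row["id.resp_h"], {"total": 0, "lossy": 0, "missed_bytes": 0})
        s["total"] += 1
        if missed > 0:
            s["lossy"] += 1
            s["missed_bytes"] += missed
    return stats


def lossy_uids(rows) -> List[str]:
    """uids of connections with gaps. Join these against ssl.log (same uid) and,
    through the certificate fuids, x509.log to see whether the missing
    certificates coincide with missing bytes."""
    return [row["uid"] for row in rows if int(row.get("missed_bytes") or 0) > 0]


if __name__ == "__main__":
    records = parse_bro_ascii(CONSTRUCTED_CONN_LOG)
    for resp_h, s in sorted(loss_by_responder(records).items()):
        print(f"{resp_h:<14} total={s['total']} lossy={s['lossy']} missed_bytes={s['missed_bytes']}")
    print("lossy uids:", lossy_uids(records))
```

On a real deployment, feed it the decompressed conn.log for the hour in question (the file in the bro-cut pipeline above) and compare the lossy uids with the uids in ssl.log that have no certificate entries; if they line up, the capture is dropping packets before Bro sees them, which is the case the reply describes.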
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 6 Nov 2015 12:26:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1505) topic/jsiwek/sse2-config-check
In-Reply-To:
References:
Message-ID:

Jon Siwek created BIT-1505:
------------------------------

             Summary: topic/jsiwek/sse2-config-check
                 Key: BIT-1505
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1505
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Broker
            Reporter: Jon Siwek

A couple of places in Broker used SSE2 intrinsics without actually checking if the platform supports them; this branch adds a config-time check to preprocess them out.

And unrelated, also fixed a unit test failure I never noticed before (maybe I'm the first one to test on OS X 10.11).

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 6 Nov 2015 12:27:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1505) topic/jsiwek/sse2-config-check
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1505:
---------------------------

    Status: Merge Request  (was: Open)

> topic/jsiwek/sse2-config-check
> ------------------------------
>
>              Key: BIT-1505
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1505
>          Project: Bro Issue Tracker
>       Issue Type: Improvement
>       Components: Broker
>         Reporter: Jon Siwek
>
>
> A couple of places in Broker used SSE2 intrinsics without actually checking if the platform supports them; this branch adds a config-time check to preprocess them out.
> And unrelated, also fixed a unit test failure I never noticed before (maybe I'm the first one to test on OS X 10.11).

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: noreply at bro.org (Merge Tracker)
Date: Sat, 7 Nov 2015 00:00:24 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511070800.tA780O09004549@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ------------  -------------  ------------  ----------  -----------  --------  ---------------------------------------------
BIT-1505 [1]  Broker        Jon Siwek      -             2015-11-06  -            Normal    topic/jsiwek/sse2-config-check [2]
BIT-1503 [3]  Bro           dop            -             2015-11-05  2.5          Normal    vlan-logging.bro assumes c$conn exists
BIT-1499 [4]  Bro,Broccoli  Seth Hall      -             2015-11-05  2.5          Normal    Updates for newer version of OpenSSL/LibreSSL
BIT-1489 [5]  BroControl    Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [6]

Open GitHub Pull Requests
=========================

Issue     Component  User                  Updated     Title
--------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#46 [7]   bro        albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]   broctl     J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1] BIT-1505 https://bro-tracker.atlassian.net/browse/BIT-1505
[2] sse2-config-check https://github.com/bro/broker/tree/topic/jsiwek/sse2-config-check
[3] BIT-1503 https://bro-tracker.atlassian.net/browse/BIT-1503
[4] BIT-1499 https://bro-tracker.atlassian.net/browse/BIT-1499
[5] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[6] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[7] Pull Request #46 https://github.com/bro/bro/pull/46
[8] albertzaharovits https://github.com/albertzaharovits
[9] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10] Pull Request #1 https://github.com/bro/broctl/pull/1
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From: noreply at bro.org (Merge Tracker)
Date: Sun, 8 Nov 2015 00:00:21 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511080800.tA880Leh026112@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ------------  -------------  ------------  ----------  -----------  --------  ---------------------------------------------
BIT-1505 [1]  Broker        Jon Siwek      -             2015-11-06  -            Normal    topic/jsiwek/sse2-config-check [2]
BIT-1503 [3]  Bro           dop            -             2015-11-05  2.5          Normal    vlan-logging.bro assumes c$conn exists
BIT-1499 [4]  Bro,Broccoli  Seth Hall      -             2015-11-05  2.5          Normal    Updates for newer version of OpenSSL/LibreSSL
BIT-1489 [5]  BroControl    Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [6]

Open GitHub Pull Requests
=========================

Issue     Component  User                  Updated     Title
--------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#46 [7]   bro        albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]   broctl     J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1] BIT-1505 https://bro-tracker.atlassian.net/browse/BIT-1505
[2] sse2-config-check https://github.com/bro/broker/tree/topic/jsiwek/sse2-config-check
[3] BIT-1503 https://bro-tracker.atlassian.net/browse/BIT-1503
[4] BIT-1499 https://bro-tracker.atlassian.net/browse/BIT-1499
[5] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[6] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[7] Pull Request #46 https://github.com/bro/bro/pull/46
[8] albertzaharovits https://github.com/albertzaharovits
[9] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10] Pull Request #1 https://github.com/bro/broctl/pull/1
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From: noreply at bro.org (Merge Tracker)
Date: Mon, 9 Nov 2015 00:00:26 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511090800.tA980Qk6027433@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ------------  -------------  ------------  ----------  -----------  --------  ---------------------------------------------
BIT-1505 [1]  Broker        Jon Siwek      -             2015-11-06  -            Normal    topic/jsiwek/sse2-config-check [2]
BIT-1503 [3]  Bro           dop            -             2015-11-05  2.5          Normal    vlan-logging.bro assumes c$conn exists
BIT-1499 [4]  Bro,Broccoli  Seth Hall      -             2015-11-05  2.5          Normal    Updates for newer version of OpenSSL/LibreSSL
BIT-1489 [5]  BroControl    Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [6]

Open GitHub Pull Requests
=========================

Issue     Component  User                  Updated     Title
--------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#46 [7]   bro        albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]   broctl     J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1] BIT-1505 https://bro-tracker.atlassian.net/browse/BIT-1505
[2] sse2-config-check https://github.com/bro/broker/tree/topic/jsiwek/sse2-config-check
[3] BIT-1503 https://bro-tracker.atlassian.net/browse/BIT-1503
[4] BIT-1499 https://bro-tracker.atlassian.net/browse/BIT-1499
[5] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[6] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[7] Pull Request #46 https://github.com/bro/bro/pull/46
[8] albertzaharovits https://github.com/albertzaharovits
[9] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10] Pull Request #1 https://github.com/bro/broctl/pull/1
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From: noreply at bro.org (Merge Tracker)
Date: Tue, 10 Nov 2015 00:00:23 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511100800.tAA80Nkr018201@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ------------  -------------  ------------  ----------  -----------  --------  ---------------------------------------------
BIT-1505 [1]  Broker        Jon Siwek      -             2015-11-06  -            Normal    topic/jsiwek/sse2-config-check [2]
BIT-1503 [3]  Bro           dop            -             2015-11-05  2.5          Normal    vlan-logging.bro assumes c$conn exists
BIT-1499 [4]  Bro,Broccoli  Seth Hall      -             2015-11-05  2.5          Normal    Updates for newer version of OpenSSL/LibreSSL
BIT-1489 [5]  BroControl    Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [6]

Open GitHub Pull Requests
=========================

Issue     Component  User                  Updated     Title
--------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#46 [7]   bro        albertzaharovits [8]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [9]
#1 [10]   broctl     J-Gras [11]           2015-10-24  Added support for Pcap options [12]

[1] BIT-1505 https://bro-tracker.atlassian.net/browse/BIT-1505
[2] sse2-config-check https://github.com/bro/broker/tree/topic/jsiwek/sse2-config-check
[3] BIT-1503 https://bro-tracker.atlassian.net/browse/BIT-1503
[4] BIT-1499 https://bro-tracker.atlassian.net/browse/BIT-1499
[5] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[6] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[7] Pull Request #46 https://github.com/bro/bro/pull/46
[8] albertzaharovits https://github.com/albertzaharovits
[9] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[10] Pull Request #1 https://github.com/bro/broctl/pull/1
[11] J-Gras https://github.com/J-Gras
[12] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Tue, 10 Nov 2015 12:00:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

Vlad Grigorescu created BIT-1506:
------------------------------------

             Summary: Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
                 Key: BIT-1506
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1506
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
            Reporter: Vlad Grigorescu

It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X 10.11), and now Bro fails to build on OS X. Apple's recommendation is that we either include a copy of OpenSSL ourselves or we use their Secure Transport API.

[1] -

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 10 Nov 2015 15:19:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1505) topic/jsiwek/sse2-config-check
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1505:
---------------------------------

    Assignee: Robin Sommer

> topic/jsiwek/sse2-config-check
> ------------------------------
>
>              Key: BIT-1505
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1505
>          Project: Bro Issue Tracker
>       Issue Type: Improvement
>       Components: Broker
>         Reporter: Jon Siwek
>         Assignee: Robin Sommer
>
>
> A couple of places in Broker used SSE2 intrinsics without actually checking if the platform supports them; this branch adds a config-time check to preprocess them out.
> And unrelated, also fixed a unit test failure I never noticed before (maybe I'm the first one to test on OS X 10.11).

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 10 Nov 2015 15:21:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1503) vlan-logging.bro assumes c$conn exists
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1503:
---------------------------------

    Assignee: Robin Sommer

> vlan-logging.bro assumes c$conn exists
> --------------------------------------
>
>              Key: BIT-1503
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1503
>          Project: Bro Issue Tracker
>       Issue Type: Improvement
>       Components: Bro
> Affects Versions: git/master
>      Environment: git/master, CentOS 7, vlan tagged pcap.
>         Reporter: dop
>         Assignee: Robin Sommer
>           Labels: vlan
>          Fix For: 2.5
>
>
> policy/protocols/conn/vlan-logging.bro
> When testing against random pcaps you'll get tons of errors like:
> 1446562801.530502 expression error in /usr/local/bro/share/bro/policy/protocols/conn/vlan-logging.bro, line 21: field value missing [Conn::c$conn]
> Adding a c?$conn condition removes that annoyance.
> -Dop

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

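The guard the report asks for, written out as an added Bro script example (this is not the project's vlan-logging.bro): it assumes the connection record carries optional vlan and inner_vlan fields and names the redef'd Conn::Info fields the same way.

```bro
# Added example, not the project's vlan-logging.bro. Assumed: the connection
# record has the optional fields vlan and inner_vlan (as on git/master).
@load base/protocols/conn

redef record Conn::Info += {
	## Outer VLAN tag of the connection, if there was one.
	vlan: int &log &optional;
	## Inner VLAN tag (QinQ), if there was one.
	inner_vlan: int &log &optional;
};

event connection_state_remove(c: connection)
	{
	# c$conn is an &optional field that the conn scripts attach once they
	# have built the Conn::Info record. If this handler runs for a
	# connection where that has not happened, writing through c$conn
	# unguarded raises exactly the error quoted in the ticket:
	#   expression error ... field value missing [Conn::c$conn]
	# The c?$conn test makes the handler a no-op in that case.
	if ( ! c?$conn )
		return;

	if ( c?$vlan )
		c$conn$vlan = c$vlan;

	if ( c?$inner_vlan )
		c$conn$inner_vlan = c$inner_vlan;
	}
```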
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 10 Nov 2015 15:22:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1499:
---------------------------------

    Assignee: Robin Sommer

> Updates for newer version of OpenSSL/LibreSSL
> ---------------------------------------------
>
>              Key: BIT-1499
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1499
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro, Broccoli
> Affects Versions: git/master
>         Reporter: Seth Hall
>         Assignee: Robin Sommer
>          Fix For: 2.5
>
>      Attachments: patch-aux_broccoli_src_bro__openssl.c, patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
> {quote}Currently bro fails to build when openssl libraries have been built
> without SSLv3 (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
> The patches are attached. Fortunately all of this code is slated to be removed, but it does introduce the question of how we manage this moving forward. I'd like to avoid having to add compiler directives to use alternate implementations and detect which version of OpenSSL someone has installed.
> Alternately, what does everyone think about deprecating the existing communication mechanism by making it a configure-time option? We can just not compile those by default, which means that almost everyone would just see everything work correctly and our effort would be minimal. People that need the existing built-in communication can still deal with the complications of compiling Bro with the option and having the correct version of OpenSSL.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 10 Nov 2015 15:37:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22812#comment-22812 ]

Robin Sommer commented on BIT-1499:
-----------------------------------

A configure-time option for the old communication framework wouldn't be easy to do. Don't think it's worth the effort (just disabling the SSL piece would be easier, but still).

> Updates for newer version of OpenSSL/LibreSSL
> ---------------------------------------------
>
>              Key: BIT-1499
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1499
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro, Broccoli
> Affects Versions: git/master
>         Reporter: Seth Hall
>         Assignee: Robin Sommer
>          Fix For: 2.5
>
>      Attachments: patch-aux_broccoli_src_bro__openssl.c, patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
> {quote}Currently bro fails to build when openssl libraries have been built
> without SSLv3 (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
> The patches are attached. Fortunately all of this code is slated to be removed, but it does introduce the question of how we manage this moving forward. I'd like to avoid having to add compiler directives to use alternate implementations and detect which version of OpenSSL someone has installed.
> Alternately, what does everyone think about deprecating the existing communication mechanism by making it a configure-time option? We can just not compile those by default, which means that almost everyone would just see everything work correctly and our effort would be minimal. People that need the existing built-in communication can still deal with the complications of compiling Bro with the option and having the correct version of OpenSSL.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 10 Nov 2015 15:58:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1503) vlan-logging.bro assumes c$conn exists
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1503:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> vlan-logging.bro assumes c$conn exists
> --------------------------------------
>
>              Key: BIT-1503
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1503
>          Project: Bro Issue Tracker
>       Issue Type: Improvement
>       Components: Bro
> Affects Versions: git/master
>      Environment: git/master, CentOS 7, vlan tagged pcap.
>         Reporter: dop
>         Assignee: Robin Sommer
>           Labels: vlan
>          Fix For: 2.5
>
>
> policy/protocols/conn/vlan-logging.bro
> When testing against random pcaps you'll get tons of errors like:
> 1446562801.530502 expression error in /usr/local/bro/share/bro/policy/protocols/conn/vlan-logging.bro, line 21: field value missing [Conn::c$conn]
> Adding a c?$conn condition removes that annoyance.
> -Dop

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 10 Nov 2015 15:59:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1505) topic/jsiwek/sse2-config-check
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1505:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> topic/jsiwek/sse2-config-check
> ------------------------------
>
>              Key: BIT-1505
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1505
>          Project: Bro Issue Tracker
>       Issue Type: Improvement
>       Components: Broker
>         Reporter: Jon Siwek
>         Assignee: Robin Sommer
>
>
> A couple of places in Broker used SSE2 intrinsics without actually checking if the platform supports them; this branch adds a config-time check to preprocess them out.
> And unrelated, also fixed a unit test failure I never noticed before (maybe I'm the first one to test on OS X 10.11).

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: noreply at bro.org (Merge Tracker)
Date: Wed, 11 Nov 2015 00:00:28 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511110800.tAB80Sjs004161@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component     Reporter       Assignee      Updated     For Version  Priority  Summary
------------  ------------  -------------  ------------  ----------  -----------  --------  ---------------------------------------------
BIT-1499 [1]  Bro,Broccoli  Seth Hall      Robin Sommer  2015-11-10  2.5          Normal    Updates for newer version of OpenSSL/LibreSSL
BIT-1489 [2]  BroControl    Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [3]

Open GitHub Pull Requests
=========================

Issue     Component  User                  Updated     Title
--------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#46 [4]   bro        albertzaharovits [5]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [6]
#1 [7]    broctl     J-Gras [8]            2015-10-24  Added support for Pcap options [9]

[1] BIT-1499 https://bro-tracker.atlassian.net/browse/BIT-1499
[2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489
[3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[4] Pull Request #46 https://github.com/bro/bro/pull/46
[5] albertzaharovits https://github.com/albertzaharovits
[6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[7] Pull Request #1 https://github.com/bro/broctl/pull/1
[8] J-Gras https://github.com/J-Gras
[9] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 11 Nov 2015 02:06:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22813#comment-22813 ]

Johanna Amann commented on BIT-1506:
------------------------------------

I think this actually is not really a problem - we already require the installation of 3rd-party utilities if you want to build Bro on OS X (at least cmake and swig). So - all we really have to do is to add openssl to that list in https://www.bro.org/sphinx-git/install/install.html.

I really do not think that we want to do either of shipping OpenSSL with bro or using their Secure Transport API.

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
>              Key: BIT-1506
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1506
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: 2.4
>         Reporter: Vlad Grigorescu
>          Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 11 Nov 2015 02:06:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1506:
-------------------------------

    Fix Version/s: 2.5

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
>              Key: BIT-1506
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1506
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: 2.4
>         Reporter: Vlad Grigorescu
>          Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Wed, 11 Nov 2015 04:44:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1507) Intel framework does not match mail addresses properly
In-Reply-To:
References:
Message-ID:

Jan Grashoefer created BIT-1507:
-----------------------------------

             Summary: Intel framework does not match mail addresses properly
                 Key: BIT-1507
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1507
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
         Environment: All
            Reporter: Jan Grashoefer
            Priority: Low

Some time ago someone in #bro asked for matching mail addresses using the intel-framework. We realized that the [seen-script|https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/smtp.bro] seems to contain a bug: Using

{code}split_string_n(mail_address, /<.+>/, T, 1){code}

to extract a mail address misses the last character and does not respect the possibility of multiple addresses. I will add a pcap later.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

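An extraction routine that avoids both problems the report names (the truncated last character and only the first address being seen), as an added Bro script example that is not the seen-script's own code; the header value it runs on is constructed for illustration.

```bro
# Added example, not the Intel framework's seen/smtp.bro.

# Return every mail address found in one header value such as
#   "Alice <alice@example.com>, Bob <bob@example.org>"
function extract_mail_addrs(hdr: string): set[string]
	{
	local addrs: set[string];

	# Bracketed form: [^>]+ cannot run past the closing '>', so two
	# addresses on the same line stay separate, and find_all yields every
	# non-overlapping match instead of only the first one.
	for ( m in find_all(hdr, /<[^>]+>/) )
		add addrs[gsub(m, /[<>]/, "")];   # strip '<' and '>', keeping the full address

	# Bare form without angle brackets (assumed header style), only
	# consulted when no bracketed address was present.
	if ( |addrs| == 0 )
		{
		for ( m in find_all(hdr, /[^ ,<>]+@[^ ,<>]+/) )
			add addrs[m];
		}

	return addrs;
	}

event bro_init()
	{
	# Constructed sample header value.
	local sample = "Alice <alice@example.com>, Bob <bob@example.org>";

	for ( a in extract_mail_addrs(sample) )
		print a;   # alice@example.com and bob@example.org, nothing cut off
	}
```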
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 11 Nov 2015 09:56:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1499) Updates for newer version of OpenSSL/LibreSSL
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1499:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Updates for newer version of OpenSSL/LibreSSL
> ---------------------------------------------
>
>              Key: BIT-1499
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1499
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro, Broccoli
> Affects Versions: git/master
>         Reporter: Seth Hall
>         Assignee: Robin Sommer
>          Fix For: 2.5
>
>      Attachments: patch-aux_broccoli_src_bro__openssl.c, patch-src_ChunkedIO.cc
>
>
> A comment from Christoph Pietsch:
> {quote}Currently bro fails to build when openssl libraries have been built
> without SSLv3 (configure --no-ssl2 --nossl3). This has
> surfaced when building with the latest LibreSSL 2.3.
> Attached patches address all these issues. These can be improved upon
> by using only SSLv23_ methods or even TLS_ methods and setting
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSL2 | SSL_OP_NO_SSL3) but I've
> tried to make the patches minimally intrusive. OpenSSL 1.1.0 will
> deprecate SSLv23_ methods and introduces compatible TLS_ methods.{quote}
> The patches are attached. Fortunately all of this code is slated to be removed, but it does introduce the question of how we manage this moving forward. I'd like to avoid having to add compiler directives to use alternate implementations and detect which version of OpenSSL someone has installed.
> Alternately, what does everyone think about deprecating the existing communication mechanism by making it a configure-time option? We can just not compile those by default, which means that almost everyone would just see everything work correctly and our effort would be minimal. People that need the existing built-in communication can still deal with the complications of compiling Bro with the option and having the correct version of OpenSSL.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Wed, 11 Nov 2015 12:08:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22814#comment-22814 ]

Adam Slagell commented on BIT-1506:
-----------------------------------

I think it is actually more complicated, and we have several options.

First, they still ship openssl 0.9.8 and maintain updates to it. This is what ssh on 10.11 uses. So if we have someone bring in their own version, they have to deal with multiple versions and keep openssl up-to-date themselves. I don't worry about that for SWIG, but I do worry about it given openssl's track record on security. Especially since most of these package managers like fink, mac ports, and homebrew don't stay on top of updates.

We could bring our own 0.9.8 headers and rely on Apple to update openssl the next time there is a critical update.

We could also compile statically for the binaries we provide and leave those who compile on their own, but that is owning someone else's problem in a not very maintainable way.

I don't know, I kind of lean towards bringing our own header for Mac, but I don't like any of the solutions. Maybe it is just the user's problem to install and update openssl.

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
>              Key: BIT-1506
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1506
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: 2.4
>         Reporter: Vlad Grigorescu
>          Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 11 Nov 2015 16:41:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22815#comment-22815 ]

Johanna Amann commented on BIT-1506:
------------------------------------

Actually, just from my experience, the package managers are really unproblematic with openssl. I have only used brew and macports -- but they both seem to always update openssl rapidly - and I have so far not really had problems with the several different versions simultaneously existing (but my pain threshold might be higher than other people's). In any case - apple themselves seemed to be way slower in applying updates than any of the package managers.

We do not provide mac binaries anymore, so we do not have a problem in that regard.

We could potentially provide headers for the mac version of OpenSSL - but I am really not sure I like that and what kind of breaking it could entail if versions change...

> Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal
> ---------------------------------------------------------------------------
>
>              Key: BIT-1506
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1506
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: 2.4
>         Reporter: Vlad Grigorescu
>          Fix For: 2.5
>
>
> It looks like Apple removed the OpenSSL headers with El Capitan[1] (OS X
> 10.11), and now Bro fails to build on OS X. Apple's recommendation is
> that we either include a copy of OpenSSL ourselves or we use their
> Secure Transport API.
> [1] -

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From: noreply at bro.org (Merge Tracker)
Date: Thu, 12 Nov 2015 00:00:32 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511120800.tAC80WTv022888@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
  ------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
  BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

  Issue    Component  User                  Updated     Title
  -------  ---------  --------------------  ----------  ------------------------------------------------------------------------
  #46 [3]  bro        albertzaharovits [4]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
  #1 [6]   broctl     J-Gras [7]            2015-10-24  Added support for Pcap options [8]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Thu Nov 12 10:08:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 12 Nov 2015 12:08:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1508) Only identify Teredo connections once both sides have talked

Seth Hall created BIT-1508:
------------------------------

             Summary: Only identify Teredo connections once both sides have talked
                 Key: BIT-1508
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1508
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Seth Hall

Currently Bro will create a tunnel.log if a host sends a Teredo packet. I think we should make it require more than a single packet from a single host before we indicate in the tunnel.log that a Teredo connection is established (both sides should be required to talk before the identification is made).

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From noreply at bro.org Fri Nov 13 00:00:34 2015
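The "both sides must talk" rule proposed in BIT-1508, modelled as a small per-flow state machine. This is an added example written for this page, not Bro's tunnel analyzer: the packet records are constructed, the Teredo sniff test only looks at the UDP port (3544) and the first bytes of the payload (an authentication or origin indicator, or an IPv6 header), and `TeredoTracker` stands in for whatever Bro would do when it decides to write a tunnel.log entry. Run with `require_both_sides=False` to see the single-packet behaviour the ticket complains about (a lone scanner probe gets logged), and with `True` for the proposed behaviour.

```python
"""Teredo tunnel identification that waits for both endpoints to talk.

Added example, not Bro's own code. Sample traffic is constructed.
"""
from dataclasses import dataclass, field

TEREDO_PORT = 3544              # IANA-assigned Teredo port (RFC 4380)
AUTH_INDICATOR = b"\x00\x01"    # Teredo authentication indicator
ORIGIN_INDICATOR = b"\x00\x00"  # Teredo origin indicator
IPV6_HEADER_LEN = 40


def looks_like_teredo(payload: bytes) -> bool:
    """Heuristic on a UDP payload: Teredo datagrams start with an
    indicator header or directly with an IPv6 header (version nibble 6)."""
    if len(payload) < 2:
        return False
    if payload[:2] in (AUTH_INDICATOR, ORIGIN_INDICATOR):
        return True
    return len(payload) >= IPV6_HEADER_LEN and (payload[0] >> 4) == 6


@dataclass
class FlowState:
    senders: set = field(default_factory=set)  # endpoints seen sending Teredo
    logged: bool = False


class TeredoTracker:
    """One tunnel-log entry per UDP flow. With require_both_sides=True the
    entry is written only after Teredo traffic was seen from both endpoints
    (the ticket's proposal); with False a single packet is enough."""

    def __init__(self, require_both_sides: bool = True):
        self.require_both_sides = require_both_sides
        self.flows = {}
        self.tunnel_log = []

    def packet(self, src, sport, dst, dport, payload):
        """Feed one UDP packet; returns the flow key when a tunnel-log entry
        is written for it, otherwise None."""
        if TEREDO_PORT not in (sport, dport) or not looks_like_teredo(payload):
            return None
        sender = (src, sport)
        key = tuple(sorted([sender, (dst, dport)]))  # direction-independent key
        state = self.flows.setdefault(key, FlowState())
        state.senders.add(sender)
        if state.logged:
            return None
        if self.require_both_sides and len(state.senders) < 2:
            return None
        state.logged = True
        self.tunnel_log.append(key)
        return key


# Constructed sample traffic: a client's router solicitation carrying an
# authentication indicator (13 bytes with empty ID/auth fields) in front of
# the IPv6 header, the server's reply carrying an origin indicator
# (8 bytes), and one unanswered probe from a scanner.
CLIENT, SERVER, SCANNER = "192.0.2.10", "198.51.100.1", "203.0.113.7"
IPV6_STUB = b"\x60" + b"\x00" * 39
SAMPLE_PACKETS = [
    (CLIENT, 3544, SERVER, 3544, AUTH_INDICATOR + b"\x00" * 11 + IPV6_STUB),
    (SERVER, 3544, CLIENT, 3544, ORIGIN_INDICATOR + b"\x00" * 6 + IPV6_STUB),
    (SCANNER, 40000, SERVER, 3544, IPV6_STUB),
]


def run(packets, require_both_sides: bool) -> list:
    """Replay packets and return the flows that made it into tunnel.log."""
    tracker = TeredoTracker(require_both_sides)
    for pkt in packets:
        tracker.packet(*pkt)
    return tracker.tunnel_log


if __name__ == "__main__":
    print("single-packet rule:", run(SAMPLE_PACKETS, False))
    print("both-sides rule   :", run(SAMPLE_PACKETS, True))
```

The key is built from the sorted endpoint pair so that the reply is attributed to the same flow as the request; `senders` then records which of the two endpoints has actually emitted Teredo, which is what the ticket asks to wait for.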
From: noreply at bro.org (Merge Tracker)
Date: Fri, 13 Nov 2015 00:00:34 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511130800.tAD80YEO006346@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
  ------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
  BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

  Issue    Component  User                  Updated     Title
  -------  ---------  --------------------  ----------  ------------------------------------------------------------------------
  #46 [3]  bro        albertzaharovits [4]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
  #1 [6]   broctl     J-Gras [7]            2015-10-24  Added support for Pcap options [8]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Fri Nov 13 08:28:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 13 Nov 2015 10:28:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1509) Library search problem with make-rpm-packages

Robin Sommer created BIT-1509:
---------------------------------

             Summary: Library search problem with make-rpm-packages
                 Key: BIT-1509
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1509
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BroControl
            Reporter: Robin Sommer
             Fix For: 2.5

The "full Bro" RPM that make-rpm-packages builds puts broccoli.so into /opt/bro/lib, but doesn't make sure that BroControl can actually find it there, letting the "import broccoli" fail. It sounds like this used to work in 2.3, but not anymore in 2.4.

I don't know if we want to support the RPM script going forward, given that we've switched to the SuSE build service. But as long as we keep shipping it, it would be nice if it "just worked".

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Fri Nov 13 12:28:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 13 Nov 2015 14:28:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

Seth Hall created BIT-1510:
------------------------------

             Summary: Crash reports when no crash happened
                 Key: BIT-1510
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1510
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Seth Hall

We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.

The crash report typically has the following text and no backtrace:

{{==== stderr.log
KILLED
received termination signal
}}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Fri Nov 13 12:30:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 13 Nov 2015 14:30:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

[ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1510:
---------------------------

    Description:
We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.

The crash report typically has the following text and no backtrace:

==== stderr.log
KILLED
received termination signal

    was:
We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.

The crash report typically has the following text and no backtrace:

{{==== stderr.log
KILLED
received termination signal}}

> Crash reports when no crash happened
> ------------------------------------
>
>                 Key: BIT-1510
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1510
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>
> We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.
> The crash report typically has the following text and no backtrace:
> ==== stderr.log
> KILLED
> received termination signal

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Fri Nov 13 12:30:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 13 Nov 2015 14:30:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

[ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1510:
---------------------------

    Description:
We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.

The crash report typically has the following text and no backtrace:

{{==== stderr.log
KILLED
received termination signal}}

    was:
We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.

The crash report typically has the following text and no backtrace:

{{==== stderr.log
KILLED
received termination signal
}}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Fri Nov 13 12:33:00 2015
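One way to make the "was this a crash?" decision the ticket asks for, as an added example rather than BroControl's own logic. It assumes the POSIX wait-status layout used by Linux and the BSDs (low 7 bits = terminating signal, bit 7 = core dumped, bits 8-15 = exit code), that a clean stop leaves the `received termination signal` / `KILLED` lines quoted in the ticket in stderr.log, and that a real crash shows up as a crash signal, a core dump, or gdb-style backtrace frames (`#0  0x...`). The backtrace format is a modelling choice here; the ticket only says that the false reports carry no backtrace. The stderr samples are constructed.

```python
"""Suppress crash reports for deliberate signal shutdowns.

Added example, not BroControl's code; wait-status layout and the
backtrace pattern are assumptions stated in the text above.
"""
import re
import signal

STOP_SIGNALS = {int(signal.SIGTERM), int(signal.SIGINT), int(getattr(signal, "SIGKILL", 9))}
CRASH_SIGNALS = {int(signal.SIGSEGV), int(signal.SIGABRT), int(signal.SIGFPE),
                 int(signal.SIGILL), int(getattr(signal, "SIGBUS", 7))}
STOP_MARKERS = ("received termination signal", "KILLED")   # from the ticket's stderr.log
BACKTRACE_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+", re.MULTILINE)  # gdb frame lines (assumed)


def decode_wait_status(status: int) -> dict:
    """Split a wait(2) status into its signal / core / exit-code parts."""
    sig = status & 0x7F
    return {
        "signal": sig or None,
        "core_dumped": bool(status & 0x80),
        "exit_code": (status >> 8) & 0xFF if sig == 0 else None,
    }


def make_wait_status(exit_code: int = 0, sig: int = 0, core: bool = False) -> int:
    """Inverse of decode_wait_status; used to build sample statuses."""
    if sig:
        return (sig & 0x7F) | (0x80 if core else 0)
    return (exit_code & 0xFF) << 8


def should_send_crash_report(status: int, stderr_text: str) -> tuple:
    """Return (send_report, reason). A stop signal plus the shutdown marker
    in stderr is a deliberate stop; everything else that is not a clean
    exit gets reported."""
    info = decode_wait_status(status)
    sig = info["signal"]
    if sig is None:
        if info["exit_code"] == 0:
            return (False, "exited normally")
        return (True, f"non-zero exit status {info['exit_code']}")
    if sig in CRASH_SIGNALS or info["core_dumped"]:
        return (True, f"crash signal {sig}")
    if BACKTRACE_RE.search(stderr_text):
        return (True, "backtrace present")
    if sig in STOP_SIGNALS and any(m in stderr_text for m in STOP_MARKERS):
        return (False, f"stopped by signal {sig}")
    return (True, f"unexpected signal {sig}")


# Constructed stderr.log contents: the ticket's clean-stop text, and a
# fabricated two-frame backtrace with no real symbol names.
SAMPLE_CLEAN_STOP = "==== stderr.log\nKILLED\nreceived termination signal\n"
SAMPLE_CRASH = "==== stderr.log\n#0  0x00007f3c1a2b3c4d in ?? ()\n#1  0x0000000000401234 in ?? ()\n"


if __name__ == "__main__":
    for label, status, text in [
        ("broctl stop (SIGTERM)", make_wait_status(sig=int(signal.SIGTERM)), SAMPLE_CLEAN_STOP),
        ("segfault with core", make_wait_status(sig=int(signal.SIGSEGV), core=True), ""),
        ("clean exit", make_wait_status(exit_code=0), ""),
    ]:
        print(f"{label:22s} -> {should_send_crash_report(status, text)}")
```

The order of the checks matters: a core dump or crash signal wins even if the shutdown marker happens to be present, so a Bro that segfaults while handling SIGTERM still produces a report.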
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 13 Nov 2015 14:33:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22816#comment-22816 ]

Seth Hall commented on BIT-1506:
--------------------------------

I agree with Johanna. I've never had any trouble and I think we should just close this ticket since Mac OS X isn't exactly a formally supported OS anyway.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Fri Nov 13 12:39:00 2015
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Fri, 13 Nov 2015 14:39:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22817#comment-22817 ]

Vlad Grigorescu commented on BIT-1506:
--------------------------------------

Realistically, no one really runs Bro on OS X. But it is prominently labelled as a supported OS. From the downloads page: "Bro requires a Unix platform. We support Linux, FreeBSD, and Mac OS X, both 32-bit and 64-bit."

Really, I think this just requires an update to our requirements: https://www.bro.org/sphinx/install/install.html#required-dependencies

At the same time, it might be worth expanding on what exactly we support (e.g. Linux kernel versions > X, do we still need 32-bit support, etc?)

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Fri Nov 13 12:46:00 2015
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Fri, 13 Nov 2015 14:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22818#comment-22818 ]

Adam Slagell commented on BIT-1506:
-----------------------------------

Agreed, just update the dependencies. People probably won't keep OpenSSL updated well on Mac, but not really our problem. And Mac isn't exactly where it is run in production.

I don't think we want to say 32 or 64-bit. I would instead keep it general and not go into specific versions or distributions because we won't be good about maintaining that. Just say FreeBSD, Mac, and Linux (GNU/Linux if you want to make RMS happy :-)

If we provide binaries on Mac still, we might want to statically link OpenSSL.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From noreply at bro.org Sat Nov 14 00:00:33 2015
From: noreply at bro.org (Merge Tracker)
Date: Sat, 14 Nov 2015 00:00:33 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511140800.tAE80XSD002411@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
  ------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
  BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

  Issue    Component  User                  Updated     Title
  -------  ---------  --------------------  ----------  ------------------------------------------------------------------------
  #46 [3]  bro        albertzaharovits [4]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
  #1 [6]   broctl     J-Gras [7]            2015-10-24  Added support for Pcap options [8]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From noreply at bro.org Sun Nov 15 00:00:32 2015
From: noreply at bro.org (Merge Tracker)
Date: Sun, 15 Nov 2015 00:00:32 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511150800.tAF80Wn1027599@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
  ------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
  BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

  Issue    Component  User                  Updated     Title
  -------  ---------  --------------------  ----------  ------------------------------------------------------------------------
  #46 [3]  bro        albertzaharovits [4]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
  #1 [6]   broctl     J-Gras [7]            2015-10-24  Added support for Pcap options [8]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Sun Nov 15 17:12:00 2015
From: jira at bro-tracker.atlassian.net (Nicolas Merle (JIRA))
Date: Sun, 15 Nov 2015 19:12:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1511) BroControl unable to recognize adr in ifconfig

Nicolas Merle created BIT-1511:
----------------------------------

             Summary: BroControl unable to recognize adr in ifconfig
                 Key: BIT-1511
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1511
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BroControl
    Affects Versions: 2.3
         Environment: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1+deb8u6 (2015-11-09) x86_64 GNU/Linux
                      Debian Jessie
            Reporter: Nicolas Merle

Since recently, ifconfig in Debian shows IP addresses starting with "adr" and not "addr" as before, and so when using ''broctl check'' in a local cluster configuration it doesn't work and you get the error: "Error: must run broctl only on manager node broctl check"

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From noreply at bro.org Mon Nov 16 00:00:28 2015
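The failure in BIT-1511 is a locale-dependent parse of ifconfig output: "inet addr:" becomes "inet adr:" under a French locale, so an exact-string match no longer finds the address and BroControl concludes it is not on the manager node. Below is an added example, not BroControl's code, of extracting IPv4 addresses in a way that tolerates translated labels and the newer net-tools output format as well, plus the more robust fix of forcing the C locale when ifconfig is invoked. The three sample outputs are constructed; the address `10.0.0.5` and the interface names are placeholders.

```python
"""Locale-tolerant extraction of local IPv4 addresses from ifconfig output.

Added example, not BroControl's code. The sample outputs are constructed
to mimic net-tools 1.x in the C locale ("inet addr:"), net-tools 1.x in a
French locale ("inet adr:", the case in the ticket), and net-tools 2.x
("inet 10.0.0.5  netmask ...").
"""
import ipaddress
import os
import re
import subprocess

# "inet" as a whole word (so "inet6" is skipped), then an optional
# translated label such as addr/adr, an optional colon, then the address.
INET4_RE = re.compile(r"\binet\b\s*(?:[A-Za-z]+)?:?\s*(\d{1,3}(?:\.\d{1,3}){3})")


def parse_ifconfig_addrs(text: str) -> list:
    """Return the valid IPv4 addresses in ifconfig output, in order, deduplicated."""
    found = []
    for match in INET4_RE.finditer(text):
        try:
            addr = str(ipaddress.IPv4Address(match.group(1)))
        except ipaddress.AddressValueError:
            continue                       # something that merely looked like a dotted quad
        if addr not in found:
            found.append(addr)
    return found


def is_manager_node(local_addrs, manager_addr: str) -> bool:
    """The check broctl performs, reduced to its essence: is the manager's
    configured address one of this host's addresses?"""
    return manager_addr in local_addrs


def local_ipv4_addrs() -> list:
    """Runtime helper (nothing below calls it): run ifconfig with the C
    locale forced so its labels are never translated, then parse."""
    env = dict(os.environ, LC_ALL="C", LANG="C")
    proc = subprocess.run(["ifconfig", "-a"], capture_output=True, text=True, env=env, check=False)
    return parse_ifconfig_addrs(proc.stdout)


SAMPLE_C_LOCALE = """eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""
SAMPLE_FRENCH = """eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet adr:10.0.0.5  Bcast:10.0.0.255  Masque:255.255.255.0
          adr inet6: fe80::211:22ff:fe33:4455/64 Scope:Lien
lo        Link encap:Boucle locale
          inet adr:127.0.0.1  Masque:255.0.0.0
"""
SAMPLE_NETTOOLS2 = """eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.5  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::211:22ff:fe33:4455  prefixlen 64  scopeid 0x20<link>
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""

if __name__ == "__main__":
    for name, sample in [("C locale", SAMPLE_C_LOCALE), ("French", SAMPLE_FRENCH), ("net-tools 2", SAMPLE_NETTOOLS2)]:
        addrs = parse_ifconfig_addrs(sample)
        print(f"{name:12s} {addrs}  manager? {is_manager_node(addrs, '10.0.0.5')}")
```

Parsing the translated output is a fallback; the dependable fix is the `LC_ALL=C` environment in `local_ipv4_addrs()`, since any program whose output is parsed should be run with a known locale. On Linux, `ip -o -4 addr` gives a stable, machine-oriented format and avoids the problem entirely.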
From: noreply at bro.org (Merge Tracker)
Date: Mon, 16 Nov 2015 00:00:28 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511160800.tAG80St1019537@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
  ------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
  BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

  Issue    Component  User                  Updated     Title
  -------  ---------  --------------------  ----------  ------------------------------------------------------------------------
  #46 [3]  bro        albertzaharovits [4]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
  #1 [6]   broctl     J-Gras [7]            2015-10-24  Added support for Pcap options [8]
  #2 [9]   btest      fabaff [10]           2015-11-15  Update to match PEP3110 [11]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config
[9] Pull Request #2   https://github.com/bro/btest/pull/2
[10] fabaff           https://github.com/fabaff
[11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/fabaff/btest.git master

From jira at bro-tracker.atlassian.net Mon Nov 16 13:40:00 2015
From: jira at bro-tracker.atlassian.net (Vern Paxson (JIRA))
Date: Mon, 16 Nov 2015 15:40:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1506) Bro fails to build on OS X 10.11 (El Capitan) due to OpenSSL header removal

[ https://bro-tracker.atlassian.net/browse/BIT-1506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22900#comment-22900 ]

Vern Paxson commented on BIT-1506:
----------------------------------

@Vlad: _au contraire_. Maybe no one runs Bro on OS X for live traffic, but certainly there are those of us who routinely use it offline under OS X both for development and to munch on traces.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From noreply at bro.org Tue Nov 17 00:00:31 2015
From: noreply at bro.org (Merge Tracker)
Date: Tue, 17 Nov 2015 00:00:31 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511170800.tAH80V7g021838@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
  ------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
  BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

  Issue    Component  User                  Updated     Title
  -------  ---------  --------------------  ----------  ------------------------------------------------------------------------
  #46 [3]  bro        albertzaharovits [4]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
  #1 [6]   broctl     J-Gras [7]            2015-10-24  Added support for Pcap options [8]
  #2 [9]   btest      fabaff [10]           2015-11-15  Update to match PEP3110 [11]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config
[9] Pull Request #2   https://github.com/bro/btest/pull/2
[10] fabaff           https://github.com/fabaff
[11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/fabaff/btest.git master

From jira at bro-tracker.atlassian.net Tue Nov 17 07:03:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 17 Nov 2015 09:03:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1512) make package installs broken broccoli bindings

Justin Azoff created BIT-1512:
---------------------------------

             Summary: make package installs broken broccoli bindings
                 Key: BIT-1512
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1512
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: broccoli-python
    Affects Versions: 2.4
            Reporter: Justin Azoff
            Priority: Low

Installed via make install

{code}
[jazoff at bro-dev broctl]$ ldd _broccoli_intern.so |grep bro
        libbroccoli.so.5 => /usr/local/bro/lib/libbroccoli.so.5 (0x00007fcc56b7b000)
[jazoff at bro-dev broctl]$ readelf -d _broccoli_intern.so |grep -i rpath
 0x000000000000000f (RPATH)              Library rpath: [/usr/local/bro/lib]
[jazoff at bro-dev broctl]$
{code}

Installed via rpm via make package

{code}
[jazoff at bro-prod broctl]$ ldd _broccoli_intern.so |grep bro
        libbroccoli.so.5 => not found
[jazoff at bro-prod broctl]$ readelf -d _broccoli_intern.so|grep -i rpath
{code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Tue Nov 17 10:50:00 2015
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 17 Nov 2015 12:50:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1512) make package installs broken broccoli bindings

[ https://bro-tracker.atlassian.net/browse/BIT-1512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22901#comment-22901 ]

Robin Sommer commented on BIT-1512:
-----------------------------------

Looks like the same as BIT-1509

> make package installs broken broccoli bindings
> ----------------------------------------------
>
>                 Key: BIT-1512
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1512
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: broccoli-python
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Priority: Low
>              Labels: broccoli, broctl, build, packaging
>
> Installed via make install
> {code}
> [jazoff at bro-dev broctl]$ ldd _broccoli_intern.so |grep bro
>         libbroccoli.so.5 => /usr/local/bro/lib/libbroccoli.so.5 (0x00007fcc56b7b000)
> [jazoff at bro-dev broctl]$ readelf -d _broccoli_intern.so |grep -i rpath
>  0x000000000000000f (RPATH)              Library rpath: [/usr/local/bro/lib]
> [jazoff at bro-dev broctl]$
> {code}
> Installed via rpm via make package
> {code}
> [jazoff at bro-prod broctl]$ ldd _broccoli_intern.so |grep bro
>         libbroccoli.so.5 => not found
> [jazoff at bro-prod broctl]$ readelf -d _broccoli_intern.so|grep -i rpath
> {code}

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From jira at bro-tracker.atlassian.net Tue Nov 17 10:56:00 2015
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 17 Nov 2015 12:56:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1512) make package installs broken broccoli bindings

[ https://bro-tracker.atlassian.net/browse/BIT-1512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22902#comment-22902 ]

Justin Azoff commented on BIT-1512:
-----------------------------------

Gah, yeah, it's the same issue.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-005#70107)

From noreply at bro.org Wed Nov 18 00:00:37 2015
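What the `ldd` / `readelf -d` output in BIT-1512 (and the `import broccoli` failure in BIT-1509) comes down to is the dynamic section of the Python extension: the `make install` build carries a `DT_RPATH` pointing at the Bro lib directory, the RPM build carries none, so the loader only searches the default directories and reports `libbroccoli.so.5 => not found`. The following added example, not part of Bro or its packaging scripts, reads `DT_NEEDED` / `DT_RPATH` / `DT_RUNPATH` out of an ELF64 object and simulates the loader's search. To stay self-contained it assembles a tiny in-memory ELF64 image (ELF header, `.dynstr`, `.dynamic`, `.shstrtab`; nothing loadable) instead of reading a real file, and `SYSTEM_FILES` is a constructed stand-in for the target filesystem. The search order modelled is glibc's: `DT_RPATH` (ignored when `DT_RUNPATH` is present), then `DT_RUNPATH`, then default directories; `LD_LIBRARY_PATH` and `ld.so.cache` are deliberately left out.

```python
"""Read DT_NEEDED/DT_RPATH/DT_RUNPATH from an ELF64 object and simulate
where the dynamic loader would find each dependency.

Added example, not Bro's packaging code. The ELF images and the set of
files on the "target system" are constructed in memory.
"""
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_RPATH, DT_RUNPATH = 0, 1, 15, 29
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes
DEFAULT_DIRS = ("/lib", "/usr/lib", "/lib64", "/usr/lib64")


def _cstr(blob: bytes, off: int) -> str:
    return blob[off:blob.index(b"\0", off)].decode()


def dynamic_info(elf: bytes) -> dict:
    """Walk the section headers, locate SHT_DYNAMIC and its string table."""
    ident, _, _, _, _, _, shoff, _, _, _, _, shentsize, shnum, _ = EHDR.unpack_from(elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    sections = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    info = {"needed": [], "rpath": None, "runpath": None}
    for _, sh_type, _, _, sh_off, sh_size, sh_link, _, _, sh_entsize in sections:
        if sh_type != SHT_DYNAMIC:
            continue
        strtab = sections[sh_link]                      # sh_link names the .dynstr section
        dynstr = elf[strtab[4]:strtab[4] + strtab[5]]   # (sh_offset, sh_size)
        for i in range(sh_size // sh_entsize):
            tag, val = DYN.unpack_from(elf, sh_off + i * sh_entsize)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                info["needed"].append(_cstr(dynstr, val))
            elif tag == DT_RPATH:
                info["rpath"] = _cstr(dynstr, val)
            elif tag == DT_RUNPATH:
                info["runpath"] = _cstr(dynstr, val)
    return info


def resolve(info: dict, existing: set) -> dict:
    """Map each DT_NEEDED name to the first path the loader would accept, or
    None; `existing` is the set of absolute paths present on the target."""
    dirs = []
    if info["rpath"] and not info["runpath"]:    # DT_RPATH is ignored once DT_RUNPATH exists
        dirs += info["rpath"].split(":")
    if info["runpath"]:
        dirs += info["runpath"].split(":")
    dirs += DEFAULT_DIRS
    return {lib: next((f"{d}/{lib}" for d in dirs if f"{d}/{lib}" in existing), None)
            for lib in info["needed"]}


def risky_rpath_entries(info: dict) -> list:
    """Search-path elements that are empty (= current directory) or relative:
    a library-hijack risk in a packaged binary, not just a lookup failure."""
    out = []
    for value in (info["rpath"], info["runpath"]):
        if value:
            out += [e for e in value.split(":") if not e.startswith(("/", "$ORIGIN"))]
    return out


def build_shared_object(needed, rpath=None, runpath=None) -> bytes:
    """Assemble a minimal ELF64 image holding only the sections parsed above."""
    names, offsets = [b"\0"], {}
    for s in list(needed) + [x for x in (rpath, runpath) if x]:
        offsets[s] = sum(len(n) for n in names)
        names.append(s.encode() + b"\0")
    dynstr = b"".join(names)
    entries = [(DT_NEEDED, offsets[n]) for n in needed]
    entries += [(DT_RPATH, offsets[rpath])] if rpath else []
    entries += [(DT_RUNPATH, offsets[runpath])] if runpath else []
    dynamic = b"".join(DYN.pack(t, v) for t, v in entries + [(DT_NULL, 0)])
    shstrtab = b"\0.dynstr\0.dynamic\0.shstrtab\0"
    pad = lambda b: b + b"\0" * (-len(b) % 8)
    dynstr_off = EHDR.size
    dynamic_off = dynstr_off + len(pad(dynstr))
    shstr_off = dynamic_off + len(dynamic)
    shoff = shstr_off + len(pad(shstrtab))
    shdrs = [SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
             SHDR.pack(1, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0),
             SHDR.pack(9, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, DYN.size),
             SHDR.pack(18, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)]
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9       # ELFCLASS64, LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, len(shdrs), 3)
    return ehdr + pad(dynstr) + dynamic + pad(shstrtab) + b"".join(shdrs)


# The two builds from the ticket, modelled: make install stamps an RPATH
# into the extension, the RPM build does not. Constructed target filesystem.
SYSTEM_FILES = {"/usr/local/bro/lib/libbroccoli.so.5"}
MAKE_INSTALL_SO = build_shared_object(["libbroccoli.so.5"], rpath="/usr/local/bro/lib")
RPM_SO = build_shared_object(["libbroccoli.so.5"])

if __name__ == "__main__":
    for label, so in [("make install", MAKE_INSTALL_SO), ("rpm", RPM_SO)]:
        info = dynamic_info(so)
        print(f"{label:13s} rpath={info['rpath']!r} runpath={info['runpath']!r} -> {resolve(info, SYSTEM_FILES)}")
```

Two things worth checking on any packaged Python extension or plugin with this: that every `DT_NEEDED` resolves somewhere the package actually installs into (the RPM case fails this), and that none of the search-path entries is empty or relative, since `ld.so` treats an empty element as the current working directory.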
From: noreply at bro.org (Merge Tracker)
Date: Wed, 18 Nov 2015 00:00:37 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511180800.tAI80bL4023806@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component   Reporter       Assignee      Updated     For Version  Priority  Summary
  ------------  ----------  -------------  ------------  ----------  -----------  --------  -----------------------------
  BIT-1489 [1]  BroControl  Daniel Thayer  Justin Azoff  2015-10-07  2.5          Normal    topic/dnthayer/ticket1396 [2]

Open GitHub Pull Requests
=========================

  Issue    Component  User                  Updated     Title
  -------  ---------  --------------------  ----------  ------------------------------------------------------------------------
  #46 [3]  bro        albertzaharovits [4]  2015-11-03  HTTP Content-Disposition header updates filename field in HTTP::Info [5]
  #1 [6]   broctl     J-Gras [7]            2015-10-24  Added support for Pcap options [8]
  #2 [9]   btest      fabaff [10]           2015-11-15  Update to match PEP3110 [11]

[1] BIT-1489          https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396        https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46  https://github.com/bro/bro/pull/46
[4] albertzaharovits  https://github.com/albertzaharovits
[5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1   https://github.com/bro/broctl/pull/1
[7] J-Gras            https://github.com/J-Gras
[8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config
[9] Pull Request #2   https://github.com/bro/btest/pull/2
[10] fabaff           https://github.com/fabaff
[11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/fabaff/btest.git master

From asharma at lbl.gov Wed Nov 18 10:58:54 2015
From: asharma at lbl.gov (Aashish Sharma)
Date: Wed, 18 Nov 2015 10:58:54 -0800
Subject: [Bro-Dev] current_time() vs network_time()
Message-ID: <20151118185851.GC15059@yaksha.lbl.gov>

So, I am trying to have bro send me report/alerts at specific timeslots.

Given current_time is the wall-clock time, I am relying on the current_time() function to get time and then, my code is: if (hh:mm:ss == desired time), run a report.

I noticed inconsistencies so here is a more detailed debug log: I notice jumps in the current_time:

Report time is 1447869593.121702, report hour is 9:59:53
Report time is 1447869595.234395, report hour is 9:59:55
Report time is 1447869596.45385, report hour is 9:59:56
Report time is 1447869597.636261, report hour is 9:59:57
Report time is 1447869598.597632, report hour is 9:59:58
Report time is 1447869599.628088, report hour is 9:59:59
Report time is 1447869601.926001, report hour is 10:0:1     <----- no 10:0:0 ?
Report time is 1447869603.182218, report hour is 10:0:3     <--- jump
Report time is 1447869604.166191, report hour is 10:0:4
Report time is 1447869605.647308, report hour is 10:0:5
Report time is 1447869606.499426, report hour is 10:0:6
Report time is 1447869607.383869, report hour is 10:0:7
Report time is 1447869617.52706, report hour is 10:0:17     <----- big jump
Report time is 1447869618.188414, report hour is 10:0:18
Report time is 1447869619.04252, report hour is 10:0:19     <- stall ?
Report time is 1447869619.733979, report hour is 10:0:19    <--- stall ?
Report time is 1447869622.635545, report hour is 10:0:22
Report time is 1447869623.28335, report hour is 10:0:23

I believe network_time would be somewhat better probably and will try to see how that fares for my use case.

Any idea why I see such jumps on the wall-clock times? I'd think this should be rather more reliable?

Thanks,
Aashish

From leres at ee.lbl.gov Wed Nov 18 11:34:39 2015
From: leres at ee.lbl.gov (Craig Leres)
Date: Wed, 18 Nov 2015 11:34:39 -0800
Subject: [Bro-Dev] current_time() vs network_time()
In-Reply-To: <20151118185851.GC15059@yaksha.lbl.gov>
References: <20151118185851.GC15059@yaksha.lbl.gov>
Message-ID: <564CD2CF.60701@ee.lbl.gov>

On 11/18/2015 10:58 AM, Aashish Sharma wrote:
> So, I am trying to have bro send me report/alerts at specific timeslots.
>
> Given current_time is the wall-clock time, I am relying on current_time() function to get time and then, my code is : if (hh:mm:ss == desired time), run a report.

My recommendation for how to implement this would be to calculate a unix timestamp (seconds since 1970) that corresponds to the next time you want to send a report and then poll for when time() is >= this value. After sending the report, calculate the next timestamp.

I'm not sure what you have available but to generate the unix timestamp I would use localtime() or gmtime() (using gmtime() avoids daylight saving time issues) to break out the fields, set the H, M and S to the desired values and then use mktime() (or timegm()) to convert back to a unix timestamp.

		Craig

From asharma at lbl.gov Wed Nov 18 11:50:46 2015
From: asharma at lbl.gov (Aashish Sharma) Date: Wed, 18 Nov 2015 11:50:46 -0800 Subject: [Bro-Dev] current_time() vs network_time() In-Reply-To: <564CD2CF.60701@ee.lbl.gov> References: <20151118185851.GC15059@yaksha.lbl.gov> <564CD2CF.60701@ee.lbl.gov> Message-ID: <20151118195044.GD15059@yaksha.lbl.gov> > My recommendation for how to implement this would be to calculate a unix > timestamp (seconds since 1970) that corresponds to the next time you > want to send a report and then poll for when time() is >= this value. After > sending the report, calculate the next timestamp. ah! Much better way! Thanks Craig! Aashish On Wed, Nov 18, 2015 at 11:34:39AM -0800, Craig Leres wrote: > On 11/18/2015 10:58 AM, Aashish Sharma wrote: > > So, I am trying to have bro send me report/alerts at specific timeslots. > > > > Given current_time is the wall-clock time, I am relying on current_time() function to get time and then, my code is : if (hh:mm:ss == desired time), run a report. > > My recommendation for how to implement this would be to calculate a unix > timestamp (seconds since 1970) that corresponds to the next time you > want to send a report and then poll for when time() is >= this value. After > sending the report, calculate the next timestamp. > > I'm not sure what you have available but to generate the unix timestamp > I would use localtime() or gmtime() (using gmtime() avoids daylight > saving time issues) to break out the fields, set the H, M and S to the > desired values and then use mktime() (or timegm()) to convert back to a > unix timestamp. > > Craig From noreply at bro.org Thu Nov 19 00:00:35 2015 
From: noreply at bro.org (Merge Tracker) Date: Thu, 19 Nov 2015 00:00:35 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201511190800.tAJ80ZdU015158@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- ----------------------------- BIT-1489 [1] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [2] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [3] bro albertzaharovits [4] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [5] #1 [6] broctl J-Gras [7] 2015-10-24 Added support for Pcap options [8] #2 [9] btest fabaff [10] 2015-11-15 Update to match PEP3110 [11] [1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [3] Pull Request #46 https://github.com/bro/bro/pull/46 [4] albertzaharovits https://github.com/albertzaharovits [5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [6] Pull Request #1 https://github.com/bro/broctl/pull/1 [7] J-Gras https://github.com/J-Gras [8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config [9] Pull Request #2 https://github.com/bro/btest/pull/2 [10] fabaff https://github.com/fabaff [11] Merge Pull Request #2 with git pull --no-ff --no-commit https://github.com/fabaff/btest.git master From jira at bro-tracker.atlassian.net Thu Nov 19 07:59:00 2015 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 19 Nov 2015 09:59:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1511) BroControl unable to recognize adr in ifconfig In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22903#comment-22903 ] Daniel Thayer commented on BIT-1511: ------------------------------------ I've just updated to debian 8.2, and I cannot reproduce this problem. What does the output of "/sbin/ifconfig -a" look like on your system? > BroControl unable to recognize adr in ifconfig > ---------------------------------------------- > > Key: BIT-1511 > URL: https://bro-tracker.atlassian.net/browse/BIT-1511 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Affects Versions: 2.3 > Environment: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1+deb8u6 (2015-11-09) x86_64 GNU/Linux Debian Jessie > Reporter: Nicolas Merle > Labels: broctl, ifconfig > > Since recently, ifconfig in Debian shows IP addresses starting with "adr" and not "addr" as before, and so when using ''BroCtl check'' in a local cluster configuration it doesn't work and you get the error: "Error: must run broctl only on manager node broctl check" -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-005#70107) From slagell at illinois.edu Thu Nov 19 12:12:51 2015 
From: slagell at illinois.edu (Slagell, Adam J) Date: Thu, 19 Nov 2015 20:12:51 +0000 Subject: [Bro-Dev] Brokerization of iSSHD Message-ID: I'm checking to see if anyone is already working on converting the ssllogmux script used by iSSHD to use Broker? I don't think the corresponding bro scripts will need to be updated unless they are using &synchronized, right? :Adam ------ Adam J. Slagell Chief Information Security Officer Director, Cybersecurity Division National Center for Supercomputing Applications University of Illinois at Urbana-Champaign www.slagell.info "Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." From jira at bro-tracker.atlassian.net Thu Nov 19 13:51:00 2015 
From: jira at bro-tracker.atlassian.net (Nicolas Merle (JIRA)) Date: Thu, 19 Nov 2015 15:51:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1511) BroControl unable to recognize adr in ifconfig In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22904#comment-22904 ] Nicolas Merle commented on BIT-1511: ------------------------------------ eth0 Link encap:Ethernet HWaddr 00:22:19:5a:65:7d inet adr:192.168.102.238 Bcast:192.168.102.255 Masque:255.255.255.0 adr inet6: fe80::222:19ff:fe5a:657d/64 Scope:Lien UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:3432444 errors:0 dropped:0 overruns:0 frame:0 TX packets:3434353 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 lg file transmission:1000 RX bytes:302265646 (288.2 MiB) TX bytes:848376555 (809.0 MiB) eth1 Link encap:Ethernet HWaddr 00:22:19:5a:65:7f inet adr:192.168.103.200 Bcast:192.168.103.255 Masque:255.255.255.0 UP BROADCAST RUNNING NOARP PROMISC MULTICAST MTU:1500 Metric:1 RX packets:16163355404 errors:0 dropped:85 overruns:0 frame:0 TX packets:8297 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 lg file transmission:1000 RX bytes:13468131399162 (12.2 TiB) TX bytes:3867134 (3.6 MiB) eth2 Link encap:Ethernet HWaddr 00:15:17:b2:5f:d8 BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 lg file transmission:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) Interruption:16 Mémoire:fc3e0000-fc400000 eth3 Link encap:Ethernet HWaddr 00:15:17:b2:5f:d9 BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 lg file transmission:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) Interruption:17 Mémoire:fc3a0000-fc3c0000 eth0.111 Link encap:Ethernet HWaddr 00:22:19:5a:65:7d inet adr:192.168.111.238 
Bcast:192.168.111.255 Masque:255.255.255.0 adr inet6: fe80::222:19ff:fe5a:657d/64 Scope:Lien UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2 errors:0 dropped:0 overruns:0 frame:0 TX packets:2940 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 lg file transmission:0 RX bytes:92 (92.0 B) TX bytes:286263 (279.5 KiB) lo Link encap:Boucle locale inet adr:127.0.0.1 Masque:255.0.0.0 adr inet6: ::1/128 Scope:Hôte UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:65514313 errors:0 dropped:0 overruns:0 frame:0 TX packets:65514313 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 lg file transmission:0 RX bytes:168200729284 (156.6 GiB) TX bytes:168200729284 (156.6 GiB) -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-005#70107) From asharma at lbl.gov Thu Nov 19 14:42:37 2015 
From: asharma at lbl.gov (Aashish Sharma) Date: Thu, 19 Nov 2015 14:42:37 -0800 Subject: [Bro-Dev] current_time() vs network_time() In-Reply-To: <564CD2CF.60701@ee.lbl.gov> References: <20151118185851.GC15059@yaksha.lbl.gov> <564CD2CF.60701@ee.lbl.gov> Message-ID: <20151119224234.GL19252@yaksha.lbl.gov> > I'm not sure what you have available but to generate the unix timestamp > I would use localtime() or gmtime() (using gmtime() avoids daylight Here is the function I am now using (sharing - might be useful to improve upon) Index: ../../all-check.bro =================================================================== --- ../../all-check.bro (revision 819) +++ ../../all-check.bro (working copy) +function next_report_time():time +{ + local kv_splitter: pattern = /[\ \t]+/; + local one_space: string = " "; + local _report_hours: vector of count = {0, 10, 12, 14, 16, 23}; + + local t = current_time(); + local _now_h = to_count(strftime("%H", t)); + + local _next_report_hour : count = 0 ; + + for (h in _report_hours) + { + print fmt ("now_h is %s, H is %s", _now_h, _report_hours[h]) ; + if (_now_h < _report_hours[h]) + { + _next_report_hour = _report_hours[h] ; break; + } + } + + local t_year = strftime("%Y",t); + local t_zone = strftime("%Z",t); + local zone_year_month_day = strftime("%Z %Y %b %d", t); + + local _hour = _next_report_hour ; + local _min = "00" ; + local _sec = "00" ; + + local _t_string = fmt ("%s %s:%s:%s", zone_year_month_day, _hour,_min,_sec ); + + local _next_report_time = fmt ("time is : %s, %s", strftime("%Z %Y %b %d %T", t), _t_string) ; + + local parse_string: string = "%Z %Y %b %d %H:%M:%S"; + local date_mod = fmt("%s", _t_string); + local date_mod_p = gsub(date_mod, kv_splitter, one_space); + local ret_val = strptime(parse_string, date_mod_p); + + return ret_val ; +} + And then basically: event bro_init() &priority=10 { + nrt = next_report_time() ; } event report_allcheck() { + #if((report_hour == 0 || report_hour == 10 || report_hour == 12 || 
report_hour == 14 + ##|| report_hour == 16 || report_hour == 23) && report_min == 0 && report_sec == 0) + +if (current_time() > nrt) { + nrt = next_report_time(); } } On Wed, Nov 18, 2015 at 11:34:39AM -0800, Craig Leres wrote: > On 11/18/2015 10:58 AM, Aashish Sharma wrote: > > So, I am trying to have bro send me report/alerts at specific timeslots. > > > > Given current_time is the wall-clock time, I am relying on current_time() function to get time and then, my code is : if (hh:mm:ss == desired time), run a report. > > My recommendation for how to implement this would be to calculate a unix > timestamp (seconds since 1970) that corresponds to the next time you > want send a report and then poll for when time() is >= this value. After > sending the report, calculate the next timestamp. > > I'm not sure what you have available but to generate the unix timestamp > I would use localtime() or gmtime() (using gmtime() avoids daylight > saving time issues) to break out the fields, set the H, M and S to the > desired values and then use mktime() (or timegm()) to convert back to a > unix timestamp. > > Craig From vern at icir.org Thu Nov 19 15:12:29 2015 
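Review bot: next_report_time() has no day rollover, so the schedule breaks every evening after the 23:00 report. Once `_now_h` is 23 the `for (h in _report_hours)` loop finds no entry with `_now_h < _report_hours[h]`, `_next_report_hour` keeps its initial value 0, and the function returns today's 00:00:00, which is already in the past; `if (current_time() > nrt)` in report_allcheck() is then true on every invocation until midnight, and because hour 0 can never satisfy the `<` comparison the midnight report is only ever produced by that fall-through. Suggest handling the fall-through explicitly by building the timestamp for `_report_hours[0]` on the following day (add one day to the `strftime("%Z %Y %b %d", t)` date before it goes through strptime()), which is what Craig's "calculate the next timestamp" step implies. Note also that the `%Z` in the format string ties the parse to local time, so the daylight-saving caveat Craig raised still applies on transition days. Smaller points in the same hunk: the `print fmt ("now_h is %s, H is %s", ...)` line inside the loop is a debug statement that should not be committed; `t_year`, `t_zone` and `_next_report_time` are computed but never used; and `nrt` is assigned in bro_init() and compared in report_allcheck() without a declaration in this diff, so confirm a `global nrt: time;` exists elsewhere in all-check.bro.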
From: vern at icir.org (Vern Paxson) Date: Thu, 19 Nov 2015 15:12:29 -0800 Subject: [Bro-Dev] current_time() vs network_time() In-Reply-To: <20151118185851.GC15059@yaksha.lbl.gov> (Wed, 18 Nov 2015 10:58:54 PST). Message-ID: <20151119231228.C46222C4007@rock.ICSI.Berkeley.EDU> For the script you sent me, the 1-second skips aren't that surprising. Bro's "schedule" sets a minimum time in the future for when the event will occur. The actual time will be a tad later, depending on how long it takes the event engine to process the buffer of packets that leads to the clock advancing past the scheduled time. So for example if at network time 1.95 you schedule an event for one second in the future, that won't be looked at until a set of packets arrives for which one of them has a network time of >= 2.95. Those packets will first be processed before doing the scheduled event. In addition, network-time will lag current-time by an amount proportional to the packet capture buffer. If the buffer is a few hundred msec's worth, then you will not infrequently get a mismatch regarding times of one-second granularity. OTOH, this: > Report time is 1447869607.383869, report hour is 10:0:7 > Report time is 1447869617.52706, report hour is 10:0:17 <----- big jump is definitely not good. I'm not seeing how your script could lead to that behavior other than the event engine going away (= spending time processing packets) for around 10 seconds. Regarding this: > Report time is 1447869618.188414, report hour is 10:0:18 > Report time is 1447869619.04252, report hour is 10:0:19 <- stall ? > Report time is 1447869619.733979, report hour is 10:0:19 <--- stall ? I can at least construct a theory. Suppose the event was supposed to happen at 10:0:18.8. A packet comes in with that network time, so the event fires, but only 200 msec later, so current-time shows 10:0:19. The script schedules based on network-time rather than current-time, so it'll set the next event for 10:0:19.8. 
When that packet arrives, there's less to process, so the script runs before the current-time advances to 10:0:20. In any case, I agree that Craig's proposed fix is a good way to deal with this. In addition, I think this points up the utility of Bro providing cron-style event scheduling in addition to relative-time scheduling. Vern From seth at icir.org Thu Nov 19 22:34:59 2015 From: seth at icir.org (Seth Hall) Date: Fri, 20 Nov 2015 01:34:59 -0500 Subject: [Bro-Dev] current_time() vs network_time() In-Reply-To: <20151119231228.C46222C4007@rock.ICSI.Berkeley.EDU> References: <20151119231228.C46222C4007@rock.ICSI.Berkeley.EDU> Message-ID: <99AF606C-6337-4C47-92D1-9871E98F078A@icir.org> > On Nov 19, 2015, at 6:12 PM, Vern Paxson wrote: > > In any case, I agree that Craig's proposed fix is a good way to deal > with this. In addition, I think this points up the utility of Bro > providing cron-style event scheduling in addition to relative-time > scheduling. I actually have a plugin mostly working that does this called approxidate. https://github.com/sethhall/bro-approxidate It lets you write code like this... schedule approxidate("tomorrow at 8pm EDT") { some_event() }; .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From noreply at bro.org Fri Nov 20 00:00:43 2015 
From: noreply at bro.org (Merge Tracker) Date: Fri, 20 Nov 2015 00:00:43 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201511200800.tAK80hSR020888@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- ----------------------------- BIT-1489 [1] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [2] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [3] bro albertzaharovits [4] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [5] #1 [6] broctl J-Gras [7] 2015-10-24 Added support for Pcap options [8] [1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [3] Pull Request #46 https://github.com/bro/bro/pull/46 [4] albertzaharovits https://github.com/albertzaharovits [5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [6] Pull Request #1 https://github.com/bro/broctl/pull/1 [7] J-Gras https://github.com/J-Gras [8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From jira at bro-tracker.atlassian.net Fri Nov 20 18:17:00 2015 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Fri, 20 Nov 2015 20:17:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1511) BroControl unable to recognize adr in ifconfig In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22905#comment-22905 ] Daniel Thayer commented on BIT-1511: ------------------------------------ Try running this command: LANG=C /sbin/ifconfig -a Does the output contain "inet addr:" and "inet6 addr:" (instead of "inet adr:" and "adr inet6:")? -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-005#70107) From noreply at bro.org Sat Nov 21 00:00:33 2015 
From: noreply at bro.org (Merge Tracker) Date: Sat, 21 Nov 2015 00:00:33 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201511210800.tAL80XXQ014120@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- ----------------------------- BIT-1489 [1] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [2] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [3] bro albertzaharovits [4] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [5] #1 [6] broctl J-Gras [7] 2015-10-24 Added support for Pcap options [8] [1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [3] Pull Request #46 https://github.com/bro/bro/pull/46 [4] albertzaharovits https://github.com/albertzaharovits [5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [6] Pull Request #1 https://github.com/bro/broctl/pull/1 [7] J-Gras https://github.com/J-Gras [8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From noreply at bro.org Sun Nov 22 00:00:29 2015 
From: noreply at bro.org (Merge Tracker) Date: Sun, 22 Nov 2015 00:00:29 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201511220800.tAM80Tma017383@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- ----------------------------- BIT-1489 [1] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [2] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [3] bro albertzaharovits [4] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [5] #1 [6] broctl J-Gras [7] 2015-10-24 Added support for Pcap options [8] [1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [3] Pull Request #46 https://github.com/bro/bro/pull/46 [4] albertzaharovits https://github.com/albertzaharovits [5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [6] Pull Request #1 https://github.com/bro/broctl/pull/1 [7] J-Gras https://github.com/J-Gras [8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From noreply at bro.org Mon Nov 23 00:00:31 2015 
From: noreply at bro.org (Merge Tracker) Date: Mon, 23 Nov 2015 00:00:31 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201511230800.tAN80VEq022097@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- ----------------------------- BIT-1489 [1] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [2] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [3] bro albertzaharovits [4] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [5] #1 [6] broctl J-Gras [7] 2015-10-24 Added support for Pcap options [8] [1] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [2] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [3] Pull Request #46 https://github.com/bro/bro/pull/46 [4] albertzaharovits https://github.com/albertzaharovits [5] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [6] Pull Request #1 https://github.com/bro/broctl/pull/1 [7] J-Gras https://github.com/J-Gras [8] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From jira at bro-tracker.atlassian.net Mon Nov 23 08:14:00 2015 
From: jira at bro-tracker.atlassian.net (Mark Fernandez (JIRA)) Date: Mon, 23 Nov 2015 10:14:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-939) HTTP parser refact & redesign required In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-939?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23000#comment-23000 ] Mark Fernandez commented on BIT-939: ------------------------------------ I was just reviewing the weird logs and found 'unescaped_special_URI_char' entries. Curious, I reviewed HTTP.cc to determine what is considered a special character. When I reviewed the routines 'analyzer::http::is_reserved_URI_char' and 'analyzer::http::is_unreserved_URI_char', I had the same concern as the person who originally posted this issue. The characters defined as 'reserved' changed from RFC 2396 (dated 1998), on which the http analyzer is based, to the newest publication RFC 3986 (dated 2005). Ditto for 'unreserved' characters. Comparison between the two RFCs is contained below. RFC 2396 Unreserved: alphanum - . _ ~ ! * ' ( ) RFC 3986 Unreserved: alphanum - . _ ~ RFC 2396 Reserved: ; / ? : @ & = + $ , RFC 3986 Reserved: : / ? # [ ] @ // Called General Delimiters ! $ & ' ( ) * + , ; = // Called Sub-Delimiters You can see that some characters were moved from 'unreserved' to 'reserved', as well as many new characters being deemed 'reserved'. Should the code in HTTP.cc be updated to reflect the changes from RFC 2396 to RFC 3986? Thanks! > HTTP parser refact & redesign required > -------------------------------------- > > Key: BIT-939 > URL: https://bro-tracker.atlassian.net/browse/BIT-939 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: git/master > Reporter: drmckay > Fix For: 2.5 > > > Hi, > In the HTTP parser implementation you are following an old, obsoleted rfc from 1999. 
There is a newer version: http://tools.ietf.org/html/rfc3986 > Please, review and refactor your code (unescapeURI() redesign also needed, to minimize false positives). > Thanks. -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000) From jira at bro-tracker.atlassian.net Mon Nov 23 08:34:00 2015 
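To make Mark's comparison concrete, here is an added C example (it is not Bro's HTTP.cc and not code from the ticket) that encodes the two character sets exactly as listed in the comment above, classifies a byte under each RFC, and reports which characters of a constructed request target change class between RFC 2396 and RFC 3986. It goes slightly beyond the two tables: it walks an arbitrary URI string, so it can be pointed at request lines from a log to see which characters a 2396-based classifier would treat differently from a 3986-based one, which is exactly the distinction behind the `unescaped_special_URI_char` weirds Mark saw. The sample URI is constructed for the example.

```c
/* Added example, not from the ticket or from Bro's HTTP.cc: classify URI
 * characters under RFC 2396 and RFC 3986 as listed in the comment above
 * and find the characters whose class differs. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum uri_class { URI_OTHER = 0, URI_UNRESERVED = 1, URI_RESERVED = 2 };

/* The sets from Mark's comparison.  "alphanum" is handled with isalnum(). */
static const char RFC2396_MARK[]       = "-._~!*'()";   /* unreserved marks */
static const char RFC2396_RESERVED[]   = ";/?:@&=+$,";
static const char RFC3986_MARK[]       = "-._~";        /* unreserved marks */
static const char RFC3986_GEN_DELIMS[] = ":/?#[]@";
static const char RFC3986_SUB_DELIMS[] = "!$&'()*+,;=";

/* strchr() would match the terminating NUL, so exclude c == 0 explicitly. */
static int in_set(const char *set, int c)
{
    return c != 0 && strchr(set, c) != NULL;
}

/* c is a byte value 0..255 (callers cast from unsigned char). */
enum uri_class classify_rfc2396(int c)
{
    if (isalnum(c) || in_set(RFC2396_MARK, c))
        return URI_UNRESERVED;
    if (in_set(RFC2396_RESERVED, c))
        return URI_RESERVED;
    return URI_OTHER;
}

enum uri_class classify_rfc3986(int c)
{
    if (isalnum(c) || in_set(RFC3986_MARK, c))
        return URI_UNRESERVED;
    if (in_set(RFC3986_GEN_DELIMS, c) || in_set(RFC3986_SUB_DELIMS, c))
        return URI_RESERVED;
    return URI_OTHER;
}

/* Count the bytes of `uri` classified differently by the two RFCs and, if
 * `changed` is non-NULL, copy them there in order (NUL-terminated, at most
 * cap-1 of them).  Returns the full count even when the buffer is short. */
size_t reclassified_chars(const char *uri, char *changed, size_t cap)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)uri; *p != '\0'; p++) {
        if (classify_rfc2396(*p) != classify_rfc3986(*p)) {
            if (changed != NULL && n + 1 < cap)
                changed[n] = (char)*p;
            n++;
        }
    }
    if (changed != NULL && cap > 0)
        changed[n < cap ? n : cap - 1] = '\0';
    return n;
}

int main(void)
{
    /* Constructed request target mixing characters from both tables. */
    const char *uri = "/cgi-bin/run?name=o'brien&opt=(x)*!#top[0]";
    char changed[64];
    size_t n = reclassified_chars(uri, changed, sizeof changed);
    printf("%zu characters of %s change class between RFC 2396 and RFC 3986: %s\n",
           n, uri, changed);

    /* Sweep printable ASCII: which characters change class at all. */
    printf("reclassified across printable ASCII:");
    for (int c = 0x21; c < 0x7f; c++)
        if (classify_rfc2396(c) != classify_rfc3986(c))
            printf(" %c", c);
    printf("\n");
    return 0;
}
```

The sweep shows the two directions Mark describes: `! * ' ( )` move from unreserved to reserved, and `# [ ]`, which RFC 2396 did not list at all, become reserved general delimiters. Characters in both reserved lists (`; / ? : @ & = + $ ,`) are unaffected.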
From: jira at bro-tracker.atlassian.net (Mark Fernandez (JIRA)) Date: Mon, 23 Nov 2015 10:34:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Mark Fernandez updated BIT-1500: -------------------------------- Resolution: Solved Status: Closed (was: Open) Mr. Grigorescu's recommendation was sufficient to solve the problem. Thank you. > BinPAC Call to FlowBuffer::NewFrame with frame_length -1 > -------------------------------------------------------- > > Key: BIT-1500 > URL: https://bro-tracker.atlassian.net/browse/BIT-1500 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BinPAC > Affects Versions: 2.4 > Reporter: Mark Fernandez > Labels: analyzer > Attachments: test.pac > > > I am creating a protocol analyzer using BinPAC. I created a type record for chunked data, very similar to HTTP chunked data. The auto-generated C++ code does not parse the chunked data correctly. I tracked it down to the ParseBuffer code where there is a combination of calls to FlowBuffer::NewFrame and soon thereafter a condition check against FlowBuffer::ready(). The call to NewFrame passes '-1' as the frame_length value. NewFrame calls FlowBuffer::MarkOrCopyFrame, and because the frame_length is set to -1, MarkOrCopyFrame sets message_complete_ to false. Therefore, when FlowBuffer::ready() is called, it returns message_complete_, which is false, and then ParseBuffer exits via 'goto need_more_data' without ever parsing the chunked data. This is very frustrating. Please review and let me know what you think. -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000) From jira at bro-tracker.atlassian.net Mon Nov 23 08:35:00 2015 
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA)) Date: Mon, 23 Nov 2015 10:35:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23002#comment-23002 ] Vlad Grigorescu commented on BIT-1500: -------------------------------------- I'd like to revisit this and see if we can get the issue fixed, so you don't have to do the workaround. -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000) From jira at bro-tracker.atlassian.net Mon Nov 23 08:44:00 2015 
From: jira at bro-tracker.atlassian.net (Mark Fernandez (JIRA)) Date: Mon, 23 Nov 2015 10:44:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23003#comment-23003 ] Mark Fernandez commented on BIT-1500: ------------------------------------- OK, that would be great. I apologize for closing the ticket prematurely, but I am honestly satisfied with the workaround and didn't want to burden BIT with a lingering OPEN ticket. Shall we re-open it? 
-- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000) From jira at bro-tracker.atlassian.net Mon Nov 23 09:15:00 2015 From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA)) Date: Mon, 23 Nov 2015 11:15:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1500) BinPAC Call to FlowBuffer::NewFrame with frame_length -1 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23004#comment-23004 ] Vlad Grigorescu commented on BIT-1500: -------------------------------------- We can leave it closed. I'll keep it on my backburner. -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000) From jira at bro-tracker.atlassian.net Mon Nov 23 23:55:00 2015 
From: jira at bro-tracker.atlassian.net (Homayan Ahamed (JIRA)) Date: Tue, 24 Nov 2015 01:55:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1422) Lack of Sanity Check in file 'broccoli_intern.i' In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Homayan Ahamed updated BIT-1422: -------------------------------- Status: Reopened (was: Closed) Resolution: (was: Won't Fix) > Lack of Sanity Check in file 'broccoli_intern.i' > ------------------------------------------------ > > Key: BIT-1422 > URL: https://bro-tracker.atlassian.net/browse/BIT-1422 > Project: Bro Issue Tracker > Issue Type: Patch > Components: broccoli-python > Affects Versions: 2.3 > Environment: Operating System (Linux/Unix/Windows/All) > Reporter: Bill Parker > Labels: Checking, Sanity > Fix For: 2.5 > > Attachments: broccoli_intern.i.patch > > > Hello All, > In file 'broccoli_intern.i', in directory 'aux/broccoli/bindings/broccoli-python', I found a number of instances where calls to malloc() are made without a corresponding check for a return value of NULL, indicating failure. The patch file below corrects/addresses this issue: > --- broccoli_intern.i.orig 2015-06-06 09:02:11.949122426 -0700 > +++ broccoli_intern.i 2015-06-06 09:23:00.187767139 -0700 > @@ -229,6 +229,11 @@ > case BRO_TYPE_BOOL: > case BRO_TYPE_INT: { > int64_t* tmp = (int64_t *)malloc(sizeof(int64_t)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro BOOL/INT"); > + return 0; /* should we return ENOMEM here instead? */ > + } > + > *tmp = PyInt_AsLong(val); > *data = tmp; > break; 
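Review bot: the failure branch added after the BOOL/INT malloc() should settle the question it leaves in its own comment ("should we return ENOMEM here instead?") before merge; the function's existing convention, visible in the context lines of the later hunks (`return 0;` after a failed validation), is to set a Python exception and return 0, so `return 0;` is right, and the idiomatic way to set that exception for an allocation failure is `PyErr_NoMemory()`, which raises MemoryError, rather than `PyErr_SetString(PyExc_RuntimeError, ...)`, which hides an out-of-memory condition behind a generic RuntimeError. This hunk is also the only one that adds an extra blank `+` line after the closing brace; drop it so all branches look alike.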
> @@ -237,6 +242,10 @@ > case BRO_TYPE_COUNT: > case BRO_TYPE_COUNTER: { > uint64_t* tmp = (uint64_t *)malloc(sizeof(uint64_t)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro COUNT/COUNTER"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyInt_AsLong(val); > *data = tmp; > break; > @@ -247,6 +256,10 @@ > return 0; > > BroAddr* addr = (BroAddr*)malloc(sizeof(BroAddr)); > + if (addr == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_IPADDR"); > + return 0; /* should we return ENOMEM here instead? */ > + } > parseAddrTuple(val, addr); > *data = addr; > break; > @@ -256,6 +269,10 @@ > case BRO_TYPE_TIME: > case BRO_TYPE_INTERVAL: { > double* tmp = (double *)malloc(sizeof(double)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE DOUBLE/TIME/INTERVAL"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyFloat_AsDouble(val); > *data = tmp; > break; > @@ -269,6 +286,10 @@ > return 0; > > str = (BroString *)malloc(sizeof(BroString)); > + if (str == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_STRING"); > + return 0; /* should we return ENOMEM here instead? */ > + } > str->str_len = strlen(tmp); > str->str_val = (uchar*)strdup(tmp); > *data = str; > @@ -282,6 +303,10 @@ > } > > int* tmp = (int *)malloc(sizeof(int)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_ENUM"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyInt_AsLong(PyTuple_GetItem(val, 0)); > *data = tmp; 
> > @@ -300,6 +325,10 @@ > } > > BroPort* port = (BroPort *)malloc(sizeof(BroPort)); > + if (port == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_PORT"); > + return 0; /* should we return ENOMEM here instead? */ > + } > port->port_num = PyInt_AsLong(PyTuple_GetItem(val, 0)); > port->port_proto = PyInt_AsLong(PyTuple_GetItem(val, 1)); > *data = port; > @@ -316,6 +345,10 @@ > return 0; > > BroSubnet* subnet = (BroSubnet *)malloc(sizeof(BroSubnet)); > + if (subnet == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_SUBNET"); > + return 0; > + } > > parseAddrTuple(addr, &subnet->sn_net); > > I am attaching the patch file to this bug report... > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000) From jira at bro-tracker.atlassian.net Mon Nov 23 23:59:00 2015 
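Review bot: in the COUNT/COUNTER hunk the new NULL check is fine, but the line it guards, `*tmp = PyInt_AsLong(val);`, stores a signed long into a `uint64_t` and never checks for the -1 that `PyInt_AsLong()` returns on error (with an exception set); that is pre-existing and outside this patch's stated scope, but since this hunk touches the line's neighbourhood it is the natural place to add `PyErr_Occurred()` handling in a follow-up.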
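Review bot: the TYPE_STRING hunk checks the malloc() of `str` but leaves the very next line, `str->str_val = (uchar*)strdup(tmp);`, unchecked even though strdup() is itself an allocation that can return NULL, so for this case the patch does not fully deliver its stated goal; check `str->str_val` as well, and on that failure path `free(str)` before returning 0 so the partially built BroString does not leak.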
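Review bot: by the TYPE_SUBNET hunk the same four-line failure block has been pasted eight times with only the type name in the message varying, and this copy already drifts from the others (it drops the ENOMEM comment the rest carry). A small static helper, or a macro, that reports the allocation failure via `PyErr_NoMemory()` and returns 0 would keep every branch identical and make the next type added to this switch get the check for free.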
From: jira at bro-tracker.atlassian.net (Homayan Ahamed (JIRA)) Date: Tue, 24 Nov 2015 01:59:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1422) Lack of Sanity Check in file 'broccoli_intern.i' In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23005#comment-23005 ] Homayan Ahamed commented on BIT-1422: ------------------------------------- I miss all of my friend. > Lack of Sanity Check in file 'broccoli_intern.i' > ------------------------------------------------ > > Key: BIT-1422 > URL: https://bro-tracker.atlassian.net/browse/BIT-1422 > Project: Bro Issue Tracker > Issue Type: Patch > Components: broccoli-python > Affects Versions: 2.3 > Environment: Operating System (Linux/Unix/Windows/All) > Reporter: Bill Parker > Labels: Checking, Sanity > Fix For: 2.5 > > Attachments: broccoli_intern.i.patch > > > Hello All, > In file 'broccoli_intern.i', in directory 'aux/broccoli/bindings/broccoli-python', I found a number of instances where calls to malloc() are made without a corresponding check for a return value of NULL, indicating failure. The patch file below corrects/addresses this issue: > --- broccoli_intern.i.orig 2015-06-06 09:02:11.949122426 -0700 > +++ broccoli_intern.i 2015-06-06 09:23:00.187767139 -0700 > @@ -229,6 +229,11 @@ > case BRO_TYPE_BOOL: > case BRO_TYPE_INT: { > int64_t* tmp = (int64_t *)malloc(sizeof(int64_t)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro BOOL/INT"); > + return 0; /* should we return ENOMEM here instead? */ > + } > + > *tmp = PyInt_AsLong(val); > *data = tmp; > break; 
> @@ -237,6 +242,10 @@ > case BRO_TYPE_COUNT: > case BRO_TYPE_COUNTER: { > uint64_t* tmp = (uint64_t *)malloc(sizeof(uint64_t)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro COUNT/COUNTER"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyInt_AsLong(val); > *data = tmp; > break; > @@ -247,6 +256,10 @@ > return 0; > > BroAddr* addr = (BroAddr*)malloc(sizeof(BroAddr)); > + if (addr == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_IPADDR"); > + return 0; /* should we return ENOMEM here instead? */ > + } > parseAddrTuple(val, addr); > *data = addr; > break; > @@ -256,6 +269,10 @@ > case BRO_TYPE_TIME: > case BRO_TYPE_INTERVAL: { > double* tmp = (double *)malloc(sizeof(double)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE DOUBLE/TIME/INTERVAL"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyFloat_AsDouble(val); > *data = tmp; > break; > @@ -269,6 +286,10 @@ > return 0; > > str = (BroString *)malloc(sizeof(BroString)); > + if (str == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_STRING"); > + return 0; /* should we return ENOMEM here instead? */ > + } > str->str_len = strlen(tmp); > str->str_val = (uchar*)strdup(tmp); > *data = str; > @@ -282,6 +303,10 @@ > } > > int* tmp = (int *)malloc(sizeof(int)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_ENUM"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyInt_AsLong(PyTuple_GetItem(val, 0)); > *data = tmp; 
> > @@ -300,6 +325,10 @@ > } > > BroPort* port = (BroPort *)malloc(sizeof(BroPort)); > + if (port == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_PORT"); > + return 0; /* should we return ENOMEM here instead? */ > + } > port->port_num = PyInt_AsLong(PyTuple_GetItem(val, 0)); > port->port_proto = PyInt_AsLong(PyTuple_GetItem(val, 1)); > *data = port; > @@ -316,6 +345,10 @@ > return 0; > > BroSubnet* subnet = (BroSubnet *)malloc(sizeof(BroSubnet)); > + if (subnet == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_SUBNET"); > + return 0; > + } > > parseAddrTuple(addr, &subnet->sn_net); > > I am attaching the patch file to this bug report... > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000) From noreply at bro.org Tue Nov 24 00:00:30 2015 
From: noreply at bro.org (Merge Tracker)
Date: Tue, 24 Nov 2015 00:00:30 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511240800.tAO80UYt031461@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee       Updated      For Version   Priority   Summary
------------  -----------  --------------  -------------  -----------  ------------  ---------  ------------------------------
BIT-1489 [1]  BroControl   Daniel Thayer   Justin Azoff   2015-10-07   2.5           Normal     topic/dnthayer/ticket1396 [2]


Open GitHub Pull Requests
=========================

Issue    Component    User                   Updated      Title
-------  -----------  ---------------------  -----------  ------------------------------------------------------------------------
#46 [3]  bro          albertzaharovits [4]   2015-11-03   HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#1 [6]   broctl       J-Gras [7]             2015-10-24   Added support for Pcap options [8]


[1] BIT-1489           https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396         https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46   https://github.com/bro/bro/pull/46
[4] albertzaharovits   https://github.com/albertzaharovits
[5] Merge Pull Request #46 with
    git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1    https://github.com/bro/broctl/pull/1
[7] J-Gras             https://github.com/J-Gras
[8] Merge Pull Request #1 with
    git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Tue Nov 24 13:46:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Tue, 24 Nov 2015 15:46:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1422) Lack of Sanity Check in file 'broccoli_intern.i' In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1422: ------------------------------- Resolution: Won't Fix Status: Closed (was: Reopened) > Lack of Sanity Check in file 'broccoli_intern.i' > ------------------------------------------------ > > Key: BIT-1422 > URL: https://bro-tracker.atlassian.net/browse/BIT-1422 > Project: Bro Issue Tracker > Issue Type: Patch > Components: broccoli-python > Affects Versions: 2.3 > Environment: Operating System (Linux/Unix/Windows/All) > Reporter: Bill Parker > Labels: Checking, Sanity > Fix For: 2.5 > > Attachments: broccoli_intern.i.patch > > > Hello All, > In file 'broccoli_intern.i', in directory 'aux/broccoli/bindings/broccoli-python', I found a number of instances where calls to malloc() are made without a corresponding check for a return value of NULL, indicating failure. The patch file below corrects/addresses this issue: > --- broccoli_intern.i.orig 2015-06-06 09:02:11.949122426 -0700 > +++ broccoli_intern.i 2015-06-06 09:23:00.187767139 -0700 > @@ -229,6 +229,11 @@ > case BRO_TYPE_BOOL: > case BRO_TYPE_INT: { > int64_t* tmp = (int64_t *)malloc(sizeof(int64_t)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro BOOL/INT"); > + return 0; /* should we return ENOMEM here instead? */ > + } > + > *tmp = PyInt_AsLong(val); > *data = tmp; > break; 
> @@ -237,6 +242,10 @@ > case BRO_TYPE_COUNT: > case BRO_TYPE_COUNTER: { > uint64_t* tmp = (uint64_t *)malloc(sizeof(uint64_t)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro COUNT/COUNTER"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyInt_AsLong(val); > *data = tmp; > break; > @@ -247,6 +256,10 @@ > return 0; > > BroAddr* addr = (BroAddr*)malloc(sizeof(BroAddr)); > + if (addr == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_IPADDR"); > + return 0; /* should we return ENOMEM here instead? */ > + } > parseAddrTuple(val, addr); > *data = addr; > break; > @@ -256,6 +269,10 @@ > case BRO_TYPE_TIME: > case BRO_TYPE_INTERVAL: { > double* tmp = (double *)malloc(sizeof(double)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE DOUBLE/TIME/INTERVAL"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyFloat_AsDouble(val); > *data = tmp; > break; > @@ -269,6 +286,10 @@ > return 0; > > str = (BroString *)malloc(sizeof(BroString)); > + if (str == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_STRING"); > + return 0; /* should we return ENOMEM here instead? */ > + } > str->str_len = strlen(tmp); > str->str_val = (uchar*)strdup(tmp); > *data = str; > @@ -282,6 +303,10 @@ > } > > int* tmp = (int *)malloc(sizeof(int)); > + if (tmp == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_ENUM"); > + return 0; /* should we return ENOMEM here instead? */ > + } > *tmp = PyInt_AsLong(PyTuple_GetItem(val, 0)); > *data = tmp; 
> > @@ -300,6 +325,10 @@ > } > > BroPort* port = (BroPort *)malloc(sizeof(BroPort)); > + if (port == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_PORT"); > + return 0; /* should we return ENOMEM here instead? */ > + } > port->port_num = PyInt_AsLong(PyTuple_GetItem(val, 0)); > port->port_proto = PyInt_AsLong(PyTuple_GetItem(val, 1)); > *data = port; > @@ -316,6 +345,10 @@ > return 0; > > BroSubnet* subnet = (BroSubnet *)malloc(sizeof(BroSubnet)); > + if (subnet == NULL) { /* memory allocation failed... */ > + PyErr_SetString(PyExc_RuntimeError, "Unable to allocate memory for Bro TYPE_SUBNET"); > + return 0; > + } > > parseAddrTuple(addr, &subnet->sn_net); > > I am attaching the patch file to this bug report... > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000) From jira at bro-tracker.atlassian.net Tue Nov 24 14:31:00 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 24 Nov 2015 16:31:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23006#comment-23006 ]

Johanna Amann commented on BIT-1502:
------------------------------------

Ok, it is really difficult to see what exactly is going on here - but basically, Bro is not seeing all bytes in the connections (and hence can not decode the TLS sessions). Which is probably actually a different underlying problem that has not much to do with Bro (which only uses libpcap to get traffic from eth0 in your case).

How exactly are you replaying the traffic? Is it replayed from a different machine? Are you employing some kind of rate limiting, or is it simply sent at the full speed the interface is capable of?

Could you potentially try just replaying your traffic while running tcpdump on the receiving side, to see if tcpdump misses packets too?

> X509 doesn't log all certificates
> ---------------------------------
>
>                 Key: BIT-1502
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1502
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: test setup
>            Reporter: Gavin Spearhead
>            Assignee: Johanna Amann
>              Labels: ssl
>             Fix For: 2.5
>
>
> I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install.
> E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored?
From jira at bro-tracker.atlassian.net Tue Nov 24 15:21:00 2015
From: jira at bro-tracker.atlassian.net (Gavin Spearhead (JIRA))
Date: Tue, 24 Nov 2015 17:21:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23007#comment-23007 ]

Gavin Spearhead commented on BIT-1502:
--------------------------------------

The machine is just my workstation. Bro is running on a live capture. It's not particularly busy, nor is there really a lot of traffic; actually it's just browsing. There is no rate limiting. I've been running tcpdump and wireshark as well and it doesn't look like there is anything missing. I ran a tcpdump for a bit and pulled it through bro, then everything just works fine.

.cmdline says
-i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

I don't see anything particularly interesting in the logs, apart from
send-mail: SENDMAIL-NOTFOUND not found
From jira at bro-tracker.atlassian.net Tue Nov 24 15:27:00 2015
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 24 Nov 2015 17:27:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

[ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1510:
-------------------------------

    Fix Version/s: 2.5

> Crash reports when no crash happened
> ------------------------------------
>
>                 Key: BIT-1510
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1510
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>             Fix For: 2.5
>
>
> We need to make broctl stop sending crash reports when Bro was shutdown by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.
>
> The crash report typically has the following text and no backtrace:
>
> ==== stderr.log
> KILLED
> received termination signal

From noreply at bro.org Wed Nov 25 00:00:23 2015
From: noreply at bro.org (Merge Tracker)
Date: Wed, 25 Nov 2015 00:00:23 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201511250800.tAP80NNO017196@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee       Updated      For Version   Priority   Summary
------------  -----------  --------------  -------------  -----------  ------------  ---------  ------------------------------
BIT-1489 [1]  BroControl   Daniel Thayer   Justin Azoff   2015-10-07   2.5           Normal     topic/dnthayer/ticket1396 [2]


Open GitHub Pull Requests
=========================

Issue    Component    User                   Updated      Title
-------  -----------  ---------------------  -----------  ------------------------------------------------------------------------
#46 [3]  bro          albertzaharovits [4]   2015-11-03   HTTP Content-Disposition header updates filename field in HTTP::Info [5]
#1 [6]   broctl       J-Gras [7]             2015-10-24   Added support for Pcap options [8]


[1] BIT-1489           https://bro-tracker.atlassian.net/browse/BIT-1489
[2] ticket1396         https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396
[3] Pull Request #46   https://github.com/bro/bro/pull/46
[4] albertzaharovits   https://github.com/albertzaharovits
[5] Merge Pull Request #46 with
    git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[6] Pull Request #1    https://github.com/bro/broctl/pull/1
[7] J-Gras             https://github.com/J-Gras
[8] Merge Pull Request #1 with
    git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config

From jira at bro-tracker.atlassian.net Wed Nov 25 06:43:00 2015
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Wed, 25 Nov 2015 08:43:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23008#comment-23008 ]

Seth Hall commented on BIT-1502:
--------------------------------

Gavin, are you using the -C command line option when you run Bro on the packets on the command line?

From jira at bro-tracker.atlassian.net Wed Nov 25 10:22:01 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 25 Nov 2015 12:22:01 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1511) BroControl unable to recognize ifconfig output in some locales

[ https://bro-tracker.atlassian.net/browse/BIT-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1511:
-------------------------------

    Fix Version/s: 2.5
          Summary: BroControl unable to recognize ifconfig output in some locales  (was: BroControl unable to recognize adr in ifconfig)

> BroControl unable to recognize ifconfig output in some locales
> --------------------------------------------------------------
>
>                 Key: BIT-1511
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1511
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>    Affects Versions: 2.3
>         Environment: Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1+deb8u6 (2015-11-09) x86_64 GNU/Linux
>                      Debian Jessie
>            Reporter: Nicolas Merle
>              Labels: broctl, ifconfig
>             Fix For: 2.5
>
>
> Since recently, ifconfig in debian shows ip address starting with "adr" and not "addr" as before, and so when using ''BroCtl check'' in a local cluster configuration, it doesn't work and you get the error: "Error: must run broctl only on manager node broctl check"

From jira at bro-tracker.atlassian.net Wed Nov 25 10:24:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 25 Nov 2015 12:24:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1511) BroControl unable to recognize ifconfig output in some locales

[ https://bro-tracker.atlassian.net/browse/BIT-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1511:
-------------------------------

    Status: Merge Request  (was: Open)

From jira at bro-tracker.atlassian.net Wed Nov 25 10:24:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 25 Nov 2015 12:24:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1511) BroControl unable to recognize ifconfig output in some locales

[ https://bro-tracker.atlassian.net/browse/BIT-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer reassigned BIT-1511:
----------------------------------

    Assignee: Justin Azoff

From jira at bro-tracker.atlassian.net Wed Nov 25 10:24:00 2015
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 25 Nov 2015 12:24:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1511) BroControl unable to recognize ifconfig output in some locales

[ https://bro-tracker.atlassian.net/browse/BIT-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23009#comment-23009 ]

Daniel Thayer commented on BIT-1511:
------------------------------------

Branch "topic/dnthayer/ticket1511" in the broctl git repo fixes this issue.

From jira at bro-tracker.atlassian.net Wed Nov 25 10:42:00 2015
From: jira at bro-tracker.atlassian.net (Nicolas Merle (JIRA))
Date: Wed, 25 Nov 2015 12:42:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1511) BroControl unable to recognize ifconfig output in some locales

[ https://bro-tracker.atlassian.net/browse/BIT-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23010#comment-23010 ]

Nicolas Merle commented on BIT-1511:
------------------------------------

Sorry for not responding earlier, I missed the previous notification. As you said, adding the LANG=C is showing the addr field. But as I have seen, you are already on it, so thanks for your help :)

From zakahili at gmail.com Wed Nov 25 10:44:10 2015
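The BIT-1511 thread above turns on a single detail: a tool that scrapes localized ifconfig output to decide whether it is running on the manager host breaks as soon as a label is translated. The block below is an added illustration written for this page; it is not the broctl project's code (the real fix is in the branch named in the ticket). It puts the fragile English-only pattern next to a locale-tolerant one, and shows the LC_ALL=C form of the LANG=C workaround from the comments. Both ifconfig outputs are constructed; the French one mirrors the "adr:" label the ticket reports but is not captured from the reporter's system.

```python
"""Added example: read IPv4 addresses from ifconfig output without depending
on the locale. Not broctl's code; the sample outputs below are constructed."""
import os
import re
import subprocess
from typing import Dict, List, Optional

# Constructed net-tools style output under the C locale ...
IFCONFIG_C_LOCALE = (
    "eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55\n"
    "          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0\n"
    "          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link\n"
    "lo        Link encap:Local Loopback\n"
    "          inet addr:127.0.0.1  Mask:255.0.0.0\n"
)

# ... and under a French locale, where the label becomes "adr:" as in the ticket.
IFCONFIG_FR_LOCALE = (
    "eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55\n"
    "          inet adr:192.0.2.10  Bcast:192.0.2.255  Masque:255.255.255.0\n"
    "          adr inet6: fe80::211:22ff:fe33:4455/64 Scope:Lien\n"
    "lo        Link encap:Boucle locale\n"
    "          inet adr:127.0.0.1  Masque:255.0.0.0\n"
)

# Fragile pattern: only the English label. This is the behaviour the ticket
# describes failing once the label is translated.
_ENGLISH_LABEL = re.compile(r"\binet addr:(\d{1,3}(?:\.\d{1,3}){3})")

# Locale-tolerant pattern: "inet" (not "inet6"), then an optional translated
# label ending in a colon (addr:, adr:, ...) or no label at all, then the
# dotted quad.
_ANY_LABEL = re.compile(r"\binet\b\s+(?:[A-Za-z]+:)?\s*(\d{1,3}(?:\.\d{1,3}){3})")


def ipv4_addrs(ifconfig_output: str, locale_tolerant: bool = True) -> List[str]:
    """IPv4 addresses in order of appearance, using the chosen pattern."""
    pattern = _ANY_LABEL if locale_tolerant else _ENGLISH_LABEL
    return pattern.findall(ifconfig_output)


def is_local_address(ifconfig_output: str, ip: str, locale_tolerant: bool = True) -> bool:
    """The kind of test a controller makes before deciding whether it is
    running on the manager host; with the fragile pattern it answers False
    on a translated system even when the address is present."""
    return ip in ipv4_addrs(ifconfig_output, locale_tolerant)


def c_locale_env(base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Environment for a child process forced to the C locale. LC_ALL overrides
    LANG and every LC_* category, so it is the robust form of the LANG=C
    workaround mentioned in the ticket."""
    env = dict(os.environ if base is None else base)
    env["LC_ALL"] = "C"
    return env


def run_ifconfig() -> str:
    """Run the system ifconfig (assumed to be on PATH) with English labels."""
    proc = subprocess.run(["ifconfig"], capture_output=True, text=True,
                          env=c_locale_env(), check=True)
    return proc.stdout


if __name__ == "__main__":
    for label, text in (("C", IFCONFIG_C_LOCALE), ("fr", IFCONFIG_FR_LOCALE)):
        print(label, "fragile:", ipv4_addrs(text, locale_tolerant=False),
              "tolerant:", ipv4_addrs(text))
```

The two mitigations are complementary: forcing the child's locale keeps the output stable for whatever pattern is used, while the tolerant pattern survives an ifconfig whose labels change regardless of locale (newer net-tools prints `inet 192.0.2.10` with no label at all, which the tolerant pattern also accepts).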
From: zakahili at gmail.com (Zakaria Hili)
Date: Wed, 25 Nov 2015 19:44:10 +0100
Subject: [Bro-Dev] Parse LDAP messages from a pcap

Hello,

I need to parse LDAP messages from a pcap. So what I did is I tried to search for some of Bro's LDAP events, but I failed. So I was wondering if there are some and I missed them. If not, how can I then code a dissector of LDAP easily so I could use it in events that I have to implement?

Thank you for your help and keep up the good work!

From jira at bro-tracker.atlassian.net Wed Nov 25 14:53:00 2015
From: jira at bro-tracker.atlassian.net (Gavin Spearhead (JIRA))
Date: Wed, 25 Nov 2015 16:53:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates

[ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23011#comment-23011 ]

Gavin Spearhead commented on BIT-1502:
--------------------------------------

I guess not. It's started through broctl:

bash /opt/bro/share/broctl/scripts/run-bro -1 -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto
/opt/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto

From jira at bro-tracker.atlassian.net Wed Nov 25 14:57:00 2015
From: jira at bro-tracker.atlassian.net (Gavin Spearhead (JIRA)) Date: Wed, 25 Nov 2015 16:57:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1502) X509 doesn't log all certificates In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23012#comment-23012 ] Gavin Spearhead commented on BIT-1502: -------------------------------------- Adding it seems to give much better results. Thanx > X509 doesn't log all certificates > --------------------------------- > > Key: BIT-1502 > URL: https://bro-tracker.atlassian.net/browse/BIT-1502 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: test setup > Reporter: Gavin Spearhead > Assignee: Johanna Amann > Labels: ssl > Fix For: 2.5 > > > I'm trying to use bro to log all X509 certificate information for SSL / HTTPS connections. It seems however that not all certificates are logged in the x509.log. (or in files.log). However the connections are visible in the ssl.log. The setup is a basic install. > E.g. https://facebook.com and https://twitter.com are not logged, whereas https://tweakers.net or https://api.twitter.com are logged. Is this a bug, feature? Any idea how to ensure all the certificates are stored? -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000) From jira at bro-tracker.atlassian.net Wed Nov 25 19:49:00 2015 
From: jira at bro-tracker.atlassian.net (Homayan Ahamed (JIRA)) Date: Wed, 25 Nov 2015 21:49:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1442) Prevent possible segmentation violation/faults in Bro-2.3.2 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1442?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Homayan Ahamed updated BIT-1442: -------------------------------- Status: Reopened (was: Closed) Resolution: (was: Invalid) > Prevent possible segmentation violation/faults in Bro-2.3.2 > ----------------------------------------------------------- > > Key: BIT-1442 > URL: https://bro-tracker.atlassian.net/browse/BIT-1442 > Project: Bro Issue Tracker > Issue Type: Patch > Components: bro-aux, Broccoli > Affects Versions: 2.3 > Environment: Linux/Windows/BSD, etc > Reporter: Bill Parker > Labels: Segmentation, Violation, fault > Attachments: bro.c.patch, SubnetTree_wrap.cc.patch > > > Hello All, > In reviewing calls to memset() in Bro-2.3.2, I came across a > pair of instances where memset could POSSIBLY be called with an > address area pointing to NULL, which would generate a segmentation > violation/fault during execution. The patch files below should > address these issues: > In directory 'bro-2.3.2/aux/broctl/aux/pysubnettree', file > 'SubnetTree_wrap.cc': > --- SubnetTree_wrap.cc.orig 2015-08-02 18:56:24.034212101 -0400 > +++ SubnetTree_wrap.cc 2015-08-02 18:59:11.242212101 -0400 > @@ -719,6 +719,8 @@ > SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) { > if (*c != '_') { > if (strcmp(c,"NULL") == 0) { > + if (ptr == NULL) /* on off chance that ptr is NULL, memset() */ > + return 0; /* will segment violation/fault, so return 0 */ > memset(ptr,0,sz); > return name; > } else { > In directory 'bro-2.3.2/aux/broccoli/src', file 'bro.c': > --- bro.c.orig 2015-08-02 19:04:00.161212101 -0400 > +++ bro.c 2015-08-02 19:05:15.608212101 -0400 
> @@ -367,6 +367,9 @@ > void > bro_ctx_init(BroCtx *ctx) > { > + if (! ctx) /* paranoid, ctx must NOT be NULL */ > + return; > + > memset(ctx, 0, sizeof(BroCtx)); > } > > Comments, Questions, Suggestions, Complaints :) > I am attaching the patch file(s) to this bug report... > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.1.0-OD-01-053#71000) From noreply at bro.org Thu Nov 26 00:00:27 2015 
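Review bot: in the SubnetTree_wrap.cc hunk, the new `if (ptr == NULL) return 0;` in SWIG_UnpackDataName guards a pointer that is the caller's own destination buffer (the next line, `memset(ptr,0,sz);`, writes the unpacked value into it), so a NULL there is a caller bug and not an input condition the wire data can produce. Returning 0 also changes the contract: the success path is `return name;`, a pointer, so a 0 return is indistinguishable from "could not unpack", and the caller would treat a correctly parsed "NULL" token as a parse failure while its buffer stays uninitialised, which is a quieter version of the fault the patch claims to prevent. The file is SWIG output as well (the `SWIG_` prefix and the `_wrap.cc` name), so a hand edit disappears on the next regeneration; if a check is wanted it belongs in the interface file, and as an `assert(ptr != NULL)` that fails loudly rather than a silent return. Minor: the comment "will segment violation/fault" should read "will segfault".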
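Review bot: in the bro.c hunk, the `if (! ctx) return;` added to bro_ctx_init() turns a programming error into silent success. The function's whole job is `memset(ctx, 0, sizeof(BroCtx));`, so a caller that passes NULL now carries on with a BroCtx it believes is zeroed, and the crash merely moves to a later, less obvious dereference. The comment itself states the precondition ("paranoid, ctx must NOT be NULL"); either enforce it visibly with `assert(ctx != NULL);` so a broken caller fails at the point of misuse, or document the precondition in the header and leave the body alone. A quiet early return is the least defensible of the three options for a library entry point like this.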
From: noreply at bro.org (Merge Tracker) Date: Thu, 26 Nov 2015 00:00:27 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201511260800.tAQ80RZC024031@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- -------------------------------------------------------------- BIT-1511 [1] BroControl Nicolas Merle Justin Azoff 2015-11-25 2.5 Normal BroControl unable to recognize ifconfig output in some locales BIT-1489 [2] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [3] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [4] bro albertzaharovits [5] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [6] #1 [7] broctl J-Gras [8] 2015-10-24 Added support for Pcap options [9] [1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511 [2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [4] Pull Request #46 https://github.com/bro/bro/pull/46 [5] albertzaharovits https://github.com/albertzaharovits [6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [7] Pull Request #1 https://github.com/bro/broctl/pull/1 [8] J-Gras https://github.com/J-Gras [9] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From noreply at bro.org Fri Nov 27 00:00:28 2015 
From: noreply at bro.org (Merge Tracker) Date: Fri, 27 Nov 2015 00:00:28 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201511270800.tAR80Smu009366@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- -------------------------------------------------------------- BIT-1511 [1] BroControl Nicolas Merle Justin Azoff 2015-11-25 2.5 Normal BroControl unable to recognize ifconfig output in some locales BIT-1489 [2] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [3] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [4] bro albertzaharovits [5] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [6] #1 [7] broctl J-Gras [8] 2015-10-24 Added support for Pcap options [9] [1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511 [2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [4] Pull Request #46 https://github.com/bro/bro/pull/46 [5] albertzaharovits https://github.com/albertzaharovits [6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [7] Pull Request #1 https://github.com/bro/broctl/pull/1 [8] J-Gras https://github.com/J-Gras [9] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From noreply at bro.org Sat Nov 28 00:00:26 2015 
From: noreply at bro.org (Merge Tracker) Date: Sat, 28 Nov 2015 00:00:26 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201511280800.tAS80QlG002237@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- -------------------------------------------------------------- BIT-1511 [1] BroControl Nicolas Merle Justin Azoff 2015-11-25 2.5 Normal BroControl unable to recognize ifconfig output in some locales BIT-1489 [2] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [3] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [4] bro albertzaharovits [5] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [6] #1 [7] broctl J-Gras [8] 2015-10-24 Added support for Pcap options [9] [1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511 [2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [4] Pull Request #46 https://github.com/bro/bro/pull/46 [5] albertzaharovits https://github.com/albertzaharovits [6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [7] Pull Request #1 https://github.com/bro/broctl/pull/1 [8] J-Gras https://github.com/J-Gras [9] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From noreply at bro.org Sun Nov 29 00:00:23 2015 
From: noreply at bro.org (Merge Tracker) Date: Sun, 29 Nov 2015 00:00:23 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201511290800.tAT80NDD024928@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- -------------------------------------------------------------- BIT-1511 [1] BroControl Nicolas Merle Justin Azoff 2015-11-25 2.5 Normal BroControl unable to recognize ifconfig output in some locales BIT-1489 [2] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [3] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [4] bro albertzaharovits [5] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [6] #1 [7] broctl J-Gras [8] 2015-10-24 Added support for Pcap options [9] [1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511 [2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [4] Pull Request #46 https://github.com/bro/bro/pull/46 [5] albertzaharovits https://github.com/albertzaharovits [6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [7] Pull Request #1 https://github.com/bro/broctl/pull/1 [8] J-Gras https://github.com/J-Gras [9] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From noreply at bro.org Mon Nov 30 00:00:37 2015 
From: noreply at bro.org (Merge Tracker) Date: Mon, 30 Nov 2015 00:00:37 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201511300800.tAU80bDs007559@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ------------- ------------ ---------- ------------- ---------- -------------------------------------------------------------- BIT-1511 [1] BroControl Nicolas Merle Justin Azoff 2015-11-25 2.5 Normal BroControl unable to recognize ifconfig output in some locales BIT-1489 [2] BroControl Daniel Thayer Justin Azoff 2015-10-07 2.5 Normal topic/dnthayer/ticket1396 [3] Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #46 [4] bro albertzaharovits [5] 2015-11-03 HTTP Content-Disposition header updates filename field in HTTP::Info [6] #1 [7] broctl J-Gras [8] 2015-10-24 Added support for Pcap options [9] [1] BIT-1511 https://bro-tracker.atlassian.net/browse/BIT-1511 [2] BIT-1489 https://bro-tracker.atlassian.net/browse/BIT-1489 [3] ticket1396 https://github.com/bro/brocontrol/tree/topic/dnthayer/ticket1396 [4] Pull Request #46 https://github.com/bro/bro/pull/46 [5] albertzaharovits https://github.com/albertzaharovits [6] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [7] Pull Request #1 https://github.com/bro/broctl/pull/1 [8] J-Gras https://github.com/J-Gras [9] Merge Pull Request #1 with git pull --no-ff --no-commit https://github.com/J-Gras/broctl.git topic/jgras/pcap-config From jira at bro-tracker.atlassian.net Mon Nov 30 15:27:00 2015 
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA)) Date: Mon, 30 Nov 2015 17:27:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1442) Prevent possible segmentation violation/faults in Bro-2.3.2 In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1442?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1442: ------------------------------- Resolution: Invalid Status: Closed (was: Reopened) > Prevent possible segmentation violation/faults in Bro-2.3.2 > ----------------------------------------------------------- > > Key: BIT-1442 > URL: https://bro-tracker.atlassian.net/browse/BIT-1442 > Project: Bro Issue Tracker > Issue Type: Patch > Components: bro-aux, Broccoli > Affects Versions: 2.3 > Environment: Linux/Windows/BSD, etc > Reporter: Bill Parker > Labels: Segmentation, Violation, fault > Attachments: bro.c.patch, SubnetTree_wrap.cc.patch > > > Hello All, > In reviewing calls to memset() in Bro-2.3.2, I came across a > pair of instances where memset could POSSIBLY be called with an > address area pointing to NULL, which would generate a segmentation > violation/fault during execution. The patch files below should > address these issues: > In directory 'bro-2.3.2/aux/broctl/aux/pysubnettree', file > 'SubnetTree_wrap.cc': > --- SubnetTree_wrap.cc.orig 2015-08-02 18:56:24.034212101 -0400 > +++ SubnetTree_wrap.cc 2015-08-02 18:59:11.242212101 -0400 > @@ -719,6 +719,8 @@ > SWIG_UnpackDataName(const char *c, void *ptr, size_t sz, const char *name) { > if (*c != '_') { > if (strcmp(c,"NULL") == 0) { > + if (ptr == NULL) /* on off chance that ptr is NULL, memset() */ > + return 0; /* will segment violation/fault, so return 0 */ > memset(ptr,0,sz); > return name; > } else { > In directory 'bro-2.3.2/aux/broccoli/src', file 'bro.c': > --- bro.c.orig 2015-08-02 19:04:00.161212101 -0400 > +++ bro.c 2015-08-02 19:05:15.608212101 -0400 
> @@ -367,6 +367,9 @@ > void > bro_ctx_init(BroCtx *ctx) > { > + if (! ctx) /* paranoid, ctx must NOT be NULL */ > + return; > + > memset(ctx, 0, sizeof(BroCtx)); > } > > Comments, Questions, Suggestions, Complaints :) > I am attaching the patch file(s) to this bug report... > Bill Parker (wp02855 at gmail dot com) -- This message was sent by Atlassian JIRA (v7.1.0-OD-02-025#71001)