From noreply at bro.org Fri Jan 1 00:00:23 2016
From: noreply at bro.org (Merge Tracker)
Date: Fri, 1 Jan 2016 00:00:23 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601010800.u0180NaP009498@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------  ------------  ----------  -----------  --------  -------------------------------------------------------------
BIT-1490 [1]  BroControl  Seth Hall  Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#49 [2]  bro        wglodek [3]           2015-12-23  update ParseRequest to handle missing uri [4]
#46 [5]  bro        albertzaharovits [6]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [7]
#3 [8]   broctl     aeppert [9]           2015-12-30  Wrap interface for running a custom plugin [10]

[1]  BIT-1490          https://bro-tracker.atlassian.net/browse/BIT-1490
[2]  Pull Request #49  https://github.com/bro/bro/pull/49
[3]  wglodek           https://github.com/wglodek
[4]  Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri
[5]  Pull Request #46  https://github.com/bro/bro/pull/46
[6]  albertzaharovits  https://github.com/albertzaharovits
[7]  Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[8]  Pull Request #3   https://github.com/bro/broctl/pull/3
[9]  aeppert           https://github.com/aeppert
[10] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From noreply at bro.org Sat Jan 2 00:00:23 2016
From: noreply at bro.org (Merge Tracker)
Date: Sat, 2 Jan 2016 00:00:23 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601020800.u0280N6t011749@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------  ------------  ----------  -----------  --------  -------------------------------------------------------------
BIT-1490 [1]  BroControl  Seth Hall  Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#49 [2]  bro        wglodek [3]           2015-12-23  update ParseRequest to handle missing uri [4]
#46 [5]  bro        albertzaharovits [6]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [7]
#3 [8]   broctl     aeppert [9]           2015-12-30  Wrap interface for running a custom plugin [10]

[1]  BIT-1490          https://bro-tracker.atlassian.net/browse/BIT-1490
[2]  Pull Request #49  https://github.com/bro/bro/pull/49
[3]  wglodek           https://github.com/wglodek
[4]  Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri
[5]  Pull Request #46  https://github.com/bro/bro/pull/46
[6]  albertzaharovits  https://github.com/albertzaharovits
[7]  Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[8]  Pull Request #3   https://github.com/bro/broctl/pull/3
[9]  aeppert           https://github.com/aeppert
[10] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From noreply at bro.org Sun Jan 3 00:00:22 2016
From: noreply at bro.org (Merge Tracker)
Date: Sun, 3 Jan 2016 00:00:22 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601030800.u0380MHR001409@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------  ------------  ----------  -----------  --------  -------------------------------------------------------------
BIT-1490 [1]  BroControl  Seth Hall  Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#49 [2]  bro        wglodek [3]           2015-12-23  update ParseRequest to handle missing uri [4]
#46 [5]  bro        albertzaharovits [6]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [7]
#3 [8]   broctl     aeppert [9]           2015-12-30  Wrap interface for running a custom plugin [10]

[1]  BIT-1490          https://bro-tracker.atlassian.net/browse/BIT-1490
[2]  Pull Request #49  https://github.com/bro/bro/pull/49
[3]  wglodek           https://github.com/wglodek
[4]  Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri
[5]  Pull Request #46  https://github.com/bro/bro/pull/46
[6]  albertzaharovits  https://github.com/albertzaharovits
[7]  Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[8]  Pull Request #3   https://github.com/bro/broctl/pull/3
[9]  aeppert           https://github.com/aeppert
[10] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From noreply at bro.org Mon Jan 4 00:00:27 2016
From: noreply at bro.org (Merge Tracker)
Date: Mon, 4 Jan 2016 00:00:27 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601040800.u0480RYW011897@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------  ------------  ----------  -----------  --------  -------------------------------------------------------------
BIT-1490 [1]  BroControl  Seth Hall  Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#49 [2]  bro        wglodek [3]           2015-12-23  update ParseRequest to handle missing uri [4]
#46 [5]  bro        albertzaharovits [6]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [7]
#3 [8]   broctl     aeppert [9]           2015-12-30  Wrap interface for running a custom plugin [10]

[1]  BIT-1490          https://bro-tracker.atlassian.net/browse/BIT-1490
[2]  Pull Request #49  https://github.com/bro/bro/pull/49
[3]  wglodek           https://github.com/wglodek
[4]  Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri
[5]  Pull Request #46  https://github.com/bro/bro/pull/46
[6]  albertzaharovits  https://github.com/albertzaharovits
[7]  Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[8]  Pull Request #3   https://github.com/bro/broctl/pull/3
[9]  aeppert           https://github.com/aeppert
[10] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From jira at bro-tracker.atlassian.net Mon Jan 4 16:38:00 2016
From: jira at bro-tracker.atlassian.net (Anonymous (JIRA))
Date: Mon, 4 Jan 2016 18:38:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23600#comment-23600 ]

Anonymous commented on BIT-1337:
--------------------------------

christian louboutin pigalle
christian louboutin online store
http://canadachristianlouboutin.blogspot.com/

> Bro worker crash - terminate after 'std::length_error'
> ------------------------------------------------------
>
>                 Key: BIT-1337
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1337
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Josh Liburdi
>            Assignee: Seth Hall
>             Fix For: 2.4
>
>
> Running Bro master with the Kerberos and RDP analyzer branches resulted in one crashed worker on a pf_ring cluster. BroControl diag results below:
>
> terminate called after throwing an instance of 'std::length_error'
>   what():  basic_string::_S_create
> /usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted (core dumped) nohup $mybro "$@"

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From jira at bro-tracker.atlassian.net Mon Jan 4 16:43:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 4 Jan 2016 18:43:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1337) Bro worker crash - terminate after 'std::length_error'
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1337:
------------------------------

    Comment: was deleted

(was: christian louboutin pigalle
christian louboutin online store
http://canadachristianlouboutin.blogspot.com/)

> Bro worker crash - terminate after 'std::length_error'
> ------------------------------------------------------
>
>                 Key: BIT-1337
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1337
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Josh Liburdi
>            Assignee: Seth Hall
>             Fix For: 2.4
>
>
> Running Bro master with the Kerberos and RDP analyzer branches resulted in one crashed worker on a pf_ring cluster. BroControl diag results below:
>
> terminate called after throwing an instance of 'std::length_error'
>   what():  basic_string::_S_create
> /usr/local/bro/share/broctl/scripts/run-bro: line 85: 195850 Aborted (core dumped) nohup $mybro "$@"

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From jira at bro-tracker.atlassian.net Mon Jan 4 17:47:00 2016
From: jira at bro-tracker.atlassian.net (Anonymous (JIRA))
Date: Mon, 4 Jan 2016 19:47:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1108) Add broctl option to set PF_RING cluster type
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23601#comment-23601 ]

Anonymous commented on BIT-1108:
--------------------------------

christian louboutin bianca sale
christian louboutin sale
http://canadachristianlouboutinoutlet.blogspot.com/

> Add broctl option to set PF_RING cluster type
> ---------------------------------------------
>
>                 Key: BIT-1108
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1108
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>             Fix For: 2.3
>
>
> Currently, when using PF_RING, broctl chooses the PF_RING cluster type by
> setting the environment variable PCAP_PF_RING_USE_CLUSTER_PER_FLOW. In order
> to use a different cluster type, we would need to set a different environment
> variable (the PF_RING-aware libpcap does not look at the actual value of the
> environment variable, just whether the variable is defined or not), but there
> is no option in broctl to do this.
>
> To address this issue, a new broctl option PFRINGClusterType can be added,
> then a user could change the value of this option to choose a different
> PF_RING cluster type (and the broctl pf_ring plugin would set the appropriate
> env. variable).
>
> The allowed values of this new broctl option would be: "2-tuple", "4-tuple",
> "5-tuple", "tcp-5-tuple", "round-robin", or "6-tuple" (this one corresponds
> to the current cluster type used by broctl). By default, PFRINGClusterType
> would be set to "6-tuple".

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From noreply at bro.org Tue Jan 5 00:00:25 2016
From: noreply at bro.org (Merge Tracker)
Date: Tue, 5 Jan 2016 00:00:25 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601050800.u0580Pvt020817@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------  ------------  ----------  -----------  --------  -------------------------------------------------------------
BIT-1490 [1]  BroControl  Seth Hall  Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  ------------------------------------------------------------------------
#49 [2]  bro        wglodek [3]           2015-12-23  update ParseRequest to handle missing uri [4]
#46 [5]  bro        albertzaharovits [6]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [7]
#3 [8]   broctl     aeppert [9]           2015-12-30  Wrap interface for running a custom plugin [10]

[1]  BIT-1490          https://bro-tracker.atlassian.net/browse/BIT-1490
[2]  Pull Request #49  https://github.com/bro/bro/pull/49
[3]  wglodek           https://github.com/wglodek
[4]  Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri
[5]  Pull Request #46  https://github.com/bro/bro/pull/46
[6]  albertzaharovits  https://github.com/albertzaharovits
[7]  Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[8]  Pull Request #3   https://github.com/bro/broctl/pull/3
[9]  aeppert           https://github.com/aeppert
[10] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From jira at bro-tracker.atlassian.net Tue Jan 5 06:22:00 2016
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA))
Date: Tue, 5 Jan 2016 08:22:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1108) Add broctl option to set PF_RING cluster type
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeannette Dopheide updated BIT-1108:
------------------------------------

    Comment: was deleted

(was: christian louboutin bianca sale
christian louboutin sale
http://canadachristianlouboutinoutlet.blogspot.com/)

> Add broctl option to set PF_RING cluster type
> ---------------------------------------------
>
>                 Key: BIT-1108
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1108
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: BroControl
>            Reporter: Daniel Thayer
>             Fix For: 2.3
>
>
> Currently, when using PF_RING, broctl chooses the PF_RING cluster type by
> setting the environment variable PCAP_PF_RING_USE_CLUSTER_PER_FLOW. In order
> to use a different cluster type, we would need to set a different environment
> variable (the PF_RING-aware libpcap does not look at the actual value of the
> environment variable, just whether the variable is defined or not), but there
> is no option in broctl to do this.
>
> To address this issue, a new broctl option PFRINGClusterType can be added,
> then a user could change the value of this option to choose a different
> PF_RING cluster type (and the broctl pf_ring plugin would set the appropriate
> env. variable).
>
> The allowed values of this new broctl option would be: "2-tuple", "4-tuple",
> "5-tuple", "tcp-5-tuple", "round-robin", or "6-tuple" (this one corresponds
> to the current cluster type used by broctl). By default, PFRINGClusterType
> would be set to "6-tuple".

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From jira at bro-tracker.atlassian.net Tue Jan 5 06:43:00 2016
From: jira at bro-tracker.atlassian.net (Anonymous (JIRA))
Date: Tue, 5 Jan 2016 08:43:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1222) topic/robin/reader-writer-plugins
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23602#comment-23602 ]

Anonymous commented on BIT-1222:
--------------------------------

louboutin red bottoms
christian louboutin sale outlet
http://canadachristianlouboutin.blogspot.com/

> topic/robin/reader-writer-plugins
> ---------------------------------
>
>                 Key: BIT-1222
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1222
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> This moves log writers and input readers to the new plugin API. No functional differences, except that one can now implement them via external plugins as well. Test cases for that included.
>
> Most of the change is just moving stuff around, plus adapting to the new API. There are a few changes to defining/handling of the corresponding builtin types, as they now have to be dynamic.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From jira at bro-tracker.atlassian.net Tue Jan 5 06:45:00 2016
From: jira at bro-tracker.atlassian.net (Anonymous (JIRA))
Date: Tue, 5 Jan 2016 08:45:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-562) SWIG version trouble
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23603#comment-23603 ]

Anonymous commented on BIT-562:
-------------------------------

sold out sneakers
christian louboutin shoes online
http://christianlouboutincanadaoutlet.blogspot.com/

> SWIG version trouble
> --------------------
>
>                 Key: BIT-562
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-562
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: pysubnettree
>    Affects Versions: git/master
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>              Labels: beta
>             Fix For: 2.0
>
>
> Looks like we need a "minimum SWIG version" check. With 1.3.29, I get
> the errors below. Updating to 1.3.40 solves it.
>
> {noformat}
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx: In function ‘int SWIG_Python_ConvertFunctionPtr(PyObject*, void**, swig_type_info*)’:
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2051: error: invalid conversion from ‘const char*’ to ‘char*’
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx: In function ‘int SWIG_AsCharPtrAndSize(PyObject*, char**, size_t*, int*)’:
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2575: error: cannot convert ‘int*’ to ‘Py_ssize_t*’ for argument ‘3’ to ‘int PyString_AsStringAndSize(PyObject*, char**, Py_ssize_t*)’
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx: In function ‘PyObject* SubnetTree___contains____SWIG_0(SubnetTree*, char*, int)’:
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2849: warning: dereferencing type-punned pointer will break strict-aliasing rules
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2849: warning: dereferencing type-punned pointer will break strict-aliasing rules
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2851: warning: dereferencing type-punned pointer will break strict-aliasing rules
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2851: warning: dereferencing type-punned pointer will break strict-aliasing rules
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx: In function ‘void SWIG_Python_FixMethods(PyMethodDef*, swig_const_info*, swig_type_info**, swig_type_info**)’:
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:4141: error: invalid conversion from ‘const char*’ to ‘char*’
> make[2]: *** [aux/broctl/aux/pysubnettree/CMakeFiles/_SubnetTree.dir/SubnetTreePYTHON_wrap.cxx.o] Error 1
> make[1]: *** [aux/broctl/aux/pysubnettree/CMakeFiles/_SubnetTree.dir/all] Error 2
> make: *** [all] Error 2
>
> swig -version
> SWIG Version 1.3.29
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From jira at bro-tracker.atlassian.net Tue Jan 5 06:52:00 2016
From: jira at bro-tracker.atlassian.net (Anonymous (JIRA))
Date: Tue, 5 Jan 2016 08:52:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-642) Configure only checks presence of swig and not of swig-python
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23604#comment-23604 ]

Anonymous commented on BIT-642:
-------------------------------

christian louboutin outlet canada
cheap christian louboutin shoes canada
http://christianlouboutincanadaoutlet.blogspot.com/

> Configure only checks presence of swig and not of swig-python
> -------------------------------------------------------------
>
>                 Key: BIT-642
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-642
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Johanna Amann
>             Fix For: 2.0
>
>
> On Mac OS X, macports usually installs swig without the python bindings (they are in a separate package).
>
> When only swig and not swig-python is installed, the configure script runs ok, but the build fails with
>
> {noformat}
> ...
> [ 78%] Building C object src/CMakeFiles/bro.dir/strsep.c.o
> [ 78%] Building C object src/CMakeFiles/bro.dir/modp_numtoa.c.o
> [ 78%] Building C object src/CMakeFiles/bro.dir/nb_dns.c.o
> Linking CXX executable bro
> [ 78%] Built target bro
> [ 78%] Swig source
> :3: Error: Unable to find 'python.swg'
> make[3]: *** [aux/broctl/aux/pysubnettree/SubnetTreePYTHON_wrap.cxx] Error 1
> make[2]: *** [aux/broctl/aux/pysubnettree/CMakeFiles/_SubnetTree.dir/all] Error 2
> make[1]: *** [all] Error 2
> make: *** [all] Error 2
> {noformat}
>
> the same is true for ruby:
>
> {noformat}
> [ 97%] Building C object aux/broccoli/test/CMakeFiles/brotable.dir/brotable.c.o
> Linking C executable brotable
> [ 97%] Built target brotable
> [ 97%] Swig source
> Scanning dependencies of target _broccoli_intern
> [ 98%] Building C object aux/broccoli/bindings/broccoli-python/CMakeFiles/_broccoli_intern.dir/broccoli_internPYTHON_wrap.c.o
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c: In function ‘valToPyObj’:
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c:3057: warning: pointer targets in passing argument 1 of ‘PyString_FromStringAndSize’ differ in signedness
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c: In function ‘pyObjToVal’:
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c:3154: warning: pointer targets in assignment differ in signedness
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c: In function ‘_wrap_bro_event_add_val’:
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c:3734: warning: assignment discards qualifiers from pointer target type
> Linking C shared module _broccoli_intern.so
> [ 98%] Built target _broccoli_intern
> [100%] Swig source
> :3: Error: Unable to find 'ruby.swg'
> /Users/bernhard/bro/bro/aux/broccoli/bindings/broccoli-ruby/ext/broccoli_ext/broccoli_intern.i:4: Error: Unable to find 'typemaps.i'
> make[3]: *** [aux/broccoli/bindings/broccoli-ruby/ext/broccoli_ext/broccoli_internRUBY_wrap.c] Error 1
> make[2]: *** [aux/broccoli/bindings/broccoli-ruby/CMakeFiles/broccoli_ext.dir/all] Error 2
> make[1]: *** [all] Error 2
> make: *** [all] Error 2
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From jira at bro-tracker.atlassian.net Tue Jan 5 06:57:00 2016
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA))
Date: Tue, 5 Jan 2016 08:57:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-562) SWIG version trouble
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeannette Dopheide updated BIT-562:
-----------------------------------

    Comment: was deleted

(was: sold out sneakers
christian louboutin shoes online
http://christianlouboutincanadaoutlet.blogspot.com/)

> SWIG version trouble
> --------------------
>
>                 Key: BIT-562
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-562
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: pysubnettree
>    Affects Versions: git/master
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>              Labels: beta
>             Fix For: 2.0
>
>
> Looks like we need a "minimum SWIG version" check. With 1.3.29, I get
> the errors below. Updating to 1.3.40 solves it.
>
> {noformat}
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx: In function ‘int SWIG_Python_ConvertFunctionPtr(PyObject*, void**, swig_type_info*)’:
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2051: error: invalid conversion from ‘const char*’ to ‘char*’
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx: In function ‘int SWIG_AsCharPtrAndSize(PyObject*, char**, size_t*, int*)’:
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2575: error: cannot convert ‘int*’ to ‘Py_ssize_t*’ for argument ‘3’ to ‘int PyString_AsStringAndSize(PyObject*, char**, Py_ssize_t*)’
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx: In function ‘PyObject* SubnetTree___contains____SWIG_0(SubnetTree*, char*, int)’:
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2849: warning: dereferencing type-punned pointer will break strict-aliasing rules
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2849: warning: dereferencing type-punned pointer will break strict-aliasing rules
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2851: warning: dereferencing type-punned pointer will break strict-aliasing rules
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:2851: warning: dereferencing type-punned pointer will break strict-aliasing rules
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx: In function ‘void SWIG_Python_FixMethods(PyMethodDef*, swig_const_info*, swig_type_info**, swig_type_info**)’:
> .../aux/pysubnettree/SubnetTreePYTHON_wrap.cxx:4141: error: invalid conversion from ‘const char*’ to ‘char*’
> make[2]: *** [aux/broctl/aux/pysubnettree/CMakeFiles/_SubnetTree.dir/SubnetTreePYTHON_wrap.cxx.o] Error 1
> make[1]: *** [aux/broctl/aux/pysubnettree/CMakeFiles/_SubnetTree.dir/all] Error 2
> make: *** [all] Error 2
>
> swig -version
> SWIG Version 1.3.29
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From jira at bro-tracker.atlassian.net Tue Jan 5 06:57:00 2016
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA))
Date: Tue, 5 Jan 2016 08:57:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-642) Configure only checks presence of swig and not of swig-python
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-642?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeannette Dopheide updated BIT-642:
-----------------------------------

    Comment: was deleted

(was: christian louboutin outlet canada
cheap christian louboutin shoes canada
http://christianlouboutincanadaoutlet.blogspot.com/)

> Configure only checks presence of swig and not of swig-python
> -------------------------------------------------------------
>
>                 Key: BIT-642
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-642
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Johanna Amann
>             Fix For: 2.0
>
>
> On Mac OS X, macports usually installs swig without the python bindings (they are in a separate package).
>
> When only swig and not swig-python is installed, the configure script runs ok, but the build fails with
>
> {noformat}
> ...
> [ 78%] Building C object src/CMakeFiles/bro.dir/strsep.c.o
> [ 78%] Building C object src/CMakeFiles/bro.dir/modp_numtoa.c.o
> [ 78%] Building C object src/CMakeFiles/bro.dir/nb_dns.c.o
> Linking CXX executable bro
> [ 78%] Built target bro
> [ 78%] Swig source
> :3: Error: Unable to find 'python.swg'
> make[3]: *** [aux/broctl/aux/pysubnettree/SubnetTreePYTHON_wrap.cxx] Error 1
> make[2]: *** [aux/broctl/aux/pysubnettree/CMakeFiles/_SubnetTree.dir/all] Error 2
> make[1]: *** [all] Error 2
> make: *** [all] Error 2
> {noformat}
>
> the same is true for ruby:
>
> {noformat}
> [ 97%] Building C object aux/broccoli/test/CMakeFiles/brotable.dir/brotable.c.o
> Linking C executable brotable
> [ 97%] Built target brotable
> [ 97%] Swig source
> Scanning dependencies of target _broccoli_intern
> [ 98%] Building C object aux/broccoli/bindings/broccoli-python/CMakeFiles/_broccoli_intern.dir/broccoli_internPYTHON_wrap.c.o
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c: In function ‘valToPyObj’:
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c:3057: warning: pointer targets in passing argument 1 of ‘PyString_FromStringAndSize’ differ in signedness
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c: In function ‘pyObjToVal’:
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c:3154: warning: pointer targets in assignment differ in signedness
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c: In function ‘_wrap_bro_event_add_val’:
> /Users/bernhard/bro/bro/build/aux/broccoli/bindings/broccoli-python/broccoli_internPYTHON_wrap.c:3734: warning: assignment discards qualifiers from pointer target type
> Linking C shared module _broccoli_intern.so
> [ 98%] Built target _broccoli_intern
> [100%] Swig source
> :3: Error: Unable to find 'ruby.swg'
> /Users/bernhard/bro/bro/aux/broccoli/bindings/broccoli-ruby/ext/broccoli_ext/broccoli_intern.i:4: Error: Unable to find 'typemaps.i'
> make[3]: *** [aux/broccoli/bindings/broccoli-ruby/ext/broccoli_ext/broccoli_internRUBY_wrap.c] Error 1
> make[2]: *** [aux/broccoli/bindings/broccoli-ruby/CMakeFiles/broccoli_ext.dir/all] Error 2
> make[1]: *** [all] Error 2
> make: *** [all] Error 2
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From jira at bro-tracker.atlassian.net Tue Jan 5 06:58:00 2016
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA))
Date: Tue, 5 Jan 2016 08:58:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1222) topic/robin/reader-writer-plugins
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeannette Dopheide updated BIT-1222:
------------------------------------

    Comment: was deleted

(was: louboutin red bottoms
christian louboutin sale outlet
http://canadachristianlouboutin.blogspot.com/)

> topic/robin/reader-writer-plugins
> ---------------------------------
>
>                 Key: BIT-1222
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1222
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>             Fix For: 2.4
>
>
> This moves log writers and input readers to the new plugin API. No functional differences, except that one can now implement them via external plugins as well. Test cases for that included.
>
> Most of the change is just moving stuff around, plus adapting to the new API. There are a few changes to defining/handling of the corresponding builtin types, as they now have to be dynamic.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From jira at bro-tracker.atlassian.net Tue Jan 5 11:51:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Tue, 5 Jan 2016 13:51:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-474) &raw_output turns null values into \0
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-474:
--------------------------------

    Assignee: Seth Hall  (was: Jon Siwek)

> &raw_output turns null values into \0
> -------------------------------------
>
>                 Key: BIT-474
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-474
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Seth Hall
>              Labels: preview
>             Fix For: 2.5
>
>
> Files with the raw_output attribute shouldn't do any interpretation to the data.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-048#71001)

From jira at bro-tracker.atlassian.net Tue Jan 5 12:02:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Tue, 5 Jan 2016 14:02:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1472) Bif for a new function to calculates haversine distance between two geoip locations In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1472?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Slagell updated BIT-1472: ------------------------------ Priority: Low (was: Normal) > Bif for a new function to calculates haversine distance between two geoip locations > ----------------------------------------------------------------------------------- > > Key: BIT-1472 > URL: https://bro-tracker.atlassian.net/browse/BIT-1472 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: 2.4 > Reporter: Aashish Sharma > Assignee: Daniel Thayer > Priority: Low > Labels: bif, function > Fix For: 2.5 > > > Merge request for: > topic/aashish/haversine > ## ## Calculates haversine distance between two geoip locations > ## > ## > ## lat1, long1, lat2, long2 > ## > ## Returns: distance in miles > ## function haversine_distance%(lat1:double, long1:double, lat2:double, long2:double %): double > accompanying bro policy in base/utils/haversine_distance_ip.bro > module GLOBAL; > ## Returns the haversine distance between two IP addresses based on GeoIP > ## database locations > ## > ## > ## orig: the address of orig connection > ## resp: the address of resp server > ## Returns: the GeoIP distance between orig and resp in miles > function haversine_distance_ip(orig: addr, resp: addr): double -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-048#71001) From jira at bro-tracker.atlassian.net Tue Jan 5 12:03:00 2016 
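Reference implementation of what the two functions proposed in BIT-1472 compute, added here as an example; it is not the code from topic/aashish/haversine or from Bro. The Earth radius constant, the GEO_TABLE standing in for the GeoIP database, and its coordinates are assumptions; the addresses are RFC 5737 documentation ranges. It also covers the case the bif signature leaves open, an address with no GeoIP location.

```python
import ipaddress
import math

# Mean Earth radius in miles. Assumption: the constant used by the proposed
# bif is not on the page.
EARTH_RADIUS_MILES = 3958.8

# Constructed lookup table standing in for the GeoIP database
# (RFC 5737 documentation addresses, coordinates chosen for the example).
GEO_TABLE = {
    "192.0.2.1": (37.7749, -122.4194),    # San Francisco
    "198.51.100.1": (40.7128, -74.0060),  # New York
}


def haversine_distance(lat1, long1, lat2, long2):
    """Great-circle distance in miles between two lat/long pairs given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(long2 - long1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    # Clamp guards against sqrt(1 + epsilon) from rounding on antipodal points.
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(min(1.0, a)))


def haversine_distance_ip(orig, resp, geo=GEO_TABLE):
    """Distance in miles between the GeoIP locations of two addresses.

    Returns None when either address has no location (private, unrouted,
    or simply absent from the database) instead of silently using 0/0.
    """
    for a in (orig, resp):
        ipaddress.ip_address(a)  # raises ValueError on malformed input
    loc_o, loc_r = geo.get(orig), geo.get(resp)
    if loc_o is None or loc_r is None:
        return None
    return haversine_distance(*loc_o, *loc_r)


if __name__ == "__main__":
    print("SF -> NYC (miles):", round(haversine_distance_ip("192.0.2.1", "198.51.100.1")))
    print("no location      :", haversine_distance_ip("192.0.2.1", "10.0.0.1"))
```

The None return matters in a Bro-style policy: a script that alerts on "impossible travel" or unusually distant peers must treat a missing location as unknown, not as a distance of zero.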
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Tue, 5 Jan 2016 14:03:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1515) Interface setup plug-in In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Slagell updated BIT-1515: ------------------------------ Priority: Low (was: Normal) > Interface setup plug-in > ----------------------- > > Key: BIT-1515 > URL: https://bro-tracker.atlassian.net/browse/BIT-1515 > Project: Bro Issue Tracker > Issue Type: Task > Components: Bro > Reporter: Jeannette Dopheide > Assignee: Justin Azoff > Priority: Low > > Place holder ticket to remind Justin to finish the interface setup plug-in he has been working on. -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-048#71001) From jira at bro-tracker.atlassian.net Tue Jan 5 12:04:00 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Tue, 5 Jan 2016 14:04:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1469) dpd.log contains lots of binpac exceptions for RDP In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Slagell updated BIT-1469: ------------------------------ Priority: Low (was: Normal) > dpd.log contains lots of binpac exceptions for RDP > -------------------------------------------------- > > Key: BIT-1469 > URL: https://bro-tracker.atlassian.net/browse/BIT-1469 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BinPAC, Bro > Affects Versions: git/master > Environment: RHEL 6.6, 2.4-10 bro build from git > Reporter: Gary Faulkner > Assignee: Vlad Grigorescu > Priority: Low > Labels: analyzer > Fix For: 2.5 > > Attachments: bad-rdp-04SEP15-2.pcap, bad-rdp-04SEP15.pcap, rdp-31AUG15.pcap > > > RDP scanners seem to generate a lot of binpac errors in dpd.log for RDP connections. > The following log line is an example of the error that repeats continuously during the activity: > 1441031469.413008 CPNcey4q2i8mGVUvEg 74.91.23.83 62082 10.10.81.207 3389 tcp RDP Binpac exception: binpac exception: out_of_bound: DT_Data:application_type: 3 > 2 > The 10.x.x.x IP is the redacted local IP. The other IP is the scanner. -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-048#71001) From jira at bro-tracker.atlassian.net Tue Jan 5 12:05:00 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Tue, 5 Jan 2016 14:05:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1033) add script based on BBN's ICMP analyzer In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Slagell updated BIT-1033: ------------------------------ Priority: Low (was: Normal) > add script based on BBN's ICMP analyzer > --------------------------------------- > > Key: BIT-1033 > URL: https://bro-tracker.atlassian.net/browse/BIT-1033 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro > Affects Versions: git/master > Reporter: dmandelb > Assignee: Vlad Grigorescu > Priority: Low > Fix For: 2.5 > > Attachments: 0001-add-script-based-on-BBN-s-ICMP-analyzer.patch > > -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-048#71001) From jira at bro-tracker.atlassian.net Tue Jan 5 14:33:00 2016 
From: jira at bro-tracker.atlassian.net (dop (JIRA)) Date: Tue, 5 Jan 2016 16:33:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1517) Variable rollover in bytes_recv in stats.log In-Reply-To: References: Message-ID: dop created BIT-1517: ------------------------ Summary: Variable rollover in bytes_recv in stats.log Key: BIT-1517 URL: https://bro-tracker.atlassian.net/browse/BIT-1517 Project: Bro Issue Tracker Issue Type: Problem Components: Bro Affects Versions: 2.4 Environment: CentOS release 6.7 (Final) Reporter: dop I noticed that bytes_recv in stats.log was looking occasionally really high (like 2^64 high) and mentioned it to Justin. He proposed a quick patch to stats.bro (below) to identify the source of the problem which looks like the raw bytes_recv variable: cat current/stats.log | /usr/local/bro/bin/bro-cut -u peer bytes_recv bytes_recv_raw | grep pg-worker-1-9 pg-worker-1-9 17654180 4261583324 pg-worker-1-9 21442649 4283025973 pg-worker-1-9 18446744069439617937 13092294 pg-worker-1-9 15969954 29062248 pg-worker-1-9 23215479 52277727 --- stats.bro.orig 2016-01-05 14:31:33.000000000 -0500 +++ stats.bro 2016-01-05 14:32:04.000000000 -0500 @@ -42,6 +42,8 @@ ## Number of bytes received since the last stats interval if ## reading live traffic. bytes_recv: count &log &optional; + + bytes_recv_raw: count &log &optional; }; ## Event to catch stats as they are written to the logging stream. @@ -78,6 +80,7 @@ info$pkts_dropped = ns$pkts_dropped - last_ns$pkts_dropped; info$pkts_link = ns$pkts_link - last_ns$pkts_link; info$bytes_recv = ns$bytes_recvd - last_ns$bytes_recvd; + info$bytes_recv_raw = ns$bytes_recvd; } Log::write(Stats::LOG, info); -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-048#71001) From zakahili at gmail.com Tue Jan 5 23:52:30 2016 
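Review bot: the existing line `info$bytes_recv = ns$bytes_recvd - last_ns$bytes_recvd;` in the second hunk is where the bad values come from, not merely what the new field diagnoses: the bytes_recv_raw column in the quoted log falls from 4283025973 to 13092294 (a wrap just past 2^32), and subtracting those in an unsigned `count` yields exactly the 18446744069439617937 seen in bytes_recv. Adding bytes_recv_raw is fine as a diagnostic, but the delta should be taken modulo the width of the underlying counter (or the raw value widened before it reaches the script). Also, the new `bytes_recv_raw: count &log &optional;` lacks the `##` doc comment its neighbour carries, so it will appear undocumented in stats.log.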
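The arithmetic behind the values dop quotes, as an added example (not code from the report, from Justin's patch, or from stats.bro): the raw readings below are taken from the bytes_recv_raw column in the message, and the 32-bit width of the source counter is an assumption drawn from the fact that the raw value drops right after 4283025973. The example reproduces the underflowed value, computes the wrap-corrected delta, and adds the one check a counter alone cannot give you.

```python
# Added example: deltas from a wrapping raw counter, and why the naive
# unsigned subtraction produces values near 2^64.

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1

# Constructed from the bytes_recv_raw column quoted in the BIT-1517 report.
RAW_READINGS = [4261583324, 4283025973, 13092294, 29062248, 52277727]


def naive_delta(curr, prev):
    """Subtraction as an unsigned 64-bit value, the behaviour of Bro's `count`.

    When the raw counter has wrapped, curr < prev and the result is 2^64 - x.
    """
    return (curr - prev) & MASK64


def wrapped_delta(curr, prev, width=32):
    """Delta modulo 2^width: the bytes counted even if the underlying
    counter wrapped once during the interval.

    `width` is an assumption about the source counter; 32 bits matches the
    raw readings in the report (all below 2^32, falling after 4283025973).
    """
    mask = (1 << width) - 1
    return (curr - prev) & mask


def stats_deltas(readings, width=32):
    """Per-interval, wrap-corrected deltas for a sequence of raw readings."""
    return [wrapped_delta(curr, prev, width)
            for prev, curr in zip(readings, readings[1:])]


def suspicious_deltas(readings, width=32, max_plausible=None):
    """Indices of intervals whose corrected delta exceeds a plausibility bound.

    A counter reset (e.g. a restarted process) is indistinguishable from a
    wrap using the counter alone, so a bound derived from outside it, such as
    link rate times the stats interval, is the only remaining sanity check.
    Default bound: half the counter range.
    """
    if max_plausible is None:
        max_plausible = 1 << (width - 1)
    return [i for i, d in enumerate(stats_deltas(readings, width))
            if d > max_plausible]


if __name__ == "__main__":
    prev, curr = RAW_READINGS[1], RAW_READINGS[2]
    print("naive  :", naive_delta(curr, prev))    # 18446744069439617937, as in the log
    print("wrapped:", wrapped_delta(curr, prev))  # 25033617
    print("deltas :", stats_deltas(RAW_READINGS))
```

The three deltas the log does show (21442649, 15969954, 23215479) come out unchanged from the wrap-corrected path, and the interval that logged 18446744069439617937 becomes 25033617, in line with its neighbours.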
From: zakahili at gmail.com (Zakaria Hili) Date: Wed, 6 Jan 2016 08:52:30 +0100 Subject: [Bro-Dev] [Bro_Configuration]Problem with RPC Analyzer Message-ID: Hello, I am working on a sniffer based on bro (for educational purpose) and I am facing problems with the RPC Analyzer configuration. In fact it is not activated by default on Bro: Todo: Bro's current default configuration does not activate the protocol analyzer that generates this event; the corresponding script has not yet been ported to Bro 2.x. To still enable this event, one needs to register a port for it or add a DPD payload signature. With regard to this Todo section in the Bro::RPC analyzer, I tried to register a port for rpc and nfs with the following script:
const ports = {111/tcp, 111/udp, 747/udp, 759/tcp, 762/udp, 764/tcp, 2049/udp};
redef likely_server_ports += {ports};
event bro_init() &priority=5 { Analyzer::register_for_ports(Analyzer::ANALYZER_NFS, ports); }
event nfs_proc_getattr(c: connection, info: NFS3::info_t, fh: string, attrs: NFS3::fattr_t){ print "hi"; }
but I have got this error: 944207397.280000 internal error: unknown analyzer name RPC; mismatch with tag analyzer::Component? Please could you help me with any hint to understand what I am supposed to do. Thank you in advance. Best Regards, Zakaria From noreply at bro.org Wed Jan 6 00:00:37 2016
From: noreply at bro.org (Merge Tracker) Date: Wed, 6 Jan 2016 00:00:37 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201601060800.u0680bbg029394@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] #3 [8] broctl aeppert [9] 2015-12-30 Wrap interface for running a custom plugin [10] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [8] Pull Request #3 https://github.com/bro/broctl/pull/3 [9] aeppert https://github.com/aeppert [10] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master From noreply at bro.org Thu Jan 7 00:00:30 2016 
From: noreply at bro.org (Merge Tracker) Date: Thu, 7 Jan 2016 00:00:30 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201601070800.u0780UiL000751@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] #3 [8] broctl aeppert [9] 2015-12-30 Wrap interface for running a custom plugin [10] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [8] Pull Request #3 https://github.com/bro/broctl/pull/3 [9] aeppert https://github.com/aeppert [10] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master From jira at bro-tracker.atlassian.net Thu Jan 7 10:04:00 2016 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 7 Jan 2016 12:04:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1498) add '-q' to ssh execution in ssh_runner.py In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1498: ------------------------------- Priority: Trivial (was: Normal) > add '-q' to ssh execution in ssh_runner.py > ------------------------------------------ > > Key: BIT-1498 > URL: https://bro-tracker.atlassian.net/browse/BIT-1498 > Project: Bro Issue Tracker > Issue Type: Patch > Components: BroControl > Affects Versions: 2.4 > Reporter: scampbell > Assignee: Daniel Thayer > Priority: Trivial > Labels: broctl > Fix For: 2.5 > > > When using broctl in an environment with login banners, they will be displayed in the broctl command. In the event that they cannot be configured away on the sshd end, using '-q' avoids displaying the banner on the client side. > The patch is trivial: > --- a/BroControl/ssh_runner.py > +++ b/BroControl/ssh_runner.py > @@ -108,6 +108,7 @@ class SSHMaster: > self.base_cmd = [ > "ssh", > "-o", "BatchMode=yes", > + "-q", > host, > ] > self.need_connect = True -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-049#71001) From jira at bro-tracker.atlassian.net Thu Jan 7 10:07:00 2016
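Review bot: the added `"-q",` in the hunk silences more than the banner: ssh's quiet mode suppresses its warnings and most diagnostics, so when a BatchMode connection to a worker fails this runner will have less output to surface to the operator. If only the banner is unwanted, `-o LogLevel=ERROR` drops the banner while keeping error messages, and it fits the `-o` style already used on the line above; whichever option is kept, a short comment next to it saying why it is there would help the next reader of base_cmd.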
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 7 Jan 2016 12:07:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-253) Can't bind to port 47760, Address already in use In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-253: ------------------------------ Priority: Low (was: Normal) > Can't bind to port 47760, Address already in use > ------------------------------------------------ > > Key: BIT-253 > URL: https://bro-tracker.atlassian.net/browse/BIT-253 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: BroControl > Affects Versions: 1.5.2 > Reporter: tyler.schoenke > Assignee: Daniel Thayer > Priority: Low > Fix For: 2.5 > > > I ran into some strange behavior with the cluster. I was still receiving email alerts, but the log files on the manager contained only headers with no log messages. The connection summary emails had the columns and summaries with all of the values being empty. > I ran a dumpcap on my manager's eth0 filtering my worker IP, and saw that the logs were being sent to the manager. I could start the cluster, run broctl stats and diag with no errors. I finally saw "Can't bind to port 47760, Address already in use" in the remote.log on the manager. After stopping the cluster and looking for LISTENing processes, I saw that something was bound to that port. I checked for running bro processes and saw that some hadn't terminated when the cluster was stopped. After killing those, the cluster started working properly. > My enhancement request is to have something added to the cluster startup script that reports an error if the manager or workers encounter an error binding to a port. This error could either prevent the cluster from starting, or just print some message to let the user know there is a problem with port binding. 
-- This message was sent by Atlassian JIRA (v7.1.0-OD-03-049#71001) From jira at bro-tracker.atlassian.net Thu Jan 7 11:00:00 2016 From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 7 Jan 2016 13:00:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1047) Delete old scripts before installing new ones In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1047: ------------------------------- Priority: Trivial (was: Normal) > Delete old scripts before installing new ones > --------------------------------------------- > > Key: BIT-1047 > URL: https://bro-tracker.atlassian.net/browse/BIT-1047 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Reporter: Robin Sommer > Assignee: Daniel Thayer > Priority: Trivial > Fix For: 2.5 > > > People keep having problems when they install a new Bro version > over the installation of an old one because scripts that have disappeared in the new version will keep sticking around from the previous installation. > We should simply remove the old scripts/base and scripts/policy before installing anything new. People aren't supposed to edit in there so that should be safe. -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-049#71001) From jira at bro-tracker.atlassian.net Thu Jan 7 11:01:00 2016 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Thu, 7 Jan 2016 13:01:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1378) Include extract_files in archives In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1378?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daniel Thayer updated BIT-1378: ------------------------------- Priority: Low (was: Normal) > Include extract_files in archives > --------------------------------- > > Key: BIT-1378 > URL: https://bro-tracker.atlassian.net/browse/BIT-1378 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Affects Versions: 2.3 > Environment: Linux > Reporter: james.lay > Assignee: Daniel Thayer > Priority: Low > Labels: cleanup, file > > Request to see about getting extract_files included in the 'normal' archiving process -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-049#71001) From jira at bro-tracker.atlassian.net Thu Jan 7 11:33:00 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Thu, 7 Jan 2016 13:33:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-161) In standalone mode, broctl attempts to connect to wrong port. In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23701#comment-23701 ] Adam Slagell commented on BIT-161: ---------------------------------- Review again after Broker integration > In standalone mode, broctl attempts to connect to wrong port. > ------------------------------------------------------------- > > Key: BIT-161 > URL: https://bro-tracker.atlassian.net/browse/BIT-161 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: BroControl > Affects Versions: 1.5.2 > Reporter: Seth Hall > Assignee: Daniel Thayer > Priority: Low > Labels: warning > > I have a standalone instance setup and the bro process is holding open port 47758/tcp, but the broctl interface is attempting to connect to port 47760/tcp when it tries to do anything with broccoli. > {noformat} > [BroControl] > netstats > bro: > {noformat} > {noformat} > seth at Blake3:~$ sudo lsof -i | grep LISTEN > bro 74156 root 0u IPv4 0xb3ad270 0t0 TCP *:47758 (LISTEN) > {noformat} -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-049#71001) From jira at bro-tracker.atlassian.net Thu Jan 7 11:36:00 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Thu, 7 Jan 2016 13:36:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1301) Log::add_filter should have a transform func In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Slagell updated BIT-1301: ------------------------------ Priority: Low (was: Normal) > Log::add_filter should have a transform func > -------------------------------------------- > > Key: BIT-1301 > URL: https://bro-tracker.atlassian.net/browse/BIT-1301 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Reporter: Justin Azoff > Assignee: Justin Azoff > Priority: Low > Labels: logging > Fix For: 2.5 > > > One should be able to do something like > {code} > Log::add_filter(HTTP::LOG, [ > $transform=function(rec: HTTP::Info): HTTP::Info { > # modify rec somehow > } > ]); > {code} > Not sure if it should modify the record in place, or return the modified version. > This could allow the user to do similar things to include/exclude, but on a more granular level. -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-049#71001) From jira at bro-tracker.atlassian.net Thu Jan 7 11:43:00 2016
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA)) Date: Thu, 7 Jan 2016 13:43:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1444) Connection logging for ESP In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23703#comment-23703 ] Jeannette Dopheide commented on BIT-1444: ----------------------------------------- due 1/14/15 > Connection logging for ESP > -------------------------- > > Key: BIT-1444 > URL: https://bro-tracker.atlassian.net/browse/BIT-1444 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Reporter: Jimmy Jones > Assignee: Vlad Grigorescu > Priority: Low > > I'd like to be able to track ESP (IPSec) connections in conn.log. Although ESP is encrypted, the ability to track volumes and pattern of life etc would be beneficial when doing intrusion analysis. -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-049#71001) From jira at bro-tracker.atlassian.net Thu Jan 7 11:46:00 2016 
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA)) Date: Thu, 7 Jan 2016 13:46:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1444) Connection logging for ESP In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1444?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jeannette Dopheide updated BIT-1444: ------------------------------------ Due Date: 14/Jan/16 > Connection logging for ESP > -------------------------- > > Key: BIT-1444 > URL: https://bro-tracker.atlassian.net/browse/BIT-1444 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: Bro > Reporter: Jimmy Jones > Assignee: Vlad Grigorescu > Priority: Low > > I'd like to be able to track ESP (IPSec) connections in conn.log. Although ESP is encrypted, the ability to track volumes and pattern of life etc would be beneficial when doing intrusion analysis. -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-049#71001) From noreply at bro.org Fri Jan 8 00:00:26 2016 
From: noreply at bro.org (Merge Tracker) Date: Fri, 8 Jan 2016 00:00:26 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201601080800.u0880QEg020964@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------ #49 [2] bro wglodek [3] 2015-12-23 update ParseRequest to handle missing uri [4] #46 [5] bro albertzaharovits [6] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [7] #3 [8] broctl aeppert [9] 2015-12-30 Wrap interface for running a custom plugin [10] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #49 https://github.com/bro/bro/pull/49 [3] wglodek https://github.com/wglodek [4] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [5] Pull Request #46 https://github.com/bro/bro/pull/46 [6] albertzaharovits https://github.com/albertzaharovits [7] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [8] Pull Request #3 https://github.com/bro/broctl/pull/3 [9] aeppert https://github.com/aeppert [10] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master From jira at bro-tracker.atlassian.net Fri Jan 8 12:00:00 2016 
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA)) Date: Fri, 8 Jan 2016 14:00:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1516) openbsd build issues In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23705#comment-23705 ] Daniel Thayer commented on BIT-1516: ------------------------------------ There is an entry in our FAQ that mentions OpenBSD: https://www.bro.org/documentation/faq.html#i-am-using-openbsd-and-having-problems-installing-bro > openbsd build issues > -------------------- > > Key: BIT-1516 > URL: https://bro-tracker.atlassian.net/browse/BIT-1516 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: OpenBSD > Reporter: Justin Azoff > Priority: Low > Labels: openbsd > Attachments: openbsd_diag.log.gz > > > Someone on IRC asked about bro on openbsd issues. I took a look and here is what I have found so far. There are 3 issues: > bro needs the libbind port installed to build, but cmake has trouble finding it > Changing FindBIND.cmake lets configure work: > {code} > - HINTS ${BIND_ROOT_DIR}/lib > + HINTS ${BIND_ROOT_DIR}/lib/libbind > {code} > This probably needs to be > {code} > HINTS ${BIND_ROOT_DIR}/lib ${BIND_ROOT_DIR}/lib/libbind > {code} > or such to not break other platforms > The second is that {code}pcap_offline_filter{code} does not exist in the version of pcap it has (though I did my testing on openbsd 5.5 so the latest (5.8) may be different) > Finally, openbsd does not have {code}wordexp{code} so src/broxygen/Manager.cc does not build. I ifdef'd out most of {code}Manager::Manager{code} and bro built ok after that. I'm not sure what it is doing there anyway. -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-049#71001) From noreply at bro.org Sat Jan 9 00:00:24 2016
From: noreply at bro.org (Merge Tracker) Date: Sat, 9 Jan 2016 00:00:24 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201601090800.u0980OgS028247@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------- #50 [2] bro aeppert [3] 2016-01-08 NOTIFY is a valid SIP message per RFC3265 [4] #49 [5] bro wglodek [6] 2015-12-23 update ParseRequest to handle missing uri [7] #46 [8] bro albertzaharovits [9] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [10] #3 [11] broctl aeppert [12] 2015-12-30 Wrap interface for running a custom plugin [13] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #50 https://github.com/bro/bro/pull/50 [3] aeppert https://github.com/aeppert [4] Merge Pull Request #50 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-2 [5] Pull Request #49 https://github.com/bro/bro/pull/49 [6] wglodek https://github.com/wglodek [7] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [8] Pull Request #46 https://github.com/bro/bro/pull/46 [9] albertzaharovits https://github.com/albertzaharovits [10] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [11] Pull Request #3 https://github.com/bro/broctl/pull/3 [12] aeppert https://github.com/aeppert [13] Merge Pull Request #3 with git pull --no-ff 
--no-commit https://github.com/aeppert/broctl.git master From noreply at bro.org Sun Jan 10 00:00:18 2016 
From: noreply at bro.org (Merge Tracker) Date: Sun, 10 Jan 2016 00:00:18 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201601100800.u0A80Inn018442@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- ---------- ------------ ---------- ------------- ---------- ------------------------------------------------------------- BIT-1490 [1] BroControl Seth Hall Justin Azoff 2015-12-11 2.5 Low Need ability to expire logs with more granularity than #days. Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ----------- -------------------- ---------- ------------------------------------------------------------------------- #50 [2] bro aeppert [3] 2016-01-08 NOTIFY is a valid SIP message per RFC3265 [4] #49 [5] bro wglodek [6] 2015-12-23 update ParseRequest to handle missing uri [7] #46 [8] bro albertzaharovits [9] 2015-12-18 HTTP Content-Disposition header updates filename field in HTTP::Info [10] #3 [11] broctl aeppert [12] 2015-12-30 Wrap interface for running a custom plugin [13] [1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490 [2] Pull Request #50 https://github.com/bro/bro/pull/50 [3] aeppert https://github.com/aeppert [4] Merge Pull Request #50 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-2 [5] Pull Request #49 https://github.com/bro/bro/pull/49 [6] wglodek https://github.com/wglodek [7] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri [8] Pull Request #46 https://github.com/bro/bro/pull/46 [9] albertzaharovits https://github.com/albertzaharovits [10] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master [11] Pull Request #3 https://github.com/bro/broctl/pull/3 [12] aeppert https://github.com/aeppert [13] Merge Pull Request #3 with git pull --no-ff 
--no-commit https://github.com/aeppert/broctl.git master From jira at bro-tracker.atlassian.net Sun Jan 10 08:03:00 2016 
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA)) Date: Sun, 10 Jan 2016 10:03:00 -0600 (CST) Subject: [Bro-Dev] [JIRA] (BIT-1516) openbsd build issues In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1516?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23706#comment-23706 ] Justin Azoff commented on BIT-1516: ----------------------------------- Yeah, the problem is that installing libbind doesn't work because cmake can't find it. gfind should fix the plugin scripts though. Whatever is wrong with 'bifs.enable_raw_output' is likely what is breaking most of the other tests. We should be able to work out a few fixes that at least get a clean checkout of bro to build on openbsd, then work on the test failures. They may be an indication that we are relying on some platform specific features without realizing it. The openbsd port of bro is still on 1.4 and hasn't been updated since 2011. > openbsd build issues > -------------------- > > Key: BIT-1516 > URL: https://bro-tracker.atlassian.net/browse/BIT-1516 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Affects Versions: 2.4 > Environment: OpenBSD > Reporter: Justin Azoff > Priority: Low > Labels: openbsd > Attachments: openbsd_diag.log.gz > > > Someone on IRC asked about bro on openbsd issues. I took a look and here is what I have found so far. 
There are 3 issues: > bro needs the libbind port installed to build, but cmake has trouble finding it > Changing FindBIND.cmake lets configure works: > {code} > - HINTS ${BIND_ROOT_DIR}/lib > + HINTS ${BIND_ROOT_DIR}/lib/libbind > {code} > This probably needs to be > {code} > HINTS ${BIND_ROOT_DIR}/lib ${BIND_ROOT_DIR}/lib/libbind > {code} > or such to not break other platforms > The second is that {code}pcap_offline_filter{code} does not exist in the version of pcap it has (though I did my testing on openbsd 5.5 so the latest (5.8) may be different) > Finally, openbsd does not have {code}wordexp{code} so src/broxygen/Manager.cc does not build. I ifdef'd it out most of {code}Manager::Manager{code} and bro built ok after that. I'm not sure what it is doing there anyway.. -- This message was sent by Atlassian JIRA (v7.1.0-OD-03-049#71001) From jira at bro-tracker.atlassian.net Sun Jan 10 08:20:00 2016 
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:20:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-161) In standalone mode, broctl attempts to connect to wrong port.
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-161:
-----------------------------

Comment: was deleted

(was: Review again after Broker integration)

> In standalone mode, broctl attempts to connect to wrong port.
> -------------------------------------------------------------
>
> Key: BIT-161
> URL: https://bro-tracker.atlassian.net/browse/BIT-161
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Daniel Thayer
> Priority: Low
> Labels: warning
>
> I have a standalone instance setup and the bro process is holding open port 47758/tcp, but the broctl interface is attempting to connect to port 47760/tcp when it tries to do anything with broccoli.
> {noformat}
> [BroControl] > netstats
> bro:
> {noformat}
> {noformat}
> seth at Blake3:~$ sudo lsof -i | grep LISTEN
> bro 74156 root 0u IPv4 0xb3ad270 0t0 TCP *:47758 (LISTEN)
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:21:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:21:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-161) In standalone mode, broctl attempts to connect to wrong port.
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23707#comment-23707 ]

Adam Slagell commented on BIT-161:
----------------------------------

Robin,

Does this still make sense in a Broker world?

> In standalone mode, broctl attempts to connect to wrong port.
> -------------------------------------------------------------
>
> Key: BIT-161
> URL: https://bro-tracker.atlassian.net/browse/BIT-161
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Daniel Thayer
> Priority: Low
> Labels: warning
>
> I have a standalone instance setup and the bro process is holding open port 47758/tcp, but the broctl interface is attempting to connect to port 47760/tcp when it tries to do anything with broccoli.
> {noformat}
> [BroControl] > netstats
> bro:
> {noformat}
> {noformat}
> seth at Blake3:~$ sudo lsof -i | grep LISTEN
> bro 74156 root 0u IPv4 0xb3ad270 0t0 TCP *:47758 (LISTEN)
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:22:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:22:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-178) BroControl's check process should check for ability to set "ulimit -d"
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-178?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23708#comment-23708 ]

Adam Slagell commented on BIT-178:
----------------------------------

Seth,

This is quite old. I don't see the problem on Mac. Can you see if this still is an issue on FreeBSD?

> BroControl's check process should check for ability to set "ulimit -d"
> ----------------------------------------------------------------------
>
> Key: BIT-178
> URL: https://bro-tracker.atlassian.net/browse/BIT-178
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Daniel Thayer
> Priority: Low
> Labels: warning
> Fix For: 2.5
>
>
> If the bro process(es) are run as a non-root user, the "ulimit -d" call done during the run-bro script will fail (on freebsd at least) and cause obtuse failures when the Bro processes grow beyond the default 512M data segment size (on freebsd again). The check process could verify that setting can be set and possibly give recommendations for linux and freebsd on how to increase that setting globally.
> For documentation purposes, to set it globally to the value set by the run-bro script put the following in the /boot/loader.conf file and reboot:
> {noformat}
> kern.maxdsiz=1610612736
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:26:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:26:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-161) In standalone mode, broctl attempts to connect to wrong port.
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23709#comment-23709 ]

Adam Slagell commented on BIT-161:
----------------------------------

Or would https://bro-tracker.atlassian.net/browse/BIT-253 address this?

> In standalone mode, broctl attempts to connect to wrong port.
> -------------------------------------------------------------
>
> Key: BIT-161
> URL: https://bro-tracker.atlassian.net/browse/BIT-161
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Daniel Thayer
> Priority: Low
> Labels: warning
>
> I have a standalone instance setup and the bro process is holding open port 47758/tcp, but the broctl interface is attempting to connect to port 47760/tcp when it tries to do anything with broccoli.
> {noformat}
> [BroControl] > netstats
> bro:
> {noformat}
> {noformat}
> seth at Blake3:~$ sudo lsof -i | grep LISTEN
> bro 74156 root 0u IPv4 0xb3ad270 0t0 TCP *:47758 (LISTEN)
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:32:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:32:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1047) Delete old scripts before installing new ones
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1047?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23710#comment-23710 ]

Adam Slagell commented on BIT-1047:
-----------------------------------

I don't see a decision here, but what do people think about renaming rather than deleting? Say to .old or .$DATE.

We can push this off to implement till the next release, but it would be nice to have a clear decision.

> Delete old scripts before installing new ones
> ---------------------------------------------
>
> Key: BIT-1047
> URL: https://bro-tracker.atlassian.net/browse/BIT-1047
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: Robin Sommer
> Assignee: Daniel Thayer
> Priority: Trivial
> Fix For: 2.5
>
>
> People keep having problems when they install a new Bro version over the installation of an old one because scripts that have disappeared in the new version will keep sticking around from the previous installation.
> We should simply remove the old scripts/base and scripts/policy before installing anything new. People aren't supposed to edit in there so that should be safe.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:35:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:35:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1472) Bif for a new function to calculate haversine distance between two geoip locations
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1472?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-1472:
---------------------------------

Assignee: Justin Azoff (was: Daniel Thayer)

> Bif for a new function to calculate haversine distance between two geoip locations
> ----------------------------------------------------------------------------------
>
> Key: BIT-1472
> URL: https://bro-tracker.atlassian.net/browse/BIT-1472
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: 2.4
> Reporter: Aashish Sharma
> Assignee: Justin Azoff
> Priority: Low
> Labels: bif, function
> Fix For: 2.5
>
>
> Merge request for:
> topic/aashish/haversine
>
> ## Calculates haversine distance between two geoip locations
> ##
> ## lat1, long1, lat2, long2
> ##
> ## Returns: distance in miles
> ##
> function haversine_distance%(lat1:double, long1:double, lat2:double, long2:double %): double
>
> accompanying bro policy in base/utils/haversine_distance_ip.bro
>
> module GLOBAL;
>
> ## Returns the haversine distance between two IP addresses based on GeoIP
> ## database locations
> ##
> ## orig: the address of orig connection
> ## resp: the address of resp server
> ##
> ## Returns: the GeoIP distance between orig and resp in miles
> function haversine_distance_ip(orig: addr, resp: addr): double

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:37:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:37:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1498) add '-q' to ssh execution in ssh_runner.py
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1498?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23711#comment-23711 ]

Adam Slagell commented on BIT-1498:
-----------------------------------

We will merge this before 2.5.

> add '-q' to ssh execution in ssh_runner.py
> ------------------------------------------
>
> Key: BIT-1498
> URL: https://bro-tracker.atlassian.net/browse/BIT-1498
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: BroControl
> Affects Versions: 2.4
> Reporter: scampbell
> Assignee: Daniel Thayer
> Priority: Trivial
> Labels: broctl
> Fix For: 2.5
>
>
> When using broctl in an environment with login banners, they will be displayed in the broctl command. In the event that they can not be configured away on the sshd end, using '-q' avoids displaying the banner on the client side.
> The patch is trivial:
> --- a/BroControl/ssh_runner.py
> +++ b/BroControl/ssh_runner.py
> @@ -108,6 +108,7 @@ class SSHMaster:
> self.base_cmd = [
> "ssh",
> "-o", "BatchMode=yes",
> + "-q",
> host,
> ]
> self.need_connect = True

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:38:00 2016
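Review bot: adding "-q" unconditionally to base_cmd in the SSHMaster hunk silences more than the login banner; ssh's quiet mode also suppresses its warning and diagnostic messages, so when a node cannot be reached the operator gets no explanation of why the connection was refused on stderr, which makes broctl failures harder to diagnose than the banner noise the patch removes. Consider gating "-q" behind a configuration option (default off), or capturing the quiet run's stderr and re-running without "-q" when the connection fails, and document the trade-off in the option's help text.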
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:38:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-178) BroControl's check process should check for ability to set "ulimit -d"
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-178?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-178:
-----------------------------

Issue Type: Problem (was: New Feature)

> BroControl's check process should check for ability to set "ulimit -d"
> ----------------------------------------------------------------------
>
> Key: BIT-178
> URL: https://bro-tracker.atlassian.net/browse/BIT-178
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Daniel Thayer
> Priority: Low
> Labels: warning
> Fix For: 2.5
>
>
> If the bro process(es) are run as a non-root user, the "ulimit -d" call done during the run-bro script will fail (on freebsd at least) and cause obtuse failures when the Bro processes grow beyond the default 512M data segment size (on freebsd again). The check process could verify that setting can be set and possibly give recommendations for linux and freebsd on how to increase that setting globally.
> For documentation purposes, to set it globally to the value set by the run-bro script put the following in the /boot/loader.conf file and reboot:
> {noformat}
> kern.maxdsiz=1610612736
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:39:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:39:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-253) Can't bind to port 47760, Address already in use
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-253:
-----------------------------

Issue Type: Problem (was: New Feature)

> Can't bind to port 47760, Address already in use
> ------------------------------------------------
>
> Key: BIT-253
> URL: https://bro-tracker.atlassian.net/browse/BIT-253
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: tyler.schoenke
> Assignee: Daniel Thayer
> Priority: Low
> Fix For: 2.5
>
>
> I ran into some strange behavior with the cluster. I was still receiving email alerts, but the log files on the manager contained only headers with no log messages. The connection summary emails had the columns and summaries with all of the values being empty.
> I ran a dumpcap on my manager's eth0 filtering my worker IP, and saw that the logs were being sent to the manager. I could start the cluster, run broctl stats, and diag with no errors. I finally saw "Can't bind to port 47760, Address already in use" in the remote.log on the manager. After stopping the cluster and looking for LISTENing processes, I saw that something was bound to that port. I checked for running bro processes and saw that some hadn't terminated when the cluster was stopped. After killing those, the cluster started working properly.
> My enhancement request is to have something added to the cluster startup script that reports an error if the manager or workers encounter an error binding to a port. This error could either prevent the cluster from starting, or just print some message to let the user know there is a problem with port binding.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:40:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:40:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-161) In standalone mode, broctl attempts to connect to wrong port.
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-161:
-----------------------------

Issue Type: Problem (was: New Feature)

> In standalone mode, broctl attempts to connect to wrong port.
> -------------------------------------------------------------
>
> Key: BIT-161
> URL: https://bro-tracker.atlassian.net/browse/BIT-161
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Daniel Thayer
> Priority: Low
> Labels: warning
>
> I have a standalone instance setup and the bro process is holding open port 47758/tcp, but the broctl interface is attempting to connect to port 47760/tcp when it tries to do anything with broccoli.
> {noformat}
> [BroControl] > netstats
> bro:
> {noformat}
> {noformat}
> seth at Blake3:~$ sudo lsof -i | grep LISTEN
> bro 74156 root 0u IPv4 0xb3ad270 0t0 TCP *:47758 (LISTEN)
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:42:00 2016
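The two pre-flight checks asked for in BIT-178 (can the data-segment limit that run-bro sets with "ulimit -d" actually be raised by this user?) and BIT-253 (is a leftover bro process still holding a cluster port, so that the new one will fail with "Address already in use"?) can both be answered before any node is started. The following is an added illustration of that idea, not BroControl's own code: the node table, the helper that simulates a stale process, and the function names are constructed for the demonstration; the 1610612736 value is the one the ticket quotes for kern.maxdsiz.

```python
"""Pre-flight checks of the kind BIT-178 and BIT-253 ask broctl to perform.

Added example, not BroControl's own code.  The node table and the helper
that simulates a leftover process are constructed for the demonstration.
"""
import errno
import resource
import socket

# Value BIT-178 quotes for kern.maxdsiz (bytes): what run-bro passes to "ulimit -d".
RUN_BRO_DATA_LIMIT = 1610612736


def data_limit_settable(target_bytes=RUN_BRO_DATA_LIMIT):
    """Report whether the RLIMIT_DATA soft limit can be raised to target_bytes.

    A non-root process may raise its soft limit only up to the hard limit, so
    the check compares against the hard limit instead of calling setrlimit,
    which would change this process's own limit as a side effect.
    Returns (settable, soft, hard); RLIM_INFINITY is reported as None.
    """
    soft, hard = resource.getrlimit(resource.RLIMIT_DATA)
    unlimited = hard == resource.RLIM_INFINITY
    settable = unlimited or target_bytes <= hard
    return settable, (None if soft == resource.RLIM_INFINITY else soft), (None if unlimited else hard)


def port_is_bindable(port, host="127.0.0.1"):
    """Try to bind a TCP listener on host:port and release it again.

    SO_REUSEADDR is deliberately not set: the point is to detect a process
    that still holds the port (BIT-253), which address reuse would mask.
    Returns (True, None) or (False, errno name such as "EADDRINUSE").
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return True, None
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def preflight(nodes, data_limit=RUN_BRO_DATA_LIMIT):
    """Run both checks over a node table and return a list of problem strings.

    nodes: iterable of (name, host, port) tuples, as one would derive from node.cfg.
    An empty list means the cluster may be started.
    """
    problems = []
    ok, soft, hard = data_limit_settable(data_limit)
    if not ok:
        problems.append("ulimit -d %d cannot be set: hard limit is %d (soft %s)"
                        % (data_limit, hard, soft))
    for name, host, port in nodes:
        ok, reason = port_is_bindable(port, host)
        if not ok:
            problems.append("%s: cannot bind %s:%d (%s); a stale bro process may still hold it"
                            % (name, host, port, reason))
    return problems


def occupy_ephemeral_port(host="127.0.0.1"):
    """Demo helper: open a listener on a free port to stand in for a leftover
    bro process.  Returns (socket, port); close the socket to release the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Constructed node table; 47760 is the port BIT-253 mentions.
    stale, busy_port = occupy_ephemeral_port()
    sample_nodes = [("manager", "127.0.0.1", busy_port), ("worker-1", "127.0.0.1", 47760)]
    for line in preflight(sample_nodes) or ["preflight OK"]:
        print(line)
    stale.close()
```

Running the block reports the manager's port as unbindable while the simulated stale process holds it and says nothing about the free port; in a real check the port list would come from the node configuration and the hard limit from the user account broctl runs under.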
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:42:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1515) Interface setup plug-in
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23712#comment-23712 ]

Adam Slagell commented on BIT-1515:
-----------------------------------

Can we have a little blurb here to remind me what this is?

> Interface setup plug-in
> -----------------------
>
> Key: BIT-1515
> URL: https://bro-tracker.atlassian.net/browse/BIT-1515
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Reporter: Jeannette Dopheide
> Assignee: Justin Azoff
> Priority: Low
>
> Place holder ticket to remind Justin to finish the interface setup plug-in he has been working on.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:43:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:43:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1301) Log::add_filter should have a transform func
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-1301:
------------------------------

Issue Type: Improvement (was: New Feature)

> Log::add_filter should have a transform func
> --------------------------------------------
>
> Key: BIT-1301
> URL: https://bro-tracker.atlassian.net/browse/BIT-1301
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Reporter: Justin Azoff
> Assignee: Justin Azoff
> Priority: Low
> Labels: logging
> Fix For: 2.5
>
>
> One should be able to do something like
> {code}
> Log::add_filter(HTTP::LOG, [
>     $transform=function(rec: HTTP::Info): HTTP::Info {
>         # modify rec somehow
>     }
> ]);
> {code}
> Not sure if it should modify the record in place, or return the modified version.
> This could allow the user to do similar things to include/exclude, but on a more granular level.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:49:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:49:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1480) ERSPAN Support
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1480?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-1480:
------------------------------

Issue Type: Improvement (was: New Feature)

> ERSPAN Support
> --------------
>
> Key: BIT-1480
> URL: https://bro-tracker.atlassian.net/browse/BIT-1480
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.3
> Environment: Using vCenter virtual switch, frames from monitored VMs are encapsulated using GRE and forwarded to my sensor on a different broadcast domain.
> Reporter: Matthew Domko
> Assignee: Vlad Grigorescu
> Labels: ERSPAN
> Attachments: erspan, ERSPAN-info.xps
>
>
> PCAP attached... Basically, bro receives the erspan packet and doesn't recognize that it is just GRE with a slightly different format. All the packets get logged in bro with the ERSPAN source/dest addresses instead of the actual source/dest addresses. It seems like everything else is working.
> There was a discussion about this on a mailing list in the past, but no one provided PCAP.
> http://mailman.icsi.berkeley.edu/pipermail/bro/2015-April/008347.html
> And someone else released a tool to do the decapsulation on the side:
> http://staff.washington.edu/corey/gulp/

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:49:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:49:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1480) ERSPAN Support
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1480?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-1480:
------------------------------

Priority: Low (was: Normal)

> ERSPAN Support
> --------------
>
> Key: BIT-1480
> URL: https://bro-tracker.atlassian.net/browse/BIT-1480
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: 2.3
> Environment: Using vCenter virtual switch, frames from monitored VMs are encapsulated using GRE and forwarded to my sensor on a different broadcast domain.
> Reporter: Matthew Domko
> Assignee: Vlad Grigorescu
> Priority: Low
> Labels: ERSPAN
> Attachments: erspan, ERSPAN-info.xps
>
>
> PCAP attached... Basically, bro receives the erspan packet and doesn't recognize that it is just GRE with a slightly different format. All the packets get logged in bro with the ERSPAN source/dest addresses instead of the actual source/dest addresses. It seems like everything else is working.
> There was a discussion about this on a mailing list in the past, but no one provided PCAP.
> http://mailman.icsi.berkeley.edu/pipermail/bro/2015-April/008347.html
> And someone else released a tool to do the decapsulation on the side:
> http://staff.washington.edu/corey/gulp/

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:51:00 2016
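What BIT-1480 describes is a tunnelling problem: the sensor sees outer IPv4 packets carrying GRE (protocol 47) whose protocol type is 0x88BE, and until that layer is peeled off the logged endpoints are the ERSPAN source and destination rather than the mirrored hosts. The following parser is an added illustration of the decapsulation, not Bro's packet-analysis code; the GRE header layout is from RFC 2784/2890, the 8-byte ERSPAN Type II header layout is the one Cisco documents, and the sample packet is constructed inline so the walk from outer IP to inner IP can be exercised offline.

```python
"""Decapsulate a GRE/ERSPAN-encapsulated frame and recover the inner addresses.

Added example for BIT-1480; not Bro's own code.  The sample packet is
constructed inline so the parser runs offline.
"""
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type used by ERSPAN Type I and Type II
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def ipv4_str(b):
    return ".".join(str(x) for x in b)


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def parse_gre(buf):
    """Parse a GRE header (RFC 2784/2890); return (flags, protocol, payload).
    Checksum, key and sequence fields are present only when their flag bits are set."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 7))
    offset = 4
    if flags & 0x8000:  # C: checksum + reserved
        offset += 4
    if flags & 0x2000:  # K: key
        offset += 4
    if flags & 0x1000:  # S: sequence number (always set for ERSPAN Type II)
        offset += 4
    if len(buf) < offset:
        raise ValueError("truncated GRE optional fields")
    return flags, proto, buf[offset:]


def parse_erspan2(buf):
    """Parse the 8-byte ERSPAN Type II header; return (fields, inner frame)."""
    if len(buf) < 8:
        raise ValueError("truncated ERSPAN header")
    w1, w2 = struct.unpack("!II", buf[:8])
    fields = {
        "version": w1 >> 28,  # 1 == Type II
        "vlan": (w1 >> 16) & 0x0FFF,
        "cos": (w1 >> 13) & 0x7,
        "encap": (w1 >> 11) & 0x3,
        "truncated": (w1 >> 10) & 0x1,
        "session_id": w1 & 0x03FF,
        "index": w2 & 0x000FFFFF,
    }
    if fields["version"] != 1:
        raise ValueError("not an ERSPAN Type II header")
    return fields, buf[8:]


def inner_addresses(frame):
    """Return (eth_src, eth_dst, ip_src, ip_dst) of the mirrored Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated inner Ethernet frame")
    etype = struct.unpack("!H", frame[12:14])[0]
    ip_src = ip_dst = None
    if etype == ETHERTYPE_IPV4 and len(frame) >= 34:
        ip_src, ip_dst = ipv4_str(frame[26:30]), ipv4_str(frame[30:34])
    return mac_str(frame[6:12]), mac_str(frame[:6]), ip_src, ip_dst


def decapsulate(pkt):
    """Walk outer IPv4 -> GRE -> (ERSPAN II header) -> inner Ethernet/IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    if pkt[9] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto, rest = parse_gre(pkt[(pkt[0] & 0x0F) * 4:])
    if proto != GRE_PROTO_ERSPAN:
        raise ValueError("GRE payload is not ERSPAN (0x%04x)" % proto)
    if flags & 0x1000:  # sequence present: Type II, ERSPAN header follows GRE
        erspan, frame = parse_erspan2(rest)
    else:               # no sequence: Type I, the mirrored frame follows GRE directly
        erspan, frame = None, rest
    eth_src, eth_dst, ip_src, ip_dst = inner_addresses(frame)
    return {
        "outer": (ipv4_str(pkt[12:16]), ipv4_str(pkt[16:20])),  # what BIT-1480 saw logged
        "erspan": erspan,
        "eth": (eth_src, eth_dst),
        "inner": (ip_src, ip_dst),  # the addresses that should be logged
    }


def build_sample():
    """Construct an ERSPAN Type II packet carrying a UDP/IPv4 frame (demo data, not a capture)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                           bytes([10, 1, 1, 5]), bytes([10, 2, 2, 9]))
    inner_ip += struct.pack("!HHHH", 40000, 53, 8, 0)  # UDP header, empty payload
    inner_eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip
    erspan = struct.pack("!II", (1 << 28) | (100 << 16) | (3 << 11) | 7, 42)  # vlan 100, session 7, index 42
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 1)  # S bit set, sequence 1
    payload = gre + erspan + inner_eth
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, IPPROTO_GRE, 0,
                           bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return outer_ip + payload
```

Calling decapsulate(build_sample()) returns the span source and destination under "outer" and the mirrored hosts under "inner"; a sensor that stops at "outer" produces exactly the mislabelled connection log the ticket describes. The Type I branch (no sequence number, no ERSPAN header) is included because it uses the same GRE protocol type and is only distinguishable by the S flag.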
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:51:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-1413:
---------------------------------

Assignee: Jeannette Dopheide (was: Vlad Grigorescu)

> README files misidentified by GitHub
> ------------------------------------
>
> Key: BIT-1413
> URL: https://bro-tracker.atlassian.net/browse/BIT-1413
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Documentation
> Reporter: Vlad Grigorescu
> Assignee: Jeannette Dopheide
> Priority: Low
> Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:51:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:51:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-1413:
------------------------------

Priority: Low (was: Normal)

> README files misidentified by GitHub
> ------------------------------------
>
> Key: BIT-1413
> URL: https://bro-tracker.atlassian.net/browse/BIT-1413
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Documentation
> Reporter: Vlad Grigorescu
> Assignee: Vlad Grigorescu
> Priority: Low
> Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From jira at bro-tracker.atlassian.net Sun Jan 10 08:52:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Sun, 10 Jan 2016 10:52:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23714#comment-23714 ]

Adam Slagell commented on BIT-1413:
-----------------------------------

Jeannette can probably handle this one unless she objects.

> README files misidentified by GitHub
> ------------------------------------
>
> Key: BIT-1413
> URL: https://bro-tracker.atlassian.net/browse/BIT-1413
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Documentation
> Reporter: Vlad Grigorescu
> Assignee: Jeannette Dopheide
> Priority: Low
> Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-03-049#71001)

From noreply at bro.org Mon Jan 11 00:00:28 2016
From: noreply at bro.org (Merge Tracker)
Date: Mon, 11 Jan 2016 00:00:28 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601110800.u0B80SSl011808@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------  ------------  ----------  -----------  --------  -------------------------------------------------------------
BIT-1490 [1]  BroControl  Seth Hall  Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User                  Updated     Title
-------  ---------  --------------------  ----------  -------------------------------------------------------------------------
#50 [2]  bro        aeppert [3]           2016-01-08  NOTIFY is a valid SIP message per RFC3265 [4]
#49 [5]  bro        wglodek [6]           2015-12-23  update ParseRequest to handle missing uri [7]
#46 [8]  bro        albertzaharovits [9]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [10]
#3 [11]  broctl     aeppert [12]          2015-12-30  Wrap interface for running a custom plugin [13]

[1] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490
[2] Pull Request #50 https://github.com/bro/bro/pull/50
[3] aeppert https://github.com/aeppert
[4] Merge Pull Request #50 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-2
[5] Pull Request #49 https://github.com/bro/bro/pull/49
[6] wglodek https://github.com/wglodek
[7] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri
[8] Pull Request #46 https://github.com/bro/bro/pull/46
[9] albertzaharovits https://github.com/albertzaharovits
[10] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[11] Pull Request #3 https://github.com/bro/broctl/pull/3
[12] aeppert https://github.com/aeppert
[13] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From jira at bro-tracker.atlassian.net Mon Jan 11 04:21:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Mon, 11 Jan 2016 06:21:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1515) Interface setup plug-in
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23800#comment-23800 ]

Justin Azoff commented on BIT-1515:
-----------------------------------

https://gist.github.com/JustinAzoff/4cfe3995013225d1d119

Need to update that a little, add freebsd support.

> Interface setup plug-in
> -----------------------
>
> Key: BIT-1515
> URL: https://bro-tracker.atlassian.net/browse/BIT-1515
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Reporter: Jeannette Dopheide
> Assignee: Justin Azoff
> Priority: Low
>
> Place holder ticket to remind Justin to finish the interface setup plug-in he has been working on.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Mon Jan 11 06:38:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Mon, 11 Jan 2016 08:38:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1515) Interface setup plug-in
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23802#comment-23802 ]

Seth Hall commented on BIT-1515:
--------------------------------

Should probably port that to use "ip" since "ifconfig" is deprecated on Linux.

> Interface setup plug-in
> -----------------------
>
> Key: BIT-1515
> URL: https://bro-tracker.atlassian.net/browse/BIT-1515
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Reporter: Jeannette Dopheide
> Assignee: Justin Azoff
> Priority: Low
>
> Place holder ticket to remind Justin to finish the interface setup plug-in he has been working on.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Mon Jan 11 06:41:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Mon, 11 Jan 2016 08:41:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1515) Interface setup plug-in
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23803#comment-23803 ]

Justin Azoff commented on BIT-1515:
-----------------------------------

Yeah.. What do you think of the functionality in general though? Should it do anything else?

> Interface setup plug-in
> -----------------------
>
> Key: BIT-1515
> URL: https://bro-tracker.atlassian.net/browse/BIT-1515
> Project: Bro Issue Tracker
> Issue Type: Task
> Components: Bro
> Reporter: Jeannette Dopheide
> Assignee: Justin Azoff
> Priority: Low
>
> Place holder ticket to remind Justin to finish the interface setup plug-in he has been working on.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Mon Jan 11 07:03:00 2016
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Mon, 11 Jan 2016 09:03:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1518) SSH analyzer doesn't handle non-conformant client version strings
In-Reply-To:
References:
Message-ID:

Vlad Grigorescu created BIT-1518:
------------------------------------

             Summary: SSH analyzer doesn't handle non-conformant client version strings
                 Key: BIT-1518
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1518
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
            Reporter: Vlad Grigorescu
            Assignee: Vlad Grigorescu

Received a report that some SSH clients send a version identification string similar to 'SSH-2.0-FooBar_Client\n' which causes a protocol violation in the SSH analyzer. RFC 4253 states that this must be terminated by '\r\n', but that's not what's being observed.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Mon Jan 11 13:06:00 2016
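The terminator problem Vlad reports above, as an added Python example (this is not Bro's SSH analyzer and not code from the ticket): a parser for the RFC 4253 identification line that accepts both the required CR LF and the bare LF seen in the wild, but records which one it saw, so a monitor can keep parsing the connection while still flagging the deviation. The sample lines are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample identification lines (not captured traffic).
SAMPLES = {
    "conformant": b"SSH-2.0-OpenSSH_7.1\r\n",
    "bare_lf": b"SSH-2.0-FooBar_Client\n",        # the shape reported in BIT-1518
    "with_comment": b"SSH-2.0-Foo_1.0 some comment\r\n",
    "not_ssh": b"HELLO\r\n",
}


@dataclass
class SshIdent:
    protoversion: str
    softwareversion: str
    comments: Optional[str]
    conformant_terminator: bool   # True only when the line ended with CR LF


# RFC 4253 4.2: SSH-protoversion-softwareversion SP comments CR LF.
# softwareversion runs up to the first space; everything after it is the comment.
_IDENT_RE = re.compile(rb"^SSH-(\d+\.\d+)-([^ \r\n]+)(?: ([^\r\n]*))?$")


def parse_ident(line: bytes) -> Optional[SshIdent]:
    """Parse one SSH identification line; None if it is not one at all.

    The RFC requires CR LF termination, but some clients send only LF.
    Rejecting those is what surfaces as a protocol violation; instead we
    accept both terminators and report which was used.
    """
    # RFC 4253 caps the identification string at 255 bytes including CR LF.
    if len(line) > 255:
        return None
    if line.endswith(b"\r\n"):
        body, conformant = line[:-2], True
    elif line.endswith(b"\n"):
        body, conformant = line[:-1], False
    else:
        return None   # no terminator yet: the line is incomplete
    m = _IDENT_RE.match(body)
    if not m:
        return None
    proto, soft, comments = m.groups()
    return SshIdent(
        proto.decode("ascii"),
        soft.decode("ascii", "replace"),
        comments.decode("ascii", "replace") if comments else None,
        conformant,
    )


def classify(line: bytes) -> str:
    """Label a line for a monitor: 'ok', 'nonconformant-terminator' or 'invalid'."""
    ident = parse_ident(line)
    if ident is None:
        return "invalid"
    return "ok" if ident.conformant_terminator else "nonconformant-terminator"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} {classify(raw):26} {parse_ident(raw)}")
```

The point of the split between `parse_ident` and `classify` is that the analyzer keeps working on the lenient path (the software version is still extracted from the bare-LF line) while the deviation remains visible as a separate label rather than being silently normalised away.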
From: jira at bro-tracker.atlassian.net (Vlad Grigorescu (JIRA))
Date: Mon, 11 Jan 2016 15:06:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23807#comment-23807 ]

Vlad Grigorescu commented on BIT-1413:
--------------------------------------

Here's what I was doing:

{code}
git clone ssh://git.bro.org/capstats.git
cd capstats
git checkout -b topic/bit-1413
ln -s README README.rst
git add README.rst
git commit -m "Add README.rst -> README symlink. Addresses BIT-1413"
git push origin topic/bit-1413
cd ..
{code}

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Jeannette Dopheide
>            Priority: Low
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Mon Jan 11 13:15:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 11 Jan 2016 15:15:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23808#comment-23808 ]

Johanna Amann commented on BIT-1413:
------------------------------------

I will just do the rest of them today - this should be quite quick and does not require someone merging the changes of Jeannette afterwards.

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Jeannette Dopheide
>            Priority: Low
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Mon Jan 11 13:15:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 11 Jan 2016 15:15:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1413:
----------------------------------

    Assignee: Johanna Amann  (was: Jeannette Dopheide)

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>            Priority: Low
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Mon Jan 11 13:18:00 2016
From: jira at bro-tracker.atlassian.net (Jeannette Dopheide (JIRA))
Date: Mon, 11 Jan 2016 15:18:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23809#comment-23809 ]

Jeannette Dopheide commented on BIT-1413:
-----------------------------------------

Cool, thanks for helping.

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>            Priority: Low
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Mon Jan 11 13:37:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Mon, 11 Jan 2016 15:37:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23810#comment-23810 ]

Johanna Amann commented on BIT-1413:
------------------------------------

This is done, but there is a slight problem with the bro-plugins repository. GitHub apparently does not support the toctree directive - it simply leaves the space occupied by it blank. That currently makes https://github.com/bro/bro-plugins look a bit... odd (the plugin list is simply missing). Does anyone by any chance know a simple workaround for this?

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>            Priority: Low
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Mon Jan 11 13:44:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Mon, 11 Jan 2016 15:44:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23811#comment-23811 ]

Daniel Thayer commented on BIT-1413:
------------------------------------

We could just remove that part of the README (one less thing we need to maintain). Each individual plugin has its own README anyway.

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>            Priority: Low
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From noreply at bro.org Tue Jan 12 00:00:26 2016
From: noreply at bro.org (Merge Tracker)
Date: Tue, 12 Jan 2016 00:00:26 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601120800.u0C80QET006002@bro-ids.icir.org>

Open Merge Requests
===================

 ID            Component    Reporter    Assignee      Updated     For Version    Priority    Summary
 ------------  -----------  ----------  ------------  ----------  -------------  ----------  -------------------------------------------------------------
 BIT-1490 [1]  BroControl   Seth Hall   Justin Azoff  2015-12-11  2.5            Low         Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

 Issue    Component    User                  Updated     Title
 -------  -----------  --------------------  ----------  -------------------------------------------------------------------------
 #50 [2]  bro          aeppert [3]           2016-01-08  NOTIFY is a valid SIP message per RFC3265 [4]
 #49 [5]  bro          wglodek [6]           2015-12-23  update ParseRequest to handle missing uri [7]
 #46 [8]  bro          albertzaharovits [9]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [10]
 #3 [11]  broctl       aeppert [12]          2015-12-30  Wrap interface for running a custom plugin [13]

[1]  BIT-1490          https://bro-tracker.atlassian.net/browse/BIT-1490
[2]  Pull Request #50  https://github.com/bro/bro/pull/50
[3]  aeppert           https://github.com/aeppert
[4]  Merge Pull Request #50 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-2
[5]  Pull Request #49  https://github.com/bro/bro/pull/49
[6]  wglodek           https://github.com/wglodek
[7]  Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri
[8]  Pull Request #46  https://github.com/bro/bro/pull/46
[9]  albertzaharovits  https://github.com/albertzaharovits
[10] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[11] Pull Request #3   https://github.com/bro/broctl/pull/3
[12] aeppert           https://github.com/aeppert
[13] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From jira at bro-tracker.atlassian.net Tue Jan 12 03:30:00 2016
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Tue, 12 Jan 2016 05:30:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1515) Interface setup plug-in
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23812#comment-23812 ]

Jan Grashoefer commented on BIT-1515:
-------------------------------------

I am not sure whether this is necessary but I have also disabled "sg", "tso" and "ufo". Maybe setting the interface into promiscuous mode is also a good idea, because some of the plugins don't.

> Interface setup plug-in
> -----------------------
>
>                 Key: BIT-1515
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1515
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Jeannette Dopheide
>            Assignee: Justin Azoff
>            Priority: Low
>
> Place holder ticket to remind Justin to finish the interface setup plug-in he has been working on.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 06:30:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 12 Jan 2016 08:30:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1515) Interface setup plug-in
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23813#comment-23813 ]

Justin Azoff commented on BIT-1515:
-----------------------------------

Hmm, some research may be needed to learn what exactly all of those features do. I'd like to be able to comment on why we are disabling each feature as in:

XXX: If this is enabled the nic will merge smaller frames into larger ones which breaks reassembly in bro and causes packets to be larger than the expected MTU.

> Interface setup plug-in
> -----------------------
>
>                 Key: BIT-1515
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1515
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Jeannette Dopheide
>            Assignee: Justin Azoff
>            Priority: Low
>
> Place holder ticket to remind Justin to finish the interface setup plug-in he has been working on.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 10:40:00 2016
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Tue, 12 Jan 2016 12:40:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1515) Interface setup plug-in
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23814#comment-23814 ]

Jan Grashoefer commented on BIT-1515:
-------------------------------------

From my understanding "gso" (Generic Segmentation Offload), "tso" (TCP Segmentation Offload) and "ufo" (UDP Segmentation Offload) are only relevant if the monitoring interface is also used to send packets. Furthermore "gso" seems to be Linux specific. [This reference|http://www.linuxfoundation.org/collaborate/workgroups/networking/] provides a good overview.

For "sg" (scatter-gather) I am not sure. I did a quick search and from [what I found|http://www.makelinux.net/ldd3/chp-17-sect-5], I would say it has no effect on Bro.

> Interface setup plug-in
> -----------------------
>
>                 Key: BIT-1515
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1515
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Jeannette Dopheide
>            Assignee: Justin Azoff
>            Priority: Low
>
> Place holder ticket to remind Justin to finish the interface setup plug-in he has been working on.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 13:24:00 2016
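To make the reasoning in the last three BIT-1515 comments concrete, here is an added Python helper (my example, not Justin's plug-in and not BroControl code). It emits the ethtool and ip commands that prepare a capture-only interface, with a recorded reason next to every feature, which is the "XXX:" slot Justin wants filled. The feature names are the ones ethtool -K accepts; the interface name is a placeholder; ip(8) is used instead of the deprecated ifconfig, as Seth suggests; and the default is a dry run, since the real commands need root and a real NIC.

```python
import re
import shlex
import subprocess
from typing import Dict, List, Tuple

# ethtool -K feature name -> why a passive capture interface should have it off.
# The receive-side merges (gro, lro) are the ones that actually damage what a
# monitor sees; the rest are transmit-side and only matter if this host sends.
OFFLOADS: List[Tuple[str, str]] = [
    ("gro", "generic receive offload: kernel merges received segments into "
            "larger-than-MTU frames, so the monitor never sees the real packets"),
    ("lro", "large receive offload: the same merging done in NIC hardware"),
    ("tso", "TCP segmentation offload: transmit side; irrelevant for a capture-only port"),
    ("gso", "generic segmentation offload: transmit side, Linux specific"),
    ("ufo", "UDP fragmentation offload: transmit side"),
    ("sg",  "scatter-gather DMA: transmit side; harmless to disable on a capture-only "
            "port, and tso depends on it"),
]

# Linux interface names are at most 15 characters; reject anything else before
# it gets anywhere near a command line.
_IFACE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")


def is_valid_iface(name: str) -> bool:
    return bool(_IFACE_RE.match(name))


def setup_commands(iface: str, promisc: bool = True) -> List[List[str]]:
    """Return the argv lists that configure iface for passive capture.

    One ethtool call per feature, so a NIC that cannot change one feature
    (ethtool reports it as fixed) does not stop the others from applying.
    """
    if not is_valid_iface(iface):
        raise ValueError(f"not a plausible interface name: {iface!r}")
    cmds = [["ethtool", "-K", iface, feature, "off"] for feature, _ in OFFLOADS]
    if promisc:
        # ip(8) replaces the deprecated ifconfig for this.
        cmds.append(["ip", "link", "set", "dev", iface, "promisc", "on"])
    cmds.append(["ip", "link", "set", "dev", iface, "up"])
    return cmds


def render_script(iface: str, promisc: bool = True) -> str:
    """Render the commands as a shell snippet, one reason comment per feature."""
    reasons: Dict[str, str] = dict(OFFLOADS)
    lines = ["#!/bin/sh", "set -e"]
    for argv in setup_commands(iface, promisc):
        if argv[0] == "ethtool":
            lines.append(f"# {argv[3]}: {reasons[argv[3]]}")
        lines.append(shlex.join(argv))
    return "\n".join(lines) + "\n"


def apply(iface: str, promisc: bool = True, dry_run: bool = True) -> List[str]:
    """Run the commands (needs root) or, by default, only list them."""
    done: List[str] = []
    for argv in setup_commands(iface, promisc):
        if not dry_run:
            subprocess.run(argv, check=True)   # argv list: no shell involved
        done.append(shlex.join(argv))
    return done


if __name__ == "__main__":
    print(render_script("eth0"))   # "eth0" is a placeholder interface name
```

Keeping the rationale in the same table as the feature list is the point: the plug-in then cannot disable something without stating why, and the rendered script carries that reason to whoever reads it on the sensor later.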
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 12 Jan 2016 15:24:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1519) bro segfaults when trying to delete a record field that doesn't exist
In-Reply-To:
References:
Message-ID:

Daniel Thayer created BIT-1519:
----------------------------------

             Summary: bro segfaults when trying to delete a record field that doesn't exist
                 Key: BIT-1519
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1519
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
            Reporter: Daniel Thayer

When using the "delete" statement on a record field that doesn't exist, Bro will (correctly) report an error message, but then it segfaults.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 13:26:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 12 Jan 2016 15:26:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1519) bro segfaults when trying to delete a record field that doesn't exist
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1519:
-------------------------------

    Attachment: test.bro

> bro segfaults when trying to delete a record field that doesn't exist
> ---------------------------------------------------------------------
>
>                 Key: BIT-1519
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1519
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>         Attachments: test.bro
>
>
> When using the "delete" statement on a record field that doesn't exist,
> Bro will (correctly) report an error message, but then it segfaults.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 13:29:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 12 Jan 2016 15:29:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1519) bro segfaults when trying to delete a record field that doesn't exist
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23815#comment-23815 ]

Daniel Thayer commented on BIT-1519:
------------------------------------

Added an attachment with example code that triggers this.

> bro segfaults when trying to delete a record field that doesn't exist
> ---------------------------------------------------------------------
>
>                 Key: BIT-1519
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1519
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>         Attachments: test.bro
>
>
> When using the "delete" statement on a record field that doesn't exist,
> Bro will (correctly) report an error message, but then it segfaults.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 13:52:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 12 Jan 2016 15:52:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1520) topic/dnthayer/doc-improvements
In-Reply-To:
References:
Message-ID:

Daniel Thayer created BIT-1520:
----------------------------------

             Summary: topic/dnthayer/doc-improvements
                 Key: BIT-1520
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1520
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
            Reporter: Daniel Thayer

The branch "topic/dnthayer/doc-improvements" contains a collection of documentation fixes and improvements.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 14:17:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 12 Jan 2016 16:17:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23816#comment-23816 ]

Johanna Amann commented on BIT-1413:
------------------------------------

Hm. We could, but I think having a list with a short explanation of what each plugin does is quite helpful. And - it should not really add a lot of maintenance overhead - it only has to be touched when adding / removing modules.

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>            Priority: Low
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 14:46:02 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 12 Jan 2016 16:46:02 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1519) bro segfaults when trying to delete a record field that doesn't exist
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1519:
----------------------------------

    Assignee: Johanna Amann

> bro segfaults when trying to delete a record field that doesn't exist
> ---------------------------------------------------------------------
>
>                 Key: BIT-1519
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1519
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Johanna Amann
>         Attachments: test.bro
>
>
> When using the "delete" statement on a record field that doesn't exist,
> Bro will (correctly) report an error message, but then it segfaults.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 15:04:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 12 Jan 2016 17:04:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1519) bro segfaults when trying to delete a record field that doesn't exist
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1519:
-------------------------------

      Status: Merge Request  (was: Open)
    Assignee:     (was: Johanna Amann)

> bro segfaults when trying to delete a record field that doesn't exist
> ---------------------------------------------------------------------
>
>                 Key: BIT-1519
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1519
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>         Attachments: test.bro
>
>
> When using the "delete" statement on a record field that doesn't exist,
> Bro will (correctly) report an error message, but then it segfaults.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 15:04:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 12 Jan 2016 17:04:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1519) bro segfaults when trying to delete a record field that doesn't exist
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23817#comment-23817 ]

Johanna Amann commented on BIT-1519:
------------------------------------

fixed in topic/johanna/bit-1519

> bro segfaults when trying to delete a record field that doesn't exist
> ---------------------------------------------------------------------
>
>                 Key: BIT-1519
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1519
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>         Attachments: test.bro
>
>
> When using the "delete" statement on a record field that doesn't exist,
> Bro will (correctly) report an error message, but then it segfaults.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Tue Jan 12 15:07:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 12 Jan 2016 17:07:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1520) topic/dnthayer/doc-improvements
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23818#comment-23818 ]

Johanna Amann commented on BIT-1520:
------------------------------------

Can this be merged or are you still working on the branch?

> topic/dnthayer/doc-improvements
> -------------------------------
>
>                 Key: BIT-1520
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1520
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>
> The branch "topic/dnthayer/doc-improvements" contains a collection of
> documentation fixes and improvements.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From noreply at bro.org Wed Jan 13 00:00:35 2016
From: noreply at bro.org (Merge Tracker)
Date: Wed, 13 Jan 2016 00:00:35 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601130800.u0D80ZE8028701@bro-ids.icir.org>

Open Merge Requests
===================

 ID            Component    Reporter       Assignee      Updated     For Version    Priority    Summary
 ------------  -----------  -------------  ------------  ----------  -------------  ----------  ---------------------------------------------------------------------
 BIT-1519 [1]  Bro          Daniel Thayer  -             2016-01-12  -              Normal      bro segfaults when trying to delete a record field that doesn't exist
 BIT-1490 [2]  BroControl   Seth Hall      Justin Azoff  2015-12-11  2.5            Low         Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

 Issue     Component    User                   Updated     Title
 --------  -----------  ---------------------  ----------  -------------------------------------------------------------------------
 #51 [3]   bro          aeppert [4]            2016-01-12  Add version to HTTP::Info [5]
 #50 [6]   bro          aeppert [7]            2016-01-08  NOTIFY is a valid SIP message per RFC3265 [8]
 #49 [9]   bro          wglodek [10]           2015-12-23  update ParseRequest to handle missing uri [11]
 #46 [12]  bro          albertzaharovits [13]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [14]
 #3 [15]   broctl       aeppert [16]           2015-12-30  Wrap interface for running a custom plugin [17]

[1]  BIT-1519          https://bro-tracker.atlassian.net/browse/BIT-1519
[2]  BIT-1490          https://bro-tracker.atlassian.net/browse/BIT-1490
[3]  Pull Request #51  https://github.com/bro/bro/pull/51
[4]  aeppert           https://github.com/aeppert
[5]  Merge Pull Request #51 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-3
[6]  Pull Request #50  https://github.com/bro/bro/pull/50
[7]  aeppert           https://github.com/aeppert
[8]  Merge Pull Request #50 with git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-2
[9]  Pull Request #49  https://github.com/bro/bro/pull/49
[10] wglodek           https://github.com/wglodek
[11] Merge Pull Request #49 with git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri
[12] Pull Request #46  https://github.com/bro/bro/pull/46
[13] albertzaharovits  https://github.com/albertzaharovits
[14] Merge Pull Request #46 with git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[15] Pull Request #3   https://github.com/bro/broctl/pull/3
[16] aeppert           https://github.com/aeppert
[17] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From jira at bro-tracker.atlassian.net Wed Jan 13 06:28:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Wed, 13 Jan 2016 08:28:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff moved BSIT-5 to BIT-1521:
--------------------------------------

    Affects Version/s:     (was: 2.4)
                           2.4
          Component/s:     (was: Bro)
                           Bro
                  Key: BIT-1521  (was: BSIT-5)
              Project: Bro Issue Tracker  (was: Bro Security Issue Tracker)

> known services should probably ignore gridftp-data
> --------------------------------------------------
>
>                 Key: BIT-1521
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1521
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Justin Azoff
>            Priority: Low
>
> known services script does
> {code}
> if ( ! addr_matches_host(id$resp_h, service_tracking) ||
>      "ftp-data" in c$service ||                  # don't include ftp data sessions
>      ("DNS" in c$service && c$resp$size == 0) )  # for dns, require that the server talks.
>     return;
> {code}
> but should probably also ignore gridftp-data. Probably a good idea to add a set of services that behave like ftp for it to check.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Wed Jan 13 06:54:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Wed, 13 Jan 2016 08:54:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23819#comment-23819 ]

Justin Azoff commented on BIT-1521:
-----------------------------------

Hmm, this may be a little harder than I thought.  c$service is a set, and bro doesn't have a bif for comparing one set to another set.. i can do it with a loop like this, but is there a better way?

{code}
function intersects(a: set[string], b: set[string]): bool
    {
    for ( one in a )
        {
        if ( one in b )
            return T;
        }
    return F;
    }
{code}

even though c$service is a set, it should only have 1 or 2 strings in it, so it is not a large loop.

-- 
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
From jira at bro-tracker.atlassian.net Wed Jan 13 07:31:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 13 Jan 2016 09:31:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1520) topic/dnthayer/doc-improvements

[ https://bro-tracker.atlassian.net/browse/BIT-1520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23820#comment-23820 ]

Daniel Thayer commented on BIT-1520:
------------------------------------

I plan to add more fixes/improvements when I notice any.  So, the branch could be merged now, or later.  Since it's just doc changes, there's nothing critical here.

> topic/dnthayer/doc-improvements
> -------------------------------
>
>                 Key: BIT-1520
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1520
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>
> The branch "topic/dnthayer/doc-improvements" contains a collection of
> documentation fixes and improvements.

-- 
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
From noreply at bro.org Thu Jan 14 00:00:24 2016
From: noreply at bro.org (Merge Tracker)
Date: Thu, 14 Jan 2016 00:00:24 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601140800.u0E80Ojg001348@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component    Reporter       Assignee      Updated     For Version   Priority   Summary
  ------------  -----------  -------------  ------------  ----------  ------------  ---------  ---------------------------------------------------------------------
  BIT-1519 [1]  Bro          Daniel Thayer  -             2016-01-12  -             Normal     bro segfaults when trying to delete a record field that doesn't exist
  BIT-1490 [2]  BroControl   Seth Hall      Justin Azoff  2015-12-11  2.5           Low        Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

  Issue     Component   User                   Updated     Title
  --------  ----------  ---------------------  ----------  -------------------------------------------------------------------------
  #51 [3]   bro         aeppert [4]            2016-01-12  Add version to HTTP::Info [5]
  #50 [6]   bro         aeppert [7]            2016-01-08  NOTIFY is a valid SIP message per RFC3265 [8]
  #49 [9]   bro         wglodek [10]           2015-12-23  update ParseRequest to handle missing uri [11]
  #46 [12]  bro         albertzaharovits [13]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [14]
  #3 [15]   broctl      aeppert [16]           2015-12-30  Wrap interface for running a custom plugin [17]

[1]  BIT-1519                      https://bro-tracker.atlassian.net/browse/BIT-1519
[2]  BIT-1490                      https://bro-tracker.atlassian.net/browse/BIT-1490
[3]  Pull Request #51              https://github.com/bro/bro/pull/51
[4]  aeppert                       https://github.com/aeppert
[5]  Merge Pull Request #51 with   git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-3
[6]  Pull Request #50              https://github.com/bro/bro/pull/50
[7]  aeppert                       https://github.com/aeppert
[8]  Merge Pull Request #50 with   git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-2
[9]  Pull Request #49              https://github.com/bro/bro/pull/49
[10] wglodek                       https://github.com/wglodek
[11] Merge Pull Request #49 with   git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri
[12] Pull Request #46              https://github.com/bro/bro/pull/46
[13] albertzaharovits              https://github.com/albertzaharovits
[14] Merge Pull Request #46 with   git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[15] Pull Request #3               https://github.com/bro/broctl/pull/3
[16] aeppert                       https://github.com/aeppert
[17] Merge Pull Request #3 with    git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master
From jira at bro-tracker.atlassian.net Thu Jan 14 06:38:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 14 Jan 2016 08:38:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23821#comment-23821 ]

Seth Hall commented on BIT-1521:
--------------------------------

Yeah, it would be great to be able to do set intersections in a performant way, but I think your assessment is right that this set should be short enough in all cases to go ahead and just do the loop here.

-- 
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
From jira at bro-tracker.atlassian.net Thu Jan 14 07:08:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 14 Jan 2016 09:08:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23822#comment-23822 ]

Justin Azoff commented on BIT-1521:
-----------------------------------

Hmm.. it seems a little odd to put the intersects function in the known-services script, is there a better place for it?

-- 
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
From jira at bro-tracker.atlassian.net Thu Jan 14 07:14:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 14 Jan 2016 09:14:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23823#comment-23823 ]

Seth Hall commented on BIT-1521:
--------------------------------

Don't put a set intersection function as a general utility function.  We probably shouldn't be offering that generally right now since it should be added to the language in a way that performs better.  Since you're only using it in a single location, just do a loop.

-- 
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
From jira at bro-tracker.atlassian.net Thu Jan 14 08:07:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 14 Jan 2016 10:07:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23824#comment-23824 ]

Justin Azoff commented on BIT-1521:
-----------------------------------

Gah.  It looks like coming up with a test case for this will be a pain.  The existing pcap doesn't get detected as gridftp-data since the transfer size is too small:

{code}
jazoff@Justins-MacBook-Air /tmp/b $ bro -r ~/src/bro/testing/btest//Traces/globus-url-copy.trace local base/protocols/ftp/gridftp 'Known::service_tracking=ALL_HOSTS'
WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.
20000, 1
jazoff@Justins-MacBook-Air /tmp/b $ cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p service
192.168.57.103   60108   192.168.57.101   2811    ssl,gridftp,ftp
192.168.57.103   35391   192.168.57.101   55968   ssl
jazoff@Justins-MacBook-Air /tmp/b $ cat known_services.log | bro-cut host port_num service
192.168.57.101   2811    FTP
192.168.57.101   55968   SSL
{code}

Filtering the ephemeral ssl service running on port 55968 is what I am trying to accomplish here.

-- 
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
From vlad at grigorescu.org Thu Jan 14 08:21:26 2016
From: vlad at grigorescu.org (Vlad Grigorescu)
Date: Thu, 14 Jan 2016 10:21:26 -0600
Subject: [Bro-Dev] Bro failing to build on OS X with XCode 7

I can't get Bro master to build with XCode 7 on OS X.  For anyone trying to build Bro on a new OS X system, this is a problem, since I don't think old versions of XCode are still available.

> $ cc -v
> Apple LLVM version 7.0.2 (clang-700.1.81)
> Target: x86_64-apple-darwin15.2.0
> Thread model: posix
> $ ./configure
> ...
> ====================|  Bro Build Summary  |=====================
>
> Install prefix:    /usr/local/bro
> Bro Script Path:   /usr/local/bro/share/bro
> Debug mode:        false
>
> CC:                /usr/bin/cc
> CFLAGS:            -Wall -Wno-unused -O2 -g -DNDEBUG
> CXX:               /usr/bin/c++
> CXXFLAGS:          -Wall -Wno-unused -std=c++11 -O2 -g -DNDEBUG
> CPP:               /usr/bin/c++
>
> Broker:            true
> Broker Python:     false
> Broccoli:          true
> Broctl:            true
> Aux. Tools:        true
>
> GeoIP:             true
> gperftools found:  true
>   tcmalloc:        false
>   debugging:       false
> jemalloc:          false
>
> ================================================================
> ...
> $ make
> ...
> /Users/vladg/src/bro/src/main.cc:865:10: error: no member named 'init' in namespace 'binpac'
>         binpac::init();
>         ~~~~~~~~^
> 4 warnings and 1 error generated.
> make[3]: *** [src/CMakeFiles/bro.dir/main.cc.o] Error 1
> $ make clean; ./configure --disable-broker
> ...
> /Users/vladg/src/bro/src/main.cc:865:10: error: no member named 'init' in namespace 'binpac'
>         binpac::init();
>         ~~~~~~~~^
> 1 error generated.
> make[3]: *** [src/CMakeFiles/bro.dir/main.cc.o] Error 1

Any ideas on how to fix this?  This seems related: https://github.com/bro/binpac/commit/e42a18d8cbb1fffa9cec54b7893e72f113fdba8f

  --Vlad
From jira at bro-tracker.atlassian.net Thu Jan 14 10:35:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 14 Jan 2016 12:35:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23825#comment-23825 ]

Johanna Amann commented on BIT-1521:
------------------------------------

If only the testcase is a problem - couldn't you just redef GridFTP::size_threshold for the test?

-- 
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
From jira at bro-tracker.atlassian.net Thu Jan 14 11:18:00 2016
From: jira at bro-tracker.atlassian.net (Stephen Hosom (JIRA))
Date: Thu, 14 Jan 2016 13:18:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1522) Broker listener takes a long time to shut down on cluster stop/restart

Stephen Hosom created BIT-1522:
-----------------------------------

             Summary: Broker listener takes a long time to shut down on cluster stop/restart
                 Key: BIT-1522
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1522
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Broker
    Affects Versions: 2.4
         Environment: Ubuntu 14.04, Bro 2.4.1 with Broker
            Reporter: Stephen Hosom

It looks like when shutting down Broker, the listener sticks around for an exceptionally long time (as much as a minute or more).  Because of this, Broker's listener actually fails to re-bind to the port on the next cluster start silently.  All Broker communication then fails to work silently.  It can take a while to notice this failure, since nothing really complains.

The listener should probably shut down faster than 1 minute... but it might also make sense to add options to have the listener retry to start, or generate a failure message when it doesn't start.  Maybe listener starts in bro_init should actually cause Bro to stop, so that the user sees the failure immediately?

-- 
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
From jira at bro-tracker.atlassian.net Thu Jan 14 11:46:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 14 Jan 2016 13:46:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

[ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23826#comment-23826 ]

Justin Azoff commented on BIT-1521:
-----------------------------------

Ah, yes that helped the protocol detection.. though I think it shows a bug in known services in general:

{code}
$ bro -r ~/src/bro/testing/btest//Traces/globus-url-copy.trace local base/protocols/ftp/gridftp 'Known::service_tracking=ALL_HOSTS' 'GridFTP::size_threshold=1'
WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.
$ cat conn.log | bro-cut id.orig_h id.orig_p id.resp_h id.resp_p service
192.168.57.103   60108   192.168.57.101   2811    gridftp,ssl,ftp
192.168.57.103   35391   192.168.57.101   55968   ssl,gridftp-data
$ cat known_services.log | bro-cut host port_num service
192.168.57.101   2811    FTP
192.168.57.101   55968   SSL
{code}

Some of this is due to how it keeps track of services by ip,port.  Since ssl is always detected first, that is the one that gets logged.  It looks like even if it was changed to ip,port,service gridftp may not show up because it never makes it into known services.  The gridftp analyzer does

{code}
add c$service["gridftp-data"];
{code}

But this doesn't trigger a protocol_confirmation (even though it would be too late anyway), since the (ip,port) would have been logged as ssl.

So, I think known-services:

* Needs to keep track of things by (ip,port,service)
* Should possibly wait until a connection is closed and it has all the facts before trying to log the service.

If I remove the protocol_confirmation event and use simply:

{code}
event connection_state_remove(c: connection) &priority=-5
    {
    known_services_done(c);
    }
{code}

It mostly works:

{code}
$ cat known_services.log | bro-cut host port_num service
192.168.57.101   2811    FTP,SSL,gridftp
192.168.57.101   55968   gridftp-data,SSL
{code}

I'm not sure if it should log them once per line, and if we should do something about the mismatch in case.

-- 
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
From jira at bro-tracker.atlassian.net Thu Jan 14 19:15:00 2016
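The two changes Justin sketches above (a set of FTP-style data-channel services to skip, checked with the short inline loop Seth asks for instead of a general set-intersection helper, and deferring the logging decision to connection_state_remove with tracking keyed on host, port and service) written out as a complete Bro 2.4 script. This is an added example, not Bro's own base/protocols/conn/known-services.bro and not a patch from this ticket; the module name KnownSvcExample, the identifiers data_channel_services and seen, and the log path are assumptions chosen here.

```zeek
# Added example (not Bro's known-services script, not a patch from BIT-1521).
# Assumed names: module KnownSvcExample, set data_channel_services, set seen,
# log path "known_services_example".
#
#  1. FTP-style data channels live on ephemeral ports and are skipped through a
#     redef-able set, checked with a short loop over c$service.
#  2. The log decision is taken in connection_state_remove, after every script
#     (including gridftp, which only adds "gridftp-data" once the transfer
#     crosses GridFTP::size_threshold) has updated c$service, and the dedup key
#     is (host, port, service) so that "SSL" seen first on a port no longer
#     hides "gridftp" seen later on the same port.

@load base/utils/directions-and-hosts

module KnownSvcExample;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time   &log;
        host:     addr   &log;
        port_num: port   &log;
        service:  string &log;
    };

    ## Which hosts to track; same semantics as Known::service_tracking.
    const service_tracking = LOCAL_HOSTS &redef;

    ## Services that are the data channel of some other protocol.  Note the
    ## case: names added through protocol_confirmation are upper case ("FTP",
    ## "SSL"), while the ftp and gridftp scripts add these two lower-case names
    ## themselves, so the check has to use the lower-case spelling.
    const data_channel_services: set[string] = { "ftp-data", "gridftp-data" } &redef;

    ## Already logged (host, port, service) triples.  On a 2.4 cluster this
    ## would additionally carry &synchronized, as Known::services does.
    global seen: set[addr, port, string] &create_expire=1day;
}

event bro_init() &priority=5
    {
    Log::create_stream(LOG, [$columns=Info, $path="known_services_example"]);
    }

## True if any entry of c$service names a data channel.  c$service holds one
## or two strings, so the loop is cheap.
function is_data_channel(c: connection): bool
    {
    for ( s in c$service )
        {
        if ( s in data_channel_services )
            return T;
        }
    return F;
    }

event connection_state_remove(c: connection) &priority=-5
    {
    local id = c$id;

    if ( ! addr_matches_host(id$resp_h, service_tracking) ||
         is_data_channel(c) ||
         ("DNS" in c$service && c$resp$size == 0) )   # for dns, require that the server talks
        return;

    # One log line per (host, port, service) rather than one set per (host, port).
    for ( s in c$service )
        {
        if ( [id$resp_h, id$resp_p, s] in seen )
            next;

        add seen[id$resp_h, id$resp_p, s];
        Log::write(LOG, [$ts=network_time(), $host=id$resp_h,
                         $port_num=id$resp_p, $service=s]);
        }
    }
```

Run it against the trace from the thread the same way Justin did, e.g. `bro -r globus-url-copy.trace local base/protocols/ftp/gridftp known-svc-example.bro KnownSvcExample::service_tracking=ALL_HOSTS GridFTP::size_threshold=1`: port 55968 should produce no line at all, because its c$service contains "gridftp-data" by the time the connection is removed, and port 2811 should produce one line each for FTP, SSL and gridftp. The trade-off is the one Justin's second bullet implies: a service on a long-lived connection is only recorded when that connection ends, whereas the stock script records it at the first protocol_confirmation.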
From: jira at bro-tracker.atlassian.net (Derek Ditch (JIRA))
Date: Thu, 14 Jan 2016 21:15:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1523) ActiveHTTP module is broken

Derek Ditch created BIT-1523:
--------------------------------

             Summary: ActiveHTTP module is broken
                 Key: BIT-1523
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1523
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.4
         Environment: Mac OS X 10.11.2, Bro 2.4.1 (installed from Homebrew), curl 7.43.0
                      CentOS 7.1.1503, Bro 2.4.1 (installed from OpenSuSE build service), curl 7.29.0
            Reporter: Derek Ditch

When trying a very simple script found in Seth Hall's Bro Junk Drawer [1], I cannot get ActiveHTTP to even perform a successful GET request.  I'd like to use ActiveHTTP to do RESTful POSTs for a notice or given behavior.

CentOS output:
{code}
[vagrant@simplerockbuild ~]$ bro active-http-test.bro
rm: cannot remove '/tmp/bro-activehttp-0ZTaA97EcF9_body': No such file or directory
{code}

Mac OS X output:
{code}
$ bro active-http-test.bro
rm: /tmp/bro-activehttp-nuJUYIMCT4e_body: No such file or directory
rm: /tmp/bro-activehttp-nuJUYIMCT4e_headers: No such file or directory
{code}

[1] https://github.com/sethhall/bro-junk-drawer/blob/master/active-http-test.bro

-- 
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)
From noreply at bro.org Fri Jan 15 00:00:49 2016
From: noreply at bro.org (Merge Tracker)
Date: Fri, 15 Jan 2016 00:00:49 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601150800.u0F80nOS030046@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component    Reporter       Assignee      Updated     For Version   Priority   Summary
  ------------  -----------  -------------  ------------  ----------  ------------  ---------  ---------------------------------------------------------------------
  BIT-1519 [1]  Bro          Daniel Thayer  -             2016-01-12  -             Normal     bro segfaults when trying to delete a record field that doesn't exist
  BIT-1490 [2]  BroControl   Seth Hall      Justin Azoff  2015-12-11  2.5           Low        Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

  Issue     Component   User                   Updated     Title
  --------  ----------  ---------------------  ----------  -------------------------------------------------------------------------
  #51 [3]   bro         aeppert [4]            2016-01-14  Add version to HTTP::Info [5]
  #50 [6]   bro         aeppert [7]            2016-01-08  NOTIFY is a valid SIP message per RFC3265 [8]
  #49 [9]   bro         wglodek [10]           2015-12-23  update ParseRequest to handle missing uri [11]
  #46 [12]  bro         albertzaharovits [13]  2015-12-18  HTTP Content-Disposition header updates filename field in HTTP::Info [14]
  #3 [15]   broctl      aeppert [16]           2015-12-30  Wrap interface for running a custom plugin [17]

[1]  BIT-1519                      https://bro-tracker.atlassian.net/browse/BIT-1519
[2]  BIT-1490                      https://bro-tracker.atlassian.net/browse/BIT-1490
[3]  Pull Request #51              https://github.com/bro/bro/pull/51
[4]  aeppert                       https://github.com/aeppert
[5]  Merge Pull Request #51 with   git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-3
[6]  Pull Request #50              https://github.com/bro/bro/pull/50
[7]  aeppert                       https://github.com/aeppert
[8]  Merge Pull Request #50 with   git pull --no-ff --no-commit https://github.com/aeppert/bro.git patch-2
[9]  Pull Request #49              https://github.com/bro/bro/pull/49
[10] wglodek                       https://github.com/wglodek
[11] Merge Pull Request #49 with   git pull --no-ff --no-commit https://github.com/0xcc-labs/bro.git topic/http-missing-uri
[12] Pull Request #46              https://github.com/bro/bro/pull/46
[13] albertzaharovits              https://github.com/albertzaharovits
[14] Merge Pull Request #46 with   git pull --no-ff --no-commit https://github.com/albertzaharovits/bro.git master
[15] Pull Request #3               https://github.com/bro/broctl/pull/3
[16] aeppert                       https://github.com/aeppert
[17] Merge Pull Request #3 with    git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master
From jira at bro-tracker.atlassian.net Fri Jan 15 07:11:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 15 Jan 2016 09:11:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1523) ActiveHTTP module is broken

    [ https://bro-tracker.atlassian.net/browse/BIT-1523?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1523:
---------------------------
    Resolution: Invalid
        Status: Closed  (was: Open)

This is only a problem if you allow Bro to shut down immediately. We don't always develop for that scenario since it represents such a minor use of Bro.

bro active-http-test.bro exit_only_after_terminate=T

> ActiveHTTP module is broken
> ---------------------------
>
>                 Key: BIT-1523
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1523
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: Mac OS X 10.11.2, Bro 2.4.1 (installed from Homebrew), curl 7.43.0
>                      CentOS 7.1.1503, Bro 2.4.1 (installed from OpenSuSE build service), curl 7.29.0
>            Reporter: Derek Ditch
>              Labels: bug, script
>
> When trying a very simple script found in Seth Hall's Bro Junk Drawer [1], I cannot get ActiveHTTP to even perform a successful GET request. I'd like to use ActiveHTTP to do RESTful POSTs for a notice or given behavior.
> CentOS output:
> {code}
> [vagrant at simplerockbuild ~]$ bro active-http-test.bro
> rm: cannot remove ‘/tmp/bro-activehttp-0ZTaA97EcF9_body’: No such file or directory
> {code}
> Mac OS X output:
> {code}
> $ bro active-http-test.bro
> rm: /tmp/bro-activehttp-nuJUYIMCT4e_body: No such file or directory
> rm: /tmp/bro-activehttp-nuJUYIMCT4e_headers: No such file or directory
> {code}
> [1] https://github.com/sethhall/bro-junk-drawer/blob/master/active-http-test.bro

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Fri Jan 15 07:58:00 2016
From: jira at bro-tracker.atlassian.net (Derek Ditch (JIRA))
Date: Fri, 15 Jan 2016 09:58:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1523) ActiveHTTP module is broken

    [ https://bro-tracker.atlassian.net/browse/BIT-1523?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23828#comment-23828 ]

Derek Ditch commented on BIT-1523:
----------------------------------

That fixed the problem. Might add that to the documentation of the ActiveHTTP module or other modules that have a race condition during interactive use of Bro. Thanks Seth!

> ActiveHTTP module is broken
> ---------------------------
>
>                 Key: BIT-1523
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1523
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: Mac OS X 10.11.2, Bro 2.4.1 (installed from Homebrew), curl 7.43.0
>                      CentOS 7.1.1503, Bro 2.4.1 (installed from OpenSuSE build service), curl 7.29.0
>            Reporter: Derek Ditch
>              Labels: bug, script
>
> When trying a very simple script found in Seth Hall's Bro Junk Drawer [1], I cannot get ActiveHTTP to even perform a successful GET request. I'd like to use ActiveHTTP to do RESTful POSTs for a notice or given behavior.
> CentOS output:
> {code}
> [vagrant at simplerockbuild ~]$ bro active-http-test.bro
> rm: cannot remove ‘/tmp/bro-activehttp-0ZTaA97EcF9_body’: No such file or directory
> {code}
> Mac OS X output:
> {code}
> $ bro active-http-test.bro
> rm: /tmp/bro-activehttp-nuJUYIMCT4e_body: No such file or directory
> rm: /tmp/bro-activehttp-nuJUYIMCT4e_headers: No such file or directory
> {code}
> [1] https://github.com/sethhall/bro-junk-drawer/blob/master/active-http-test.bro

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Fri Jan 15 10:10:00 2016
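The shutdown race Seth describes, written out as an added example (not the page's script and not Seth Hall's junk-drawer one): the script closes the race by keeping Bro alive until the ActiveHTTP callback calls terminate(), so the curl helper and its temporary files are cleaned up after the request finishes rather than during it. The URL and timeouts are constructed placeholders.

```bro
# Added example, not from the page: a minimal ActiveHTTP request that does
# not race with Bro's shutdown (cf. BIT-1523).
@load base/utils/active-http

# Without this, Bro exits as soon as bro_init() returns. The curl child is
# still in flight at that point, and the cleanup "rm" of the temporary
# body/headers files is what produces the "No such file or directory"
# messages in the report.
redef exit_only_after_terminate = T;

event bro_init()
	{
	# Constructed placeholder URL. For the REST-style notification use
	# case, set $method="POST" and put the payload in $client_data.
	local req = ActiveHTTP::Request($url="http://127.0.0.1:8080/test",
	                                $method="GET",
	                                $max_time=10sec);

	when ( local resp = ActiveHTTP::request(req) )
		{
		print fmt("HTTP %d %s", resp$code, resp$msg);

		# body and headers are &optional fields of ActiveHTTP::Response
		if ( resp?$headers )
			print fmt("%d response header(s)", |resp$headers|);

		if ( resp?$body )
			print fmt("%d body bytes", |resp$body|);

		# Only now is it safe to leave: curl has finished and the temp
		# files have already been removed by the module.
		terminate();
		}
	timeout 15sec
		{
		print "ActiveHTTP request timed out";
		terminate();
		}
	}
```

Run it as `bro this-script.bro`; the `exit_only_after_terminate=T` command-line redef Seth gives is equivalent to the `redef` line in the script.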
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 15 Jan 2016 12:10:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1519) bro segfaults when trying to delete a record field that doesn't exist

    [ https://bro-tracker.atlassian.net/browse/BIT-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1519:
---------------------------------
    Assignee: Robin Sommer

> bro segfaults when trying to delete a record field that doesn't exist
> ---------------------------------------------------------------------
>
>                 Key: BIT-1519
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1519
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>         Attachments: test.bro
>
>
> When using the "delete" statement on a record field that doesn't exist,
> Bro will (correctly) report an error message, but then it segfaults.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Fri Jan 15 10:16:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 15 Jan 2016 12:16:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1514) Test plugins.pktsrc fails

    [ https://bro-tracker.atlassian.net/browse/BIT-1514?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23829#comment-23829 ]

Robin Sommer commented on BIT-1514:
-----------------------------------

Forgot to comment on this earlier: I had tried to reproduce it here, but no luck. valgrind also didn't flag anything. I also double-checked the code and didn't spot anything obvious.

> Test plugins.pktsrc fails
> -------------------------
>
>                 Key: BIT-1514
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1514
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: Fedora 23
>            Reporter: Jan Grashoefer
>            Assignee: Robin Sommer
>
> The plugins.pktsrc test fails for me. Bro crashes with:
> {code}
> *** Error in `bro': corrupted double-linked list: 0x0000000003ac10a0 ***
> ======= Backtrace: =========
> /lib64/libc.so.6(+0x77e15)[0x7f5c5e23ae15]
> /lib64/libc.so.6(+0x7eed8)[0x7f5c5e241ed8]
> /lib64/libc.so.6(+0x807a8)[0x7f5c5e2437a8]
> /lib64/libc.so.6(cfree+0x4c)[0x7f5c5e246cac]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x32)[0x5d3322]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZN8BrofilerD1Ev+0x22)[0x5d2162]
> /lib64/libc.so.6(+0x39658)[0x7f5c5e1fc658]
> /lib64/libc.so.6(+0x396a5)[0x7f5c5e1fc6a5]
> /lib64/libc.so.6(__libc_start_main+0xf7)[0x7f5c5e1e3587]
> bro(_start+0x29)[0x5ac359]
> ======= Memory map: ========
> {code}
> The commit ["Use better data structure for storing BPF filters."|https://github.com/bro/bro/commit/6dd32c649b3dcb6ec652366ffaa90966549da008] seems to have introduced the issue. A quick google search indicated that it might be a threading issue.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Fri Jan 15 10:50:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 15 Jan 2016 12:50:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub

    [ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23830#comment-23830 ]

Robin Sommer commented on BIT-1413:
-----------------------------------

Yeah, would prefer to keep, makes it easier to navigate. Would it work with GitHub to do a bullet list with relative links instead of the toctree? (However, I'm not sure if then Sphinx would complain about the sub-directory README not being included anywhere.)

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>            Priority: Low
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Fri Jan 15 12:35:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Fri, 15 Jan 2016 14:35:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1515) Interface setup plug-in

    [ https://bro-tracker.atlassian.net/browse/BIT-1515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23831#comment-23831 ]

Justin Azoff commented on BIT-1515:
-----------------------------------

Doug Burks commented on the interface setup gist:

    Hi Justin,

    Regarding the ethtool invocation, I seem to remember an issue with certain NICs where the command might fail when trying to set multiple options at one time.

    http://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

    "You can set multiple options in one "ethtool" command, but this can be problematic if your card doesn't support all of the settings."

    Here is what we do in Security Onion that has been working well for a few years now:

    for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done

    Hope that helps!

> Interface setup plug-in
> -----------------------
>
>                 Key: BIT-1515
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1515
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Jeannette Dopheide
>            Assignee: Justin Azoff
>            Priority: Low
>
> Place holder ticket to remind Justin to finish the interface setup plug-in he has been working on.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Fri Jan 15 15:08:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 15 Jan 2016 17:08:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1519) bro segfaults when trying to delete a record field that doesn't exist

    [ https://bro-tracker.atlassian.net/browse/BIT-1519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1519:
------------------------------
    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> bro segfaults when trying to delete a record field that doesn't exist
> ---------------------------------------------------------------------
>
>                 Key: BIT-1519
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1519
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>         Attachments: test.bro
>
>
> When using the "delete" statement on a record field that doesn't exist,
> Bro will (correctly) report an error message, but then it segfaults.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Fri Jan 15 17:31:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 15 Jan 2016 19:31:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub

    [ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1413:
-------------------------------
    Resolution: Fixed
        Status: Closed  (was: Open)

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>            Priority: Low
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Fri Jan 15 17:31:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Fri, 15 Jan 2016 19:31:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1413) README files misidentified by GitHub

    [ https://bro-tracker.atlassian.net/browse/BIT-1413?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23833#comment-23833 ]

Johanna Amann commented on BIT-1413:
------------------------------------

After playing around for a bit - it is basically impossible to create something here that works in Sphinx and in GitHub (the links end up broken in one of the two cases). The current solution is to change the phrasing somewhat, so it does not look odd when the links are not present on GitHub, and leave everything else as is.

Besides this, everything in this ticket is done. Closing.

> README files misidentified by GitHub
> ------------------------------------
>
>                 Key: BIT-1413
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1413
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Documentation
>            Reporter: Vlad Grigorescu
>            Assignee: Johanna Amann
>            Priority: Low
>             Fix For: 2.5
>
>
> If a README file doesn't have an extension, GitHub will parse it as Markdown. Because our README files are ReST, this results in some ugly (and not very useful) READMEs when visiting the repository on GitHub.
> For example, see: https://github.com/bro/btest#readme
> There are two options we could take to fix this: rename README to README.rst, or create a symlink. I tried out the symlink option here, and I think the result is much more useful: https://github.com/grigorescu/btest#readme
> The affected repos are:
> binpac
> bro
> bro-aux
> bro-plugins
> bro-scripts
> broccoli
> broccoli-perl
> broccoli-python
> broccoli-ruby
> broctl (broctl's README just instructs users to see doc/broctl.rst. This could just be a symlink)
> broker
> bromagic (this can probably be deleted?)
> btest
> capstats
> time-machine
> trace-summary

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From noreply at bro.org Sat Jan 16 00:00:41 2016
From: noreply at bro.org (Merge Tracker)
Date: Sat, 16 Jan 2016 00:00:41 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601160800.u0G80fVH010839@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------  ------------  ----------  -----------  --------  -------------------------------------------------------------
BIT-1490 [1]  BroControl  Seth Hall  Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User         Updated     Title
-------  ---------  -----------  ----------  ----------------------------------------------
#3 [2]   broctl     aeppert [3]  2015-12-30  Wrap interface for running a custom plugin [4]

[1] BIT-1490          https://bro-tracker.atlassian.net/browse/BIT-1490
[2] Pull Request #3   https://github.com/bro/broctl/pull/3
[3] aeppert           https://github.com/aeppert
[4] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From jira at bro-tracker.atlassian.net Sat Jan 16 21:47:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Sat, 16 Jan 2016 23:47:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1524) Fixing compiler warnings

Seth Hall created BIT-1524:
------------------------------

             Summary: Fixing compiler warnings
                 Key: BIT-1524
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1524
             Project: Bro Issue Tracker
          Issue Type: Task
          Components: Bro
            Reporter: Seth Hall

The topic/seth/compiler-cleanup branch in the Bro repository and the Binpac repository fix a set of compiler warnings currently showing up in Bro. Some of them were introduced by moving to C++11.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From jira at bro-tracker.atlassian.net Sat Jan 16 21:47:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Sat, 16 Jan 2016 23:47:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1524) Fixing compiler warnings

    [ https://bro-tracker.atlassian.net/browse/BIT-1524?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1524:
---------------------------
    Status: Merge Request  (was: Open)

> Fixing compiler warnings
> ------------------------
>
>                 Key: BIT-1524
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1524
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Seth Hall
>
> The topic/seth/compiler-cleanup branch in the Bro repository and the Binpac repository fix a set of compiler warnings currently showing up in Bro. Some of them were introduced by moving to C++11.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-04-012#71001)

From noreply at bro.org Sun Jan 17 00:00:28 2016
From: noreply at bro.org (Merge Tracker)
Date: Sun, 17 Jan 2016 00:00:28 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601170800.u0H80ShO013604@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter   Assignee      Updated     For Version  Priority  Summary
------------  ----------  ---------  ------------  ----------  -----------  --------  -------------------------------------------------------------
BIT-1524 [1]  Bro         Seth Hall  -             2016-01-16  -            Normal    Fixing compiler warnings
BIT-1490 [2]  BroControl  Seth Hall  Justin Azoff  2015-12-11  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User         Updated     Title
-------  ---------  -----------  ----------  ----------------------------------------------
#3 [3]   broctl     aeppert [4]  2015-12-30  Wrap interface for running a custom plugin [5]

[1] BIT-1524          https://bro-tracker.atlassian.net/browse/BIT-1524
[2] BIT-1490          https://bro-tracker.atlassian.net/browse/BIT-1490
[3] Pull Request #3   https://github.com/bro/broctl/pull/3
[4] aeppert           https://github.com/aeppert
[5] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From barak.work.email at gmail.com Sun Jan 17 00:58:06 2016
From: barak.work.email at gmail.com (barak gilboa)
Date: Sun, 17 Jan 2016 10:58:06 +0200
Subject: [Bro-Dev] bro manager stops writing logs - EINTR issue ?
Message-ID:

Hello,

I would appreciate anyone's help on the following issue:

Setup: 24 workers, 1 proxy, 1 manager. Each worker has a bloom filter of its own, so eventually very few events are passed on to the manager for writing. There is only one log file being written (dns.log), which fills at a rate of about 10k lines per second.

Problem: after a few hours, the manager stops writing the log file, though everything is still running. No errors in debug.log or stderr.log.

I ran strace and found that the manager's child process has an *EINTR* issue:

ERESTARTNOHAND to be restarted if no handler
SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL}
rt_sigreturn()=-1 EINTR (interrupted system call)

I read that Bro should handle EINTR errors internally. Any suggestions on what can be done?

Thanks!
Barak

From noreply at bro.org Mon Jan 18 00:00:30 2016
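An added illustration of the failure mode the strace output above points at; this is not Bro's code and not a diagnosis of the reported bug. A SIGALRM handler installed without SA_RESTART makes a blocked write() fail with EINTR; a writer that treats that as fatal stops, while a writer that retries delivers everything. The pipe, the timer and the payload are constructed for the demo, and the signal handler stands in for the reading side so the whole thing runs in one process.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

/* Shared with the SIGALRM handler (read() is async-signal-safe). */
static int g_read_fd = -1;
static volatile sig_atomic_t g_drain = 0;    /* 1: handler acts as the reader */
static volatile long g_drained = 0;

/* With g_drain set, each SIGALRM frees one 4 KiB pipe slot, standing in for a
   reader process, so the blocked writer can progress between interrupts. */
static void on_alarm(int sig)
{
    int saved = errno;
    char scratch[4096];
    ssize_t n;
    (void)sig;
    if (g_drain && (n = read(g_read_fd, scratch, sizeof scratch)) > 0)
        g_drained += n;
    errno = saved;
}

/* Handler installed WITHOUT SA_RESTART plus a periodic timer: a blocked
   write() now fails with -1/EINTR instead of being restarted transparently. */
static int arm_alarm(long interval_us)
{
    struct sigaction sa;
    struct itimerval it = {{0, interval_us}, {0, interval_us}};
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sa.sa_flags = 0;                          /* no SA_RESTART on purpose */
    if (sigaction(SIGALRM, &sa, NULL) < 0) return -1;
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* Robust writer: retries after EINTR and continues after a short write. */
ssize_t write_all(int fd, const char *buf, size_t len)
{
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, buf + done, len - done);
        if (n < 0 && errno == EINTR)
            continue;                         /* nothing moved yet: retry */
        if (n < 0) return -1;
        done += (size_t)n;                    /* short write: keep going */
    }
    return (ssize_t)done;
}

/* A pipe filled to capacity, so the next blocking write() stalls. The read
   end stays non-blocking so the handler can never block. Returns filler bytes. */
static long make_full_pipe(int fds[2])
{
    static const char filler[4096];
    long filled = 0;
    ssize_t n;
    if (pipe(fds) < 0) return -1;
    fcntl(fds[0], F_SETFL, O_NONBLOCK);
    fcntl(fds[1], F_SETFL, O_NONBLOCK);
    while ((n = write(fds[1], filler, sizeof filler)) > 0)
        filled += n;                          /* stops at EAGAIN */
    fcntl(fds[1], F_SETFL, 0);                /* blocking again for the demo */
    g_read_fd = fds[0];
    g_drained = 0;
    return filled;
}

/* Push len payload bytes into the full pipe under SIGALRM pressure.
   robust=1: write_all() with the handler draining; returns the payload bytes
   that reached the read side, which must equal len.
   robust=0: one unguarded write() with nobody reading, as a naive writer does;
   it blocks until the timer fires and returns -errno (-EINTR): the point at
   which such a log writer silently stops. */
long pipe_writer_demo(size_t len, int robust)
{
    int fds[2];
    long prefilled, total, rc = 0;
    char scratch[4096];
    ssize_t n, w;
    struct itimerval off = {{0, 0}, {0, 0}};
    char *payload = malloc(len);
    if (!payload || (prefilled = make_full_pipe(fds)) < 0) return -1;
    memset(payload, 'y', len);
    g_drain = robust;
    if (arm_alarm(robust ? 1000 : 20000) < 0) return -1;
    w = robust ? write_all(fds[1], payload, len) : write(fds[1], payload, len);
    if (w < 0) rc = -errno;
    setitimer(ITIMER_REAL, &off, NULL);       /* stop the timer */
    g_drain = 0; total = g_drained;
    while ((n = read(fds[0], scratch, sizeof scratch)) > 0)
        total += n;                           /* drain what is still queued */
    close(fds[0]); close(fds[1]);
    free(payload);
    return rc < 0 ? rc : total - prefilled;
}
```

The same retry loop applies to read(), select() and friends: any blocking call can come back with EINTR once a non-restarting handler is installed, and an unhandled return is exactly the "everything still running, nothing written" picture above.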
From: noreply at bro.org (Merge Tracker)
Date: Mon, 18 Jan 2016 00:00:30 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601180800.u0I80URf003532@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter    Assignee       Updated      For Version   Priority   Summary
------------  -----------  ----------  -------------  -----------  ------------  ---------  -------------------------------------------------------------
BIT-1524 [1]  Bro          Seth Hall   -              2016-01-16   -             Normal     Fixing compiler warnings
BIT-1490 [2]  BroControl   Seth Hall   Justin Azoff   2015-12-11   2.5           Low        Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component    User          Updated      Title
-------  -----------  ------------  -----------  ----------------------------------------------
#3 [3]   broctl       aeppert [4]   2015-12-30   Wrap interface for running a custom plugin [5]

[1] BIT-1524 https://bro-tracker.atlassian.net/browse/BIT-1524
[2] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490
[3] Pull Request #3 https://github.com/bro/broctl/pull/3
[4] aeppert https://github.com/aeppert
[5] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From seth at icir.org Mon Jan 18 06:48:51 2016
From: seth at icir.org (Seth Hall)
Date: Mon, 18 Jan 2016 09:48:51 -0500
Subject: [Bro-Dev] bro manager stops writing logs - EINTR issue ?
In-Reply-To:
References:
Message-ID:

> On Jan 17, 2016, at 3:58 AM, barak gilboa wrote:
>
> problem: after a few hours, manager stops writing the log file though everything is still running. no errors on debug.log or stderr.log.
> I ran strace and found that the manager's child process has EINTR issue:

I'm not completely sure what's causing the issue that you're seeing, but could you try running your same workload with a branch I've worked on some?

topic/seth/remove-flare

Thanks!
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jira at bro-tracker.atlassian.net Mon Jan 18 15:08:00 2016
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Mon, 18 Jan 2016 17:08:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1525) Support Internet Message Format for SMTP
In-Reply-To:
References:
Message-ID:

Jan Grashoefer created BIT-1525:
-----------------------------------

             Summary: Support Internet Message Format for SMTP
                 Key: BIT-1525
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1525
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
         Environment: All
            Reporter: Jan Grashoefer
            Priority: Low

Having a look at an [issue|https://bro-tracker.atlassian.net/browse/BIT-1507?focusedCommentId=23300&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-23300] I noticed a problem with SMTP: Bro assumes that e.g. the To-field contains a comma-separated list of mail addresses. According to [RFC 5322|https://tools.ietf.org/html/rfc5322#section-3.6.3] there is also the possibility to use groups (see below).

{code}
To: "Test Group":,;
{code}

Regarding groups I am not sure whether they can be nested. If I am not mistaken, the [grammar|https://tools.ietf.org/html/rfc5322#section-3.4] in the RFC would allow nested groups. But in my understanding this is not desired for the Destination Address Fields:

{quote}
the field name, which is either "To", "Cc", or "Bcc", followed by a comma-separated list of one or more addresses (either mailbox or group syntax)
{quote}

That leads to two questions:
# Would it be sufficient for Bro to log just the addresses (usually what's inside < and >) without description (quoted with ")?
# Should Bro support nested group-syntax?

I think option 1 (just log the plain addresses) should be sufficient, because if someone is interested in more details, one could have a look at the raw headers.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Mon Jan 18 15:48:00 2016
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Mon, 18 Jan 2016 17:48:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1507) Intel framework does not match mail addresses properly
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23900#comment-23900 ]

Jan Grashoefer commented on BIT-1507:
-------------------------------------

I have opened a pull request for a patch that fixes this issue. For the address format related issue I have opened [a new ticket|https://bro-tracker.atlassian.net/browse/BIT-1525].

> Intel framework does not match mail addresses properly
> ------------------------------------------------------
>
>                 Key: BIT-1507
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1507
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: All
>            Reporter: Jan Grashoefer
>            Priority: Low
>              Labels: intel-framework
>
> Some time ago someone in #bro asked for matching mail addresses using the intel-framework. We realized that the [seen-script|https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/smtp.bro] seems to contain a bug: Using {code}split_string_n(mail_address, /<.+>/, T, 1){code} to extract a mail address misses the last character and does not respect the possibility of multiple addresses.
> I will add a pcap later.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-05-006#71001)

From noreply at bro.org Tue Jan 19 00:00:27 2016
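An added example covering both BIT-1525 (group syntax) and the BIT-1507 extraction bug quoted above; it is written in C here, is not the seen/smtp.bro script and is not the fix in the pull request. It walks a To/Cc/Bcc value the way RFC 5322 structures it (quoted display names that may contain commas, comments, and group syntax) and returns only the plain addresses, which is the "option 1" the ticket proposes, beside what a single greedy `<.+>` match yields on a multi-mailbox list. Every address missed by the extractor is one the Intel framework never gets to match, which is the detection gap the tickets are about. The header values are constructed samples.

```c
#include <ctype.h>
#include <string.h>

#define ADDR_LEN 128
#define MAX_ADDRS 8

/* Copy [b, e) into dst with surrounding whitespace removed. */
static void copy_trimmed(const char *b, const char *e, char *dst)
{
    size_t n;
    while (b < e && isspace((unsigned char)*b)) b++;
    while (e > b && isspace((unsigned char)e[-1])) e--;
    n = (size_t)(e - b);
    if (n >= ADDR_LEN) n = ADDR_LEN - 1;
    memcpy(dst, b, n);
    dst[n] = '\0';
}

/* A mailbox just ended (',' ';' ':' or end of value). If no angle-addr was
   seen, text containing '@' is a bare addr-spec: emit it. */
static void end_mailbox(const char *tok, size_t tl, int have_angle,
                        char out[][ADDR_LEN], int *count)
{
    if (!have_angle && memchr(tok, '@', tl)) {
        if (out && *count < MAX_ADDRS) copy_trimmed(tok, tok + tl, out[*count]);
        (*count)++;
    }
}

/* Collect the plain addresses of a To/Cc/Bcc value: what sits between '<' and
   '>', or a bare addr-spec. Quoted display names (commas inside), comments and
   RFC 5322 group syntax (display-name ":" mailbox-list ";") are handled; the
   group name is dropped, its members are kept. Returns the number of addresses
   (pass out=NULL to count only), or -1 on malformed input. */
int extract_addresses(const char *v, char out[][ADDR_LEN])
{
    char tok[256];
    size_t tl = 0, i = 0;
    int count = 0, have_angle = 0;
    while (v[i]) {
        if (v[i] == '"') {                     /* quoted-string, copied verbatim */
            size_t j = i + 1;
            while (v[j] && v[j] != '"') j += (v[j] == '\\' && v[j + 1]) ? 2 : 1;
            if (!v[j]) return -1;
            for (; i <= j; i++) if (tl < sizeof tok - 1) tok[tl++] = v[i];
        } else if (v[i] == '(') {              /* comment, may nest: skipped */
            int depth = 1;
            for (i++; v[i] && depth; i++) {
                if (v[i] == '(') depth++;
                else if (v[i] == ')') depth--;
                else if (v[i] == '\\' && v[i + 1]) i++;
            }
            if (depth) return -1;
        } else if (v[i] == '<') {              /* angle-addr: the address itself */
            const char *gt = strchr(v + i + 1, '>');
            if (!gt) return -1;
            if (out && count < MAX_ADDRS) copy_trimmed(v + i + 1, gt, out[count]);
            count++; have_angle = 1; tl = 0;
            i = (size_t)(gt - v) + 1;
        } else if (v[i] == ',' || v[i] == ';' || v[i] == ':') {
            end_mailbox(tok, tl, have_angle, out, &count);
            tl = 0; have_angle = 0; i++;
        } else {
            if (tl < sizeof tok - 1) tok[tl++] = v[i];
            i++;
        }
    }
    end_mailbox(tok, tl, have_angle, out, &count);
    return count;
}

/* What one greedy /<.+>/ match yields: everything from the first '<' to the
   last '>' of the whole value, so several mailboxes collapse into one bogus
   "address". Returns 1 if there was a match, else 0. */
int naive_extract(const char *v, char out[ADDR_LEN])
{
    const char *lt = strchr(v, '<');
    const char *gt = lt ? strrchr(lt, '>') : NULL;
    if (!lt || !gt || gt == lt + 1) return 0;
    copy_trimmed(lt + 1, gt, out);
    return 1;
}

/* Check helpers: does the n-th extracted address of v equal want, and does the
   naive match equal want. */
int address_is(const char *v, int n, const char *want)
{
    char out[MAX_ADDRS][ADDR_LEN];
    int c = extract_addresses(v, out);
    return n >= 0 && n < c && n < MAX_ADDRS && strcmp(out[n], want) == 0;
}

int naive_is(const char *v, const char *want)
{
    char one[ADDR_LEN];
    return naive_extract(v, one) == 1 && strcmp(one, want) == 0;
}
```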
From: noreply at bro.org (Merge Tracker)
Date: Tue, 19 Jan 2016 00:00:27 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601190800.u0J80Rf2004133@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter    Assignee       Updated      For Version   Priority   Summary
------------  -----------  ----------  -------------  -----------  ------------  ---------  -------------------------------------------------------------
BIT-1524 [1]  Bro          Seth Hall   -              2016-01-16   -             Normal     Fixing compiler warnings
BIT-1490 [2]  BroControl   Seth Hall   Justin Azoff   2015-12-11   2.5           Low        Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component    User          Updated      Title
-------  -----------  ------------  -----------  ----------------------------------------------
#52 [3]  bro          J-Gras [4]    2016-01-18   Fixed matching mail address intel [5]
#3 [6]   broctl       aeppert [7]   2015-12-30   Wrap interface for running a custom plugin [8]

[1] BIT-1524 https://bro-tracker.atlassian.net/browse/BIT-1524
[2] BIT-1490 https://bro-tracker.atlassian.net/browse/BIT-1490
[3] Pull Request #52 https://github.com/bro/bro/pull/52
[4] J-Gras https://github.com/J-Gras
[5] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[6] Pull Request #3 https://github.com/bro/broctl/pull/3
[7] aeppert https://github.com/aeppert
[8] Merge Pull Request #3 with git pull --no-ff --no-commit https://github.com/aeppert/broctl.git master

From jira at bro-tracker.atlassian.net Tue Jan 19 01:15:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Tue, 19 Jan 2016 03:15:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1526) Radiotap support
In-Reply-To:
References:
Message-ID:

Seth Hall created BIT-1526:
------------------------------

             Summary: Radiotap support
                 Key: BIT-1526
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1526
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
            Reporter: Seth Hall

Radiotap support so that Bro can understand packets captured from many wireless interfaces. It even has a test that tests 802.11 headers with and without QoS data.

The branch is ready to be merged and is named: topic/seth/radiotap

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Tue Jan 19 01:15:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Tue, 19 Jan 2016 03:15:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1526) Radiotap support
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1526:
---------------------------

    Status: Merge Request  (was: Open)

> Radiotap support
> ----------------
>
>                 Key: BIT-1526
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1526
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>
> Radiotap support so that Bro can understand packets captured from many wireless interfaces. It even has a test that tests 802.11 headers with and without QoS data.
>
> The branch is ready to be merged and is named: topic/seth/radiotap

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-05-006#71001)

From barak.work.email at gmail.com Tue Jan 19 06:31:34 2016
From: barak.work.email at gmail.com (barak gilboa)
Date: Tue, 19 Jan 2016 16:31:34 +0200
Subject: [Bro-Dev] bro manager stops writing logs - EINTR issue ?
In-Reply-To:
References:
Message-ID:

Hi,

Can you please post the full URL for your version? I can't find it under https://github.com/sethhall

Thanks

2016-01-18 16:48 GMT+02:00 Seth Hall :

> > On Jan 17, 2016, at 3:58 AM, barak gilboa wrote:
> >
> > problem: after a few hours, manager stops writing the log file though everything is still running. no errors on debug.log or stderr.log.
> > I ran strace and found that the manager's child process has EINTR issue:
>
> I'm not completely sure what's causing the issue that you're seeing, but could you try running your same workload with a branch I've worked on some?
> topic/seth/remove-flare
>
> Thanks!
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>

From jira at bro-tracker.atlassian.net Tue Jan 19 06:54:00 2016
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Tue, 19 Jan 2016 08:54:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1514) Test plugins.pktsrc fails
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Grashoefer updated BIT-1514:
--------------------------------

    Resolution: Cannot Reproduce
        Status: Closed  (was: Open)

Neither was I able to reproduce the crash again on current master. Thanks for having a look!

> Test plugins.pktsrc fails
> -------------------------
>
>                 Key: BIT-1514
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1514
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: Fedora 23
>            Reporter: Jan Grashoefer
>            Assignee: Robin Sommer
>
> The plugins.pktsrc test fails for me. Bro crashes with:
> {code}
> *** Error in `bro': corrupted double-linked list: 0x0000000003ac10a0 ***
> ======= Backtrace: =========
> /lib64/libc.so.6(+0x77e15)[0x7f5c5e23ae15]
> /lib64/libc.so.6(+0x7eed8)[0x7f5c5e241ed8]
> /lib64/libc.so.6(+0x807a8)[0x7f5c5e2437a8]
> /lib64/libc.so.6(cfree+0x4c)[0x7f5c5e246cac]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x32)[0x5d3322]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZNSt8_Rb_treeISt4pairINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEES6_ES0_IKS7_mESt10_Select1stIS9_ESt4lessIS7_ESaIS9_EE8_M_eraseEPSt13_Rb_tree_nodeIS9_E+0x1c)[0x5d330c]
> bro(_ZN8BrofilerD1Ev+0x22)[0x5d2162]
> /lib64/libc.so.6(+0x39658)[0x7f5c5e1fc658]
> /lib64/libc.so.6(+0x396a5)[0x7f5c5e1fc6a5]
> /lib64/libc.so.6(__libc_start_main+0xf7)[0x7f5c5e1e3587]
> bro(_start+0x29)[0x5ac359]
> ======= Memory map: ========
> {code}
> The commit ["Use better data structure for storing BPF filters."|https://github.com/bro/bro/commit/6dd32c649b3dcb6ec652366ffaa90966549da008] seems to have introduced the issue. A quick google search indicated that it might be a threading issue.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Tue Jan 19 06:54:00 2016
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Tue, 19 Jan 2016 08:54:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1514) Test plugins.pktsrc fails
In-Reply-To:
References:
Message-ID:

     [ https://bro-tracker.atlassian.net/browse/BIT-1514?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23902#comment-23902 ]

Jan Grashoefer edited comment on BIT-1514 at 1/19/16 8:53 AM:
--------------------------------------------------------------

Neither was I able to reproduce the crash again on current master. Thanks for having a look!

was (Author: jgras):
Neither I was not able to reproduce the crash again on current master. Thanks for having a look!

> Test plugins.pktsrc fails
> -------------------------
>
>                 Key: BIT-1514
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1514
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: Fedora 23
>            Reporter: Jan Grashoefer
>            Assignee: Robin Sommer
>
> The plugins.pktsrc test fails for me.
r--p 0002f000 fd:00 139259 /usr/lib64/libGeoIP.so.1.6.6 > 7f5c5ffb2000-7f5c5ffb4000 rw-p 00030000 fd:00 139259 /usr/lib64/libGeoIP.so.1.6.6 > 7f5c5ffb4000-7f5c5ffc9000 r-xp 00000000 fd:00 140295 /usr/lib64/libz.so.1.2.8 > 7f5c5ffc9000-7f5c601c8000 ---p 00015000 fd:00 140295 /usr/lib64/libz.so.1.2.8 > 7f5c601c8000-7f5c601c9000 r--p 00014000 fd:00 140295 /usr/lib64/libz.so.1.2.8 > 7f5c601c9000-7f5c601ca000 rw-p 00015000 fd:00 140295 /usr/lib64/libz.so.1.2.8 > 7f5c601ca000-7f5c601e1000 r-xp 00000000 fd:00 135173 /usr/lib64/libresolv-2.22.so > 7f5c601e1000-7f5c603e1000 ---p 00017000 fd:00 135173 /usr/lib64/libresolv-2.22.so > 7f5c603e1000-7f5c603e2000 r--p 00017000 fd:00 135173 /usr/lib64/libresolv-2.22.so > 7f5c603e2000-7f5c603e3000 rw-p 00018000 fd:00 135173 /usr/lib64/libresolv-2.22.so > 7f5c603e3000-7f5c603e5000 rw-p 00000000 00:00 0 > 7f5c603e5000-7f5c60606000 r-xp 00000000 fd:00 137954 /usr/lib64/libcrypto.so.1.0.2d > 7f5c60606000-7f5c60806000 ---p 00221000 fd:00 137954 /usr/lib64/libcrypto.so.1.0.2d > 7f5c60806000-7f5c60821000 r--p 00221000 fd:00 137954 /usr/lib64/libcrypto.so.1.0.2d > 7f5c60821000-7f5c6082e000 rw-p 0023c000 fd:00 137954 /usr/lib64/libcrypto.so.1.0.2d > 7f5c6082e000-7f5c60832000 rw-p 00000000 00:00 0 > 7f5c60832000-7f5c6089f000 r-xp 00000000 fd:00 138211 /usr/lib64/libssl.so.1.0.2d > 7f5c6089f000-7f5c60a9f000 ---p 0006d000 fd:00 138211 /usr/lib64/libssl.so.1.0.2d > 7f5c60a9f000-7f5c60aa4000 r--p 0006d000 fd:00 138211 /usr/lib64/libssl.so.1.0.2d > 7f5c60aa4000-7f5c60aab000 rw-p 00072000 fd:00 138211 /usr/lib64/libssl.so.1.0.2d > 7f5c60aab000-7f5c60aeb000 r-xp 00000000 fd:00 139950 /usr/lib64/libpcap.so.1.7.4 > 7f5c60aeb000-7f5c60ceb000 ---p 00040000 fd:00 139950 /usr/lib64/libpcap.so.1.7.4 > 7f5c60ceb000-7f5c60ced000 r--p 00040000 fd:00 139950 /usr/lib64/libpcap.so.1.7.4 > 7f5c60ced000-7f5c60cee000 rw-p 00042000 fd:00 139950 /usr/lib64/libpcap.so.1.7.4 > 7f5c60cee000-7f5c60d0f000 r-xp 00000000 fd:00 135129 /usr/lib64/ld-2.22.so > 
> {code}
> The commit ["Use better data structure for storing BPF filters."|https://github.com/bro/bro/commit/6dd32c649b3dcb6ec652366ffaa90966549da008] seems to have introduced the issue. A quick Google search indicated that it might be a threading issue.

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-05-006#71001)

From seth at icir.org Tue Jan 19 07:06:25 2016
From: seth at icir.org (Seth Hall)
Date: Tue, 19 Jan 2016 10:06:25 -0500
Subject: [Bro-Dev] bro manager stops writing logs - EINTR issue ?
Message-ID: <4226F5B2-7C7C-41A0-9462-D6F0682BC470@icir.org>

It's a branch on the main Bro repository.

  .Seth

> On Jan 19, 2016, at 9:31 AM, barak gilboa wrote:
>
> hi
>
> can you please post the full URL for your version ?
> I can't find it under https://github.com/sethhall
>
> thanks
>
> 2016-01-18 16:48 GMT+02:00 Seth Hall :
>
> > On Jan 17, 2016, at 3:58 AM, barak gilboa wrote:
> >
> > problem: after a few hours, manager stops writing the log file though everything is still running. no errors on debug.log or stderr.log.
> > I ran strace and found that the manager's child process has an EINTR issue:
>
> I'm not completely sure what's causing the issue that you're seeing, but could you try running your same workload with a branch I've worked on some?
> topic/seth/remove-flare
>
> Thanks!
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From jira at bro-tracker.atlassian.net Tue Jan 19 08:14:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 19 Jan 2016 10:14:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1526) Radiotap support

    [ https://bro-tracker.atlassian.net/browse/BIT-1526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann reassigned BIT-1526:
----------------------------------

    Assignee: Johanna Amann

> Radiotap support
> ----------------
>
>                 Key: BIT-1526
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1526
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Johanna Amann
>
> Radiotap support so that Bro can understand packets captured from many wireless interfaces. It even has a test that tests 802.11 headers with and without QoS data.
>
> The branch is ready to be merged and is named: topic/seth/radiotap

From jira at bro-tracker.atlassian.net Tue Jan 19 08:47:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 19 Jan 2016 10:47:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-529) Support for DLT IEEE802_11_RADIO linktype

    [ https://bro-tracker.atlassian.net/browse/BIT-529?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-529:
------------------------------

    Resolution: No longer applies
        Status: Closed  (was: Open)

Superseded by BIT-1526

> Support for DLT IEEE802_11_RADIO linktype
> -----------------------------------------
>
>                 Key: BIT-529
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-529
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: gregor
>            Assignee: Seth Hall
>            Priority: Low
>             Fix For: 2.5
>
> {noformat}
> #!rst
> Add support for DLT IEEE802_11_RADIO to Bro. It appears this linktype adds a bunch of info from the WLAN radio in front of the actual ethernet header. Unfortunately, it appears to have variable length headers, so adding support to Bro is not trivial.
>
> Many (all?) WLAN interfaces can create pcap captures with this DLT. E.g., one can use
>
> * ``tcpdump -I ....`` or
> * ``tcpdump -y IEEE802_11_RADIO`` (depending on OS and tcpdump version used)
>
> On my Mac OS ``tcpdump -I`` works.
> {noformat}

From jira at bro-tracker.atlassian.net Tue Jan 19 10:05:00 2016
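As an added example (not code from Bro or the topic/seth/radiotap branch), the Python below walks the two variable-length headers these two tickets describe: it takes the radiotap length from the it_len field, follows extended it_present bitmaps, then sizes the 802.11 MAC header from frame control (QoS data frames carry a 2-byte QoS control field, WDS frames a fourth address), bounds-checking every read. The frames are constructed, not captured.

```python
"""Walk a DLT IEEE802_11_RADIO frame past its radiotap and 802.11 headers.

Added example, not Bro code. Radiotap: u8 version, u8 pad, u16 it_len,
u32 it_present (all little-endian); bit 31 of a present word means another
word follows. The 802.11 MAC header length is derived from frame control.
"""
import struct
from typing import NamedTuple

RADIOTAP_VERSION = 0
PRESENT_EXT_BIT = 1 << 31       # another it_present word follows this one
FC_TYPE_DATA = 2
FC_SUBTYPE_QOS = 0x08           # subtype bit 3 marks the QoS data subtypes
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02


class FrameError(ValueError):
    """A header claims more bytes than the frame actually holds."""


class Layout(NamedTuple):
    radiotap_len: int   # radiotap header bytes, taken from it_len
    dot11_len: int      # 802.11 MAC header bytes
    qos: bool           # QoS data frame (2-byte QoS control present)


def radiotap_length(frame: bytes) -> int:
    """Validate the radiotap header and return its total length (it_len)."""
    if len(frame) < 8:
        raise FrameError("frame shorter than the fixed 8-byte radiotap header")
    version, _pad, it_len, present = struct.unpack_from("<BBHI", frame, 0)
    if version != RADIOTAP_VERSION:
        raise FrameError("unsupported radiotap version %d" % version)
    if it_len < 8 or it_len > len(frame):
        raise FrameError("it_len %d does not fit in %d-byte frame" % (it_len, len(frame)))
    # The chain of present words must lie inside it_len before we trust it.
    offset = 8
    while present & PRESENT_EXT_BIT:
        if offset + 4 > it_len:
            raise FrameError("it_present chain runs past it_len")
        (present,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    return it_len


def dot11_header_length(frame: bytes, start: int):
    """Return (header length, is_qos) for the 802.11 data frame at `start`."""
    if start + 2 > len(frame):
        raise FrameError("truncated 802.11 frame control field")
    fc0, flags = frame[start], frame[start + 1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != FC_TYPE_DATA:
        raise FrameError("example handles data frames only (type %d)" % ftype)
    length = 24                                   # FC, duration, addr1-3, seq ctrl
    if flags & FLAG_TO_DS and flags & FLAG_FROM_DS:
        length += 6                               # addr4 on 4-address (WDS) frames
    qos = bool(subtype & FC_SUBTYPE_QOS)
    if qos:
        length += 2                               # QoS control field
    if start + length > len(frame):
        raise FrameError("802.11 header (%d bytes) runs past end of frame" % length)
    return length, qos


def parse_layout(frame: bytes) -> Layout:
    rt_len = radiotap_length(frame)
    mac_len, qos = dot11_header_length(frame, rt_len)
    return Layout(rt_len, mac_len, qos)


def payload(frame: bytes) -> bytes:
    layout = parse_layout(frame)
    return frame[layout.radiotap_len + layout.dot11_len:]


def accepts(frame: bytes) -> bool:
    """True when both headers fit inside the frame, False otherwise."""
    try:
        parse_layout(frame)
        return True
    except FrameError:
        return False


def build_sample(qos: bool, extended_present: bool) -> bytes:
    """Constructed test frame (not a real capture) ending in a 4-byte payload."""
    # Present bit 1 = Flags field (1 byte); the extended variant chains a
    # second, empty bitmap word so the loop in radiotap_length() is exercised.
    if extended_present:
        present = struct.pack("<II", PRESENT_EXT_BIT | 0x2, 0)
    else:
        present = struct.pack("<I", 0x2)
    fields = b"\x00"
    it_len = 4 + len(present) + len(fields)
    radiotap = struct.pack("<BBH", RADIOTAP_VERSION, 0, it_len) + present + fields
    fc0 = (FC_TYPE_DATA << 2) | ((0x8 if qos else 0x0) << 4)
    mac = bytes([fc0, FLAG_TO_DS]) + b"\x00\x00"                 # FC, duration
    mac += b"\xaa" * 6 + b"\xbb" * 6 + b"\xcc" * 6 + b"\x10\x00"  # addr1-3, seq ctrl
    if qos:
        mac += b"\x00\x00"                                        # QoS control
    return radiotap + mac + b"PAYL"
```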
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 19 Jan 2016 12:05:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1524) Fixing compiler warnings

    [ https://bro-tracker.atlassian.net/browse/BIT-1524?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1524:
---------------------------------

    Assignee: Robin Sommer

> Fixing compiler warnings
> ------------------------
>
>                 Key: BIT-1524
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1524
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>            Reporter: Seth Hall
>            Assignee: Robin Sommer
>
> The topic/seth/compiler-cleanup branch in the Bro repository and the Binpac repository fix a set of compiler warnings currently showing up in Bro. Some of them were introduced by moving to C++11.

From jira at bro-tracker.atlassian.net Tue Jan 19 11:03:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Tue, 19 Jan 2016 13:03:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

    [ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23906#comment-23906 ]

Adam Slagell commented on BIT-1490:
-----------------------------------

Justin, can you merge this this week?

> Need ability to expire logs with more granularity than #days.
> -------------------------------------------------------------
>
>                 Key: BIT-1490
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1490
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Justin Azoff
>            Priority: Low
>             Fix For: 2.5
>
> There are some users that would like or need to have BroControl maintain their collected logs with tighter granularity than how many days old the logs are.
> Right now the find command that determines which files to delete uses `-mtime` which is `x*24hr`. We would need to use the `-mmin` argument otherwise, but I suspect this would introduce the need to do some parsing of the value given so that people could specify things like `10hr` or `5days`.

From jira at bro-tracker.atlassian.net Tue Jan 19 11:12:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 19 Jan 2016 13:12:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

    [ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23907#comment-23907 ]

Justin Azoff commented on BIT-1490:
-----------------------------------

Will do.

From jira at bro-tracker.atlassian.net Tue Jan 19 11:59:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 19 Jan 2016 13:59:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1524) Fixing compiler warnings

    [ https://bro-tracker.atlassian.net/browse/BIT-1524?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1524:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

From jira at bro-tracker.atlassian.net Tue Jan 19 14:49:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 19 Jan 2016 16:49:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1527) Please merge topic/johanna/cve-2015-3194

Johanna Amann created BIT-1527:
----------------------------------

             Summary: Please merge topic/johanna/cve-2015-3194
                 Key: BIT-1527
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1527
             Project: Bro Issue Tracker
          Issue Type: Improvement
          Components: Bro
    Affects Versions: git/master
            Reporter: Johanna Amann
             Fix For: 2.5

Please merge topic/johanna/cve-2015-3194. The branch contains a test that checks if a machine is vulnerable to CVE-2015-3194 and - if yes - raises a test error.

Note that we should assure that all our jenkins machines have a current OpenSSL before merging this to master.

From jira at bro-tracker.atlassian.net Tue Jan 19 14:49:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 19 Jan 2016 16:49:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1527) Please merge topic/johanna/cve-2015-3194

    [ https://bro-tracker.atlassian.net/browse/BIT-1527?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1527:
-------------------------------

    Status: Merge Request  (was: Open)

From jira at bro-tracker.atlassian.net Tue Jan 19 16:00:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Tue, 19 Jan 2016 18:00:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1521) known services should probably ignore gridftp-data

    [ https://bro-tracker.atlassian.net/browse/BIT-1521?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1521:
-------------------------------

    Fix Version/s: 2.5

> known services should probably ignore gridftp-data
> --------------------------------------------------
>
>                 Key: BIT-1521
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1521
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Justin Azoff
>            Assignee: Justin Azoff
>            Priority: Low
>             Fix For: 2.5
>
> known services script does
> {code}
> if ( ! addr_matches_host(id$resp_h, service_tracking) ||
>      "ftp-data" in c$service || # don't include ftp data sessions
>      ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
>     return;
> {code}
> but should probably also ignore gridftp-data. Probably a good idea to add a set of services that behave like ftp for it to check.

From noreply at bro.org Wed Jan 20 00:00:22 2016
From: noreply at bro.org (Merge Tracker)
Date: Wed, 20 Jan 2016 00:00:22 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601200800.u0K80MPc004760@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter       Assignee       Updated     For Version  Priority  Summary
------------  -----------  -------------  -------------  ----------  -----------  --------  -------------------------------------------------------------
BIT-1527 [1]  Bro          Johanna Amann  -              2016-01-19  2.5          Normal    Please merge topic/johanna/cve-2015-3194
BIT-1526 [2]  Bro          Seth Hall      Johanna Amann  2016-01-19  -            Normal    Radiotap support
BIT-1490 [3]  BroControl   Seth Hall      Justin Azoff   2016-01-19  2.5          Low       Need ability to expire logs with more granularity than #days.

Open GitHub Pull Requests
=========================

Issue    Component  User        Updated     Title
-------  ---------  ----------  ----------  -------------------------------------
#52 [4]  bro        J-Gras [5]  2016-01-18  Fixed matching mail address intel [6]

[1] BIT-1527          https://bro-tracker.atlassian.net/browse/BIT-1527
[2] BIT-1526          https://bro-tracker.atlassian.net/browse/BIT-1526
[3] BIT-1490          https://bro-tracker.atlassian.net/browse/BIT-1490
[4] Pull Request #52  https://github.com/bro/bro/pull/52
[5] J-Gras            https://github.com/J-Gras
[6] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507

From jira at bro-tracker.atlassian.net Wed Jan 20 10:39:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Wed, 20 Jan 2016 12:39:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

    [ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23909#comment-23909 ]

Justin Azoff commented on BIT-1490:
-----------------------------------

This change looks good but I have one suggestion. I could see someone changing the option to "12hours" and getting this message

    value of broctl option "logexpireinterval" is invalid: 12hours

but being confused about WHY it is invalid. Something like this could help with that:

    "value of broctl option "logexpireinterval" is invalid: "12hours". Only time units "day", "hr", and "min" are recognized"

It might also be a good idea to just add "hours" and "minutes" as valid units to begin with.

From jira at bro-tracker.atlassian.net Wed Jan 20 11:36:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Wed, 20 Jan 2016 13:36:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

    [ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23910#comment-23910 ]

Daniel Thayer commented on BIT-1490:
------------------------------------

In order to avoid confusion, I kept the unit specifiers the same as what's allowed in Bro scripts. I've now made the error message more verbose.

From jira at bro-tracker.atlassian.net Wed Jan 20 11:42:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Wed, 20 Jan 2016 13:42:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

    [ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23911#comment-23911 ]

Justin Azoff commented on BIT-1490:
-----------------------------------

Ah! I bet that is where I have run into this. Bro throws a syntax error if you try to use a duration of 'hours' or 'minutes'.

From jira at bro-tracker.atlassian.net Wed Jan 20 11:49:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Wed, 20 Jan 2016 13:49:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1490) Need ability to expire logs with more granularity than #days.

    [ https://bro-tracker.atlassian.net/browse/BIT-1490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff updated BIT-1490:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

From jira at bro-tracker.atlassian.net Wed Jan 20 17:47:00 2016
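An added Python sketch of the option handling the BIT-1490 thread converges on; it is not BroControl's own code. It assumes the Bro-script interval units relevant here ("day", "hr", "min", optionally with a trailing "s"), assumes a bare number still means days, converts the value to minutes for `find -mmin +N`, and rejects "12hours" with the verbose message proposed above.

```python
"""Sketch of BroControl-style parsing for a log expiry interval option.

Added example, not BroControl's own code. Assumptions: units are the
Bro-script interval units relevant here ("day", "hr", "min", optionally
pluralised), a bare number keeps the original meaning of days, and the
result feeds `find -mmin +N` instead of the day-granular `find -mtime +N`.
"""
import re

OPTION = "logexpireinterval"
UNITS = ("day", "hr", "min")                    # order used in the error text
MINUTES_PER_UNIT = {"min": 1, "hr": 60, "day": 24 * 60}
_VALUE_RE = re.compile(r"^\s*(\d+)\s*([A-Za-z]*)\s*$")


class OptionError(ValueError):
    """Raised with the message a user would see from broctl."""


def invalid_message(value: str, option: str = OPTION) -> str:
    """Verbose error text naming the accepted units, as suggested in the thread."""
    units = ", ".join('"%s"' % u for u in UNITS[:-1]) + ', and "%s"' % UNITS[-1]
    return ('value of broctl option "%s" is invalid: "%s". '
            "Only time units %s are recognized" % (option, value, units))


def parse_expire_interval(value: str, option: str = OPTION) -> int:
    """Convert e.g. "10hr", "5days", "30min" or "7" to whole minutes."""
    m = _VALUE_RE.match(value)
    if not m:
        raise OptionError(invalid_message(value, option))
    number, unit = int(m.group(1)), m.group(2).lower()
    if unit == "":
        unit = "day"                             # bare number: days (assumed)
    elif unit.endswith("s") and unit[:-1] in MINUTES_PER_UNIT:
        unit = unit[:-1]                         # "5days" -> "day", "10hrs" -> "hr"
    if unit not in MINUTES_PER_UNIT:
        raise OptionError(invalid_message(value, option))   # e.g. "12hours"
    return number * MINUTES_PER_UNIT[unit]


def check_option(value: str) -> str:
    """Return "" for a valid value, otherwise the error message broctl would print."""
    try:
        parse_expire_interval(value)
    except OptionError as err:
        return str(err)
    return ""


def find_args(value: str) -> list:
    """find(1) predicate selecting files last modified more than the interval ago."""
    return ["-mmin", "+%d" % parse_expire_interval(value)]


if __name__ == "__main__":
    for sample in ("10hr", "5days", "7", "12hours"):   # constructed inputs
        print(sample, "->", check_option(sample) or find_args(sample))
```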
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 20 Jan 2016 19:47:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1526) Radiotap support

    [ https://bro-tracker.atlassian.net/browse/BIT-1526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1526:
-------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

From jira at bro-tracker.atlassian.net Wed Jan 20 17:49:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Wed, 20 Jan 2016 19:49:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1526) Radiotap support

    [ https://bro-tracker.atlassian.net/browse/BIT-1526?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23912#comment-23912 ]

Johanna Amann commented on BIT-1526:
------------------------------------

I removed one boundary check when merging this, which I think was unnecessary (it only accessed the current element which was already checked with the boundary check before). Could you perhaps take a short look to see that I did not mess this up?

From noreply at bro.org Thu Jan 21 00:00:31 2016
From: noreply at bro.org (Merge Tracker)
Date: Thu, 21 Jan 2016 00:00:31 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601210800.u0L80VMQ031845@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter       Assignee  Updated     For Version  Priority  Summary
------------  ---------  -------------  --------  ----------  -----------  --------  ----------------------------------------
BIT-1527 [1]  Bro        Johanna Amann  -         2016-01-19  2.5          Normal    Please merge topic/johanna/cve-2015-3194

Open GitHub Pull Requests
=========================

Issue    Component  User        Updated     Title
-------  ---------  ----------  ----------  -------------------------------------
#52 [2]  bro        J-Gras [3]  2016-01-18  Fixed matching mail address intel [4]

[1] BIT-1527          https://bro-tracker.atlassian.net/browse/BIT-1527
[2] Pull Request #52  https://github.com/bro/bro/pull/52
[3] J-Gras            https://github.com/J-Gras
[4] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507

From jira at bro-tracker.atlassian.net Thu Jan 21 07:24:00 2016
From: jira at bro-tracker.atlassian.net (Jan Grashoefer (JIRA))
Date: Thu, 21 Jan 2016 09:24:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1507) Intel framework does not match mail addresses properly

    [ https://bro-tracker.atlassian.net/browse/BIT-1507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Grashoefer updated BIT-1507:
--------------------------------

    Status: Merge Request  (was: Open)

> Intel framework does not match mail addresses properly
> ------------------------------------------------------
>
>                 Key: BIT-1507
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1507
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.4
>         Environment: All
>            Reporter: Jan Grashoefer
>            Priority: Low
>              Labels: intel-framework
>
> Some time ago someone in #bro asked for matching mail addresses using the intel-framework. We realized that the [seen-script|https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/smtp.bro] seems to contain a bug: Using {code}split_string_n(mail_address, /<.+>/, T, 1){code} to extract a mail address misses the last character and does not respect the possibility of multiple addresses.
> I will add a pcap later.

From jira at bro-tracker.atlassian.net Thu Jan 21 07:47:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 21 Jan 2016 09:47:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1525) Support Internet Message Format for SMTP

    [ https://bro-tracker.atlassian.net/browse/BIT-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall reassigned BIT-1525:
------------------------------

    Assignee: Seth Hall

> Support Internet Message Format for SMTP
> ----------------------------------------
>
> Key: BIT-1525
> URL: https://bro-tracker.atlassian.net/browse/BIT-1525
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Environment: All
> Reporter: Jan Grashoefer
> Assignee: Seth Hall
> Priority: Low
> Labels: SMTP, analyzer
>
> Having a look at an [issue|https://bro-tracker.atlassian.net/browse/BIT-1507?focusedCommentId=23300&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-23300] I noticed a problem with SMTP: Bro assumes that e.g. the To-field contains a comma-separated list of mail-addresses. According to [RFC 5322|https://tools.ietf.org/html/rfc5322#section-3.6.3] there is also the possibility to use groups (see below).
> {code}
> To: "Test Group":,;
> {code}
> Regarding groups I am not sure whether they can be nested. If I am not mistaken, the [grammar|https://tools.ietf.org/html/rfc5322#section-3.4] in the RFC would allow nested groups. But in my understanding this is not desired for the Destination Address Fields:
> {quote}
> the field name, which is either "To", "Cc", or "Bcc", followed by a comma-separated list of one or more addresses (either mailbox or group syntax)
> {quote}
> That leads to two questions:
> # Would it be sufficient for Bro to log just the addresses (usually what's inside < and >) without description (quoted with " )?
> # Should Bro support nested group-syntax?
> I think option 1 (just log the plain addresses) should be sufficient, because if someone is interested in more details, one could have a look at the raw headers.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 21 08:17:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 21 Jan 2016 10:17:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1444) Connection logging for ESP

    [ https://bro-tracker.atlassian.net/browse/BIT-1444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23913#comment-23913 ]

Adam Slagell commented on BIT-1444:
-----------------------------------

Status?

> Connection logging for ESP
> --------------------------
>
> Key: BIT-1444
> URL: https://bro-tracker.atlassian.net/browse/BIT-1444
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Jimmy Jones
> Assignee: Vlad Grigorescu
> Priority: Low
>
> I'd like to be able to track ESP (IPSec) connections in conn.log. Although ESP is encrypted, the ability to track volumes and pattern of life etc would be beneficial when doing intrusion analysis.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 21 10:52:00 2016
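As an added illustration of the two parsing problems raised in BIT-1507 (one greedy `<.+>` match applied to a header carrying several addresses) and BIT-1525 (RFC 5322 group syntax), here is Python rather than Bro script; it is not code from the tracker, from the seen-script or from Bro, and the header values are constructed. The greedy pattern is shown beside a small one-pass extractor that honours quoted display names, comments, angle-addrs and groups and returns only the bare addr-specs (the "option 1" logging discussed above).

```python
import re
from typing import List

# Constructed To-header values, not taken from the tracker threads.
SAMPLES = {
    "two_mailboxes": 'Alice <alice@example.com>, "Bob, Jr." <bob@example.org>',
    "empty_group": '"Test Group":;',
    "group_and_bare": 'Team: carol@example.net, Dave (ops) <dave@example.net>;, eve@example.com',
}

GREEDY = re.compile(r"<.+>")


def naive_extract(header: str) -> List[str]:
    """Single greedy <.+> match: the shape of the extraction BIT-1507 reports as buggy.
    With several mailboxes it spans from the first '<' to the last '>' as one token,
    and bare addr-specs (no angle brackets) are never seen at all."""
    m = GREEDY.search(header)
    return [m.group(0)] if m else []


def extract_addresses(header: str) -> List[str]:
    """One pass over a To/Cc/Bcc value returning bare addr-specs, honouring quoted
    display names, comments, angle-addrs and group syntax (name ':' mailbox-list ';').
    Assumption: quoted local parts ("john doe"@x) are not handled; they are rare."""
    out: List[str] = []
    buf: List[str] = []            # bare token under construction (possible addr-spec)
    i, n = 0, len(header)

    def flush() -> None:
        tok = "".join(buf).strip()
        buf.clear()
        if "@" in tok:             # a bare token is an address only if it has a domain part
            out.append(tok)

    while i < n:
        c = header[i]
        if c == '"':               # quoted display name: skip it, honouring \" escapes
            j = i + 1
            while j < n and header[j] != '"':
                j += 2 if header[j] == "\\" else 1
            buf.clear()
            i = j + 1
            continue
        if c == "(":               # comment: skip to the matching ')'
            depth = 0
            while i < n:
                depth += (header[i] == "(") - (header[i] == ")")
                i += 1
                if depth == 0:
                    break
            continue
        if c == "<":               # angle-addr: take exactly up to the next '>'
            j = header.find(">", i + 1)
            if j == -1:
                break              # unterminated angle-addr: stop rather than guess
            out.append(header[i + 1:j].strip())
            buf.clear()            # whatever preceded '<' was the display name
            i = j + 1
            continue
        if c in ",;:":             # ',' separates; ':' opens a group, ';' closes it
            flush()
            i += 1
            continue
        buf.append(c)
        i += 1
    flush()
    return out


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name}: greedy={naive_extract(value)} parsed={extract_addresses(value)}")
```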
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 21 Jan 2016 12:52:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

    [ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23914#comment-23914 ]

Justin Azoff commented on BIT-1510:
-----------------------------------

Hmm.. Often the cause of that is the OOM killer.. so potentially a note about that could be useful, as well as potentially including part of the dmesg output in the email.

> Crash reports when no crash happened
> ------------------------------------
>
> Key: BIT-1510
> URL: https://bro-tracker.atlassian.net/browse/BIT-1510
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Fix For: 2.5
>
> We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.
> The crash report typically has the following text and no backtrace:
> ==== stderr.log
> KILLED
> received termination signal

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 21 10:56:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 21 Jan 2016 12:56:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1486) Bro crashes when trying to Start

    [ https://bro-tracker.atlassian.net/browse/BIT-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23915#comment-23915 ]

Justin Azoff commented on BIT-1486:
-----------------------------------

BIT-1515 (The Interface setup plugin) should fix this issue. It's not really a bro issue, but the plugin makes configuring the interfaces at the OS level no longer a requirement.

> Bro crashes when trying to Start
> --------------------------------
>
> Key: BIT-1486
> URL: https://bro-tracker.atlassian.net/browse/BIT-1486
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: It's on a Centos 6 OS version and we are in the process of transitioning from an onboard NIC to a Myricom 10G fiber interface card.
> Reporter: Gabriel Dinkins
> Labels: broctl
>
> Upon trying to start the Bro IDS software it continually crashes. Upon checking the "diag" it states:
> ==== stderr.log
> fatal error: problem with interface p3p1 (p3p1: no IPv4 address assigned)

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 21 11:40:00 2016
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Thu, 21 Jan 2016 13:40:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1528) SNMP and SIP scans show up in known services.

Justin Azoff created BIT-1528:
---------------------------------

    Summary: SNMP and SIP scans show up in known services.
    Key: BIT-1528
    URL: https://bro-tracker.atlassian.net/browse/BIT-1528
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: 2.4
    Reporter: Justin Azoff
    Assignee: Vlad Grigorescu
    Fix For: 2.5

It appears that single packet SIP and SNMP scans cause the destination host to end up in known_services as running a SIP or SNMP service, even though they are not running that service and did not respond to the packet.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 21 12:51:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 21 Jan 2016 14:51:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

    [ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1510:
-------------------------------

    Component/s: BroControl  (was: Bro)

> Crash reports when no crash happened
> ------------------------------------
>
> Key: BIT-1510
> URL: https://bro-tracker.atlassian.net/browse/BIT-1510
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Seth Hall
> Fix For: 2.5
>
> We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.
> The crash report typically has the following text and no backtrace:
> ==== stderr.log
> KILLED
> received termination signal

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 21 13:02:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 21 Jan 2016 15:02:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1522) Broker listener takes a long time to shut down on cluster stop/restart

    [ https://bro-tracker.atlassian.net/browse/BIT-1522?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1522:
-------------------------------

    Fix Version/s: 2.5

> Broker listener takes a long time to shut down on cluster stop/restart
> ----------------------------------------------------------------------
>
> Key: BIT-1522
> URL: https://bro-tracker.atlassian.net/browse/BIT-1522
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Broker
> Affects Versions: 2.4
> Environment: Ubuntu 14.04, Bro 2.4.1 with Broker
> Reporter: Stephen Hosom
> Fix For: 2.5
>
> It looks like when shutting down Broker, the listener sticks around for an exceptionally long time (as much as a minute or more). Because of this, Broker's listener actually fails to re-bind to the port on the next cluster start silently. All Broker communication then fails to work silently. It can take a while to notice this failure, since nothing really complains.
> The listener should probably shut down faster than 1 minute... but it might also make sense to add options to have the listener retry to start, or generate a failure message when it doesn't start. Maybe listener starts in bro_init should actually cause Bro to stop, so that the user sees the failure immediately?

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 21 13:04:00 2016
From: jira at bro-tracker.atlassian.net (Johanna Amann (JIRA))
Date: Thu, 21 Jan 2016 15:04:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1522) Broker listener takes a long time to shut down on cluster stop/restart

    [ https://bro-tracker.atlassian.net/browse/BIT-1522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23916#comment-23916 ]

Johanna Amann commented on BIT-1522:
------------------------------------

Can you perhaps give a bit more details about this? After reading it, I am not quite sure if Bro takes a long time to shut down, or if Broker takes a long time to shut down in an external application? Is there some easy way that you can give us to reproduce this?

> Broker listener takes a long time to shut down on cluster stop/restart
> ----------------------------------------------------------------------
>
> Key: BIT-1522
> URL: https://bro-tracker.atlassian.net/browse/BIT-1522
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Broker
> Affects Versions: 2.4
> Environment: Ubuntu 14.04, Bro 2.4.1 with Broker
> Reporter: Stephen Hosom
> Fix For: 2.5
>
> It looks like when shutting down Broker, the listener sticks around for an exceptionally long time (as much as a minute or more). Because of this, Broker's listener actually fails to re-bind to the port on the next cluster start silently. All Broker communication then fails to work silently. It can take a while to notice this failure, since nothing really complains.
> The listener should probably shut down faster than 1 minute... but it might also make sense to add options to have the listener retry to start, or generate a failure message when it doesn't start. Maybe listener starts in bro_init should actually cause Bro to stop, so that the user sees the failure immediately?

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 21 14:32:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 21 Jan 2016 16:32:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

    [ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23917#comment-23917 ]

Daniel Thayer commented on BIT-1510:
------------------------------------

Currently, when "broctl stop" sends SIGTERM to Bro, if a Bro process terminates but does not write "TERMINATED" to its ".status" file, then broctl marks the process as "crashed" (and the user sees a message such as "worker-1 crashed during shutdown"). If a user then runs "broctl status", they will see that node is "crashed". Then, when "broctl start" runs, it sees the crashed status and sends a crash report.

Seth, is this the scenario that you want changed? (i.e., in the above scenario, a "broctl stop" would still output "worker-1 crashed during shutdown", but then "broctl status" would show the node as "stopped" instead of "crashed")

> Crash reports when no crash happened
> ------------------------------------
>
> Key: BIT-1510
> URL: https://bro-tracker.atlassian.net/browse/BIT-1510
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Seth Hall
> Fix For: 2.5
>
> We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.
> The crash report typically has the following text and no backtrace:
> ==== stderr.log
> KILLED
> received termination signal

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 21 14:44:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 21 Jan 2016 16:44:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

    [ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23918#comment-23918 ]

Daniel Thayer commented on BIT-1510:
------------------------------------

I forgot to mention that a node does not enter the "crashed" state (and therefore, there is no crash report sent) in the case when "broctl stop" sends a SIGKILL (this happens when SIGTERM does not terminate Bro).

> Crash reports when no crash happened
> ------------------------------------
>
> Key: BIT-1510
> URL: https://bro-tracker.atlassian.net/browse/BIT-1510
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Seth Hall
> Fix For: 2.5
>
> We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.
> The crash report typically has the following text and no backtrace:
> ==== stderr.log
> KILLED
> received termination signal

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 21 20:29:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 21 Jan 2016 22:29:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

    [ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23919#comment-23919 ]

Seth Hall commented on BIT-1510:
--------------------------------

Yeah, I don't think we should be sending crash reports in those cases. Just because Bro wasn't shutting down quickly enough we shouldn't be indicating to users that it crashed. I've seen a number of cases where Bro left to its own devices will take an extended period to shut down due to running scripts as it flushes the connection table and other internal processing. Telling people that it crashed is definitely wrong and those reports don't have anything that would be useful to anyone.

> Crash reports when no crash happened
> ------------------------------------
>
> Key: BIT-1510
> URL: https://bro-tracker.atlassian.net/browse/BIT-1510
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Seth Hall
> Fix For: 2.5
>
> We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.
> The crash report typically has the following text and no backtrace:
> ==== stderr.log
> KILLED
> received termination signal

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From noreply at bro.org Fri Jan 22 00:00:27 2016
From: noreply at bro.org (Merge Tracker)
Date: Fri, 22 Jan 2016 00:00:27 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601220800.u0M80RDd030176@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter        Assignee  Updated     For Version  Priority  Summary
------------  ---------  --------------  --------  ----------  -----------  --------  ------------------------------------------------------
BIT-1527 [1]  Bro        Johanna Amann   -         2016-01-19  2.5          Normal    Please merge topic/johanna/cve-2015-3194
BIT-1507 [2]  Bro        Jan Grashoefer  -         2016-01-21  -            Low       Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue    Component  User        Updated     Title
-------  ---------  ----------  ----------  -------------------------------------
#52 [3]  bro        J-Gras [4]  2016-01-18  Fixed matching mail address intel [5]

[1] BIT-1527 https://bro-tracker.atlassian.net/browse/BIT-1527
[2] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[3] Pull Request #52 https://github.com/bro/bro/pull/52
[4] J-Gras https://github.com/J-Gras
[5] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507

From jira at bro-tracker.atlassian.net Fri Jan 22 05:03:00 2016
From: jira at bro-tracker.atlassian.net (Stephen Hosom (JIRA))
Date: Fri, 22 Jan 2016 07:03:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1522) Broker listener takes a long time to shut down on cluster stop/restart

    [ https://bro-tracker.atlassian.net/browse/BIT-1522?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Hosom updated BIT-1522:
--------------------------------

    Attachment: broker-shutdown-test.bro

> Broker listener takes a long time to shut down on cluster stop/restart
> ----------------------------------------------------------------------
>
> Key: BIT-1522
> URL: https://bro-tracker.atlassian.net/browse/BIT-1522
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Broker
> Affects Versions: 2.4
> Environment: Ubuntu 14.04, Bro 2.4.1 with Broker
> Reporter: Stephen Hosom
> Fix For: 2.5
> Attachments: broker-shutdown-test.bro
>
> It looks like when shutting down Broker, the listener sticks around for an exceptionally long time (as much as a minute or more). Because of this, Broker's listener actually fails to re-bind to the port on the next cluster start silently. All Broker communication then fails to work silently. It can take a while to notice this failure, since nothing really complains.
> The listener should probably shut down faster than 1 minute... but it might also make sense to add options to have the listener retry to start, or generate a failure message when it doesn't start. Maybe listener starts in bro_init should actually cause Bro to stop, so that the user sees the failure immediately?

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Fri Jan 22 05:04:00 2016
From: jira at bro-tracker.atlassian.net (Stephen Hosom (JIRA))
Date: Fri, 22 Jan 2016 07:04:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1522) Broker listener takes a long time to shut down on cluster stop/restart

    [ https://bro-tracker.atlassian.net/browse/BIT-1522?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Hosom updated BIT-1522:
--------------------------------

    Attachment: (was: broker-shutdown-test.bro)

> Broker listener takes a long time to shut down on cluster stop/restart
> ----------------------------------------------------------------------
>
> Key: BIT-1522
> URL: https://bro-tracker.atlassian.net/browse/BIT-1522
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Broker
> Affects Versions: 2.4
> Environment: Ubuntu 14.04, Bro 2.4.1 with Broker
> Reporter: Stephen Hosom
> Fix For: 2.5
> Attachments: broker-shutdown-test.bro
>
> It looks like when shutting down Broker, the listener sticks around for an exceptionally long time (as much as a minute or more). Because of this, Broker's listener actually fails to re-bind to the port on the next cluster start silently. All Broker communication then fails to work silently. It can take a while to notice this failure, since nothing really complains.
> The listener should probably shut down faster than 1 minute... but it might also make sense to add options to have the listener retry to start, or generate a failure message when it doesn't start. Maybe listener starts in bro_init should actually cause Bro to stop, so that the user sees the failure immediately?

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Fri Jan 22 05:04:00 2016
From: jira at bro-tracker.atlassian.net (Stephen Hosom (JIRA))
Date: Fri, 22 Jan 2016 07:04:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1522) Broker listener takes a long time to shut down on cluster stop/restart

    [ https://bro-tracker.atlassian.net/browse/BIT-1522?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Hosom updated BIT-1522:
--------------------------------

    Attachment: broker-shutdown-test.bro

> Broker listener takes a long time to shut down on cluster stop/restart
> ----------------------------------------------------------------------
>
> Key: BIT-1522
> URL: https://bro-tracker.atlassian.net/browse/BIT-1522
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Broker
> Affects Versions: 2.4
> Environment: Ubuntu 14.04, Bro 2.4.1 with Broker
> Reporter: Stephen Hosom
> Fix For: 2.5
> Attachments: broker-shutdown-test.bro
>
> It looks like when shutting down Broker, the listener sticks around for an exceptionally long time (as much as a minute or more). Because of this, Broker's listener actually fails to re-bind to the port on the next cluster start silently. All Broker communication then fails to work silently. It can take a while to notice this failure, since nothing really complains.
> The listener should probably shut down faster than 1 minute... but it might also make sense to add options to have the listener retry to start, or generate a failure message when it doesn't start. Maybe listener starts in bro_init should actually cause Bro to stop, so that the user sees the failure immediately?

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Fri Jan 22 05:13:00 2016
From: jira at bro-tracker.atlassian.net (Stephen Hosom (JIRA))
Date: Fri, 22 Jan 2016 07:13:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1522) Broker listener takes a long time to shut down on cluster stop/restart

    [ https://bro-tracker.atlassian.net/browse/BIT-1522?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23920#comment-23920 ]

Stephen Hosom commented on BIT-1522:
-------------------------------------

I can see how that would be confusing. The attached file should recreate the issue. To observe the issue:
# Add the script to your configuration
# Start Bro as a cluster using broctl start
# Observe listeners with "watch netstat -tulpn" (port 9999 should be in use)
# Stop Bro using broctl stop

At this point, the port 9999 listener stays around for as much as 60-120 seconds before going away. Because of this, a broctl deploy or broctl restart will result in Broker being unable to bind to the same port and Broker event communications will fail.

Oddly enough, when I tried to recreate this with a standalone instance, I wasn't able to do so. I could only recreate the issue using broctl to start and stop bro as a cluster.

> Broker listener takes a long time to shut down on cluster stop/restart
> ----------------------------------------------------------------------
>
> Key: BIT-1522
> URL: https://bro-tracker.atlassian.net/browse/BIT-1522
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Broker
> Affects Versions: 2.4
> Environment: Ubuntu 14.04, Bro 2.4.1 with Broker
> Reporter: Stephen Hosom
> Fix For: 2.5
> Attachments: broker-shutdown-test.bro
>
> It looks like when shutting down Broker, the listener sticks around for an exceptionally long time (as much as a minute or more). Because of this, Broker's listener actually fails to re-bind to the port on the next cluster start silently. All Broker communication then fails to work silently. It can take a while to notice this failure, since nothing really complains.
> The listener should probably shut down faster than 1 minute... but it might also make sense to add options to have the listener retry to start, or generate a failure message when it doesn't start. Maybe listener starts in bro_init should actually cause Bro to stop, so that the user sees the failure immediately?

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Fri Jan 22 07:51:00 2016
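The BIT-1522 report above asks for two mitigations that Broker did not have at the time: retrying the listener start and failing loudly instead of silently when the port cannot be bound. As an added example (Python, not Broker or broctl code), the probe below binds the port the way a fresh listener would, polls for a bounded time, and produces a message that names the port and the lingering-listener cause; the 120 s default comes from the 60-120 s window reported in the comment, and `hold_port` is only a stand-in for the old listener so the behaviour can be reproduced offline.

```python
import socket
import time


def port_is_bindable(port: int, host: str = "127.0.0.1") -> bool:
    """Attempt the same TCP bind a new Broker listener would need and release it at once.
    False means something (for instance the previous cluster's listener) still holds the port.
    No SO_REUSEADDR/SO_REUSEPORT is set: the probe must see exactly what a plain bind sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def wait_for_listener_port(port: int, timeout_s: float = 120.0,
                           interval_s: float = 2.0, host: str = "127.0.0.1") -> dict:
    """Poll until the port can be bound or the timeout elapses (the 'retry to start' option
    the report asks for). Returns the outcome plus attempt count and elapsed time so the
    caller has something concrete to report instead of a silent failure."""
    start = time.monotonic()
    attempts = 0
    while True:
        attempts += 1
        if port_is_bindable(port, host):
            return {"ok": True, "attempts": attempts, "elapsed": time.monotonic() - start}
        elapsed = time.monotonic() - start
        if elapsed >= timeout_s:
            return {"ok": False, "attempts": attempts, "elapsed": elapsed}
        time.sleep(min(interval_s, max(0.0, timeout_s - elapsed)))


def failure_message(port: int, result: dict) -> str:
    """The loud failure the report proposes, suitable for stderr or a broctl-style notice."""
    return (f"Broker listener could not bind TCP port {port} after {result['attempts']} "
            f"attempts over {result['elapsed']:.1f}s; a listener from the previous run may "
            f"still hold the port. Refusing to start with Broker communication disabled.")


def hold_port(host: str = "127.0.0.1") -> socket.socket:
    """Stand-in for the lingering listener: bind an ephemeral port and keep it open.
    Constructed for the demonstration; the real case is the old Broker listener."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    old = hold_port()
    port = old.getsockname()[1]
    result = wait_for_listener_port(port, timeout_s=1.0, interval_s=0.25)
    if not result["ok"]:
        print(failure_message(port, result))
    old.close()                      # the old listener finally goes away ...
    print(wait_for_listener_port(port, timeout_s=1.0, interval_s=0.25))   # ... and the bind succeeds
```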
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Fri, 22 Jan 2016 09:51:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1516) openbsd build issues

    [ https://bro-tracker.atlassian.net/browse/BIT-1516?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Azoff reassigned BIT-1516:
---------------------------------

    Assignee: Justin Azoff

> openbsd build issues
> --------------------
>
> Key: BIT-1516
> URL: https://bro-tracker.atlassian.net/browse/BIT-1516
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: OpenBSD
> Reporter: Justin Azoff
> Assignee: Justin Azoff
> Priority: Low
> Labels: openbsd
> Attachments: openbsd_diag.log.gz
>
> Someone on IRC asked about bro on openbsd issues. I took a look and here is what I have found so far. There are 3 issues:
> bro needs the libbind port installed to build, but cmake has trouble finding it
> Changing FindBIND.cmake lets configure work:
> {code}
> - HINTS ${BIND_ROOT_DIR}/lib
> + HINTS ${BIND_ROOT_DIR}/lib/libbind
> {code}
> This probably needs to be
> {code}
> HINTS ${BIND_ROOT_DIR}/lib ${BIND_ROOT_DIR}/lib/libbind
> {code}
> or such to not break other platforms
> The second is that {code}pcap_offline_filter{code} does not exist in the version of pcap it has (though I did my testing on openbsd 5.5 so the latest (5.8) may be different)
> Finally, openbsd does not have {code}wordexp{code} so src/broxygen/Manager.cc does not build. I ifdef'd out most of {code}Manager::Manager{code} and bro built ok after that. I'm not sure what it is doing there anyway..

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Fri Jan 22 10:21:00 2016
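Review bot: the `-`/`+` pair for FindBIND.cmake in BIT-1516 replaces the `HINTS ${BIND_ROOT_DIR}/lib` lookup rather than extending it, so the change makes configure succeed on OpenBSD only by breaking every platform whose libbind lives directly under `lib`; the reporter already notes this, and the combined form given right after the hunk, `HINTS ${BIND_ROOT_DIR}/lib ${BIND_ROOT_DIR}/lib/libbind`, is the one that should actually be submitted, since CMake searches HINTS in order and a second path costs nothing where the first one matches.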
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 22 Jan 2016 12:21:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened

    [ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23921#comment-23921 ]

Daniel Thayer commented on BIT-1510:
------------------------------------

OK, but just to be clear, the case that you mention (when bro just takes too long to shut down and has to be killed with SIGKILL) is already not being handled as a "crash".

> Crash reports when no crash happened
> ------------------------------------
>
> Key: BIT-1510
> URL: https://bro-tracker.atlassian.net/browse/BIT-1510
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Seth Hall
> Fix For: 2.5
>
> We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.
> The crash report typically has the following text and no backtrace:
> ==== stderr.log
> KILLED
> received termination signal

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Fri Jan 22 12:24:00 2016
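The BIT-1510 comments above spell out three exit cases: SIGTERM followed by a "TERMINATED" status file (a clean stop), SIGTERM with no status but the "received termination signal" text in stderr.log (reported as a crash today, to become a stop), and SIGKILL after a timeout (already not a crash). As an added example (Python, not broctl's code), the classifier below encodes that decision table together with Justin Azoff's suggestion of attaching the kernel OOM-killer lines for the dead pid to a genuine crash report; the dmesg sample is constructed in the format of the Linux OOM messages and the pid in it is made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The stderr.log text the issue quotes for a signal-driven shutdown with no backtrace.
TERMINATION_TEXT = "received termination signal"

# Constructed dmesg excerpt in the shape of Linux OOM-killer messages; pid 4242 is made up.
DMESG_SAMPLE = [
    "[ 8123.456789] Out of memory: Kill process 4242 (bro) score 912 or sacrifice child",
    "[ 8123.456901] Killed process 4242 (bro) total-vm:8123456kB, anon-rss:7900000kB",
    "[ 8130.000000] eth0: link up",
]
OOM_RE = re.compile(r"Killed process (\d+) \((\S+)\)")


@dataclass
class NodeExit:
    name: str
    signal_sent: Optional[str]   # "SIGTERM", "SIGKILL", or None when broctl did not stop it
    status_file: str             # contents of the node's .status file
    stderr_tail: str             # last lines of the node's stderr.log


def classify(node: NodeExit) -> str:
    """Return 'stopped' or 'crashed' following the behaviour the thread converges on:
    an exit that broctl itself caused is a stop, even when TERMINATED was never written."""
    if "TERMINATED" in node.status_file:
        return "stopped"                      # orderly shutdown completed
    if node.signal_sent == "SIGKILL":
        return "stopped"                      # timeout kill; already not a crash per Daniel Thayer
    if node.signal_sent == "SIGTERM" and TERMINATION_TEXT in node.stderr_tail:
        return "stopped"                      # the proposed change: signal-driven exit, no backtrace
    return "crashed"                          # died on its own (or with a real backtrace)


def oom_evidence(dmesg_lines: List[str], pid: int) -> List[str]:
    """Kernel OOM-killer lines naming this pid, for inclusion in the report (Justin's suggestion)."""
    hits = []
    for line in dmesg_lines:
        m = OOM_RE.search(line)
        if m and int(m.group(1)) == pid:
            hits.append(line)
    return hits


def crash_report(node: NodeExit, pid: int, dmesg_lines: List[str]) -> Optional[str]:
    """None when no report should be sent; otherwise the report body, with the stderr tail
    and, when the OOM killer took the process, the matching dmesg lines."""
    if classify(node) != "crashed":
        return None
    body = [f"{node.name} crashed", "==== stderr.log", node.stderr_tail.rstrip()]
    oom = oom_evidence(dmesg_lines, pid)
    if oom:
        body.append("==== dmesg (OOM killer)")
        body.extend(oom)
    return "\n".join(body)


if __name__ == "__main__":
    signalled = NodeExit("worker-1", "SIGTERM", "", "KILLED\nreceived termination signal\n")
    real = NodeExit("worker-2", None, "", "")
    print(classify(signalled), crash_report(signalled, 4242, DMESG_SAMPLE))
    print(classify(real))
    print(crash_report(real, 4242, DMESG_SAMPLE))
```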
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Fri, 22 Jan 2016 14:24:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1529) Base SIP scripts missing SUBSCRIBE and NOTIFY

Seth Hall created BIT-1529:
------------------------------

    Summary: Base SIP scripts missing SUBSCRIBE and NOTIFY
    Key: BIT-1529
    URL: https://bro-tracker.atlassian.net/browse/BIT-1529
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Seth Hall

The base/protocols/sip/main.bro script has a set in `sip_methods` which needs to have SUBSCRIBE and NOTIFY added. They're defined in RFC 3265.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From noreply at bro.org Sat Jan 23 00:00:33 2016
From: noreply at bro.org (Merge Tracker)
Date: Sat, 23 Jan 2016 00:00:33 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601230800.u0N80Xin004194@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter        Assignee  Updated     For Version  Priority  Summary
------------  ---------  --------------  --------  ----------  -----------  --------  ------------------------------------------------------
BIT-1527 [1]  Bro        Johanna Amann   -         2016-01-19  2.5          Normal    Please merge topic/johanna/cve-2015-3194
BIT-1507 [2]  Bro        Jan Grashoefer  -         2016-01-21  -            Low       Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue    Component  User        Updated     Title
-------  ---------  ----------  ----------  -------------------------------------
#52 [3]  bro        J-Gras [4]  2016-01-18  Fixed matching mail address intel [5]

[1] BIT-1527 https://bro-tracker.atlassian.net/browse/BIT-1527
[2] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[3] Pull Request #52 https://github.com/bro/bro/pull/52
[4] J-Gras https://github.com/J-Gras
[5] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507

From noreply at bro.org Sun Jan 24 00:00:20 2016
From: noreply at bro.org (Merge Tracker)
Date: Sun, 24 Jan 2016 00:00:20 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601240800.u0O80Kmb026573@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter        Assignee  Updated     For Version  Priority  Summary
------------  ---------  --------------  --------  ----------  -----------  --------  ------------------------------------------------------
BIT-1527 [1]  Bro        Johanna Amann   -         2016-01-19  2.5          Normal    Please merge topic/johanna/cve-2015-3194
BIT-1507 [2]  Bro        Jan Grashoefer  -         2016-01-21  -            Low       Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue    Component     User          Updated     Title
-------  ------------  ------------  ----------  -----------------------------------------------------------------------------------
#52 [3]  bro           J-Gras [4]    2016-01-18  Fixed matching mail address intel [5]
#10 [6]  pysubnettree  jroyalty [7]  2016-01-23  Added prefixes() method to return all prefixes in the tree as a set of strings. [8]

[1] BIT-1527 https://bro-tracker.atlassian.net/browse/BIT-1527
[2] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[3] Pull Request #52 https://github.com/bro/bro/pull/52
[4] J-Gras https://github.com/J-Gras
[5] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[6] Pull Request #10 https://github.com/bro/pysubnettree/pull/10
[7] jroyalty https://github.com/jroyalty
[8] Merge Pull Request #10 with git pull --no-ff --no-commit https://github.com/jroyalty/pysubnettree.git topic/jroyalty/prefixset

From jira at bro-tracker.atlassian.net Sun Jan 24 08:01:00 2016
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Sun, 24 Jan 2016 10:01:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1510) Crash reports when no crash happened
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=23922#comment-23922 ]

Seth Hall commented on BIT-1510:
--------------------------------

I'm actually not completely sure of all of the cases where broctl ends up sending a notification, but there are a number of cases where it sends reports when it shouldn't.

> Crash reports when no crash happened
> ------------------------------------
>
> Key: BIT-1510
> URL: https://bro-tracker.atlassian.net/browse/BIT-1510
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: git/master
> Reporter: Seth Hall
> Fix For: 2.5
>
> We need to make broctl stop sending crash reports when Bro was shut down by a signal. It's confusing for users because they will get these emails sporadically when restarting Bro.
> The crash report typically has the following text and no backtrace:
>
> ==== stderr.log
> KILLED
> received termination signal

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From noreply at bro.org Mon Jan 25 00:00:31 2016
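The check the ticket asks for, as an added example in Python (it is not BroControl's own code and does not reproduce how broctl decides to mail a report): look at a node's stderr.log and only treat it as a crash when a backtrace or core dump is present, so a shutdown by signal sends nothing. Both sample logs are constructed; the signal case repeats the two lines quoted in the ticket, the crash case uses made-up glibc-style backtrace frames.

```python
"""Classify a Bro node's stderr.log as "crash" or "signal" before mailing a
crash report. Added example, not BroControl code. Sample logs are constructed."""
import re

# Constructed sample: what the ticket says a signal shutdown leaves behind.
SIGNAL_STDERR = """KILLED
received termination signal
"""

# Constructed sample: a real abort with backtrace frames (made-up symbols).
CRASH_STDERR = """internal error: unexpected NULL pointer in analyzer
/usr/local/bro/bin/bro(_Z10bro_abortvPKcz+0x1f) [0x5a2f1f]
/usr/local/bro/bin/bro(_ZN8Analyzer11DeliverDataEPKhb+0x3d) [0x4d4e2d]
Aborted (core dumped)
"""

SIGNAL_MARKERS = ("received termination signal", "KILLED")

# One backtrace frame as glibc's backtrace_symbols() prints it:
#   /path/to/bro(symbol+0x1f) [0x5a2f1f]
FRAME_RE = re.compile(r"\(.*\+0x[0-9a-fA-F]+\)\s*\[0x[0-9a-fA-F]+\]$")


def extract_backtrace(text):
    """Return the backtrace frame lines found in a stderr.log, in order."""
    return [ln.strip() for ln in text.splitlines() if FRAME_RE.search(ln.strip())]


def classify_stderr(text):
    """'crash' if there is a backtrace or core dump, 'signal' if the log only
    reports a termination signal, 'unknown' otherwise."""
    if extract_backtrace(text) or "core dumped" in text:
        return "crash"
    if any(marker in text for marker in SIGNAL_MARKERS):
        return "signal"
    return "unknown"


def should_send_crash_report(text):
    """Only a clean signal shutdown suppresses the mail; 'unknown' still sends
    so that a silent failure is not hidden by the filter."""
    return classify_stderr(text) != "signal"


if __name__ == "__main__":
    for name, log in (("signal", SIGNAL_STDERR), ("crash", CRASH_STDERR)):
        print(name, "->", classify_stderr(log), "send:", should_send_crash_report(log))
```

The frame regex is the conservative part: a log that mentions KILLED but also carries frames is still reported as a crash, because a node killed while dumping a backtrace is exactly what an operator wants to hear about.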
From: noreply at bro.org (Merge Tracker)
Date: Mon, 25 Jan 2016 00:00:31 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601250800.u0P80V3g021664@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter        Assignee  Updated     For Version  Priority  Summary
------------  ---------  --------------  --------  ----------  -----------  --------  ------------------------------------------------------
BIT-1527 [1]  Bro        Johanna Amann   -         2016-01-19  2.5          Normal    Please merge topic/johanna/cve-2015-3194
BIT-1507 [2]  Bro        Jan Grashoefer  -         2016-01-21  -            Low       Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue    Component     User          Updated     Title
-------  ------------  ------------  ----------  -----------------------------------------------------------------------------------
#52 [3]  bro           J-Gras [4]    2016-01-18  Fixed matching mail address intel [5]
#10 [6]  pysubnettree  jroyalty [7]  2016-01-23  Added prefixes() method to return all prefixes in the tree as a set of strings. [8]

[1] BIT-1527 https://bro-tracker.atlassian.net/browse/BIT-1527
[2] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[3] Pull Request #52 https://github.com/bro/bro/pull/52
[4] J-Gras https://github.com/J-Gras
[5] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[6] Pull Request #10 https://github.com/bro/pysubnettree/pull/10
[7] jroyalty https://github.com/jroyalty
[8] Merge Pull Request #10 with git pull --no-ff --no-commit https://github.com/jroyalty/pysubnettree.git topic/jroyalty/prefixset

From martin.vanhensbergen at fox-it.com Mon Jan 25 08:17:14 2016
From: martin.vanhensbergen at fox-it.com (Martin van Hensbergen)
Date: Mon, 25 Jan 2016 16:17:14 +0000
Subject: [Bro-Dev] SMB2 - NTLM GSSAPI messages
Message-ID: <1453738634775.77119@fox-it.com>

Hello all,

We are using the topic/vladg/smb branch for its SMB support. This branch supports the parsing of SMB1/NTLM/SSP traffic, thereby parsing the so-called 'GSS-API' security blob which contains (among other things) the domain, user name and workstation name of the client attempting to authenticate.

Of course, the GSS-API protocol can also be done over SMB2, for which we would also like to have support. At first I was under the impression that this would be mutatis mutandis, since it obviously already supports these types of messages. It proved to be a little more difficult and I want to cross-check with the devs to see if I'm overlooking something.

It appears that the parsing of the GSSAPI is very much intertwined with the SMB parsing itself. The sequence of types defined, SMB_NTLM_SSP, GSS_APINEGTOKEN, GSS_API_INIT, ..., SMB_NTLM_AUTH, all require the SMB(1) header to be supplied. I think this makes it less trivial to make it quickly support SMB2.

There are two strategies that I can think of:

1) (pac level) Make a separate library of the parsing of the GSSAPI blob (as I think this is independent of whether SMB1 or SMB2 is used), which returns the parsed ASN1 structure when called. Then both the SMB1 and SMB2 parser can use these functions.

2) (bro script level) Make an ASN1 parser at the bro script level that does the parsing there. I would not opt for this route as it probably would be too slow and then we would have two places where this parsing is done.

Does anyone have insights what the best approach is or whether or not bro-dev is already busy with implementing this feature?

Thanks in advance!

-Martin
From seth at icir.org Mon Jan 25 08:33:56 2016
From: seth at icir.org (Seth Hall)
Date: Mon, 25 Jan 2016 11:33:56 -0500
Subject: [Bro-Dev] SMB2 - NTLM GSSAPI messages
In-Reply-To: <1453738634775.77119@fox-it.com>
References: <1453738634775.77119@fox-it.com>
Message-ID: <2EAC15A1-B618-459E-B3BE-F2A406DE5BF6@icir.org>

> On Jan 25, 2016, at 11:17 AM, Martin van Hensbergen wrote:
>
> 1) (pac level) Make a separate library of the parsing of the GSSAPI blob (as I think this is independent of whether SMB1 or SMB2 is used), which returns the parsed ASN1 structure when called. Then both the SMB1 and SMB2 parser can use these functions.

Yep, that's probably the right way. We never had enough time to get that integrated more cleanly.

> 2) (bro script level) Make an ASN1 parser at the bro script level that does the parsing there. I would not opt for this route as it probably would be too slow and then we would have two places where this parsing is done.

This is almost certainly not a great idea as you learned. :)

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From vlad at grigorescu.org Mon Jan 25 10:39:52 2016
From: vlad at grigorescu.org (Vlad Grigorescu)
Date: Mon, 25 Jan 2016 12:39:52 -0600
Subject: [Bro-Dev] SMB2 - NTLM GSSAPI messages
In-Reply-To: <2EAC15A1-B618-459E-B3BE-F2A406DE5BF6@icir.org>
References: <1453738634775.77119@fox-it.com> <2EAC15A1-B618-459E-B3BE-F2A406DE5BF6@icir.org>
Message-ID:

My intention for this was to do the parsing at the PAC level, but it wasn't possible at the time. In the meantime, BinPAC now supports including files from other directories, so just as ASN1 is now a BinPAC library shared by SNMP and Kerberos, I would envision GSSAPI becoming a library. This would also allow parsing of NTLM auth over HTTP.

--Vlad

On Mon, Jan 25, 2016 at 10:33 AM, Seth Hall wrote:

> > On Jan 25, 2016, at 11:17 AM, Martin van Hensbergen <martin.vanhensbergen at fox-it.com> wrote:
> >
> > 1) (pac level) Make a separate library of the parsing of the GSSAPI blob (as I think this is independent of whether SMB1 or SMB2 is used), which returns the parsed ASN1 structure when called. Then both the SMB1 and SMB2 parser can use these functions.
>
> Yep, that's probably the right way. We never had enough time to get that integrated more cleanly.
>
> > 2) (bro script level) Make an ASN1 parser at the bro script level that does the parsing there. I would not opt for this route as it probably would be too slow and then we would have two places where this parsing is done.
>
> This is almost certainly not a great idea as you learned. :)
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
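What Martin's option 1 and Vlad's library idea amount to, shown as an added Python example rather than BinPAC or any code from the topic/vladg/smb branch: the security blob that SMB1 and SMB2 Session Setup both carry is a SPNEGO token wrapping an NTLMSSP message, and the domain, user and workstation live inside the NTLMSSP AUTHENTICATE message with their own length/offset descriptors, so a parser that is handed just the blob needs no SMB header at all. The same function also accepts a bare NTLMSSP message, which is what NTLM over HTTP sends. The field layout follows MS-NLMP; the sample messages are constructed here, not captured traffic, and the latin-1 fallback for non-Unicode strings is an assumption (the real OEM code page depends on the host).

```python
"""Transport-independent parsing of the GSS-API/SPNEGO security blob that
carries NTLMSSP. Added example; not code from Bro or the SMB branch."""
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set
NEGOTIATE_VERSION = 0x02000000   # 8-byte Version field follows the flags


# --- minimal DER helpers (enough for the SPNEGO NegTokenResp wrapper) ------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value


def der_read_tlv(buf, pos):
    """Return (tag, value, next_pos); every length is bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of blob")
    return tag, buf[pos:pos + length], pos + length


# --- builders used only to construct the sample -----------------------------
def build_ntlmssp_authenticate(domain, user, workstation, nt_response=b"\x00" * 24):
    """AUTHENTICATE_MESSAGE with a Version block, so the fixed header is 72 bytes."""
    fields = [b"", nt_response,
              domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]
    header_len, descs, payload = 72, b"", b""
    for f in fields:                          # Len, MaxLen, BufferOffset
        descs += struct.pack("<HHI", len(f), len(f), header_len + len(payload))
        payload += f
    flags = NEGOTIATE_UNICODE | NEGOTIATE_VERSION
    version = bytes([10, 0]) + struct.pack("<H", 19041) + b"\x00\x00\x00\x0f"
    return (NTLMSSP_SIG + struct.pack("<I", NTLMSSP_AUTHENTICATE) + descs
            + struct.pack("<I", flags) + version + payload)


def wrap_spnego_negtokenresp(mech_token):
    """NegTokenResp ::= [1] SEQUENCE { [0] negState, [2] responseToken }"""
    neg_state = der_tlv(0xA0, der_tlv(0x0A, b"\x01"))     # accept-incomplete
    resp_token = der_tlv(0xA2, der_tlv(0x04, mech_token))
    return der_tlv(0xA1, der_tlv(0x30, neg_state + resp_token))


# --- the parser -----------------------------------------------------------
def find_ntlmssp(blob):
    """Walk the DER tree for the primitive that holds the NTLMSSP token; a
    bare NTLMSSP message (HTTP 'Authorization: NTLM') is returned as-is."""
    if blob.startswith(NTLMSSP_SIG):
        return blob
    pos = 0
    while pos < len(blob):
        tag, value, pos = der_read_tlv(blob, pos)
        if tag & 0x20:                        # constructed: descend
            found = find_ntlmssp(value)
            if found is not None:
                return found
        elif value.startswith(NTLMSSP_SIG):
            return value
    return None


def parse_ntlmssp_authenticate(msg):
    if not msg.startswith(NTLMSSP_SIG) or len(msg) < 64:
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype != NTLMSSP_AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE_MESSAGE (type %d)" % mtype)
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Assumption: non-Unicode (OEM) strings decoded as latin-1.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"

    def field(desc_off):
        ln, _max, off = struct.unpack_from("<HHI", msg, desc_off)
        if off + ln > len(msg):               # offsets are attacker-controlled
            raise ValueError("field descriptor at %d points outside message" % desc_off)
        return msg[off:off + ln]

    return {"domain": field(28).decode(enc), "user": field(36).decode(enc),
            "workstation": field(44).decode(enc), "nt_response_len": len(field(20))}


def parse_security_blob(blob):
    token = find_ntlmssp(blob)
    if token is None:
        raise ValueError("no NTLMSSP token in security blob")
    return parse_ntlmssp_authenticate(token)


if __name__ == "__main__":
    sample = wrap_spnego_negtokenresp(build_ntlmssp_authenticate("CORP", "alice", "WS01"))
    print(parse_security_blob(sample))
```

The bounds check in `field()` is the part an analyzer must not skip: the Len/Offset descriptors come from the wire, and an offset past the end of the message is the classic way to make a naive parser read out of bounds.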
From jira at bro-tracker.atlassian.net Mon Jan 25 14:05:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 25 Jan 2016 16:05:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1507) Intel framework does not match mail addresses properly
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1507:
---------------------------------

Assignee: Seth Hall

> Intel framework does not match mail addresses properly
> ------------------------------------------------------
>
> Key: BIT-1507
> URL: https://bro-tracker.atlassian.net/browse/BIT-1507
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: All
> Reporter: Jan Grashoefer
> Assignee: Seth Hall
> Priority: Low
> Labels: intel-framework
>
> Some time ago someone in #bro asked for matching mail addresses using the intel-framework. We realized that the [seen-script|https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/smtp.bro] seems to contain a bug: Using {code}split_string_n(mail_address, /<.+>/, T, 1){code} to extract a mail address misses the last character and does not respect the possibility of multiple addresses.
> I will add a pcap later.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Mon Jan 25 14:05:00 2016
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Mon, 25 Jan 2016 16:05:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1507) Intel framework does not match mail addresses properly
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24001#comment-24001 ]

Robin Sommer commented on BIT-1507:
-----------------------------------

Assigning to Seth as I believe he started looking at this already.

> Intel framework does not match mail addresses properly
> ------------------------------------------------------
>
> Key: BIT-1507
> URL: https://bro-tracker.atlassian.net/browse/BIT-1507
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.4
> Environment: All
> Reporter: Jan Grashoefer
> Assignee: Seth Hall
> Priority: Low
> Labels: intel-framework
>
> Some time ago someone in #bro asked for matching mail addresses using the intel-framework. We realized that the [seen-script|https://github.com/bro/bro/blob/master/scripts/policy/frameworks/intel/seen/smtp.bro] seems to contain a bug: Using {code}split_string_n(mail_address, /<.+>/, T, 1){code} to extract a mail address misses the last character and does not respect the possibility of multiple addresses.
> I will add a pcap later.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From noreply at bro.org Tue Jan 26 00:00:33 2016
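The multiple-address half of the bug report, as an added Python example (not the seen/smtp.bro script and not the fix in pull request #52): a greedy `<.+>` match on a header with two bracketed addresses spans from the first `<` to the last `>`, so the "address" handed to the Intel framework is one bogus string that will never match an indicator. Parsing the header as an RFC 5322 address-list yields each address separately. The header values are constructed for the example.

```python
"""Extracting every address from an SMTP address header for intel matching.
Added example; not Bro's seen/smtp.bro script. Header values are constructed."""
import re
from email.utils import getaddresses

# Constructed header values as they would appear in From:/To:/Cc:
HEADERS = [
    '"Alice Example" <alice@example.com>',
    'Bob <bob@example.org>, Carol <carol@example.net>',
    'dave@example.com',
]


def naive_extract(value):
    """What a single greedy /<.+>/ match gives: the first '<' up to the LAST
    '>' on the line, so two bracketed addresses collapse into one string."""
    m = re.search(r"<.+>", value)
    return [m.group(0)[1:-1]] if m else [value.strip()]


def extract_addresses(value):
    """All addresses in an RFC 5322 address-list, normalised for matching:
    display names dropped, angle brackets stripped, lower-cased."""
    out = []
    for _display_name, addr in getaddresses([value]):
        addr = addr.strip().strip("<>").lower()
        if "@" in addr:
            out.append(addr)
    return out


def intel_hits(value, indicators):
    """Which addresses from the header are on the (constructed) indicator list."""
    return [a for a in extract_addresses(value) if a in indicators]


if __name__ == "__main__":
    for h in HEADERS:
        print(repr(h), "naive:", naive_extract(h), "parsed:", extract_addresses(h))
```

With the indicator `carol@example.net`, the greedy extraction never matches because the string it produces still contains the other address and a display name; the parsed form matches on the second address of the header.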
From: noreply at bro.org (Merge Tracker)
Date: Tue, 26 Jan 2016 00:00:33 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601260800.u0Q80Xg2019296@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter        Assignee   Updated     For Version  Priority  Summary
------------  ---------  --------------  ---------  ----------  -----------  --------  ------------------------------------------------------
BIT-1527 [1]  Bro        Johanna Amann   -          2016-01-19  2.5          Normal    Please merge topic/johanna/cve-2015-3194
BIT-1507 [2]  Bro        Jan Grashoefer  Seth Hall  2016-01-25  -            Low       Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue    Component     User            Updated     Title
-------  ------------  --------------  ----------  ------------------------------------------------------------------------------------
#52 [3]  bro           J-Gras [4]      2016-01-18  Fixed matching mail address intel [5]
#14 [6]  bro-plugins   mpurzynski [7]  2016-01-25  Show users how to run Bro with AF_Packet as non-root. [8]
#10 [9]  pysubnettree  jroyalty [10]   2016-01-25  Added prefixes() method to return all prefixes in the tree as a set of strings. [11]

[1] BIT-1527 https://bro-tracker.atlassian.net/browse/BIT-1527
[2] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[3] Pull Request #52 https://github.com/bro/bro/pull/52
[4] J-Gras https://github.com/J-Gras
[5] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[6] Pull Request #14 https://github.com/bro/bro-plugins/pull/14
[7] mpurzynski https://github.com/mpurzynski
[8] Merge Pull Request #14 with git pull --no-ff --no-commit https://github.com/mpurzynski/bro-plugins.git master
[9] Pull Request #10 https://github.com/bro/pysubnettree/pull/10
[10] jroyalty https://github.com/jroyalty
[11] Merge Pull Request #10 with git pull --no-ff --no-commit https://github.com/jroyalty/pysubnettree.git topic/jroyalty/prefixset

From jira at bro-tracker.atlassian.net Tue Jan 26 14:28:00 2016
From: jira at bro-tracker.atlassian.net (Jeff Barber (JIRA))
Date: Tue, 26 Jan 2016 16:28:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1530) protocol_confirmation event cannot be hooked by plugin
In-Reply-To:
References:
Message-ID:

Jeff Barber created BIT-1530:
--------------------------------

Summary: protocol_confirmation event cannot be hooked by plugin
Key: BIT-1530
URL: https://bro-tracker.atlassian.net/browse/BIT-1530
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.4
Reporter: Jeff Barber

The way the 'protocol_confirmation' event is raised bypasses the plugin event-hook mechanism. Plugin event hooks are triggered via EventMgr.QueueEvent which is in the usual event generation interface. However, protocol_confirmation is generated via this code in src/analyzer/Analyzer.cc:

{{
// We immediately raise the event so that the analyzer can quickly
// react if necessary.
::Event* e = new ::Event(protocol_confirmation, vl, SOURCE_LOCAL);
mgr.Dispatch(e);
}}

The EventMgr.Dispatch method doesn't invoke the hook so at present it's not possible for a plugin to hook this event. It would be nice if this were orthogonal with other events.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Tue Jan 26 15:26:00 2016
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 26 Jan 2016 17:26:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1527) Please merge topic/johanna/cve-2015-3194
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1527?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24002#comment-24002 ]

Daniel Thayer commented on BIT-1527:
------------------------------------

All of our jenkins machines are fully up-to-date.

> Please merge topic/johanna/cve-2015-3194
> ----------------------------------------
>
> Key: BIT-1527
> URL: https://bro-tracker.atlassian.net/browse/BIT-1527
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.5
>
> Please merge topic/johanna/cve-2015-3194. The branch contains a test that checks if a machine is vulnerable to cve-2015-3194 and - if yes - raises a test error.
> Note that we should assure that all our jenkins machines have a current OpenSSL before merging this to master.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From noreply at bro.org Wed Jan 27 00:00:22 2016
From: noreply at bro.org (Merge Tracker)
Date: Wed, 27 Jan 2016 00:00:22 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601270800.u0R80MBX017886@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter        Assignee   Updated     For Version  Priority  Summary
------------  ---------  --------------  ---------  ----------  -----------  --------  ------------------------------------------------------
BIT-1527 [1]  Bro        Johanna Amann   -          2016-01-26  2.5          Normal    Please merge topic/johanna/cve-2015-3194
BIT-1507 [2]  Bro        Jan Grashoefer  Seth Hall  2016-01-25  -            Low       Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue    Component     User          Updated     Title
-------  ------------  ------------  ----------  -----------------------------------------------------------------------------------
#52 [3]  bro           J-Gras [4]    2016-01-18  Fixed matching mail address intel [5]
#10 [6]  pysubnettree  jroyalty [7]  2016-01-25  Added prefixes() method to return all prefixes in the tree as a set of strings. [8]

[1] BIT-1527 https://bro-tracker.atlassian.net/browse/BIT-1527
[2] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[3] Pull Request #52 https://github.com/bro/bro/pull/52
[4] J-Gras https://github.com/J-Gras
[5] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[6] Pull Request #10 https://github.com/bro/pysubnettree/pull/10
[7] jroyalty https://github.com/jroyalty
[8] Merge Pull Request #10 with git pull --no-ff --no-commit https://github.com/jroyalty/pysubnettree.git topic/jroyalty/prefixset

From noreply at bro.org Thu Jan 28 00:00:29 2016
From: noreply at bro.org (Merge Tracker)
Date: Thu, 28 Jan 2016 00:00:29 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601280800.u0S80Tpf014033@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter        Assignee   Updated     For Version  Priority  Summary
------------  ---------  --------------  ---------  ----------  -----------  --------  ------------------------------------------------------
BIT-1527 [1]  Bro        Johanna Amann   -          2016-01-26  2.5          Normal    Please merge topic/johanna/cve-2015-3194
BIT-1507 [2]  Bro        Jan Grashoefer  Seth Hall  2016-01-25  -            Low       Intel framework does not match mail addresses properly

Open GitHub Pull Requests
=========================

Issue    Component     User          Updated     Title
-------  ------------  ------------  ----------  -----------------------------------------------------------------------------------
#52 [3]  bro           J-Gras [4]    2016-01-18  Fixed matching mail address intel [5]
#10 [6]  pysubnettree  jroyalty [7]  2016-01-25  Added prefixes() method to return all prefixes in the tree as a set of strings. [8]

[1] BIT-1527 https://bro-tracker.atlassian.net/browse/BIT-1527
[2] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[3] Pull Request #52 https://github.com/bro/bro/pull/52
[4] J-Gras https://github.com/J-Gras
[5] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
[6] Pull Request #10 https://github.com/bro/pysubnettree/pull/10
[7] jroyalty https://github.com/jroyalty
[8] Merge Pull Request #10 with git pull --no-ff --no-commit https://github.com/jroyalty/pysubnettree.git topic/jroyalty/prefixset

From jira at bro-tracker.atlassian.net Thu Jan 28 08:52:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 28 Jan 2016 10:52:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-253) Can't bind to port 47760, Address already in use
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-253:
-----------------------------

Resolution: Won't Fix
Status: Closed (was: Open)

We are going to be solving this problem more generally to warn users of potentially dangerous changes.

> Can't bind to port 47760, Address already in use
> ------------------------------------------------
>
> Key: BIT-253
> URL: https://bro-tracker.atlassian.net/browse/BIT-253
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: tyler.schoenke
> Assignee: Daniel Thayer
> Priority: Low
> Fix For: 2.5
>
> I ran into some strange behavior with the cluster. I was still receiving email alerts, but the log files on the manager contained only headers with no log messages. The connection summary emails had the columns and summaries with all of the values being empty.
> I ran a dumpcap on my manager's eth0 filtering my worker IP, and saw that the logs were being sent to the manager. I could start the cluster, run broctl stats and diag with no errors. I finally saw "Can't bind to port 47760, Address already in use" in the remote.log on the manager. After stopping the cluster and looking for LISTENing processes, I saw that something was bound to that port. I checked for running bro processes and saw that some hadn't terminated when the cluster was stopped. After killing those, the cluster started working properly.
> My enhancement request is to have something added to the cluster startup script that reports an error if the manager or workers encounter an error binding to a port. This error could either prevent the cluster from starting, or just print some message to let the user know there is a problem with port binding.

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From jira at bro-tracker.atlassian.net Thu Jan 28 08:53:00 2016
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 28 Jan 2016 10:53:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-161) In standalone mode, broctl attempts to connect to wrong port.
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-161:
-----------------------------

Resolution: No longer applies
Status: Closed (was: Open)

Broping is gone.

> In standalone mode, broctl attempts to connect to wrong port.
> -------------------------------------------------------------
>
> Key: BIT-161
> URL: https://bro-tracker.atlassian.net/browse/BIT-161
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BroControl
> Affects Versions: 1.5.2
> Reporter: Seth Hall
> Assignee: Daniel Thayer
> Priority: Low
> Labels: warning
>
> I have a standalone instance setup and the bro process is holding open port 47758/tcp, but the broctl interface is attempting to connect to port 47760/tcp when it tries to do anything with broccoli.
>
> {noformat}
> [BroControl] > netstats
> bro:
> {noformat}
>
> {noformat}
> seth at Blake3:~$ sudo lsof -i | grep LISTEN
> bro 74156 root 0u IPv4 0xb3ad270 0t0 TCP *:47758 (LISTEN)
> {noformat}

--
This message was sent by Atlassian JIRA (v7.1.0-OD-05-006#71001)

From robin at icir.org Thu Jan 28 08:56:16 2016
From: robin at icir.org (Robin Sommer)
Date: Thu, 28 Jan 2016 08:56:16 -0800
Subject: [Bro-Dev] Jenkins errors (Re: [Bro-Commits-Internal] UnitTests - Build # 6935 - Failure!)
In-Reply-To: <1156116149.59.1453973125069.JavaMail.jenkins@brotestbed.ncsa.illinois.edu>
References: <1156116149.59.1453973125069.JavaMail.jenkins@brotestbed.ncsa.illinois.edu>
Message-ID: <20160128165616.GY61143@icir.org>

Jenkins is reporting two problems I don't see locally on my dev box:

On Thu, Jan 28, 2016 at 03:25 -0600, jenkins at brotestbed.ncsa.illinois.edu wrote:

> from /home/jenkins/workspace/UnitTests/bro/aux/plugins/elasticsearch/build/elasticsearch.bif.cc:4:
> /home/jenkins/workspace/CompileLeakCheck/bro/src/analyzer/../SerialObj.h:172:40: warning: override controls (override/final) only available with -std=c++11 or -std=gnu++11
> virtual bool DoSerialize(SerialInfo*) const override; \

There are lots of these, which I don't quite understand as c++11 should be on by default, no?

> ../../aux/btest/btest -b -d --xml=/home/jenkins/workspace/UnitTests/results.xml
> +++ /tmp/test-diff.17631.all-events.log.tmp 2016-01-28 09:15:18.343357310 +0000
> +XXXXXXXXXX.XXXXXX file_hash
> + [0] f: fa_file = [id=F1vce92FT1oRjKI328, parent_id=, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0], start_time=XXXXXXXXXX.XXXXXX, duration=0.303424, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C7XEbhP654jzLoe3a, tunnel=, vlan=, inner_vlan=, dpd=, conn=, extract_orig=F, extract_resp=F, thresholds=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C7XEbhP654jzLoe3a, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version=TLSv12,
cipher=TLS_RSA_WITH_RC4_128_MD5, curve=, server_name=p31-keyvalueservice.icloud.com, session_id=, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, last_alert=, next_protocol=, analyzer_id=35, established=F, logged=F, delay_tokens=, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=F1vce92FT1oRjKI328, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC7XEbhP654jzLoe3a\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aMD5,\x0aSHA1\x0a\x09}, mime_type=application/pkix-cert, filename=, duration=0 secs, local_orig=, is_orig=F, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=, md5=1bf9696d9f337805383427e88781d001, sha1=, sha256=, x509=[ts=XXXXXXXXXX.XXXXXX, id=F1vce92FT1oRjKI328, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=1424184331.0, not_valid_after=1489848331.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=], handle=, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a 
User Notice:\x0a Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=, email=, ip=, other_fields=F], basic_constraints=[ca=F, path_len=]], extracted=]], cert_chain_fuids=[F1vce92FT1oRjKI328], client_cert_chain=[], client_cert_chain_fuids=[], subject=, issuer=, client_subject=, client_issuer=, server_depth=0, client_depth=0], http=, http_state=, irc=, krb=, modbus=, mysql=, radius=, rdp=, sip=, sip_state=, snmp=, smtp=, smtp_state=, socks=, ssh=, syslog=]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=0\x82\x05z0\x82\x04b\xa0\x03\x02\x01\x02\x02\x08\x05?\xce\x9b\xa6\x80[\x000\x0d\x06\x09*\x86H\x86\xf7\x0d\x01\x01\x0b\x05\x000b1\x1c0\x1a\x06\x03U\x04\x03\x13\x13Apple IST CA 2 - G11 0\x1e\x06\x03U\x04\x0b\x13\x17Certification Authority1\x130\x11\x06\x03U\x04\x0a\x13\x0aApple Inc.1\x0b0\x09\x06\x03U\x04\x06\x13\x02US0\x1e\x17\x0d150217144531Z\x17\x0d170318144531Z0u1\x150\x13\x06\x03U\x04\x03\x0c\x0c*.icloud.com1%0#\x06\x03U\x04\x0b\x0c\x1cmanagement:idms.group.5063641\x130\x11\x06\x03U\x04\x0a\x0c\x0aApple 
> + [1] kind: string = sha1
> + [2] hash: string = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
> +

sha1 is filled in the 2nd version. I think I saw a different example where it was md5sum that was set in the 2nd version but not the baseline version. Were there any changes in this regard?

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
From: johanna at icir.org (Johanna Amann)
Date: Thu, 28 Jan 2016 10:54:19 -0800
Subject: [Bro-Dev] Jenkins errors (Re: [Bro-Commits-Internal] UnitTests - Build # 6935 - Failure!)
In-Reply-To: <20160128165616.GY61143@icir.org>
References: <1156116149.59.1453973125069.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20160128165616.GY61143@icir.org>
Message-ID: <20160128185413.GA95695@wifi168.sys.ICSI.Berkeley.EDU>

On Thu, Jan 28, 2016 at 08:56:16AM -0800, Robin Sommer wrote:
> sha1 is filled in the 2nd version. I think I saw a different example
> where it was md5sum that was set in the 2nd version but not the
> baseline version. Were there any changes in this regard?

I am not aware of anything in the SSL source having changed recently that should/could cause anything like that.

Johanna

From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA))
Date: Thu, 28 Jan 2016 13:51:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1033) add script based on BBN's ICMP analyzer

[ https://bro-tracker.atlassian.net/browse/BIT-1033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell reassigned BIT-1033:
---------------------------------

    Assignee: Jon Schipp  (was: Vlad Grigorescu)

> add script based on BBN's ICMP analyzer
> ---------------------------------------
>
>                 Key: BIT-1033
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1033
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dmandelb
>            Assignee: Jon Schipp
>            Priority: Low
>             Fix For: 2.5
>
>         Attachments: 0001-add-script-based-on-BBN-s-ICMP-analyzer.patch
>

--
This message was sent by Atlassian JIRA
(v7.1.0-OD-05-006#71001)
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 28 Jan 2016 14:44:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1531) Use of mktemp command should be more portable

Daniel Thayer created BIT-1531:
----------------------------------

             Summary: Use of mktemp command should be more portable
                 Key: BIT-1531
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1531
             Project: Bro Issue Tracker
          Issue Type: Task
          Components: Bro, BTest
            Reporter: Daniel Thayer
             Fix For: 2.5

The use of the mktemp command breaks on some platforms, because we only use three Xs in our templates, but some platforms require at least six Xs.

From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 28 Jan 2016 14:45:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1531) Use of mktemp command should be more portable

[ https://bro-tracker.atlassian.net/browse/BIT-1531?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=24006#comment-24006 ]

Daniel Thayer commented on BIT-1531:
------------------------------------

In the bro and btest repos, the branch "topic/dnthayer/mktemp" fixes this issue.

> Use of mktemp command should be more portable
> ---------------------------------------------
>
>                 Key: BIT-1531
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1531
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro, BTest
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> The use of the mktemp command breaks on some platforms, because
> we only use three Xs in our templates, but some platforms require at
> least six Xs.
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Thu, 28 Jan 2016 15:13:00 -0600 (CST)
Subject: [Bro-Dev] [JIRA] (BIT-1531) Use of mktemp command should be more portable

[ https://bro-tracker.atlassian.net/browse/BIT-1531?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1531:
-------------------------------

    Status: Merge Request  (was: Open)

> Use of mktemp command should be more portable
> ---------------------------------------------
>
>                 Key: BIT-1531
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1531
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro, BTest
>            Reporter: Daniel Thayer
>             Fix For: 2.5
>
>
> The use of the mktemp command breaks on some platforms, because
> we only use three Xs in our templates, but some platforms require at
> least six Xs.
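The portability problem BIT-1531 describes, worked through as an added sh example (this is not the change on topic/dnthayer/mktemp and not code from the bro or btest repos): a helper that pads a mktemp template to the six trailing X's some platforms require, so a script that still carries a three-X template keeps working everywhere. The function names are my own; the only assumption is a POSIX sh with a mktemp(1) that accepts a template argument.

```shell
#!/bin/sh
# Added example, not code from the bro or btest repositories: make a
# mktemp(1) template portable by guaranteeing at least six trailing X's,
# the minimum the ticket says some platforms insist on.
# Assumes POSIX sh and a mktemp that takes a template as its argument.

# Print the template with its trailing run of X's padded to at least six.
#   /tmp/bro.XXX        -> /tmp/bro.XXXXXX
#   /tmp/bro.XXXXXXXXXX -> unchanged (already long enough)
#   /tmp/bro            -> /tmp/broXXXXXX (no X's at all: six are appended)
normalize_template() {
    _base=$1
    _count=0
    # Strip the existing trailing X's one at a time, counting them.
    while [ "${_base%X}" != "$_base" ]; do
        _base=${_base%X}
        _count=$((_count + 1))
    done
    if [ "$_count" -lt 6 ]; then
        _count=6
    fi
    _xs=""
    while [ "$_count" -gt 0 ]; do
        _xs="${_xs}X"
        _count=$((_count - 1))
    done
    printf '%s%s\n' "$_base" "$_xs"
}

# Create a temporary file from the given template (default: tmp.XXXXXX
# under $TMPDIR or /tmp) after normalizing it, and print the resulting path.
make_tmpfile() {
    mktemp "$(normalize_template "${1:-${TMPDIR:-/tmp}/tmp.XXXXXX}")"
}
```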
From: seth at icir.org (Seth Hall)
Date: Thu, 28 Jan 2016 21:19:21 -0500
Subject: [Bro-Dev] Jenkins errors (Re: [Bro-Commits-Internal] UnitTests - Build # 6935 - Failure!)
In-Reply-To: <20160128165616.GY61143@icir.org>
References: <1156116149.59.1453973125069.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20160128165616.GY61143@icir.org>
Message-ID: <99FC1428-6313-4ABF-8E0C-988E26915B03@icir.org>

> On Jan 28, 2016, at 11:56 AM, Robin Sommer wrote:
>
> On Thu, Jan 28, 2016 at 03:25 -0600, jenkins at brotestbed.ncsa.illinois.edu wrote:
>
>> from /home/jenkins/workspace/UnitTests/bro/aux/plugins/elasticsearch/build/elasticsearch.bif.cc:4:
>> /home/jenkins/workspace/CompileLeakCheck/bro/src/analyzer/../SerialObj.h:172:40: warning: override controls (override/final) only available with -std=c++11 or -std=gnu++11
>> virtual bool DoSerialize(SerialInfo*) const override; \
>
> There are lots of these, which I don't quite understand as c++11
> should be on by default, no?

Oh, is the elasticsearch plugin being built with C++11 enabled?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
From: johanna at icir.org (Johanna Amann)
Date: Thu, 28 Jan 2016 21:43:34 -0800
Subject: [Bro-Dev] Jenkins errors (Re: [Bro-Commits-Internal] UnitTests - Build # 6935 - Failure!)
In-Reply-To: <99FC1428-6313-4ABF-8E0C-988E26915B03@icir.org>
References: <1156116149.59.1453973125069.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20160128165616.GY61143@icir.org> <99FC1428-6313-4ABF-8E0C-988E26915B03@icir.org>
Message-ID: <938E01DB-AF11-4806-9348-EBD2DD03B78A@icir.org>

On 28 Jan 2016, at 18:19, Seth Hall wrote:

>> On Jan 28, 2016, at 11:56 AM, Robin Sommer wrote:
>>
>> On Thu, Jan 28, 2016 at 03:25 -0600,
>> jenkins at brotestbed.ncsa.illinois.edu wrote:
>>
>>> from
>>> /home/jenkins/workspace/UnitTests/bro/aux/plugins/elasticsearch/build/elasticsearch.bif.cc:4:
>>> /home/jenkins/workspace/CompileLeakCheck/bro/src/analyzer/../SerialObj.h:172:40:
>>> warning: override controls (override/final) only available with
>>> -std=c++11 or -std=gnu++11
>>> virtual bool DoSerialize(SerialInfo*) const override; \
>>
>> There are lots of these, which I don't quite understand as c++11
>> should be on by default, no?
>
> Oh, is the elasticsearch plugin being built with C++11 enabled?

Ah, you have a point there. It probably is not - at least for the postgresql plugin I had to add include(RequireCXX11) to the cmakelist manually...

Johanna
From: noreply at bro.org (Merge Tracker)
Date: Fri, 29 Jan 2016 00:00:24 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601290800.u0T80OQ5019378@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee    Updated     For Version    Priority    Summary
------------  -----------  --------------  ----------  ----------  -------------  ----------  ------------------------------------------------------
BIT-1531 [1]  Bro,BTest    Daniel Thayer   -           2016-01-28  2.5            Normal      Use of mktemp command should be more portable
BIT-1527 [2]  Bro          Johanna Amann   -           2016-01-26  2.5            Normal      Please merge topic/johanna/cve-2015-3194
BIT-1507 [3]  Bro          Jan Grashoefer  Seth Hall   2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  ----------------------------------------------
be0d2d6 [4]  bro-aux      Daniel Thayer  2016-01-28  Fix the init-plugin script to be more portable

Open GitHub Pull Requests
=========================

Issue    Component    User        Updated     Title
-------  -----------  ----------  ----------  -------------------------------------
#52 [5]  bro          J-Gras [6]  2016-01-18  Fixed matching mail address intel [7]

[1] BIT-1531 https://bro-tracker.atlassian.net/browse/BIT-1531
[2] BIT-1527 https://bro-tracker.atlassian.net/browse/BIT-1527
[3] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[4] be0d2d6 https://github.com/bro/bro-aux/commit/be0d2d639a0757d0a9664d3e8f22d26a78e2814c
[5] Pull Request #52 https://github.com/bro/bro/pull/52
[6] J-Gras https://github.com/J-Gras
[7] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Fri, 29 Jan 2016 09:46:17 -0600
Subject: [Bro-Dev] Jenkins errors (Re: [Bro-Commits-Internal] UnitTests - Build # 6935 - Failure!)
In-Reply-To: <938E01DB-AF11-4806-9348-EBD2DD03B78A@icir.org>
References: <1156116149.59.1453973125069.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20160128165616.GY61143@icir.org> <99FC1428-6313-4ABF-8E0C-988E26915B03@icir.org> <938E01DB-AF11-4806-9348-EBD2DD03B78A@icir.org>
Message-ID: <56AB8949.8000307@illinois.edu>

On 01/28/2016 11:43 PM, Johanna Amann wrote:
>
>
> On 28 Jan 2016, at 18:19, Seth Hall wrote:
>
>>> On Jan 28, 2016, at 11:56 AM, Robin Sommer wrote:
>>>
>>> On Thu, Jan 28, 2016 at 03:25 -0600,
>>> jenkins at brotestbed.ncsa.illinois.edu wrote:
>>>
>>>> from
>>>> /home/jenkins/workspace/UnitTests/bro/aux/plugins/elasticsearch/build/elasticsearch.bif.cc:4:
>>>> /home/jenkins/workspace/CompileLeakCheck/bro/src/analyzer/../SerialObj.h:172:40:
>>>> warning: override controls (override/final) only available with
>>>> -std=c++11 or -std=gnu++11
>>>> virtual bool DoSerialize(SerialInfo*) const override; \
>>>
>>> There are lots of these, which I don't quite understand as c++11
>>> should be on by default, no?
>>
>> Oh, is the elasticsearch plugin being built with C++11 enabled?
>
> Ah, you have a point there. It probably is not - at least for the
> postgresql plugin I had to add include(RequireCXX11) to the cmakelist
> manually...
>
> Johanna
>

Yes, we need to add this to the CMakeLists.txt file (at least for the elasticsearch and tcprs plugins):

include(RequireCXX11)
From: seth at icir.org (Seth Hall)
Date: Fri, 29 Jan 2016 11:25:45 -0500
Subject: [Bro-Dev] Jenkins errors (Re: [Bro-Commits-Internal] UnitTests - Build # 6935 - Failure!)
In-Reply-To: <56AB8949.8000307@illinois.edu>
References: <1156116149.59.1453973125069.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20160128165616.GY61143@icir.org> <99FC1428-6313-4ABF-8E0C-988E26915B03@icir.org> <938E01DB-AF11-4806-9348-EBD2DD03B78A@icir.org> <56AB8949.8000307@illinois.edu>
Message-ID: <888F078B-A502-45B9-895B-FF294AB33D5E@icir.org>

> On Jan 29, 2016, at 10:46 AM, Daniel Thayer wrote:
>
> Yes, we need to add this to the CMakeLists.txt file (at least for
> the elasticsearch and tcprs plugins):
>
> include(RequireCXX11)

I suppose we need to also update the script that generates the plugin skeleton to make sure that this is included there for any future plugins that are created.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
From: robin at icir.org (Robin Sommer)
Date: Fri, 29 Jan 2016 08:43:13 -0800
Subject: [Bro-Dev] Jenkins errors (Re: [Bro-Commits-Internal] UnitTests - Build # 6935 - Failure!)
In-Reply-To: <888F078B-A502-45B9-895B-FF294AB33D5E@icir.org>
References: <1156116149.59.1453973125069.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20160128165616.GY61143@icir.org> <99FC1428-6313-4ABF-8E0C-988E26915B03@icir.org> <938E01DB-AF11-4806-9348-EBD2DD03B78A@icir.org> <56AB8949.8000307@illinois.edu> <888F078B-A502-45B9-895B-FF294AB33D5E@icir.org>
Message-ID: <20160129164313.GQ76212@icir.org>

I'll fix this, now that I understand what's going on. :)

Thanks everybody,

Robin

On Fri, Jan 29, 2016 at 11:25 -0500, you wrote:

> > On Jan 29, 2016, at 10:46 AM, Daniel Thayer wrote:
> >
> > Yes, we need to add this to the CMakeLists.txt file (at least for
> > the elasticsearch and tcprs plugins):
> >
> > include(RequireCXX11)
>
> I suppose we need to also update the script that generates the plugin skeleton to make sure that this is included there for any future plugins that are created.
>
> .Seth

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
From: noreply at bro.org (Merge Tracker)
Date: Sat, 30 Jan 2016 00:00:28 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601300800.u0U80S68030425@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee    Updated     For Version    Priority    Summary
------------  -----------  --------------  ----------  ----------  -------------  ----------  ------------------------------------------------------
BIT-1531 [1]  Bro,BTest    Daniel Thayer   -           2016-01-28  2.5            Normal      Use of mktemp command should be more portable
BIT-1527 [2]  Bro          Johanna Amann   -           2016-01-26  2.5            Normal      Please merge topic/johanna/cve-2015-3194
BIT-1507 [3]  Bro          Jan Grashoefer  Seth Hall   2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  ----------------------------------------------
be0d2d6 [4]  bro-aux      Daniel Thayer  2016-01-28  Fix the init-plugin script to be more portable

Open GitHub Pull Requests
=========================

Issue    Component    User        Updated     Title
-------  -----------  ----------  ----------  -------------------------------------
#52 [5]  bro          J-Gras [6]  2016-01-18  Fixed matching mail address intel [7]

[1] BIT-1531 https://bro-tracker.atlassian.net/browse/BIT-1531
[2] BIT-1527 https://bro-tracker.atlassian.net/browse/BIT-1527
[3] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[4] be0d2d6 https://github.com/bro/bro-aux/commit/be0d2d639a0757d0a9664d3e8f22d26a78e2814c
[5] Pull Request #52 https://github.com/bro/bro/pull/52
[6] J-Gras https://github.com/J-Gras
[7] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507
From: noreply at bro.org (Merge Tracker)
Date: Sun, 31 Jan 2016 00:00:31 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201601310800.u0V80Vgn021817@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component    Reporter        Assignee    Updated     For Version    Priority    Summary
------------  -----------  --------------  ----------  ----------  -------------  ----------  ------------------------------------------------------
BIT-1531 [1]  Bro,BTest    Daniel Thayer   -           2016-01-28  2.5            Normal      Use of mktemp command should be more portable
BIT-1527 [2]  Bro          Johanna Amann   -           2016-01-26  2.5            Normal      Please merge topic/johanna/cve-2015-3194
BIT-1507 [3]  Bro          Jan Grashoefer  Seth Hall   2016-01-25  -              Low         Intel framework does not match mail addresses properly

Open Fastpath Commits
======================

Commit       Component    Author         Date        Summary
-----------  -----------  -------------  ----------  ----------------------------------------------
be0d2d6 [4]  bro-aux      Daniel Thayer  2016-01-28  Fix the init-plugin script to be more portable

Open GitHub Pull Requests
=========================

Issue    Component    User        Updated     Title
-------  -----------  ----------  ----------  -------------------------------------
#52 [5]  bro          J-Gras [6]  2016-01-18  Fixed matching mail address intel [7]

[1] BIT-1531 https://bro-tracker.atlassian.net/browse/BIT-1531
[2] BIT-1527 https://bro-tracker.atlassian.net/browse/BIT-1527
[3] BIT-1507 https://bro-tracker.atlassian.net/browse/BIT-1507
[4] be0d2d6 https://github.com/bro/bro-aux/commit/be0d2d639a0757d0a9664d3e8f22d26a78e2814c
[5] Pull Request #52 https://github.com/bro/bro/pull/52
[6] J-Gras https://github.com/J-Gras
[7] Merge Pull Request #52 with git pull --no-ff --no-commit https://github.com/J-Gras/bro.git topic/jgras/bit-1507