From vern at icir.org Thu Dec 1 02:37:42 2011
From: vern at icir.org (Vern Paxson)
Date: Thu, 01 Dec 2011 02:37:42 -0800
Subject: [Bro-Dev] question & meta-question regarding "path" field in smtp.log
In-Reply-To: <09B66D9F-B932-41F4-A482-31D971CBD0B5@icir.org> (Wed, 30 Nov 2011 23:09:55 EST).
Message-ID: <20111201103742.59AA72C400E@rock.ICSI.Berkeley.EDU>

> Yes, it's the path derived from the received headers and it's in reverse
> order where the actual message originator would be found at the right side
> and the receiver would be at the left.

But what about adding the client & server?  Are those added separately?
It would appear so, though I'm not sure that's the right thing to do.  It
muddles the semantics somewhat, and also isn't necessary as the client &
server info are available from other fields.

		Vern

From vern at icir.org Thu Dec 1 02:37:46 2011
From: vern at icir.org (Vern Paxson)
Date: Thu, 01 Dec 2011 02:37:46 -0800
Subject: [Bro-Dev] generation of loaded_scripts.log
In-Reply-To: (Wed, 30 Nov 2011 23:18:00 EST).
Message-ID: <20111201103746.6B32D2C400E@rock.ICSI.Berkeley.EDU>

> The local script is where we are suggesting a starting configuration for
> users, similarly to how Apache probably ships a default httpd.conf.

Right, I gathered that.

> The misc/loaded-scripts script is loaded in the local script.

This is the part that's not so obvious to me.  I guess the rationale
is "who knows what junk might be in local/ ...." ?

		Vern

From vern at icir.org Thu Dec 1 02:38:08 2011
From: vern at icir.org (Vern Paxson)
Date: Thu, 01 Dec 2011 02:38:08 -0800
Subject: [Bro-Dev] Deprecating events
In-Reply-To: <20111130171648.GI96269@icir.org> (Wed, 30 Nov 2011 09:16:48 PST).
Message-ID: <20111201103809.0161C2C400E@rock.ICSI.Berkeley.EDU>

> > That would be a pity, as now-and-then it provides very valuable forensic
> > information.
>
> I didn't realize this is still being used.

It's quite rare, but basically whenever you detect (through some other
means) a credential thief, the stepping-stone info can be very handy for
the incident analysis.

> I'm fine keeping the events
> then, but could you provide a few sentences describing their semantics
> for the script reference?

I don't really know.  I really don't know if this is worth it.  The events
are fodder for the specific algorithm; I can't picture a user actually
wanting to write their own handlers for them.  That they're quite specific
also makes them awkward to explain.  So my vote is to just label them as
"internal to the stepping-stone detector".

> > I'd be reluctant to lose these, as they could potentially become relevant
> > if one is able to feed unencrypted SSH streams to Bro
>
> That's right but isn't the scripting land the better place to
> implement this functionality eventually?

Yeah, it would ... though it's a pretty messy state-machine-plus-string-matching
chunk of code.

> What I don't like is all the
> hard-coded regexp variables that one passes into the core; that's
> quite different from any other analyzer.

A valid point.

		Vern

From seth at icir.org Thu Dec 1 05:38:40 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 1 Dec 2011 08:38:40 -0500
Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Fix error emitted when loading local.bro in bare mode (8d7ca13)
In-Reply-To: <201111302000.pAUK0qEd031822@bro-ids.icir.org>
References: <201111302000.pAUK0qEd031822@bro-ids.icir.org>
Message-ID: <8AC30C5A-E904-4375-A6C0-E66C6075E10D@icir.org>

On Nov 30, 2011, at 3:00 PM, Jonathan Siwek wrote:

> Regarding the redef of SMTP::entity_excerpt_len without having
> been previously defined.
> +@load base/protocols/smtp/entities-excerpt

I'm confused why this is needed, this script should already be loaded.  I just checked and it is loaded in the base/protocols/smtp/__load__.bro script.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jsiwek at illinois.edu Thu Dec 1 06:51:13 2011
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 1 Dec 2011 14:51:13 +0000
Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Fix error emitted when loading local.bro in bare mode (8d7ca13)
In-Reply-To: <8AC30C5A-E904-4375-A6C0-E66C6075E10D@icir.org>
References: <201111302000.pAUK0qEd031822@bro-ids.icir.org> <8AC30C5A-E904-4375-A6C0-E66C6075E10D@icir.org>
Message-ID:

>> Regarding the redef of SMTP::entity_excerpt_len without having
>> been previously defined.
>> +@load base/protocols/smtp/entities-excerpt
>
> I'm confused why this is needed, this script should already be loaded.  I just checked and it is loaded in the base/protocols/smtp/__load__.bro script.

But the loading of that depends on running in "default" mode, right?

    $ bro -b local
    error in /Users/jsiwek/Projects/bro/bro/scripts/site/local.bro, line 69: "redef" used but not previously defined (SMTP::entity_excerpt_len)

Granted, I'm not sure if that's going to be a common case to use bare mode to load local.bro, but the rule should be that everything loads without error in bare mode (and the documentation generation does just that, which is where I first observed the error).

+Jon

From seth at icir.org Thu Dec 1 07:14:29 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 1 Dec 2011 10:14:29 -0500
Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Fix error emitted when loading local.bro in bare mode (8d7ca13)
In-Reply-To:
References: <201111302000.pAUK0qEd031822@bro-ids.icir.org> <8AC30C5A-E904-4375-A6C0-E66C6075E10D@icir.org>
Message-ID:

On Dec 1, 2011, at 9:51 AM, Siwek, Jonathan Luke wrote:

> Granted, I'm not sure if that's going to be a common case to use bare mode to load local.bro, but the rule should be that everything loads without error in bare mode (and the documentation generation does just that which is where I first observed the error)

Oh.  Hm, I see what you are talking about now.  I wouldn't expect people to ever run local.bro in bare mode.  Actually, how about you just remove that whole redef from the local.bro script (and the @load you added)?  I wasn't sure I liked it that much at the time I wrote it and I don't think it would be something that a lot of people would be interested in anyway.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From bro at tracker.bro-ids.org Thu Dec 1 07:18:54 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 15:18:54 -0000
Subject: [Bro-Dev] #705: Makefile in doc/ doesn't work.
In-Reply-To: <047.924679682a5a6c6c0784fa8db12eb41f@tracker.bro-ids.org>
References: <047.924679682a5a6c6c0784fa8db12eb41f@tracker.bro-ids.org>
Message-ID: <062.b2f3c0e22aab48877292312ce2d0df01@tracker.bro-ids.org>

#705: Makefile in doc/ doesn't work.
----------------------+--------------------
  Reporter:  robin    |      Owner:  jsiwek
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:  fixed    |   Keywords:
----------------------+--------------------
Changes (by jsiwek):

 * owner:  => jsiwek
 * status:  new => closed
 * resolution:  => fixed

Comment:

In [f6494a09c95063f717539a19b44454c1abba3ab5/bro]:
{{{
#!CommitTicketReference repository="bro" revision="f6494a09c95063f717539a19b44454c1abba3ab5"
Add missing doc targets to top Makefile; remove old doc/Makefile. (fixes #705)
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From jsiwek at illinois.edu Thu Dec 1 07:31:59 2011
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 1 Dec 2011 15:31:59 +0000
Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Fix error emitted when loading local.bro in bare mode (8d7ca13)
In-Reply-To:
References: <201111302000.pAUK0qEd031822@bro-ids.icir.org> <8AC30C5A-E904-4375-A6C0-E66C6075E10D@icir.org>
Message-ID:

> Actually, how about you just remove that whole redef from the local.bro script (and the @load you added)?

Ok, I can do that.

+Jon

From bro at tracker.bro-ids.org Thu Dec 1 07:43:19 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 15:43:19 -0000
Subject: [Bro-Dev] #493: RemoteSerializer::Log method should give peer to remote_log event
In-Reply-To: <046.92af99e6494fd1fafea993dd0397bf7b@tracker.bro-ids.org>
References: <046.92af99e6494fd1fafea993dd0397bf7b@tracker.bro-ids.org>
Message-ID: <061.be63e5427c7d6efe3987d3684409e41b@tracker.bro-ids.org>

#493: RemoteSerializer::Log method should give peer to remote_log event
------------------------------+----------------------
  Reporter:  seth             |      Owner:  jsiwek
      Type:  Feature Request  |     Status:  assigned
  Priority:  Normal           |  Milestone:  Bro2.0
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:
------------------------------+----------------------
Changes (by seth):

 * owner:  => jsiwek
 * status:  new => assigned

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 07:46:14 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 15:46:14 -0000
Subject: [Bro-Dev] #681: Control characters is ASCII output
In-Reply-To: <047.094925a06443edab94de1f00a1c21805@tracker.bro-ids.org>
References: <047.094925a06443edab94de1f00a1c21805@tracker.bro-ids.org>
Message-ID: <062.7baa53384fd9ebf71ad9a65f1c548158@tracker.bro-ids.org>

#681: Control characters is ASCII output
----------------------+----------------------
  Reporter:  robin    |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------
Changes (by seth):

 * owner:  => jsiwek
 * status:  new => assigned

Comment:

Jon, feel free to poke around and see if you can find out what's going on
here, but don't worry if you can't figure it out.  This problem has been
fairly rare for me and seems to show up randomly so we can bump it back if
we can't find the problem.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 07:46:38 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 15:46:38 -0000
Subject: [Bro-Dev] #654: Off_Port_Protocol_Found not used
In-Reply-To: <047.15c2d0cfc177e12da263861fac931591@tracker.bro-ids.org>
References: <047.15c2d0cfc177e12da263861fac931591@tracker.bro-ids.org>
Message-ID: <062.0094b70e145bf3b91043187987ea947d@tracker.bro-ids.org>

#654: Off_Port_Protocol_Found not used
----------------------+----------------------
  Reporter:  robin    |      Owner:  seth
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------
Changes (by seth):

 * owner:  => seth
 * status:  new => assigned

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 07:50:12 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 15:50:12 -0000
Subject: [Bro-Dev] #647: SDCH support
In-Reply-To: <046.95060f0c54e55e518c6e6817c50c1af5@tracker.bro-ids.org>
References: <046.95060f0c54e55e518c6e6817c50c1af5@tracker.bro-ids.org>
Message-ID: <061.3feb92187c6592f65c0a5994a570b856@tracker.bro-ids.org>

#647: SDCH support
----------------------+----------------------
  Reporter:  seth     |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------
Changes (by seth):

 * owner:  => jsiwek
 * status:  new => assigned

Comment:

We only need support for part 1 right now.  Supporting part 2 may be quite
difficult.  I'll attach a tracefile in just a sec.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 08:39:10 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 16:39:10 -0000
Subject: [Bro-Dev] #681: Control characters is ASCII output
In-Reply-To: <047.094925a06443edab94de1f00a1c21805@tracker.bro-ids.org>
References: <047.094925a06443edab94de1f00a1c21805@tracker.bro-ids.org>
Message-ID: <062.0c77db4f174ff2924a2b337bb53000e7@tracker.bro-ids.org>

#681: Control characters is ASCII output
----------------------+----------------------
  Reporter:  robin    |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------

Comment (by robin):

On Thu, Dec 01, 2011 at 15:46 -0000, you wrote:

> here, but don't worry if you can't figure it out.  This problem has been
> fairly rare for me and seems to show up randomly so we can bump it back if

It's not that rare, I see it regularly with the external/ test-suite on a
Linux system.  Usually, re-running gets rid of it, but it's a bit annoying.

Robin

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From robin at icir.org Thu Dec 1 08:43:10 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 1 Dec 2011 08:43:10 -0800
Subject: [Bro-Dev] Deprecating events
In-Reply-To: <20111201103809.0161C2C400E@rock.ICSI.Berkeley.EDU>
References: <20111130171648.GI96269@icir.org> <20111201103809.0161C2C400E@rock.ICSI.Berkeley.EDU>
Message-ID: <20111201164310.GE41965@icir.org>

On Thu, Dec 01, 2011 at 02:38 -0800, you wrote:

> awkward to explain.  So my vote is to just label them as "internal to
> the stepping-stone detector".

Makes sense (the stepping stone detector isn't ported to 2.0 yet though,
like a few other scripts).

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From bro at tracker.bro-ids.org Thu Dec 1 09:08:09 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 17:08:09 -0000
Subject: [Bro-Dev] #675: enum values in log output can be ambitious
In-Reply-To: <047.4f1dd8bfa80747c53415ac796804b4c9@tracker.bro-ids.org>
References: <047.4f1dd8bfa80747c53415ac796804b4c9@tracker.bro-ids.org>
Message-ID: <062.e69e263e2f4c1fcb5cb11f2ac36a93aa@tracker.bro-ids.org>

#675: enum values in log output can be ambitious
---------------------------+--------------------
  Reporter:  robin         |      Owner:
      Type:  Problem       |     Status:  closed
  Priority:  Normal        |  Milestone:  Bro2.0
 Component:  Bro           |    Version:
Resolution:  Works for Me  |   Keywords:
---------------------------+--------------------
Changes (by seth):

 * status:  new => closed
 * resolution:  => Works for Me

Comment:

Enums are always written out fully expanded (logging framework and plain
print).  You changed this behavior for me a while ago because I was running
into trouble with them not being expanded.  Here's an example I wrote:

{{{
module Other;
export {
	type MyEnum: enum { blue };
}

module M1;
export {
	redef enum Other::MyEnum += { green };
}

module M2;
export {
	# Same bare name as M1::green, but a distinct value (M2::green).
	redef enum Other::MyEnum += { green };
}

module Mine;
export {
	redef enum Log::ID += { LOG };
	type Info: record {
		enum_val: Other::MyEnum &log;
	};
}

event bro_init()
	{
	Log::create_stream(Mine::LOG, [$columns=Info]);
	# Logged as the fully qualified name, so it cannot be confused with M1::green.
	Log::write(Mine::LOG, [$enum_val=M2::green]);
	}
}}}

This output a file named mine.log with these contents:

{{{
#separator \x09
#path	mine
#fields	enum_val
#types	enum
M2::green
}}}

The only additional change I can think of is that we probably need to
indicate which enum type the value is in the headers but I think Bernhard
has already addressed that in the input framework branch.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 09:08:52 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 17:08:52 -0000
Subject: [Bro-Dev] #664: Interesting_Hostname_Login misleading
In-Reply-To: <047.2320a3af2d40dde4b0878f0150e175de@tracker.bro-ids.org>
References: <047.2320a3af2d40dde4b0878f0150e175de@tracker.bro-ids.org>
Message-ID: <062.d7f047a0d4685f7676b912eddbd00cda@tracker.bro-ids.org>

#664: Interesting_Hostname_Login misleading
----------------------+----------------------
  Reporter:  robin    |      Owner:  seth
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------
Changes (by seth):

 * owner:  => seth
 * status:  new => assigned

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 09:09:47 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 17:09:47 -0000
Subject: [Bro-Dev] #669: Bro-cut fails when no gawk is present
In-Reply-To: <054.8d38b264fc49b0372d0d839413ccf3c4@tracker.bro-ids.org>
References: <054.8d38b264fc49b0372d0d839413ccf3c4@tracker.bro-ids.org>
Message-ID: <069.d3da2b4af978f9ce45ef79e74f5ed659@tracker.bro-ids.org>

#669: Bro-cut fails when no gawk is present
---------------------------+----------------------
  Reporter:  david.bianco  |      Owner:
      Type:  Problem       |     Status:  closed
  Priority:  Normal        |  Milestone:  Bro2.0
 Component:  Bro           |    Version:  2.0 Beta
Resolution:  Duplicate     |   Keywords:
---------------------------+----------------------
Changes (by seth):

 * status:  new => closed
 * resolution:  => Duplicate

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 09:11:03 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 17:11:03 -0000
Subject: [Bro-Dev] #668: Please support UTC conversion in bro-cut
In-Reply-To: <054.642e0955ca3b58a1649cb85169342f62@tracker.bro-ids.org>
References: <054.642e0955ca3b58a1649cb85169342f62@tracker.bro-ids.org>
Message-ID: <069.261207e24f63af3503b145c0cb5beb24@tracker.bro-ids.org>

#668: Please support UTC conversion in bro-cut
------------------------------+----------------------
  Reporter:  david.bianco     |      Owner:  robin
      Type:  Feature Request  |     Status:  assigned
  Priority:  Normal           |  Milestone:  Bro2.0
 Component:  Bro              |    Version:  2.0 Beta
Resolution:                   |   Keywords:
------------------------------+----------------------
Changes (by seth):

 * owner:  => robin
 * status:  new => assigned

Comment:

I think we should support this with the same argument that cf uses (-c) and
keep the default as local time.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 09:11:29 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 17:11:29 -0000
Subject: [Bro-Dev] #653: bro-cut does not work with mawk
In-Reply-To: <050.b131409afa45c564960b689e75d671f3@tracker.bro-ids.org>
References: <050.b131409afa45c564960b689e75d671f3@tracker.bro-ids.org>
Message-ID: <065.25e1910d6e47efef62cc920b7983614e@tracker.bro-ids.org>

#653: bro-cut does not work with mawk
-----------------------+------------------------
  Reporter:  dnthayer  |      Owner:  robin
      Type:  Problem   |     Status:  assigned
  Priority:  Normal    |  Milestone:  Bro2.0
 Component:  bro-aux   |    Version:  git/master
Resolution:            |   Keywords:
-----------------------+------------------------
Changes (by seth):

 * owner:  => robin
 * status:  new => assigned

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 09:12:50 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 17:12:50 -0000
Subject: [Bro-Dev] #342: Add payload to ICMP analyzer
In-Reply-To: <046.dc4cf3cae0b93ae2cca66efcf0ce60b4@tracker.bro-ids.org>
References: <046.dc4cf3cae0b93ae2cca66efcf0ce60b4@tracker.bro-ids.org>
Message-ID: <061.0f59eabb2b3d710eb75e2dcf1b66b767@tracker.bro-ids.org>

#342: Add payload to ICMP analyzer
---------------------+--------------------
  Reporter:  seth    |      Owner:
      Type:  Patch   |     Status:  new
  Priority:  Normal  |  Milestone:  Bro2.1
 Component:  Bro     |    Version:  1.5.2
Resolution:          |   Keywords:
---------------------+--------------------
Changes (by seth):

 * milestone:  Bro2.0 => Bro2.1

Comment:

This is too deep of a change to happen at this point for the 2.0 release.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 09:14:49 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 17:14:49 -0000
Subject: [Bro-Dev] #677: diff-all problem with testing
In-Reply-To: <047.9158b91f8c87419388ef4a41186b3862@tracker.bro-ids.org>
References: <047.9158b91f8c87419388ef4a41186b3862@tracker.bro-ids.org>
Message-ID: <062.4c8e7fef583c8a8038777292000251d9@tracker.bro-ids.org>

#677: diff-all problem with testing
----------------------+----------------------
  Reporter:  robin    |      Owner:  robin
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------
Changes (by seth):

 * owner:  => robin
 * status:  new => assigned

Comment:

Are you planning to fix this for the 2.0 release or do you want to bump it
back?

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 09:18:09 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 17:18:09 -0000
Subject: [Bro-Dev] #704: use of $BRO_LOG_SUFFIX
In-Reply-To: <046.a58006125a50eea1b4c28ca8e55b2431@tracker.bro-ids.org>
References: <046.a58006125a50eea1b4c28ca8e55b2431@tracker.bro-ids.org>
Message-ID: <061.937846f4ac91990c44736a79e658dd89@tracker.bro-ids.org>

#704: use of $BRO_LOG_SUFFIX
----------------------+----------------------
  Reporter:  vern     |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------
Changes (by seth):

 * owner:  => jsiwek
 * status:  new => assigned

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 09:18:59 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 17:18:59 -0000
Subject: [Bro-Dev] #677: diff-all problem with testing
In-Reply-To: <047.9158b91f8c87419388ef4a41186b3862@tracker.bro-ids.org>
References: <047.9158b91f8c87419388ef4a41186b3862@tracker.bro-ids.org>
Message-ID: <062.09fc043abb24146d9ea4d9b425f2ef53@tracker.bro-ids.org>

#677: diff-all problem with testing
----------------------+----------------------
  Reporter:  robin    |      Owner:  robin
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------

Comment (by robin):

I'm thinking `diff-all` could expand the wildcard in both the current work
directory and the baseline directory, and use the join of the two sets of
files.  I'll see if I can get it to work quickly.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From robin at icir.org Thu Dec 1 09:27:22 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 1 Dec 2011 09:27:22 -0800
Subject: [Bro-Dev] Call for opinions on logging framework syntax problem
In-Reply-To: <04C960E7-9B00-4802-A656-EAC98C1EAC94@icir.org>
References: <40827F30-AF22-4993-885D-0A9C6B25C499@icsi.berkeley.edu>
	<4ED59D20.9050805@icir.org> <20111130163243.GE96269@icir.org>
	<4ED68816.6000806@icir.org> <0D291BCB-E411-4A22-96BA-6C1AD1C5DF86@icir.org>
	<54AA1654-DC45-4EF1-B5E7-80C035BAC91D@ICSI.Berkeley.EDU>
	<04C960E7-9B00-4802-A656-EAC98C1EAC94@icir.org>
Message-ID: <20111201172722.GH41965@icir.org>

So looks like we don't really have much of a better idea than using the
attribute Bernhard originally proposed?  (At least nothing short of
removing the port type altogether ...)

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From seth at icir.org Thu Dec 1 09:43:16 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 1 Dec 2011 12:43:16 -0500
Subject: [Bro-Dev] Call for opinions on logging framework syntax problem
In-Reply-To: <20111201172722.GH41965@icir.org>
References: <40827F30-AF22-4993-885D-0A9C6B25C499@icsi.berkeley.edu>
	<4ED59D20.9050805@icir.org> <20111130163243.GE96269@icir.org>
	<4ED68816.6000806@icir.org> <0D291BCB-E411-4A22-96BA-6C1AD1C5DF86@icir.org>
	<54AA1654-DC45-4EF1-B5E7-80C035BAC91D@ICSI.Berkeley.EDU>
	<04C960E7-9B00-4802-A656-EAC98C1EAC94@icir.org>
	<20111201172722.GH41965@icir.org>
Message-ID:

On Dec 1, 2011, at 12:27 PM, Robin Sommer wrote:

> So looks like we don't really have much of a better idea than using
> the attribute Bernhard originally proposed?  (At least nothing short of
> removing the port type altogether ...)

I think that's correct.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Thu Dec 1 09:51:27 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 1 Dec 2011 09:51:27 -0800
Subject: [Bro-Dev] Empty log fields
In-Reply-To: <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu>
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu>
Message-ID: <20111201175127.GB57452@icir.org>

On Wed, Nov 30, 2011 at 00:59 +0000, you wrote:

> I vote 2.

:-) isn't democracy grand?  Ok, let's do it the way any good democracy
deals with different opinions[1]: we don't do any of the original
suggestions.  I can live with Seth's "nil" as well.  Deal?

Robin

[1] No, that's *not* filibustering.

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From vallentin at icir.org Thu Dec 1 09:53:23 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Thu, 1 Dec 2011 09:53:23 -0800
Subject: [Bro-Dev] Empty log fields
In-Reply-To: <20111201175127.GB57452@icir.org>
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org>
Message-ID:

> I can live with Seth's "nil" as well.  Deal?

Deal.

    Matthias

From bro at tracker.bro-ids.org Thu Dec 1 10:38:14 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 18:38:14 -0000
Subject: [Bro-Dev] #493: RemoteSerializer::Log method should give peer to remote_log event
In-Reply-To: <046.92af99e6494fd1fafea993dd0397bf7b@tracker.bro-ids.org>
References: <046.92af99e6494fd1fafea993dd0397bf7b@tracker.bro-ids.org>
Message-ID: <061.018562545dbfb3757049a473a3956fdf@tracker.bro-ids.org>

#493: RemoteSerializer::Log method should give peer to remote_log event
------------------------------+----------------------
  Reporter:  seth             |      Owner:  jsiwek
      Type:  Feature Request  |     Status:  assigned
  Priority:  Normal           |  Milestone:  Bro2.0
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:
------------------------------+----------------------

Comment (by jsiwek):

Replying to [comment:1 seth]:
> This is line 2930 in RemoteSerializer.cc.  2930-2933 need to be removed
> and an instance of the event_peer record needs to be created and included
> with the remote_log event.

In that code, there's not always a `Peer` object which can be included in
the `remote_log` event as an `event_peer` record.  I just wrote the code to
create a new `remote_log_peer` event that's the same as `remote_log`, but
has an added `event_peer` parameter, is there another solution that seems
better?

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From seth at icir.org Thu Dec 1 10:46:28 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 1 Dec 2011 13:46:28 -0500
Subject: [Bro-Dev] Empty log fields
In-Reply-To: <20111201175127.GB57452@icir.org>
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org>
Message-ID: <854FC9F4-1582-4DEB-B874-2F21F61AFA08@icir.org>

On Dec 1, 2011, at 12:51 PM, Robin Sommer wrote:

> I can live with Seth's "nil" as well.  Deal?

I guess I can live with that but I wish that ascii included Matthias'
suggestion of the null character.  Weirdly, I think that would be best
since empty string and no value would both be represented by a single
byte.  nil it is.

> [1] No, that's *not* filibustering.

Yeah, congress doesn't filibuster either.  They only need to *threaten*
that they will.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From seth at icir.org Thu Dec 1 11:16:08 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 1 Dec 2011 14:16:08 -0500
Subject: [Bro-Dev] generation of loaded_scripts.log
In-Reply-To: <20111201103746.6B32D2C400E@rock.ICSI.Berkeley.EDU>
References: <20111201103746.6B32D2C400E@rock.ICSI.Berkeley.EDU>
Message-ID: <52034FD9-A23A-414D-BF27-1B0D6EB2FA78@icir.org>

On Dec 1, 2011, at 5:37 AM, Vern Paxson wrote:

>> The misc/loaded-scripts script is loaded in the local script.
>
> This is the part that's not so obvious to me.  I guess the rationale
> is "who knows what junk might be in local/ ...." ?

Basically.  Do you think that local.bro should be more well defined?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From bro at tracker.bro-ids.org Thu Dec 1 11:26:18 2011
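The tab-separated ASCII layout shown in ticket #675 (a `#separator` line, then `#path`, `#fields` and `#types` headers, then one record per line) together with the "nil" marker settled on in the Empty log fields thread is enough to write a small reader that keeps an unset field distinct from an empty string. The following is an added example, not Bro's own code and not bro-cut; it assumes that `nil` is the unset marker, that an empty field is literally zero bytes between two separators, and that the header keys seen on the page are the only ones that need interpreting. The sample log embedded in it is constructed for the demonstration.

```python
"""Reader for the ASCII log layout shown in ticket #675.

Added example, not Bro's own code.  Assumptions (not stated on the page):
- "nil" is the unset-field marker the thread settled on;
- an empty field (zero bytes between two separators) is an empty string,
  so "" and unset stay distinguishable;
- only the header keys seen on the page (#separator, #path, #fields,
  #types) are interpreted; other '#' lines are ignored.
"""
import re
from typing import Any, Dict, List, Optional

UNSET_MARKER = "nil"  # assumption: the marker agreed in the "Empty log fields" thread


def decode_separator(escaped: str) -> str:
    r"""Turn the escaped '#separator' value (e.g. '\x09') into the real character."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), escaped)


def convert(value: str, typ: str) -> Any:
    """Convert one column according to its '#types' entry; None means unset."""
    if value == UNSET_MARKER:
        return None
    if typ in ("count", "int"):
        return int(value)
    if typ in ("double", "time", "interval"):
        return float(value)
    if typ == "bool":
        return value == "T"
    if typ.startswith(("set[", "vector[")):
        # container columns are comma-joined; an empty container is ""
        return [] if value == "" else value.split(",")
    # enum, string, addr, port, subnet: keep the text as written
    return value


def parse_log(text: str) -> Dict[str, Any]:
    """Parse a whole log; returns path, fields, types and typed rows."""
    sep = "\t"
    path: Optional[str] = None
    fields: List[str] = []
    types: List[str] = []
    rows: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # the separator line is the only header delimited by a space,
            # because the separator itself is not known yet
            sep = decode_separator(line[len("#separator "):])
        elif line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "path":
                path = rest
            elif key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
        elif line:
            cols = line.split(sep)
            if len(cols) != len(fields) or len(types) != len(fields):
                raise ValueError(f"column count mismatch in {line!r}")
            rows.append({f: convert(v, t)
                         for f, v, t in zip(fields, cols, types)})
    return {"path": path, "fields": fields, "types": types, "rows": rows}


def unset_columns(row: Dict[str, Any]) -> List[str]:
    """Names of the columns that were unset (not merely empty) in a row."""
    return [name for name, value in row.items() if value is None]


# Constructed sample in the layout from ticket #675, extended with a string
# and a count column so that both an empty and an unset field appear.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#path\tmine\n"
    "#fields\tenum_val\tnote\tsize\n"
    "#types\tenum\tstring\tcount\n"
    "M2::green\t\t3\n"          # 'note' is empty, 'size' is 3
    "Other::blue\tnil\tnil\n"   # 'note' and 'size' are unset
)

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for row in parsed["rows"]:
        print(row, "unset:", unset_columns(row))
```

The point of the two sample records is the distinction the thread is arguing about: the first row carries an empty `note` that comes back as `""`, while the second row's `nil` columns come back as `None`, so downstream code can tell "the analyzer saw nothing" apart from "the analyzer saw an empty value".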
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 19:26:18 -0000
Subject: [Bro-Dev] #606: broccoli and connection records
In-Reply-To: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org>
References: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org>
Message-ID: <061.68d65dc2918c67bec6c5fcbb97f1235c@tracker.bro-ids.org>

#606: broccoli and connection records
-----------------------+----------------------
  Reporter:  seth      |      Owner:  kreibich
      Type:  Problem   |     Status:  accepted
  Priority:  Normal    |  Milestone:
 Component:  Broccoli  |    Version:
Resolution:            |   Keywords:
-----------------------+----------------------

Comment (by kreibich):

Yeah, check out commit bc797f1.  Basically, due to the fact that nowadays
the connection record pulls in a whole bunch of stuff via redefs,
Broccoli's lack of certain types caused a bunch of problems.  I added
enum, vector, and file types.  We have one problem remaining: attributes
with expressions, such as "&default=0", which would in principle require
Broccoli to support parsing the whole expression hierarchy.  That makes
little sense, so we've added a capability bit that Broccoli now always
sends upon handshake, and Bro will subsequently (once Robin tweaks the
code) simply not send problematic objects to Broccoli peers.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From vern at icir.org Thu Dec 1 11:34:54 2011
From: vern at icir.org (Vern Paxson)
Date: Thu, 01 Dec 2011 11:34:54 -0800
Subject: [Bro-Dev] generation of loaded_scripts.log
In-Reply-To: <52034FD9-A23A-414D-BF27-1B0D6EB2FA78@icir.org> (Thu, 01 Dec 2011 14:16:08 EST).
Message-ID: <20111201193454.F196E2C400A@rock.ICSI.Berkeley.EDU>

> >> The misc/loaded-scripts script is loaded in the local script.
> >
> > This is the part that's not so obvious to me.  I guess the rationale
> > is "who knows what junk might be in local/ ...." ?
>
> Basically.  Do you think that local.bro should be more well defined?

No, I just am not sure I see that its grab-bag nature means that
misc/loaded-scripts should necessarily be itself loaded.  But if you think
it's appropriate to do so, it's okay by me.

		Vern

From bro at tracker.bro-ids.org Thu Dec 1 11:49:57 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 19:49:57 -0000
Subject: [Bro-Dev] #606: broccoli and connection records
In-Reply-To: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org>
References: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org>
Message-ID: <061.f322ef085d49635f2a8ffdd6d1394786@tracker.bro-ids.org>

#606: broccoli and connection records
-----------------------+----------------------
  Reporter:  seth      |      Owner:  kreibich
      Type:  Problem   |     Status:  accepted
  Priority:  Normal    |  Milestone:  Bro2.0
 Component:  Broccoli  |    Version:
Resolution:            |   Keywords:
-----------------------+----------------------
Changes (by seth):

 * milestone:  => Bro2.0

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 12:04:19 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 01 Dec 2011 20:04:19 -0000
Subject: [Bro-Dev] #606: broccoli and connection records
In-Reply-To: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org>
References: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org>
Message-ID: <061.5072085d1bb524ecf2ce2af808001f42@tracker.bro-ids.org>

#606: broccoli and connection records
-----------------------+----------------------
  Reporter:  seth      |      Owner:  kreibich
      Type:  Problem   |     Status:  accepted
  Priority:  Normal    |  Milestone:  Bro2.0
 Component:  Broccoli  |    Version:
Resolution:            |   Keywords:
-----------------------+----------------------

Comment (by robin):

In [18d968adcd300425c2c540677d6e5a8c621467a3/bro]:
{{{
#!CommitTicketReference repository="bro" revision="18d968adcd300425c2c540677d6e5a8c621467a3"
Adapting attribute serialization when talking to Broccoli.

Broccoli doesn't support expressions, and we now no longer send them
when serializing attributes.  This is the Bro change mentioned in #606.
It needs a correspondingly modified Broccoli identifying itself as
such, and it isn't tested yet ...

Addresses #606.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 1 12:08:52 2011
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 01 Dec 2011 20:08:52 -0000 Subject: [Bro-Dev] #493: RemoteSerializer::Log method should give peer to remote_log event In-Reply-To: <046.92af99e6494fd1fafea993dd0397bf7b@tracker.bro-ids.org> References: <046.92af99e6494fd1fafea993dd0397bf7b@tracker.bro-ids.org> Message-ID: <061.4581cf23fd644c1e89ceb4648f3e5f64@tracker.bro-ids.org> #493: RemoteSerializer::Log method should give peer to remote_log event ------------------------------+---------------------- Reporter: seth | Owner: jsiwek Type: Feature Request | Status: assigned Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Resolution: | Keywords: ------------------------------+---------------------- Comment (by jsiwek): In [0c8b5a712d1d3117e19b8fb13dbd505938dba75d/bro]: {{{ #!CommitTicketReference repository="bro" revision="0c8b5a712d1d3117e19b8fb13dbd505938dba75d" Add a remote_log_peer event which contains an event_peer record param. Addresses #493. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From vern at icir.org Thu Dec 1 12:15:44 2011 From: vern at icir.org (Vern Paxson) Date: Thu, 01 Dec 2011 12:15:44 -0800 Subject: [Bro-Dev] Call for opinions on logging framework syntax problem In-Reply-To: <20111130163103.GD96269@icir.org> (Wed, 30 Nov 2011 08:31:03 PST). Message-ID: <20111201201544.F24142C400A@rock.ICSI.Berkeley.EDU> > > If we started using counts for port values (and get rid of the port > > type?) and add a $proto field to conn_id does that break any existing > > assumptions within the language? > > Vern might know whether there's anything that would severely break but > my guess is that in principle we could do that. I suspect it would be a mess. But, more fundamentally, I really resist getting rid of ports as a built-in type. Vern From bro at tracker.bro-ids.org Thu Dec 1 13:12:45 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 01 Dec 2011 21:12:45 -0000 Subject: [Bro-Dev] #608: broctl print times out if the table is too big In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> Message-ID: <064.bfabaa37b5cfb1aa86fa628de2e1d3b6@tracker.bro-ids.org> #608: broctl print times out if the table is too big ----------------------+------------------------ Reporter: aashish | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by seth): I'm going to try creating a test case for this soon. If I can't create a test case and no one else stands up and creates a test case I'm going to bump this ticket back. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 13:13:52 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 01 Dec 2011 21:13:52 -0000 Subject: [Bro-Dev] #706: Framework Documentation Package 1 Message-ID: <046.0094aad7fdf918d4b7c290b5a6d75304@tracker.bro-ids.org> #706: Framework Documentation Package 1 --------------------+-------------------- Reporter: seth | Owner: Type: Task | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Keywords: | --------------------+-------------------- init-bare.bro This one is enough of a bare (bear!) that it gets its own package. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 13:14:30 2011
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 01 Dec 2011 21:14:30 -0000 Subject: [Bro-Dev] #707: Framework Documentation Package 2 Message-ID: <046.e9e5405a5f8003302e4e37bcf4a08cf1@tracker.bro-ids.org> #707: Framework Documentation Package 2 --------------------+-------------------- Reporter: seth | Owner: Type: Task | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Keywords: | --------------------+-------------------- Cluster framework Communication framework Reporter framework Logging framework -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 13:15:06 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 01 Dec 2011 21:15:06 -0000 Subject: [Bro-Dev] #708: Framework Documentation Package 3 Message-ID: <046.00995ae87d9659b0e30d35895689a37c@tracker.bro-ids.org> #708: Framework Documentation Package 3 --------------------+-------------------- Reporter: seth | Owner: Type: Task | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Keywords: | --------------------+-------------------- Notice framework Signature framework Packet Filter framework DPD framework. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 13:15:45 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 01 Dec 2011 21:15:45 -0000 Subject: [Bro-Dev] #709: Framework Documentation Package 4 Message-ID: <046.992c96e6db16fdf1fb40e698b4833ac4@tracker.bro-ids.org> #709: Framework Documentation Package 4 --------------------+-------------------- Reporter: seth | Owner: Type: Task | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Keywords: | --------------------+-------------------- Software framework Metrics framework Intelligence (intel) framework Control framework -- Ticket URL: Bro Tracker Bro Issue Tracker From seth at icir.org Thu Dec 1 13:19:40 2011 
From: seth at icir.org (Seth Hall) Date: Thu, 1 Dec 2011 16:19:40 -0500 Subject: [Bro-Dev] Call for opinions on logging framework syntax problem In-Reply-To: <20111201201544.F24142C400A@rock.ICSI.Berkeley.EDU> References: <20111201201544.F24142C400A@rock.ICSI.Berkeley.EDU> Message-ID: <679F1D06-E759-456F-AF82-34F466834607@icir.org> On Dec 1, 2011, at 3:15 PM, Vern Paxson wrote: > I suspect it would be a mess. But, more fundamentally, I really resist > getting rid of ports as a built-in type. Heh, although this thread may not indicate it I was intensely conflicted when I wrote about removing the type. If you think keeping it is the right thing, that's enough for me. Now the conversation can turn to how to work with the type correctly. I'll think about it more. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From bro at tracker.bro-ids.org Thu Dec 1 14:15:32 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 01 Dec 2011 22:15:32 -0000 Subject: [Bro-Dev] #493: RemoteSerializer::Log method should give peer to remote_log event In-Reply-To: <046.92af99e6494fd1fafea993dd0397bf7b@tracker.bro-ids.org> References: <046.92af99e6494fd1fafea993dd0397bf7b@tracker.bro-ids.org> Message-ID: <061.a4223b2938deeaabe4e42cdf8aa633dc@tracker.bro-ids.org> #493: RemoteSerializer::Log method should give peer to remote_log event ----------------------------+---------------------- Reporter: seth | Owner: jsiwek Type: Merge Request | Status: assigned Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Resolution: | Keywords: ----------------------------+---------------------- Changes (by jsiwek): * type: Feature Request => Merge Request Comment: In `topic/jsiwek/remote-log-peer`. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 14:20:59 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 01 Dec 2011 22:20:59 -0000 Subject: [Bro-Dev] #704: use of $BRO_LOG_SUFFIX In-Reply-To: <046.a58006125a50eea1b4c28ca8e55b2431@tracker.bro-ids.org> References: <046.a58006125a50eea1b4c28ca8e55b2431@tracker.bro-ids.org> Message-ID: <061.d9cc6b46f57fd0a15d4d18b6a9416da0@tracker.bro-ids.org> #704: use of $BRO_LOG_SUFFIX ----------------------+---------------------- Reporter: vern | Owner: jsiwek Type: Problem | Status: assigned Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Resolution: | Keywords: ----------------------+---------------------- Comment (by jsiwek): In [edc0a451f8d72c2f14990498ba105047aecca0a5/bro]: {{{ #!CommitTicketReference repository="bro" revision="edc0a451f8d72c2f14990498ba105047aecca0a5" Teach LogWriterAscii to use BRO_LOG_SUFFIX env. var. (addresses #704) }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 14:25:26 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 01 Dec 2011 22:25:26 -0000 Subject: [Bro-Dev] #704: use of $BRO_LOG_SUFFIX In-Reply-To: <046.a58006125a50eea1b4c28ca8e55b2431@tracker.bro-ids.org> References: <046.a58006125a50eea1b4c28ca8e55b2431@tracker.bro-ids.org> Message-ID: <061.ec834a7644e1d5561d9aa67bebb23077@tracker.bro-ids.org> #704: use of $BRO_LOG_SUFFIX ----------------------------+---------------------- Reporter: vern | Owner: jsiwek Type: Merge Request | Status: assigned Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Resolution: | Keywords: ----------------------------+---------------------- Changes (by jsiwek): * type: Problem => Merge Request Comment: Fixed in `topic/jsiwek/bro-log-suffix`. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 15:20:58 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 01 Dec 2011 23:20:58 -0000 Subject: [Bro-Dev] #608: broctl print times out if the table is too big In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> Message-ID: <064.ce29e6df0c13e6ce4032c1fe2a3c2fa2@tracker.bro-ids.org> #608: broctl print times out if the table is too big ----------------------+------------------------ Reporter: aashish | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by aashish): Just add 5000 IP's to a table and you should have a test case. If that doesn't work, let me know. Aashish On Thu, Dec 01, 2011 at 09:12:45PM -0000, Bro Tracker wrote: > #608: broctl print times out if the table is too big > ----------------------+------------------------ > Reporter: aashish | Owner: > Type: Problem | Status: new > Priority: Normal | Milestone: Bro2.0 > Component: Bro | Version: git/master > Resolution: | Keywords: > ----------------------+------------------------ > > Comment (by seth): > > I'm going to try creating a test case for this soon. If I can't create a > test case and no one else stands up and creates a test case I'm going to > bump this ticket back. > > -- > Ticket URL: > Bro Tracker > Bro Issue Tracker -- Ticket URL: Bro Tracker Bro Issue Tracker From asharma at lbl.gov Thu Dec 1 15:20:48 2011
From: asharma at lbl.gov (Aashish Sharma) Date: Thu, 1 Dec 2011 15:20:48 -0800 Subject: [Bro-Dev] #608: broctl print times out if the table is too big In-Reply-To: <064.bfabaa37b5cfb1aa86fa628de2e1d3b6@tracker.bro-ids.org> References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> <064.bfabaa37b5cfb1aa86fa628de2e1d3b6@tracker.bro-ids.org> Message-ID: <20111201232047.GO31929@f0-4d-a2-28-3c-de.dhcp.lbl.gov> Just add 5000 IP's to a table and you should have a test case. If that doesn't work, let me know. Aashish On Thu, Dec 01, 2011 at 09:12:45PM -0000, Bro Tracker wrote: > #608: broctl print times out if the table is too big > ----------------------+------------------------ > Reporter: aashish | Owner: > Type: Problem | Status: new > Priority: Normal | Milestone: Bro2.0 > Component: Bro | Version: git/master > Resolution: | Keywords: > ----------------------+------------------------ > > Comment (by seth): > > I'm going to try creating a test case for this soon. If I can't create a > test case and no one else stands up and creates a test case I'm going to > bump this ticket back. > > -- > Ticket URL: > Bro Tracker > Bro Issue Tracker -- Aashish Sharma (asharma at lbl.gov) Cyber Security, Information Technology Division Lawrence Berkeley National Laboratory http://www.lbl.gov/cyber/pgp-aashish.txt Office: (510)-495-2680 Cell: (510)-457-1525 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20111201/ce275cae/attachment.bin From bro at tracker.bro-ids.org Thu Dec 1 17:02:55 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 01:02:55 -0000 Subject: [Bro-Dev] #668: Please support UTC conversion in bro-cut In-Reply-To: <054.642e0955ca3b58a1649cb85169342f62@tracker.bro-ids.org> References: <054.642e0955ca3b58a1649cb85169342f62@tracker.bro-ids.org> Message-ID: <069.2e8a872a1aaddb9fdf5ac3a13d1c92fc@tracker.bro-ids.org> #668: Please support UTC conversion in bro-cut ------------------------------+---------------------- Reporter: david.bianco | Owner: robin Type: Feature Request | Status: assigned Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: 2.0 Beta Resolution: | Keywords: ------------------------------+---------------------- Comment (by robin): -c is already used for passing through the *c*omment header. Do we want to change the existing option to something else? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 18:05:16 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 02:05:16 -0000 Subject: [Bro-Dev] #657: Change bro-cut for general timestamp conversion. In-Reply-To: <046.9668fa90eb8243c2b8a9c55df2a6a329@tracker.bro-ids.org> References: <046.9668fa90eb8243c2b8a9c55df2a6a329@tracker.bro-ids.org> Message-ID: <061.f45f89b9524ea8c6c728f75f40317593@tracker.bro-ids.org> #657: Change bro-cut for general timestamp conversion. ------------------------------+------------------------ Reporter: seth | Owner: robin Type: Feature Request | Status: new Priority: Normal | Milestone: Bro2.0 Component: bro-aux | Version: git/master Resolution: | Keywords: ------------------------------+------------------------ Comment (by robin): I'm going to do the first part of this ticket, but the 2nd is out of scope for now, that's better left to a more general log processor (next thing you'll ask is <,>,!=; then boolean operators; and then ? :-) -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 18:05:41 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 02:05:41 -0000 Subject: [Bro-Dev] #649: Output field separator to bro-cut In-Reply-To: <050.6ad25768f67caa0673a494593b5768e1@tracker.bro-ids.org> References: <050.6ad25768f67caa0673a494593b5768e1@tracker.bro-ids.org> Message-ID: <065.65e732c2946ae4bb3a95fde7db42d3ee@tracker.bro-ids.org> #649: Output field separator to bro-cut ------------------------------+------------------------ Reporter: matthias | Owner: robin Type: Feature Request | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: git/master Resolution: | Keywords: bro-cut ------------------------------+------------------------ Comment (by robin): In [9a8a5d9e18b2cc0821fd1bcf1a6f7a5c20a58e1b/bro-aux]: {{{ #!CommitTicketReference repository="bro-aux" revision="9a8a5d9e18b2cc0821fd1bcf1a6f7a5c20a58e1b" bro-cut extensions and fixes. - If no field names are given on the command line, we now pass through all fields. Addresses #657. - Removing some GNUism from awk script. Addresses #653. - Added option for time output in UTC. Addresses #668. - Added output field separator option -F. Addresses #649. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 18:05:41 2011
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 02:05:41 -0000 Subject: [Bro-Dev] #668: Please support UTC conversion in bro-cut In-Reply-To: <054.642e0955ca3b58a1649cb85169342f62@tracker.bro-ids.org> References: <054.642e0955ca3b58a1649cb85169342f62@tracker.bro-ids.org> Message-ID: <069.ba3629e20c7f0db3c9bf8157c4c93f75@tracker.bro-ids.org> #668: Please support UTC conversion in bro-cut ------------------------------+---------------------- Reporter: david.bianco | Owner: robin Type: Feature Request | Status: assigned Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: 2.0 Beta Resolution: | Keywords: ------------------------------+---------------------- Comment (by robin): In [9a8a5d9e18b2cc0821fd1bcf1a6f7a5c20a58e1b/bro-aux]: {{{ #!CommitTicketReference repository="bro-aux" revision="9a8a5d9e18b2cc0821fd1bcf1a6f7a5c20a58e1b" bro-cut extensions and fixes. - If no field names are given on the command line, we now pass through all fields. Addresses #657. - Removing some GNUism from awk script. Addresses #653. - Added option for time output in UTC. Addresses #668. - Added output field separator option -F. Addresses #649. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 18:05:41 2011
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 02:05:41 -0000 Subject: [Bro-Dev] #653: bro-cut does not work with mawk In-Reply-To: <050.b131409afa45c564960b689e75d671f3@tracker.bro-ids.org> References: <050.b131409afa45c564960b689e75d671f3@tracker.bro-ids.org> Message-ID: <065.e3e23440ba8d0ce88c261bd6facc08ae@tracker.bro-ids.org> #653: bro-cut does not work with mawk -----------------------+------------------------ Reporter: dnthayer | Owner: robin Type: Problem | Status: assigned Priority: Normal | Milestone: Bro2.0 Component: bro-aux | Version: git/master Resolution: | Keywords: -----------------------+------------------------ Comment (by robin): In [9a8a5d9e18b2cc0821fd1bcf1a6f7a5c20a58e1b/bro-aux]: {{{ #!CommitTicketReference repository="bro-aux" revision="9a8a5d9e18b2cc0821fd1bcf1a6f7a5c20a58e1b" bro-cut extensions and fixes. - If no field names are given on the command line, we now pass through all fields. Addresses #657. - Removing some GNUism from awk script. Addresses #653. - Added option for time output in UTC. Addresses #668. - Added output field separator option -F. Addresses #649. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 18:10:14 2011
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 02:10:14 -0000 Subject: [Bro-Dev] #606: broccoli and connection records In-Reply-To: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org> References: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org> Message-ID: <061.b4c63c8e9c8f5ebafee678d8721d0e30@tracker.bro-ids.org> #606: broccoli and connection records -----------------------+---------------------- Reporter: seth | Owner: seth Type: Problem | Status: assigned Priority: Normal | Milestone: Bro2.0 Component: Broccoli | Version: Resolution: | Keywords: -----------------------+---------------------- Changes (by robin): * owner: kreibich => seth * status: accepted => assigned Comment: The combination of modified Bro and Broccoli seems to work. Seth, can you confirm that this solves the problem? If so, I'll merge it in. -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Thu Dec 1 18:11:56 2011 From: robin at icir.org (Robin Sommer) Date: Thu, 1 Dec 2011 18:11:56 -0800 Subject: [Bro-Dev] Merge status Message-ID: <20111202021156.GJ62306@icir.org> Jfyi, I've merged in all pending merge requests and fastpath changes, but haven't pushed them yet as there are some baseline changes that I'm still confirming. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bro at tracker.bro-ids.org Thu Dec 1 18:13:23 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 02:13:23 -0000 Subject: [Bro-Dev] #710: Add notes to event.bif regarding inactive events Message-ID: <047.5c2783988d44625672ff8027b8143914@tracker.bro-ids.org> #710: Add notes to event.bif regarding inactive events --------------------+-------------------- Reporter: robin | Owner: robin Type: Task | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Keywords: | --------------------+-------------------- In Bro 2.0, not all events are raised by default. Need to go through event.bif one more time and add todos saying so. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 19:17:48 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 03:17:48 -0000 Subject: [Bro-Dev] #608: broctl print times out if the table is too big In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> Message-ID: <064.dd46b595062b396d7c54c3e6d8c86d6f@tracker.bro-ids.org> #608: broctl print times out if the table is too big ----------------------+------------------------ Reporter: aashish | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by seth): On Dec 1, 2011, at 6:20 PM, Aashish Sharma wrote: > Just add 5000 IP's to a table and you should have a test case. If that > doesn't work, let me know. I'll give that a try, thanks. -- Ticket URL: Bro Tracker Bro Issue Tracker From gregor at ICSI.Berkeley.EDU Thu Dec 1 19:57:46 2011 
From: gregor at ICSI.Berkeley.EDU (Gregor Maier) Date: Thu, 01 Dec 2011 19:57:46 -0800 Subject: [Bro-Dev] Call for opinions on logging framework syntax problem In-Reply-To: <20111201172722.GH41965@icir.org> References: <40827F30-AF22-4993-885D-0A9C6B25C499@icsi.berkeley.edu> <4ED59D20.9050805@icir.org> <20111130163243.GE96269@icir.org> <4ED68816.6000806@icir.org> <0D291BCB-E411-4A22-96BA-6C1AD1C5DF86@icir.org> <54AA1654-DC45-4EF1-B5E7-80C035BAC91D@ICSI.Berkeley.EDU> <04C960E7-9B00-4802-A656-EAC98C1EAC94@icir.org> <20111201172722.GH41965@icir.org> Message-ID: <4ED84CBA.2010906@icsi.berkeley.edu>
On 12/1/11 9:27 , Robin Sommer wrote: > So looks like we don't really have much of a better idea than using > the attribute Bernhard originally proposed? (At least nothing short of > removing the port type altogether ...)
I would still opt for making the logging framework log port and protocol as foo.port foo.proto! Vectors and sets of ports might be problematic but:
* It doesn't appear that vectors/sets of ports are currently used.
* How do I specify the attribute for sets/vectors of ports? For the whole vector at once?
* What if I want to add ports with different protocols to a set/vector (e.g., logging the now obsolete port_names or a set of sensitive ports).
* It feels really hack-y!
* Non-ASCII backends should be able to handle it fairly easily. (E.g., vector of ports in a relational DB would probably be modeled as a n:m relationship anyways)
* Need to find a solution for ASCII output of vectors/sets of ports. Maybe special case them
* BTW: if you have sets, vectors in the output, then the log file must also have an annotation to say what type is in the vector/set, right?
* Maybe we could use two columns in general but use the 80/tcp notation for sets/vectors? Or we just simply use a space or some other character to separate the port number and the protocol.
If you think that two columns don't work, then I would still prefer something like "80/tcp" in ASCII. Yes it duplicates the protocol but it's IMHO the cleaner solution than using the attribute. One argument for that is that it's printed in the same way a script writer would have to write it if it were a constant. cu Gregor -- Gregor Maier Int. Computer Science Institute (ICSI) 1947 Center St., Ste. 600 Berkeley, CA 94704, USA http://www.icir.org/gregor/ From seth at icir.org Thu Dec 1 20:10:52 2011
From: seth at icir.org (Seth Hall) Date: Thu, 1 Dec 2011 23:10:52 -0500 Subject: [Bro-Dev] Writing documentation Message-ID: <07E9537A-97C4-4CEC-A624-301A7635FD00@icir.org> For the people that knew this was coming, I'm splitting out the documentation on the tracker into bundles. I tried to keep it organized so that each bundle should be about as much work as the others. So far I have the frameworks split up and I'll be splitting up the protocols and other various documentation needy bits soon. Jon and I talked this afternoon and we decided that the right thing to do right now is just to write a very short blurb in the summary comment section (the ##! comments at the top) then make sure that everything in the export section is documented. That includes each field in record definitions, exported function prototypes, and configuration variables. In normal ## documentation comments, the first sentence is also special and is used as a summary somewhere. Jon, could you provide an actual explanation of what the first sentence is used for? I don't think I'm qualified to do it. :) Anyway, you should be able to claim tickets in the tracker by assigning them to yourself. If anyone that isn't listed as a developer on the tracker would like to get all masochistic and help out with documentation, get in touch with me and we'll work something out. Direct links to the current documentation bundles: http://tracker.bro-ids.org/bro/ticket/706 http://tracker.bro-ids.org/bro/ticket/707 http://tracker.bro-ids.org/bro/ticket/708 http://tracker.bro-ids.org/bro/ticket/709 .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From bro at tracker.bro-ids.org Thu Dec 1 20:20:22 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 04:20:22 -0000 Subject: [Bro-Dev] #709: Framework Documentation Package 4 In-Reply-To: <046.992c96e6db16fdf1fb40e698b4833ac4@tracker.bro-ids.org> References: <046.992c96e6db16fdf1fb40e698b4833ac4@tracker.bro-ids.org> Message-ID: <061.dfd460669fe62337408d468cb9d56aee@tracker.bro-ids.org> #709: Framework Documentation Package 4 ---------------------+---------------------- Reporter: seth | Owner: seth Type: Task | Status: assigned Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Resolution: | Keywords: ---------------------+---------------------- Changes (by seth): * owner: => seth * status: new => assigned -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 1 21:02:41 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 05:02:41 -0000 Subject: [Bro-Dev] #657: Change bro-cut for general timestamp conversion. In-Reply-To: <046.9668fa90eb8243c2b8a9c55df2a6a329@tracker.bro-ids.org> References: <046.9668fa90eb8243c2b8a9c55df2a6a329@tracker.bro-ids.org> Message-ID: <061.4e172a2196636fb0c519abb04e9a6d8a@tracker.bro-ids.org> #657: Change bro-cut for general timestamp conversion. ------------------------------+------------------------ Reporter: seth | Owner: robin Type: Feature Request | Status: new Priority: Normal | Milestone: Bro2.0 Component: bro-aux | Version: git/master Resolution: | Keywords: ------------------------------+------------------------ Comment (by seth): > (next thing > you'll ask is <,>,!=; then boolean operators; and then ? :-) You know me too well. :) -- Ticket URL: Bro Tracker Bro Issue Tracker From jsiwek at illinois.edu Fri Dec 2 07:28:31 2011 
From: jsiwek at illinois.edu (Siwek, Jonathan Luke) Date: Fri, 2 Dec 2011 15:28:31 +0000 Subject: [Bro-Dev] Writing documentation In-Reply-To: <07E9537A-97C4-4CEC-A624-301A7635FD00@icir.org> References: <07E9537A-97C4-4CEC-A624-301A7635FD00@icir.org> Message-ID: <97A0F075-4A6B-4F6D-8598-16CC36765F52@illinois.edu> > In normal ## documentation comments, the first sentence is also special and is used as a summary somewhere. Jon, could you provide an actual explanation of what the first sentence is used for? I don't think I'm qualified to do it. :) It's used in the Overview->Summary section of each script's documentation to give a short description of each Bro identifier that's being documented. e.g. see: http://www.bro-ids.org/documentation-git/scripts/base/protocols/ssl/main.html#summary which has a brief description of SSL::root_certs and then the more verbose docs for it are further down: http://www.bro-ids.org/documentation-git/scripts/base/protocols/ssl/main.html#id-SSL::root_certs +Jon From robin at icir.org Fri Dec 2 08:17:40 2011 
From: robin at icir.org (Robin Sommer) Date: Fri, 2 Dec 2011 08:17:40 -0800 Subject: [Bro-Dev] Call for opinions on logging framework syntax problem In-Reply-To: <4ED84CBA.2010906@icsi.berkeley.edu> References: <40827F30-AF22-4993-885D-0A9C6B25C499@icsi.berkeley.edu> <4ED59D20.9050805@icir.org> <20111130163243.GE96269@icir.org> <4ED68816.6000806@icir.org> <0D291BCB-E411-4A22-96BA-6C1AD1C5DF86@icir.org> <54AA1654-DC45-4EF1-B5E7-80C035BAC91D@ICSI.Berkeley.EDU> <04C960E7-9B00-4802-A656-EAC98C1EAC94@icir.org> <20111201172722.GH41965@icir.org> <4ED84CBA.2010906@icsi.berkeley.edu> Message-ID: <20111202161740.GD88523@icir.org> On Thu, Dec 01, 2011 at 19:57 -0800, you wrote: > * It feels really hack-y! Maybe, but all the two-column solutions even more! > If you think that two columns don't work, then I would still prefer > something like "80/tcp" in ASCII. Yes it duplicates the protocol but > it's IMHO the cleaner solution than using the attribute. One argument > for that is that it's printed in the same way a script writer would have > to write it if it were a constant. The argument against that is that now everybody reading the logs needs to parse the ports (rather than being able to just read integers). Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From gregor at icir.org Fri Dec 2 13:58:40 2011 
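The following is an added example, not code from Bro, bro-aux or any of the posters on this page. It serves two threads here at once: the bro-cut changes recorded in the tracker comments (passing through all fields when none are named, #657; UTC time output, #668; an output field separator, #649) and the port-logging exchange between Gregor and Robin just above. It reads a constructed Bro 2.0-style ASCII log whose port columns use the "80/tcp" form Gregor prefers, parses that form once into (number, protocol) in the way Robin notes every log consumer would then have to, and offers Gregor's two-column "foo.port foo.proto" layout as a transformation of the parsed records. The sample log, the ".proto" column suffix and the set of accepted transport names are this example's own assumptions.

```python
"""Added example (not Bro project code): a bro-cut-style reader for a
Bro 2.0 ASCII log that handles a "80/tcp" port column, UTC output and a
custom output separator, plus Gregor's two-column port layout."""
from datetime import datetime, timezone

# Constructed conn.log-like excerpt, not real traffic. Ports are written in
# the "80/tcp" ASCII form; "-" is Bro's unset marker (see #unset_field).
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\taddr\tport\taddr\tport\tenum\n"
    "1322784000.123456\t10.0.0.5\t53124/tcp\t192.0.2.10\t80/tcp\ttcp\n"
    "1322784001.000000\t10.0.0.5\t53125/udp\t192.0.2.53\t53/udp\tudp\n"
    "1322784002.500000\t10.0.0.7\t-\t192.0.2.10\t443/tcp\ttcp\n"
)
UNSET = "-"
# Transport names accepted in a port field; an assumption of this example.
TRANSPORTS = ("tcp", "udp", "icmp", "unknown")


def parse_port(text):
    """'80/tcp' -> (80, 'tcp'); the unset marker -> None; anything else raises.
    This is the parsing step Robin objects to: every consumer of a "80/tcp"
    column has to do it before treating the value as a number."""
    if text == UNSET:
        return None
    num, _, proto = text.partition("/")
    if not num.isdigit() or proto not in TRANSPORTS:
        raise ValueError(f"malformed port field: {text!r}")
    n = int(num)
    if n > 65535:
        raise ValueError(f"port out of range: {text!r}")
    return n, proto


def convert(typ, value):
    """Typed conversion for the column types the sample uses."""
    if value == UNSET:
        return None
    if typ == "time":
        return float(value)
    if typ == "port":
        return parse_port(value)
    return value  # addr, enum, string: keep as text


def parse_bro_log(text):
    """Return (fields, types, records) from a Bro ASCII log with header lines."""
    sep = "\t"
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The header value is an escaped literal such as \x09.
                sep = line[len("#separator "):].encode().decode("unicode_escape")
            elif line.startswith("#fields" + sep):
                fields = line.split(sep)[1:]
            elif line.startswith("#types" + sep):
                types = line.split(sep)[1:]
            continue
        if fields is None or types is None:
            raise ValueError("data line before #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append({f: convert(t, v) for f, t, v in zip(fields, types, values)})
    return fields, types, records


def format_value(value, typ, utc):
    """Render one value back to ASCII; time as UTC ISO-8601 when asked."""
    if value is None:
        return UNSET
    if typ == "time" and utc:
        return datetime.fromtimestamp(value, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if typ == "time":
        return f"{value:.6f}"
    if typ == "port":
        return f"{value[0]}/{value[1]}"
    return value


def cut(fields, types, records, wanted=None, utc=False, ofs="\t"):
    """bro-cut-like selection: no names -> all fields; utc -> -u; ofs -> -F."""
    wanted = wanted or fields
    typ_of = dict(zip(fields, types))
    unknown = [w for w in wanted if w not in typ_of]
    if unknown:
        raise KeyError(f"unknown field(s): {unknown}")
    return [ofs.join(format_value(r[w], typ_of[w], utc) for w in wanted) for r in records]


def two_column_view(fields, types, records):
    """Gregor's layout: each port column becomes <name> (a count) plus
    <name>.proto. The ".proto" suffix is this example's naming, not Bro's."""
    new_fields, new_types = [], []
    for f, t in zip(fields, types):
        new_fields.append(f)
        new_types.append("count" if t == "port" else t)
        if t == "port":
            new_fields.append(f + ".proto")
            new_types.append("enum")
    new_records = []
    for r in records:
        nr = {}
        for f, t in zip(fields, types):
            if t == "port":
                nr[f], nr[f + ".proto"] = r[f] if r[f] is not None else (None, None)
            else:
                nr[f] = r[f]
        new_records.append(nr)
    return new_fields, new_types, new_records


if __name__ == "__main__":
    flds, typs, recs = parse_bro_log(SAMPLE_LOG)
    for row in cut(flds, typs, recs, ["ts", "id.resp_h", "id.resp_p"], utc=True, ofs="|"):
        print(row)
```

Run stand-alone it prints the three selected columns with UTC timestamps and "|" as the separator. A port value without a protocol, such as a bare "80", raises in parse_port instead of silently becoming an integer; that is the trade-off the thread is weighing: a single "80/tcp" column is self-describing but forces parsing everywhere, while the two-column view keeps the number directly usable at the cost of a second column per port field.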
From: gregor at icir.org (Gregor Maier) Date: Fri, 02 Dec 2011 13:58:40 -0800 Subject: [Bro-Dev] HTTP log file: trans_depth nit Message-ID: <4ED94A10.7050704@icir.org> Hi, the documentation says about the trans_depth column in the http.log: "This represents the pipelined depth into the connection of this request/response transaction." However, I don't know whether "pipelined" might be misleading here, because this field also counts "persistent" connections. Don't know what else to call it though :-( cu Gregor -- Gregor Maier Int. Computer Science Institute (ICSI) 1947 Center St., Ste. 600 Berkeley, CA 94704, USA http://www.icir.org/gregor/ From bro at tracker.bro-ids.org Fri Dec 2 14:16:58 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Fri, 02 Dec 2011 22:16:58 -0000 Subject: [Bro-Dev] #703: NUL_in_line and line_terminated_with_single_CR complaints In-Reply-To: <046.a178d88fb4159c54e316119fd1f5ded7@tracker.bro-ids.org> References: <046.a178d88fb4159c54e316119fd1f5ded7@tracker.bro-ids.org> Message-ID: <061.2d6f906cee697ec30dec7d17f98130ab@tracker.bro-ids.org> #703: NUL_in_line and line_terminated_with_single_CR complaints ----------------------+-------------------- Reporter: vern | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Resolution: | Keywords: ----------------------+-------------------- Changes (by gregor): * milestone: => Bro2.0 Comment: See also #533. IMHO it would still be good to suppress the weirds for 2.0 if possible, but YMMV. (And possibly indicate in smtp.log that the connection used STARTTLS). -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Fri Dec 2 16:58:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Sat, 03 Dec 2011 00:58:37 -0000 Subject: [Bro-Dev] #702: topic/seth/dns-updates - Fixed some DNS issues In-Reply-To: <046.2f4b2ad86a7b89075747e60a28802b6f@tracker.bro-ids.org> References: <046.2f4b2ad86a7b89075747e60a28802b6f@tracker.bro-ids.org> Message-ID: <061.adac128df2d525e78bf0fb3b627d0987@tracker.bro-ids.org> #702: topic/seth/dns-updates - Fixed some DNS issues ----------------------+---------------------- Reporter: seth | Owner: seth Type: Problem | Status: assigned Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Resolution: | Keywords: ----------------------+---------------------- Changes (by robin): * owner: robin => seth * status: new => assigned * type: Merge Request => Problem Comment: There are problems with the patch. Sent examples to Seth. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Fri Dec 2 17:12:08 2011 
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:08 -0000
Subject: [Bro-Dev] #705: Makefile in doc/ doesn't work.
In-Reply-To: <047.924679682a5a6c6c0784fa8db12eb41f@tracker.bro-ids.org>
References: <047.924679682a5a6c6c0784fa8db12eb41f@tracker.bro-ids.org>
Message-ID: <062.9c5301eb9e403bcd1a145917242d7243@tracker.bro-ids.org>

#705: Makefile in doc/ doesn't work.
----------------------+--------------------
 Reporter:  robin     |      Owner:  jsiwek
     Type:  Problem   |     Status:  closed
 Priority:  Normal    |  Milestone:  Bro2.0
Component:  Bro       |    Version:
Resolution:  fixed    |   Keywords:
----------------------+--------------------

Comment (by robin):

In [220b1618816514797d6472a8f53f46f0a126a3f2/bro]:
{{{
#!CommitTicketReference repository="bro" revision="220b1618816514797d6472a8f53f46f0a126a3f2"
Merge remote-tracking branch 'origin/fastpath'

* origin/fastpath:
  Remove example redef of SMTP::entity_excerpt_len from local.bro.
  Add missing doc targets to top Makefile; remove old doc/Makefile. (fixes #705)
  Fix error emitted when loading local.bro in bare mode
  Small updates to address the "globals" ticket.
  Rearrange packet filter and dpd documentation.

Closes #705.
Closes #633.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:08 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:08 -0000
Subject: [Bro-Dev] #493: RemoteSerializer::Log method should give peer to remote_log event
In-Reply-To: <046.92af99e6494fd1fafea993dd0397bf7b@tracker.bro-ids.org>
References: <046.92af99e6494fd1fafea993dd0397bf7b@tracker.bro-ids.org>
Message-ID: <061.755875afb2a42d1f1bdbcce4e0e566ee@tracker.bro-ids.org>

#493: RemoteSerializer::Log method should give peer to remote_log event
----------------------------+--------------------
 Reporter:  seth            |      Owner:  jsiwek
     Type:  Merge Request   |     Status:  closed
 Priority:  Normal          |  Milestone:  Bro2.0
Component:  Bro             |    Version:
Resolution:  fixed          |   Keywords:
----------------------------+--------------------
Changes (by robin):

 * status:  assigned => closed
 * resolution:   => fixed

Comment:

In [df3ae4b30d556628767566e9fdf98b27f633fc2e/bro]:
{{{
#!CommitTicketReference repository="bro" revision="df3ae4b30d556628767566e9fdf98b27f633fc2e"
Merge remote-tracking branch 'origin/topic/jsiwek/remote-log-peer'

* origin/topic/jsiwek/remote-log-peer:
  Add a remote_log_peer event which contains an event_peer record param.

Closes #493.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:08 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:08 -0000
Subject: [Bro-Dev] #633: Globals cleanup
In-Reply-To: <047.cf4580f5113530897d7e17a5b9de40dc@tracker.bro-ids.org>
References: <047.cf4580f5113530897d7e17a5b9de40dc@tracker.bro-ids.org>
Message-ID: <062.a597b67798033e040eb7064e2c780aed@tracker.bro-ids.org>

#633: Globals cleanup
----------------------+------------------------
 Reporter:  robin     |      Owner:  seth
     Type:  Problem   |     Status:  closed
 Priority:  Normal    |  Milestone:  Bro2.0
Component:  Bro       |    Version:  git/master
Resolution:  fixed    |   Keywords:
----------------------+------------------------

Comment (by robin):

In [220b1618816514797d6472a8f53f46f0a126a3f2/bro]:
{{{
#!CommitTicketReference repository="bro" revision="220b1618816514797d6472a8f53f46f0a126a3f2"
Merge remote-tracking branch 'origin/fastpath'

* origin/fastpath:
  Remove example redef of SMTP::entity_excerpt_len from local.bro.
  Add missing doc targets to top Makefile; remove old doc/Makefile. (fixes #705)
  Fix error emitted when loading local.bro in bare mode
  Small updates to address the "globals" ticket.
  Rearrange packet filter and dpd documentation.

Closes #705.
Closes #633.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:09 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:09 -0000
Subject: [Bro-Dev] #704: use of $BRO_LOG_SUFFIX
In-Reply-To: <046.a58006125a50eea1b4c28ca8e55b2431@tracker.bro-ids.org>
References: <046.a58006125a50eea1b4c28ca8e55b2431@tracker.bro-ids.org>
Message-ID: <061.8c2718fdacc77df93cef51575db713b3@tracker.bro-ids.org>

#704: use of $BRO_LOG_SUFFIX
----------------------------+--------------------
 Reporter:  vern            |      Owner:  jsiwek
     Type:  Merge Request   |     Status:  closed
 Priority:  Normal          |  Milestone:  Bro2.0
Component:  Bro             |    Version:
Resolution:  fixed          |   Keywords:
----------------------------+--------------------
Changes (by robin):

 * status:  assigned => closed
 * resolution:   => fixed

Comment:

In [1e45910b257461d36e69e17a1a26e18a829a16a7/bro]:
{{{
#!CommitTicketReference repository="bro" revision="1e45910b257461d36e69e17a1a26e18a829a16a7"
Merge remote-tracking branch 'origin/topic/jsiwek/bro-log-suffix'

* origin/topic/jsiwek/bro-log-suffix:
  Teach LogWriterAscii to use BRO_LOG_SUFFIX env. var. (addresses #704)

Closes #704.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:08 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:08 -0000
Subject: [Bro-Dev] #661: Crash in host name lookup
In-Reply-To: <047.b51474059b3622f2b1778a88ef2d7190@tracker.bro-ids.org>
References: <047.b51474059b3622f2b1778a88ef2d7190@tracker.bro-ids.org>
Message-ID: <062.47debfaad41d7adf2ed0a8f61f70ff0f@tracker.bro-ids.org>

#661: Crash in host name lookup
----------------------------+--------------------
 Reporter:  robin           |      Owner:  robin
     Type:  Merge Request   |     Status:  closed
 Priority:  High            |  Milestone:  Bro2.0
Component:  Bro             |    Version:
Resolution:  fixed          |   Keywords:
----------------------------+--------------------
Changes (by robin):

 * owner:   => robin
 * status:  new => closed
 * resolution:   => fixed

Comment:

In [03b7ebfb5bfaa495a6c4115e4fe257261a724b20/bro]:
{{{
#!CommitTicketReference repository="bro" revision="03b7ebfb5bfaa495a6c4115e4fe257261a724b20"
Merge remote-tracking branch 'origin/topic/jsiwek/fix-dns-double-free'

* origin/topic/jsiwek/fix-dns-double-free:
  Fix double-free of DNS_Mgr_Request object (addresses #661)

Closes #661.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:27 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:27 -0000
Subject: [Bro-Dev] #657: Change bro-cut for general timestamp conversion.
In-Reply-To: <046.9668fa90eb8243c2b8a9c55df2a6a329@tracker.bro-ids.org>
References: <046.9668fa90eb8243c2b8a9c55df2a6a329@tracker.bro-ids.org>
Message-ID: <061.0539887f8bffaa6222d79ef2a893d460@tracker.bro-ids.org>

#657: Change bro-cut for general timestamp conversion.
------------------------------+------------------------
 Reporter:  seth              |      Owner:  robin
     Type:  Feature Request   |     Status:  closed
 Priority:  Normal            |  Milestone:  Bro2.0
Component:  bro-aux           |    Version:  git/master
Resolution:  fixed            |   Keywords:
------------------------------+------------------------
Changes (by robin):

 * status:  new => closed
 * resolution:   => fixed

Comment:

In [4a8551ae52d52c395b366a4eb68e63356e01999e/bro-aux]:
{{{
#!CommitTicketReference repository="bro-aux" revision="4a8551ae52d52c395b366a4eb68e63356e01999e"
Merge branch 'topic/robin/bro-cut'

* topic/robin/bro-cut:
  bro-cut extensions and fixes.

Closes #657.
Closes #653.
Closes #668.
Closes #649.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:27 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:27 -0000
Subject: [Bro-Dev] #653: bro-cut does not work with mawk
In-Reply-To: <050.b131409afa45c564960b689e75d671f3@tracker.bro-ids.org>
References: <050.b131409afa45c564960b689e75d671f3@tracker.bro-ids.org>
Message-ID: <065.528a7c7b6e4d46921a74ced731aa4d2c@tracker.bro-ids.org>

#653: bro-cut does not work with mawk
-----------------------+------------------------
 Reporter:  dnthayer   |      Owner:  robin
     Type:  Problem    |     Status:  closed
 Priority:  Normal     |  Milestone:  Bro2.0
Component:  bro-aux    |    Version:  git/master
Resolution:  fixed     |   Keywords:
-----------------------+------------------------
Changes (by robin):

 * status:  assigned => closed
 * resolution:   => fixed

Comment:

In [4a8551ae52d52c395b366a4eb68e63356e01999e/bro-aux]:
{{{
#!CommitTicketReference repository="bro-aux" revision="4a8551ae52d52c395b366a4eb68e63356e01999e"
Merge branch 'topic/robin/bro-cut'

* topic/robin/bro-cut:
  bro-cut extensions and fixes.

Closes #657.
Closes #653.
Closes #668.
Closes #649.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:27 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:27 -0000
Subject: [Bro-Dev] #649: Output field separator to bro-cut
In-Reply-To: <050.6ad25768f67caa0673a494593b5768e1@tracker.bro-ids.org>
References: <050.6ad25768f67caa0673a494593b5768e1@tracker.bro-ids.org>
Message-ID: <065.145938d73791c15fb3376d38f520adcd@tracker.bro-ids.org>

#649: Output field separator to bro-cut
------------------------------+------------------------
 Reporter:  matthias          |      Owner:  robin
     Type:  Feature Request   |     Status:  closed
 Priority:  Normal            |  Milestone:  Bro2.0
Component:  Bro               |    Version:  git/master
Resolution:  fixed            |   Keywords:  bro-cut
------------------------------+------------------------
Changes (by robin):

 * status:  new => closed
 * resolution:   => fixed

Comment:

In [4a8551ae52d52c395b366a4eb68e63356e01999e/bro-aux]:
{{{
#!CommitTicketReference repository="bro-aux" revision="4a8551ae52d52c395b366a4eb68e63356e01999e"
Merge branch 'topic/robin/bro-cut'

* topic/robin/bro-cut:
  bro-cut extensions and fixes.

Closes #657.
Closes #653.
Closes #668.
Closes #649.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:27 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:27 -0000
Subject: [Bro-Dev] #668: Please support UTC conversion in bro-cut
In-Reply-To: <054.642e0955ca3b58a1649cb85169342f62@tracker.bro-ids.org>
References: <054.642e0955ca3b58a1649cb85169342f62@tracker.bro-ids.org>
Message-ID: <069.a1151498bdf2b444634a4651548a53f0@tracker.bro-ids.org>

#668: Please support UTC conversion in bro-cut
------------------------------+----------------------
 Reporter:  david.bianco      |      Owner:  robin
     Type:  Feature Request   |     Status:  closed
 Priority:  Normal            |  Milestone:  Bro2.0
Component:  Bro               |    Version:  2.0 Beta
Resolution:  fixed            |   Keywords:
------------------------------+----------------------
Changes (by robin):

 * status:  assigned => closed
 * resolution:   => fixed

Comment:

In [4a8551ae52d52c395b366a4eb68e63356e01999e/bro-aux]:
{{{
#!CommitTicketReference repository="bro-aux" revision="4a8551ae52d52c395b366a4eb68e63356e01999e"
Merge branch 'topic/robin/bro-cut'

* topic/robin/bro-cut:
  bro-cut extensions and fixes.

Closes #657.
Closes #653.
Closes #668.
Closes #649.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:34 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:34 -0000
Subject: [Bro-Dev] #658: Broctl check doesn't account for cluster layout or config changes
In-Reply-To: <046.33069865e6009f5d564323acf1468ca8@tracker.bro-ids.org>
References: <046.33069865e6009f5d564323acf1468ca8@tracker.bro-ids.org>
Message-ID: <061.1b7996069cab2d5b5aeee62d78eac3bd@tracker.bro-ids.org>

#658: Broctl check doesn't account for cluster layout or config changes
----------------------------+--------------------
 Reporter:  seth            |      Owner:  robin
     Type:  Merge Request   |     Status:  closed
 Priority:  Normal          |  Milestone:  Bro2.0
Component:  BroControl      |    Version:
Resolution:  fixed          |   Keywords:
----------------------------+--------------------
Changes (by robin):

 * owner:   => robin
 * status:  new => closed
 * resolution:   => fixed

Comment:

In [395648f90e0117a6c61b7db431dfcf5b04a874d4/broctl]:
{{{
#!CommitTicketReference repository="broctl" revision="395648f90e0117a6c61b7db431dfcf5b04a874d4"
Merge remote-tracking branch 'origin/topic/jsiwek/ticket658'

* origin/topic/jsiwek/ticket658:
  Teach 'check' command to generate temporary versions of autogen. files.

Closes #658.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:35 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:35 -0000
Subject: [Bro-Dev] #676: Broctl not relinking logs/current correctly
In-Reply-To: <046.cd0ffbb5c01e8b46c16ffc30a036451e@tracker.bro-ids.org>
References: <046.cd0ffbb5c01e8b46c16ffc30a036451e@tracker.bro-ids.org>
Message-ID: <061.308962fa6575725800ec20942236ee71@tracker.bro-ids.org>

#676: Broctl not relinking logs/current correctly
-------------------------+--------------------
 Reporter:  seth         |      Owner:  jsiwek
     Type:  Problem      |     Status:  closed
 Priority:  Normal       |  Milestone:  Bro2.0
Component:  BroControl   |    Version:
Resolution:  fixed       |   Keywords:
-------------------------+--------------------

Comment (by robin):

In [919eda0c1c6ce2681de6d1b975b73313b834353d/broctl]:
{{{
#!CommitTicketReference repository="broctl" revision="919eda0c1c6ce2681de6d1b975b73313b834353d"
Merge remote-tracking branch 'origin/fastpath'

* origin/fastpath:
  Fix standalone->cluster upgrade failing to update logs/current symlink.
  Fix broctl 'scripts' command in cluster mode (fixes #655)

Closes #655.
Closes #676.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:12:35 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:12:35 -0000
Subject: [Bro-Dev] #655: broctl 'scripts' command doesn't work in cluster mode
In-Reply-To: <048.94750b9656841ef5d3bd2012524def39@tracker.bro-ids.org>
References: <048.94750b9656841ef5d3bd2012524def39@tracker.bro-ids.org>
Message-ID: <063.79a3e8b44cb726f89dc15264fa99dec9@tracker.bro-ids.org>

#655: broctl 'scripts' command doesn't work in cluster mode
-------------------------+------------------------
 Reporter:  jsiwek       |      Owner:  jsiwek
     Type:  Problem      |     Status:  closed
 Priority:  Normal       |  Milestone:  Bro2.0
Component:  BroControl   |    Version:  git/master
Resolution:  fixed       |   Keywords:
-------------------------+------------------------

Comment (by robin):

In [919eda0c1c6ce2681de6d1b975b73313b834353d/broctl]:
{{{
#!CommitTicketReference repository="broctl" revision="919eda0c1c6ce2681de6d1b975b73313b834353d"
Merge remote-tracking branch 'origin/fastpath'

* origin/fastpath:
  Fix standalone->cluster upgrade failing to update logs/current symlink.
  Fix broctl 'scripts' command in cluster mode (fixes #655)

Closes #655.
Closes #676.
}}}

From bro at tracker.bro-ids.org Fri Dec 2 17:30:58 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 01:30:58 -0000
Subject: [Bro-Dev] #711: topic/robin/pp-alarms
Message-ID: <047.1b448e78bff44559e1f195ed0f4d8430@tracker.bro-ids.org>

#711: topic/robin/pp-alarms
---------------------------+--------------------
 Reporter:  robin          |      Owner:  seth
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.0
Component:  Bro            |    Version:
 Keywords:                 |
---------------------------+--------------------
This fixes a few things in the notice/actions/pp-alarms.bro scripts:

- With some notices, the reported originator wasn't right.
- Time range is now included in subject.
- Some visual polishing
- Adding test.

From seth at icir.org Fri Dec 2 19:07:12 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 2 Dec 2011 22:07:12 -0500
Subject: [Bro-Dev] HTTP log file: trans_depth nit
In-Reply-To: <4ED94A10.7050704@icir.org>
References: <4ED94A10.7050704@icir.org>
Message-ID: 

On Dec 2, 2011, at 4:58 PM, Gregor Maier wrote:

> "This represents the pipelined depth into the connection of this
> request/response transaction."
>
> However, I don't know whether "pipelined" might be misleading here,
> because this field also counts "persistent" connections.

You're right, that's a bad description. The actual field name works
fairly well though. What about something like this:

"This represents the ordinal value of the request into the connection
for persistent or pipelined requests."

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From bro at tracker.bro-ids.org Fri Dec 2 19:08:57 2011
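An added illustration of the wording Seth proposes above, written here for this archive and not taken from Bro's HTTP analyzer: trans_depth is the ordinal of a transaction within one connection, so it grows for sequential requests on a persistent connection just as it does for requests sent back-to-back with pipelining. Responses are paired with outstanding requests in FIFO order, which is what lets a log consumer join a request row with its response. The event sequences below are constructed, and the direction labels "req"/"resp" are this example's own convention.

```python
# Added example: assign an http.log-style trans_depth to requests and
# responses on a single connection. Not Bro's code; "req"/"resp" event
# tuples and the constructed sequences below are this example's own.
from collections import deque


def assign_trans_depth(events):
    """events: (direction, first_line) tuples for one connection, in wire
    order, direction being "req" or "resp". Returns a list of
    (trans_depth, direction, first_line)."""
    out = []
    pending = deque()  # depths of requests still awaiting a response, FIFO
    depth = 0
    for direction, line in events:
        if direction == "req":
            depth += 1  # ordinal within the connection, persistent or pipelined
            pending.append(depth)
            out.append((depth, "req", line))
        elif direction == "resp":
            if pending:
                out.append((pending.popleft(), "resp", line))
            else:
                # response without an outstanding request: depth 0 marks it
                # as unpaired rather than silently attaching it to a request
                out.append((0, "resp", line))
        else:
            raise ValueError("unknown direction: %r" % (direction,))
    return out


def transactions(events):
    """Group by trans_depth into (depth, request, response-or-None), the
    shape of one http.log row. Unpaired responses (depth 0) are dropped."""
    rows = {}
    for depth, direction, line in assign_trans_depth(events):
        if depth == 0:
            continue
        row = rows.setdefault(depth, [None, None])
        row[0 if direction == "req" else 1] = line
    return [(d, r[0], r[1]) for d, r in sorted(rows.items())]


# Constructed sequences: a persistent connection answers each request before
# the next is sent; a pipelined one has three requests in flight at once.
PERSISTENT = [("req", "GET /a"), ("resp", "200"),
              ("req", "GET /b"), ("resp", "200")]
PIPELINED = [("req", "GET /a"), ("req", "GET /b"), ("req", "GET /c"),
             ("resp", "200"), ("resp", "404"), ("resp", "200")]


if __name__ == "__main__":
    for name, seq in (("persistent", PERSISTENT), ("pipelined", PIPELINED)):
        print(name, transactions(seq))
```

Both sequences reach trans_depth 3 or 2 without any pipelining being involved in the first, which is why "ordinal" describes the field better than "pipelined depth".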
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 03 Dec 2011 03:08:57 -0000
Subject: [Bro-Dev] #703: NUL_in_line and line_terminated_with_single_CR complaints
In-Reply-To: <046.a178d88fb4159c54e316119fd1f5ded7@tracker.bro-ids.org>
References: <046.a178d88fb4159c54e316119fd1f5ded7@tracker.bro-ids.org>
Message-ID: <061.9495d952dfa6f174e29f5de474b530f7@tracker.bro-ids.org>

#703: NUL_in_line and line_terminated_with_single_CR complaints
----------------------+--------------------
 Reporter:  vern      |      Owner:
     Type:  Problem   |     Status:  new
 Priority:  Normal    |  Milestone:  Bro2.0
Component:  Bro       |    Version:
Resolution:           |   Keywords:
----------------------+--------------------

Comment (by seth):

> (And possibly indicate in smtp.log that the connection used STARTTLS).

That already happens because the smtp log contains the last message from
the server.

From seth at icir.org Fri Dec 2 20:32:36 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 2 Dec 2011 23:32:36 -0500
Subject: [Bro-Dev] question & meta-question regarding "path" field in smtp.log
In-Reply-To: <20111201103742.59AA72C400E@rock.ICSI.Berkeley.EDU>
References: <20111201103742.59AA72C400E@rock.ICSI.Berkeley.EDU>
Message-ID: <881F296B-60C6-4D3A-8F02-4DE6716943DB@icir.org>

On Dec 1, 2011, at 5:37 AM, Vern Paxson wrote:

>> Yes, it's the path derived from the received headers and it's in reverse
>> order where the actual message originator would be found at the right side
>> and the receiver would be at the left.
>
> But what about adding the client & server? Are those added separately?
> It would appear so, though I'm not sure that's the right thing to do.
> It muddles the semantics somewhat, and also isn't necessary as the
> client & server info are available from other fields.

Hah, you're finding all of the places that I debated with myself for a
long time. I ended up adding the orig_h and resp_h for the current
connection to the path field because I wanted an easy way to reliably
find the address that originally sent the message. If you are watching
the actual message being sent from the MUA then it obviously won't have
any received headers yet but it was handy to have the orig_h for the
connection there anyway.

Do you think we should cut those out? It certainly made log processing
easier when I added it.

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Sat Dec 3 14:47:17 2011
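As an added example of the path layout discussed in this thread (not Bro's SMTP script, and the exact parsing Bro uses is not asserted here): the observed connection's resp_h and orig_h go at the left, and the relaying address from each Received: header follows in header order, so the originating host ends up at the right. The message, hostnames and addresses below are constructed, and the helper names are this example's own. The parser takes only the bracketed literal in the "from" clause, since that is the value the receiving MTA recorded rather than the one the sender claimed; the header lines themselves are still data inside the message, so any hop below the one your own MTA added can be forged.

```python
# Added example: derive an smtp.log-style "path" from Received: headers plus
# the observed connection endpoints. Not Bro's code; message and addresses
# below are constructed.
import ipaddress
import re
from email import message_from_string

# Bracketed address literal as an MTA records it, e.g. "(host [192.0.2.10])"
# or "[IPv6:2001:db8::1]".
IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def address_from_received(value):
    """Return the relaying address from one Received: header value, or None
    when the 'from' clause carries no parsable literal."""
    # Only the text before " by " belongs to the 'from' clause; a literal in
    # the 'by' clause names the receiving host, not the relay.
    from_clause = value.split(" by ", 1)[0]
    m = IP_IN_BRACKETS.search(from_clause)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:  # bracketed text that is not an address
        return None


def smtp_path(orig_h, resp_h, raw_message):
    """Receiver on the left, originator on the right: [resp_h, orig_h,
    newest hop, ..., oldest hop]. A message caught on its first hop (no
    Received: headers yet) yields just the two connection endpoints."""
    msg = message_from_string(raw_message)
    path = [resp_h, orig_h]
    # get_all() returns headers top to bottom, i.e. most recent hop first,
    # since each MTA prepends its own Received: line.
    for value in msg.get_all("Received", []):
        addr = address_from_received(" ".join(value.split()))  # unfold
        if addr is not None:
            path.append(addr)
    return path


# Constructed message: three hops, the oldest at the bottom.
MESSAGE = """\
Received: from relay2.example.net (relay2.example.net [198.51.100.7])
    by mx.example.org with ESMTP id abc123;
    Sun, 4 Dec 2011 10:00:00 -0800
Received: from relay1.example.net (relay1.example.net [203.0.113.20])
    by relay2.example.net with ESMTP; Sun, 4 Dec 2011 09:59:00 -0800
Received: from [192.0.2.55] (unknown [192.0.2.55])
    by relay1.example.net with ESMTPSA; Sun, 4 Dec 2011 09:58:00 -0800
From: alice@example.net
To: bob@example.org
Subject: test

body
"""

if __name__ == "__main__":
    # Constructed connection: 10.0.0.5 (orig_h) delivering to 10.0.0.25 (resp_h).
    print(smtp_path("10.0.0.5", "10.0.0.25", MESSAGE))
```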
From: robin at icir.org (Robin Sommer)
Date: Sat, 3 Dec 2011 14:47:17 -0800
Subject: [Bro-Dev] Empty log fields
In-Reply-To: <20111201175127.GB57452@icir.org>
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org>
Message-ID: <20111203224717.GA30428@icir.org>

On Thu, Dec 01, 2011 at 09:51 -0800, I wrote:

> I can live with Seth's "nil" as well. Deal?

Sorry for going back to this another time, but I just made the change
and don't really like the result. We now have tons of "nil" in there
just because there are so many non-set fields. "-" looks much better.

So here's another suggestion: let's set empty fields simply to
"(empty)". How about that? That looks much better and empty fields are
much less frequent than unset fields.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From vallentin at icir.org Sat Dec 3 15:08:11 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Sat, 3 Dec 2011 15:08:11 -0800
Subject: [Bro-Dev] Empty log fields
In-Reply-To: <20111203224717.GA30428@icir.org>
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org> <20111203224717.GA30428@icir.org>
Message-ID: 

> So here's another suggestion: let's set empty fields simply to
> "(empty)". How about that?

I like it because it is self-descriptive, but isn't that a little
verbose? I don't have really compelling alternatives though, maybe
"(0)", "()", or "(|)" as generic empty set representation?

   Matthias

From robin at icir.org Sat Dec 3 15:18:09 2011
From: robin at icir.org (Robin Sommer)
Date: Sat, 3 Dec 2011 15:18:09 -0800
Subject: [Bro-Dev] Empty log fields
In-Reply-To: 
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org> <20111203224717.GA30428@icir.org>
Message-ID: <20111203231808.GB33650@icir.org>

On Sat, Dec 03, 2011 at 15:08 -0800, you wrote:

> "(0)", "()", or "(|)" as generic empty set representation?

It's also for empty strings, and I don't find any of them very
intuitive, I have to say.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From vallentin at icir.org Sat Dec 3 15:20:38 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Sat, 3 Dec 2011 15:20:38 -0800
Subject: [Bro-Dev] Empty log fields
In-Reply-To: <20111203231808.GB33650@icir.org>
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org> <20111203224717.GA30428@icir.org> <20111203231808.GB33650@icir.org>
Message-ID: 

> It's also for empty strings, and I don't find any of them very
> intuitive, I have to say.

Yeah, I agree. It's hard to find one that is expressive and terse! One
more try though :-). What about (") ?

   Matthias

From bernhard at ICSI.Berkeley.EDU Sat Dec 3 15:20:47 2011
From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann)
Date: Sat, 3 Dec 2011 15:20:47 -0800
Subject: [Bro-Dev] Empty log fields
In-Reply-To: 
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org> <20111203224717.GA30428@icir.org>
Message-ID: <544D0ABA-7939-4FE7-82D7-39C7F5A7FF2E@icsi.berkeley.edu>

How about (-) (set of empty)? Would be kind of logical in my opinion
(admittedly only for sets/vectors and not for strings).

Bernhard

On Dec 3, 2011, at 3:08 PM, Matthias Vallentin wrote:

>> So here's another suggestion: let's set empty fields simply to
>> "(empty)". How about that?
>
> I like it because it is self-descriptive, but isn't that a little
> verbose? I don't have really compelling alternatives though, maybe
> "(0)", "()", or "(|)" as generic empty set representation?
>
> Matthias

From vallentin at icir.org Sat Dec 3 22:56:45 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Sat, 3 Dec 2011 22:56:45 -0800
Subject: [Bro-Dev] Status of anonymization framework
In-Reply-To: <5341503C-AF98-4E7B-8761-E42F6B7639BE@icir.org>
References: <20111121022359.482F82C4002@rock.ICSI.Berkeley.EDU> <1321842528-sup-3997@samurai.local> <20111121161552.GD34031@icir.org> <5341503C-AF98-4E7B-8761-E42F6B7639BE@icir.org>
Message-ID: 

> At the moment though I don't think they serve much purpose especially
> if they don't work or they don't work like you would anticipate.

Should we comment them out in bro.bif or simply tag them with FIXME? I
am asking because I am about to document somehow their brokenness.

   Matthias

From mcholste at gmail.com Sun Dec 4 09:41:57 2011
From: mcholste at gmail.com (Martin Holste)
Date: Sun, 4 Dec 2011 11:41:57 -0600
Subject: [Bro-Dev] Empty log fields
In-Reply-To: <544D0ABA-7939-4FE7-82D7-39C7F5A7FF2E@icsi.berkeley.edu>
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org> <20111203224717.GA30428@icir.org> <544D0ABA-7939-4FE7-82D7-39C7F5A7FF2E@icsi.berkeley.edu>
Message-ID: 

I'd really prefer that it be left at a single hyphen, as it cuts down on
log size. It's also a convention that a ton of other programs use. The
only acceptable alternative to me would be a totally empty field, as it
is still parsable because it's between the delimiters.

You guys are debating what the visual output of the log files should be
by manipulating the raw output when you're really debating how programs
like bro-cut should output empty fields. For me, the logs are database
data, and it would be silly to write out "nil" in a database (the DB
will understand the lack of data to be NULL). You want the logs to be a
data model, and how they are presented to an end user should be
dictated by the accessing program (view).

On Saturday, December 3, 2011, Bernhard Amann wrote:

> How about (-) (set of empty)? Would be kind of logical in my opinion
> (admittedly only for sets/vectors and not for strings).
>
> Bernhard
>
> On Dec 3, 2011, at 3:08 PM, Matthias Vallentin wrote:
>
>>> So here's another suggestion: let's set empty fields simply to
>>> "(empty)". How about that?
>>
>> I like it because it is self-descriptive, but isn't that a little
>> verbose? I don't have really compelling alternatives though, maybe
>> "(0)", "()", or "(|)" as generic empty set representation?
>>
>> Matthias

From vallentin at icir.org Sun Dec 4 10:15:57 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Sun, 4 Dec 2011 10:15:57 -0800
Subject: [Bro-Dev] Empty log fields
In-Reply-To: 
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org> <20111203224717.GA30428@icir.org> <544D0ABA-7939-4FE7-82D7-39C7F5A7FF2E@icsi.berkeley.edu>
Message-ID: 

What you motivate is precisely the need for binary logs, which aim to
ship with 2.1. This addresses both the log size and representation
issues, as null values are a NUL byte and empty values their
type-specific binary equivalent. Clearly, it makes much more sense to
use the binary log format when sending them to a database. Going
further, one would create a custom database backend that writes the
logs directly from the Bro process to the database, without the
intermediate step of serializing them to the binary format. In 2.1, we
have a CouchDB backend that demonstrates this usage.

Unfortunately, for ASCII logs there is a trade-off between clarity and
conciseness. While omitting the null/empty representation entirely is
the most space-efficient way to go, it may break text-based tools that
expect a strictly columnar format and have no notion of field
separator. Moreover, if a user needs to separate the cases of null (no
value there) vs. empty (e.g., the empty string ""), we need two
separate representations. Some users may also find an explicit clue
about missing values less confusing.

I propose something new: in addition to allowing the field separator to
be customized, we allow similar redefinitions for null and empty values.
By default, they are the same character, namely the dash, but can be
easily redef'ed.

   Matthias

From bernhard at ICSI.Berkeley.EDU Sun Dec 4 10:22:19 2011
From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann)
Date: Sun, 4 Dec 2011 10:22:19 -0800
Subject: [Bro-Dev] Empty log fields
In-Reply-To: 
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org> <20111203224717.GA30428@icir.org> <544D0ABA-7939-4FE7-82D7-39C7F5A7FF2E@icsi.berkeley.edu>
Message-ID: <9C5C3147-380A-48BA-9F70-F42AB3147431@ICSI.Berkeley.EDU>

Hi,

> I propose something new: in addition to allowing the field separator to
> be customized, we allow similar redefinitions for null and empty values.
> By default, they are the same character, namely the dash, but can be
> easily redef'ed.

That is the current state - they can easily be redefined and are both
defined as "-" by default.

The problem with this is that log files that have been written once
cannot be easily re-imported using the input framework, because it
cannot tell if a field is empty or unset. And (in my opinion) it would
be nice to be able to write log files that result in the exact same
data structures when they are re-read into bro.

Bernhard

From bro at tracker.bro-ids.org Sun Dec 4 20:19:32 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 05 Dec 2011 04:19:32 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
Message-ID: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
------------------------+---------------------
 Reporter:  amannb      |       Type:  Problem
   Status:  new         |   Priority:  Normal
Milestone:  Bro2.0      |  Component:  Bro
  Version:  git/master  |   Keywords:
------------------------+---------------------
The attached bro script outputs a log containing a set of string. The
strings contain the set separator character ",". In the output logfile,
this character should be escaped.

From bro at tracker.bro-ids.org Sun Dec 4 20:44:58 2011
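An added example that puts Matthias's proposal, Bernhard's round-trip objection and ticket #712 side by side (written for this archive; it is neither Bro's ASCII writer nor its input framework, and the marker strings are constructed defaults, not Bro's). A tab-separated writer/reader pair keeps an unset field (None) and an empty one ("" or an empty set) distinguishable only when the two markers differ; with both set to "-" the same record does not survive a write-then-read, which is exactly the ambiguity Bernhard describes. The same pair escapes the set separator inside set elements, so a string containing "," reads back as one element rather than two.

```python
# Added example: a minimal Bro-style ASCII log writer/reader showing why
# distinct unset/empty markers and an escaped set separator are needed for
# a faithful round trip. Not Bro's code; Format defaults and the sample
# records below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Format:
    separator: str = "\t"        # between fields
    set_separator: str = ","     # between elements of a set field
    unset_field: str = "-"       # field has no value at all
    empty_field: str = "(empty)" # field is present but empty ("" or {})


def escape_elem(s, fmt):
    """Backslash-escape the escape character itself and the set separator."""
    return s.replace("\\", "\\\\").replace(fmt.set_separator, "\\" + fmt.set_separator)


def unescape_elems(field, fmt):
    """Split a set field on unescaped separators, dropping the escapes."""
    elems, cur, i = [], [], 0
    while i < len(field):
        c = field[i]
        if c == "\\" and i + 1 < len(field):
            cur.append(field[i + 1])   # escaped char taken literally
            i += 2
            continue
        if c == fmt.set_separator:
            elems.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    elems.append("".join(cur))
    return elems


def write_field(value, fmt):
    if value is None:
        return fmt.unset_field
    if isinstance(value, (set, frozenset, list, tuple)):
        if not value:
            return fmt.empty_field
        return fmt.set_separator.join(escape_elem(str(v), fmt) for v in sorted(value))
    s = str(value)
    return fmt.empty_field if s == "" else s


def read_field(text, kind, fmt):
    """kind is "string" or "set"; the reader needs the type to rebuild an
    empty set as a set rather than as an empty string."""
    if text == fmt.unset_field:
        return None
    if kind == "set":
        return frozenset() if text == fmt.empty_field else frozenset(unescape_elems(text, fmt))
    return "" if text == fmt.empty_field else text


def write_line(record, types, fmt):
    return fmt.separator.join(write_field(record[k], fmt) for k in types)


def read_line(line, types, fmt):
    parts = line.split(fmt.separator)
    return {k: read_field(p, t, fmt) for (k, t), p in zip(types.items(), parts)}


def roundtrips(record, types, fmt):
    """True when writing then reading yields the same values as the input."""
    return read_line(write_line(record, types, fmt), types, fmt) == record


# Constructed schema and record: a string field that is empty, and a set
# whose element contains the set separator (the #712 case).
TYPES = {"uid": "string", "user": "string", "tags": "set"}
RECORD = {"uid": "example-uid-1", "user": "", "tags": frozenset({"a,b", "c"})}
DISTINCT = Format()                                   # "-" vs "(empty)"
COLLAPSED = Format(unset_field="-", empty_field="-")  # both "-"

if __name__ == "__main__":
    print(write_line(RECORD, TYPES, DISTINCT))
    print("distinct markers round-trip:", roundtrips(RECORD, TYPES, DISTINCT))
    print("collapsed markers round-trip:", roundtrips(RECORD, TYPES, COLLAPSED))
```

The reader still has to know each column's type to rebuild an empty set as a set, which is the kind of information an ASCII log header has to carry for any re-import to be faithful.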
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 05 Dec 2011 04:44:58 -0000
Subject: [Bro-Dev] #706: Framework Documentation Package 1
In-Reply-To: <046.0094aad7fdf918d4b7c290b5a6d75304@tracker.bro-ids.org>
References: <046.0094aad7fdf918d4b7c290b5a6d75304@tracker.bro-ids.org>
Message-ID: <061.84ee62bebf873e30566b912f57c74e4d@tracker.bro-ids.org>

#706: Framework Documentation Package 1
---------------------+----------------------
 Reporter:  seth     |      Owner:  robin
     Type:  Task     |     Status:  accepted
 Priority:  Normal   |  Milestone:  Bro2.0
Component:  Bro      |    Version:
Resolution:          |   Keywords:
---------------------+----------------------
Changes (by robin):

 * owner:   => robin
 * status:  new => accepted

Comment:

I'll see how far I get with this.

From bro at tracker.bro-ids.org Mon Dec 5 11:10:05 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 05 Dec 2011 19:10:05 -0000
Subject: [Bro-Dev] #663: Load order local-*
In-Reply-To: <047.b0024243ec74c2557a7442cf3f8bb03c@tracker.bro-ids.org>
References: <047.b0024243ec74c2557a7442cf3f8bb03c@tracker.bro-ids.org>
Message-ID: <062.c5ea8317bed3f1fc41c576c7d74bbc70@tracker.bro-ids.org>

#663: Load order local-*
----------------------+------------------------
 Reporter:  robin     |      Owner:
     Type:  Problem   |     Status:  new
 Priority:  Normal    |  Milestone:  Bro2.0
Component:  Bro       |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by jsiwek):

In [506a42638ae53f6bc86ed77a23090d567b45f54d/bro]:
{{{
#!CommitTicketReference repository="bro" revision="506a42638ae53f6bc86ed77a23090d567b45f54d"
Omit loading local-.bro scripts from base cluster framework.

The loading of these is better handled by BroControl and it seems odd
to load them from a base/ script anyway since they'll contain
site/policy specific code.

Addresses #663
}}}

From bro at tracker.bro-ids.org Mon Dec 5 11:10:35 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 05 Dec 2011 19:10:35 -0000
Subject: [Bro-Dev] #663: Load order local-*
In-Reply-To: <047.b0024243ec74c2557a7442cf3f8bb03c@tracker.bro-ids.org>
References: <047.b0024243ec74c2557a7442cf3f8bb03c@tracker.bro-ids.org>
Message-ID: <062.b69841e0f77b122f171baf1e46bd3858@tracker.bro-ids.org>

#663: Load order local-*
----------------------+------------------------
  Reporter:  robin    |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Comment (by jsiwek):

In [46a86c137a20b1cb48fb160bbf57bcafd3490c10/broctl]:
{{{
#!CommitTicketReference repository="broctl" revision="46a86c137a20b1cb48fb160bbf57bcafd3490c10"
Re-order the way local.bro and local-.bro scripts are loaded.

Node-specific local scripts should load after local.bro so that identifiers defined by the loading of local.bro can be used in them.

Addresses #663
}}}

From bro at tracker.bro-ids.org Mon Dec 5 11:12:26 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 05 Dec 2011 19:12:26 -0000
Subject: [Bro-Dev] #663: Load order local-*
In-Reply-To: <047.b0024243ec74c2557a7442cf3f8bb03c@tracker.bro-ids.org>
References: <047.b0024243ec74c2557a7442cf3f8bb03c@tracker.bro-ids.org>
Message-ID: <062.3bca0f5e63e47bf234c98ba1c67731e3@tracker.bro-ids.org>

#663: Load order local-*
----------------------------+------------------------
  Reporter:  robin          |      Owner:
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------
Changes (by jsiwek):

 * type:  Problem => Merge Request

Comment:

See if `topic/jsiwek/local-node-order` in both `bro` and `broctl` repos works as you expect.

From bro at tracker.bro-ids.org Mon Dec 5 19:51:29 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 06 Dec 2011 03:51:29 -0000
Subject: [Bro-Dev] #713: IPv6 session extraction failure
Message-ID: <046.cada0c993d930ef613daa5ace3fb9d8c@tracker.bro-ids.org>

#713: IPv6 session extraction failure
---------------------+--------------------
 Reporter:  seth     |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro2.1
Component:  Bro      |    Version:
 Keywords:  ipv6     |
---------------------+--------------------
From Jim Mellander:

{{{
Hi all:

contents.bro performs session reconstruction of IPv4 traffic, but when running Bro 1.5 contents.bro against an IPv6 packet trace, it creates 0-length files, but doesn't extract the session contents to those files.

Is this in the works?

Thanks in advance
}}}

From bro at tracker.bro-ids.org Mon Dec 5 19:52:44 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 06 Dec 2011 03:52:44 -0000
Subject: [Bro-Dev] #606: broccoli and connection records
In-Reply-To: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org>
References: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org>
Message-ID: <061.81616fe26faa69b5688f4607ee559000@tracker.bro-ids.org>

#606: broccoli and connection records
----------------------------+----------------------
  Reporter:  seth           |      Owner:  robin
      Type:  Merge Request  |     Status:  assigned
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Broccoli       |    Version:
Resolution:                 |   Keywords:
----------------------------+----------------------
Changes (by seth):

 * owner:  seth => robin
 * type:  Problem => Merge Request

Comment:

Seems to work for me. These branches just need to be merged now assuming that the tests still pass with them.

From robin at icir.org Tue Dec 6 11:16:08 2011
From: robin at icir.org (Robin Sommer)
Date: Tue, 6 Dec 2011 11:16:08 -0800
Subject: [Bro-Dev] Status of anonymization framework
References: <20111121022359.482F82C4002@rock.ICSI.Berkeley.EDU> <1321842528-sup-3997@samurai.local> <20111121161552.GD34031@icir.org> <5341503C-AF98-4E7B-8761-E42F6B7639BE@icir.org>
Message-ID: <20111206191608.GC31933@icir.org>

On Sat, Dec 03, 2011 at 22:56 -0800, you wrote:

> > At the moment though I don't think they serve much purpose especially if they don't work or they don't work like you would anticipate.
>
> Should we comment them out in bro.bif or simply tag them with FIXME? I
> am asking because I am about to document somehow their brokenness.

Document what they are doing currently and use ".. todo::" to mark what they should be doing.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From bro at tracker.bro-ids.org Tue Dec 6 12:17:29 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 06 Dec 2011 20:17:29 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.3fab9d731269ac24ca86622afc20abae@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------+------------------------
  Reporter:  amannb   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by jsiwek):

 * owner:  => jsiwek
 * status:  new => assigned

Comment:

I'm looking at a rewrite of the ODesc escaping mechanism (in relation to #681), so I can probably get this.

From bro at tracker.bro-ids.org Tue Dec 6 12:41:42 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 06 Dec 2011 20:41:42 -0000
Subject: [Bro-Dev] #606: broccoli and connection records
In-Reply-To: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org>
References: <046.83cc834c3a71aa4f378a2b7bec3e66a4@tracker.bro-ids.org>
Message-ID: <061.5a0d9969f6bb32f143edf347ed1730b6@tracker.bro-ids.org>

#606: broccoli and connection records
----------------------------+--------------------
  Reporter:  seth           |      Owner:  robin
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Broccoli       |    Version:
Resolution:  fixed          |   Keywords:
----------------------------+--------------------
Changes (by robin):

 * status:  assigned => closed
 * resolution:  => fixed

Comment:

In [05d51b55dd5a8430151cff74f7876bd73385d5cd/broccoli]:
{{{
#!CommitTicketReference repository="broccoli" revision="05d51b55dd5a8430151cff74f7876bd73385d5cd"
Merge remote-tracking branch 'origin/topic/christian/broccoli-connrec'

* origin/topic/christian/broccoli-connrec:
  New types and a connection capability tweak for Broccoli.

Closes #606.
}}}

From bro at tracker.bro-ids.org Tue Dec 6 12:41:48 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 06 Dec 2011 20:41:48 -0000
Subject: [Bro-Dev] #663: Load order local-*
In-Reply-To: <047.b0024243ec74c2557a7442cf3f8bb03c@tracker.bro-ids.org>
References: <047.b0024243ec74c2557a7442cf3f8bb03c@tracker.bro-ids.org>
Message-ID: <062.98c8a53b222a825553ea832018e5345e@tracker.bro-ids.org>

#663: Load order local-*
----------------------------+------------------------
  Reporter:  robin          |      Owner:  robin
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:  git/master
Resolution:  fixed          |   Keywords:
----------------------------+------------------------
Changes (by robin):

 * owner:  => robin
 * status:  new => closed
 * resolution:  => fixed

Comment:

In [406c689c88997c4459eaf36bd2c65bce2e847c2d/broctl]:
{{{
#!CommitTicketReference repository="broctl" revision="406c689c88997c4459eaf36bd2c65bce2e847c2d"
Merge remote-tracking branch 'origin/topic/jsiwek/local-node-order'

* origin/topic/jsiwek/local-node-order:
  Re-order the way local.bro and local-.bro scripts are loaded.

Closes #663.
}}}

From bro at tracker.bro-ids.org Tue Dec 6 15:09:01 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 06 Dec 2011 23:09:01 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.18f1153b3dd53f94e2d7dd889f7b694c@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------+------------------------
  Reporter:  amannb   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Comment (by jsiwek):

Two questions:

1) I think it makes sense to limit the escaping of set_separator to only data contained within a set/table/vector field? Any reason to go beyond that?

2) Is there a reason why set_separator isn't included in the ascii log header like 'separator' is? Seems like you'll want that added?

From bro at tracker.bro-ids.org Tue Dec 6 15:39:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 06 Dec 2011 23:39:37 -0000
Subject: [Bro-Dev] #714: broctl install copies policy files to the .site folder in incorrect order
Message-ID: <049.e82f01374139587adf91a206d94fbd55@tracker.bro-ids.org>

#714: broctl install copies policy files to the .site folder in incorrect order
---------------------+---------------------
 Reporter:  aashish  |      Type:  Problem
   Status:  new      |  Priority:  Normal
Milestone:           | Component:  Bro
  Version:           |  Keywords:
---------------------+---------------------
I think broctl install copies the files to the .site directory in the order specified by the SitePolicyPath. This is probably incorrect. It should instead be in the reverse order of the path specified in the SitePolicyPath.

Example:

SitePolicyPath=/dir1:/dir2:/dir3:/usr/local/bro/share/bro

If a modified version of a file with the same name (e.g. drop.bro) is in dir1 and the original is in /usr/local/bro/share/bro, broctl install will overwrite /dir1/drop.bro with /usr/local/bro/share/bro/drop.bro when it creates the /usr/local/bro/share/bro/.site folder.

In theory, when bro is starting, it should have preference in loading /dir1/drop.bro over /usr/local/bro/share/bro/drop.bro, but currently /dir1/drop.bro gets overwritten by /usr/local/bro/share/bro/drop.bro when broctl install creates the .site folder.

From bro at tracker.bro-ids.org Wed Dec 7 06:09:57 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 14:09:57 -0000
Subject: [Bro-Dev] #703: NUL_in_line and line_terminated_with_single_CR complaints
In-Reply-To: <046.a178d88fb4159c54e316119fd1f5ded7@tracker.bro-ids.org>
References: <046.a178d88fb4159c54e316119fd1f5ded7@tracker.bro-ids.org>
Message-ID: <061.a104724d4c4372c61fff5a7f9378d109@tracker.bro-ids.org>

#703: NUL_in_line and line_terminated_with_single_CR complaints
----------------------+--------------------
  Reporter:  vern     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+--------------------
Comment (by gregor):

Replying to [comment:3 seth]:

> That already happens because the smtp log contains the last message from the server.
>

But this string ("Ready to start TLS") is not standardized, right? Only the 220 is.

From gregor at icir.org Wed Dec 7 06:13:21 2011
From: gregor at icir.org (Gregor Maier)
Date: Wed, 07 Dec 2011 06:13:21 -0800
Subject: [Bro-Dev] Empty log fields
In-Reply-To: <20111203231808.GB33650@icir.org>
References: <20111130002555.GT62930@icir.org> <2E54C1AF-717D-426C-A410-17F29366154F@illinois.edu> <20111201175127.GB57452@icir.org> <20111203224717.GA30428@icir.org> <20111203231808.GB33650@icir.org>
Message-ID: <4EDF7481.9030801@icir.org>

On 12/3/11 15:18 , Robin Sommer wrote:
>
> On Sat, Dec 03, 2011 at 15:08 -0800, you wrote:
>
>> "(0)", "()", or "(|)" as generic empty set representation?
>
> It's also for empty strings, and I don't find any of the very
> intuitive I have to say.

Can't we just use an empty string (especially for representing an empty string)?

cu
Gregor

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From bro at tracker.bro-ids.org Wed Dec 7 07:06:48 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 15:06:48 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.f9941e51ef96fbf3b5ccbeac19565ea5@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------+------------------------
  Reporter:  amannb   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Comment (by robin):

> 1) I think it makes sense to limit the escaping of set_separator to only data contained within a set/table/vector field? Any reason to go beyond that?

My answer would be "yes" except that I'm not quite sure what "beyond" might be?

> 2) Is there a reason why set_separator isn't included in the ascii log header like 'separator' is? Seems like you'll want that added?

That's an oversight, same for the other missing options from `logging/writers/ascii`. Please add.

From bro at tracker.bro-ids.org Wed Dec 7 07:14:50 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 15:14:50 -0000
Subject: [Bro-Dev] #714: broctl install copies policy files to the .site folder in incorrect order
In-Reply-To: <049.e82f01374139587adf91a206d94fbd55@tracker.bro-ids.org>
References: <049.e82f01374139587adf91a206d94fbd55@tracker.bro-ids.org>
Message-ID: <064.bebeb5980710eee6773c114f82cd1b0a@tracker.bro-ids.org>

#714: broctl install copies policy files to the .site folder in incorrect order
----------------------+-----------------
  Reporter:  aashish  |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+-----------------
Comment (by robin):

You shouldn't need to list the default path `/usr/local/bro/share/bro` there, and then I would expect this to work as expected. Can you try that (or have you already and it's not working without?)

From bro at tracker.bro-ids.org Wed Dec 7 07:51:57 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 15:51:57 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.0259a8c8cf80f56c4fd33c09fc0296eb@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------+------------------------
  Reporter:  amannb   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Comment (by jsiwek):

> > 1) I think it makes sense to limit the escaping of set_separator to only data contained within a set/table/vector field? Any reason to go beyond that?
>
> My answer would be "yes" except that I'm not quite sure what "beyond" might be?

I just meant that if there's a field that's a plain string type, it doesn't seem necessary to escape the set_separator if it appears in any values. The ambiguity could only occur in fields that are vector/set/table types.

> > 2) Is there a reason why set_separator isn't included in the ascii log header like 'separator' is? Seems like you'll want that added?
>
> That's an oversight, same for the other missing options from `logging/writers/ascii`. Please add.

Ok. Think header_prefix can still be omitted since it's implicitly the string of characters before the first instance of "separator"?

From bro at tracker.bro-ids.org Wed Dec 7 07:58:13 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 15:58:13 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.c41c06fd84b9b97c7b5787c19aeb706d@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------+------------------------
  Reporter:  amannb   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Comment (by robin):

> I just meant that if there's a field that's a plain string type, it doesn't seem necessary to escape the set_separator if it appears in any values. The ambiguity could only occur in fields that are vector/set/table types.

Yes, I prefer it that way anyway.

> Ok. Think header_prefix can still be omitted since it's implicitly the string of characters before the first instance of "separator"?

Yeah, that's fine.

From bro at tracker.bro-ids.org Wed Dec 7 09:10:58 2011
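The two decisions discussed in these threads, escaping set_separator only inside set/table/vector fields (#712) and keeping empty and unset fields distinguishable so a log re-imports to the same data (the "Empty log fields" thread), as an added Python example that is not Bro's own code; the \xHH escape scheme, the field names and the sample record are constructed assumptions.

```python
"""Bro-style ASCII log round trip: escape the set separator only inside
container fields, and keep "empty" and "unset" distinguishable.
Added example, not Bro's code; the \\xHH escape scheme is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Field = Union[None, str, List[str]]   # None models an &optional field never set
Record = Dict[str, Field]


@dataclass(frozen=True)
class AsciiFormat:
    separator: str = "\t"          # between fields ('separator' in the writer)
    set_separator: str = ","       # between elements of a set/vector/table field
    empty_field: str = "(empty)"   # present but empty ("" or an empty set)
    unset_field: str = "-"         # &optional field that was never assigned


def _escape(value: str, specials: str) -> str:
    """Replace backslash and every character in `specials` by \\xHH."""
    return "".join("\\x%02x" % ord(ch) if ch == "\\" or ch in specials else ch
                   for ch in value)


def _unescape(value: str) -> str:
    """Inverse of _escape: decode each \\xHH sequence back to its character."""
    out, i = [], 0
    while i < len(value):
        if value.startswith("\\x", i) and i + 4 <= len(value):
            try:
                out.append(chr(int(value[i + 2:i + 4], 16)))
                i += 4
                continue
            except ValueError:      # not two hex digits: keep the text literally
                pass
        out.append(value[i])
        i += 1
    return "".join(out)


def format_line(record: Record, fields: List[str], fmt: AsciiFormat) -> str:
    """Serialise one record in the column order given by `fields`."""
    cols = []
    for name in fields:
        value = record.get(name)
        if value is None:
            cols.append(fmt.unset_field)
        elif value == "" or value == []:
            cols.append(fmt.empty_field)
        elif isinstance(value, list):
            # Only inside a container is a bare set_separator ambiguous with
            # an element boundary, so only here is it escaped (the #712 decision).
            cols.append(fmt.set_separator.join(
                _escape(e, fmt.separator + fmt.set_separator) for e in value))
        else:
            # A plain string needs only the field separator escaped. Caveat: a
            # string equal to a marker ("-", "(empty)") still collides with it.
            cols.append(_escape(value, fmt.separator))
    return fmt.separator.join(cols)


def parse_line(line: str, fields: List[str], kinds: Dict[str, str],
               fmt: AsciiFormat) -> Record:
    """Inverse of format_line; `kinds` maps a field name to "string" or "set"."""
    cols = line.split(fmt.separator)      # safe: the separator is escaped in values
    if len(cols) != len(fields):
        raise ValueError("expected %d fields, got %d" % (len(fields), len(cols)))
    record: Record = {}
    for name, col in zip(fields, cols):
        if col == fmt.unset_field:        # checked first: if unset == empty,
            record[name] = None           # the writer's "" is lost here
        elif col == fmt.empty_field:
            record[name] = [] if kinds[name] == "set" else ""
        elif kinds[name] == "set":
            record[name] = [_unescape(e) for e in col.split(fmt.set_separator)]
        else:
            record[name] = _unescape(col)
    return record


def roundtrip(record: Record, fields: List[str], kinds: Dict[str, str],
              fmt: AsciiFormat) -> Record:
    return parse_line(format_line(record, fields, fmt), fields, kinds, fmt)


# Constructed sample resembling an smtp.log row: an empty MAIL FROM (a bounce),
# a recipient display name containing the set separator, and an unset subject.
FIELDS = ["id", "mailfrom", "rcptto", "subject"]
KINDS = {"id": "string", "mailfrom": "string", "rcptto": "set", "subject": "string"}
SAMPLE_RECORD: Record = {"id": "CabC1x", "mailfrom": "",
                         "rcptto": ["a@x.org", "Doe, Jane <j@x.org>"],
                         "subject": None}


def demo() -> Tuple[bool, bool]:
    """(round-trips with distinct markers, round-trips when both markers are "-")."""
    distinct = AsciiFormat()
    same = AsciiFormat(empty_field="-", unset_field="-")
    return (roundtrip(SAMPLE_RECORD, FIELDS, KINDS, distinct) == SAMPLE_RECORD,
            roundtrip(SAMPLE_RECORD, FIELDS, KINDS, same) == SAMPLE_RECORD)


if __name__ == "__main__":
    print(format_line(SAMPLE_RECORD, FIELDS, AsciiFormat()))
    print(demo())   # (True, False)
```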
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 17:10:58 -0000
Subject: [Bro-Dev] #681: Control characters is ASCII output
In-Reply-To: <047.094925a06443edab94de1f00a1c21805@tracker.bro-ids.org>
References: <047.094925a06443edab94de1f00a1c21805@tracker.bro-ids.org>
Message-ID: <062.d2f0974fd595650abb7cfc968c4bbcbf@tracker.bro-ids.org>

#681: Control characters is ASCII output
----------------------+----------------------
  Reporter:  robin    |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------
Comment (by jsiwek):

In [0461f79ca242a5c24085aed8ebf82f1073796949/bro]:
{{{
#!CommitTicketReference repository="bro" revision="0461f79ca242a5c24085aed8ebf82f1073796949"
Rewrite ODesc character escaping functionality. (addresses #681)
}}}

From bro at tracker.bro-ids.org Wed Dec 7 09:10:58 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 17:10:58 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.dccb6a35dd6681bd1e29087525706ac5@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------+------------------------
  Reporter:  amannb   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Comment (by jsiwek):

In [1264d9dc9ef08f1bab444552e56131098a654884/bro]:
{{{
#!CommitTicketReference repository="bro" revision="1264d9dc9ef08f1bab444552e56131098a654884"
Escape the ASCII log's set separator (addresses #712)
}}}

From bro at tracker.bro-ids.org Wed Dec 7 09:40:46 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 17:40:46 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.bc63a3c2c180ab2f09429e900b4eb15f@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------------+------------------------
  Reporter:  amannb         |      Owner:  jsiwek
      Type:  Merge Request  |     Status:  assigned
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------
Changes (by jsiwek):

 * type:  Problem => Merge Request

Comment:

Fixed in `topic/jsiwek/log-escaping` in `bro` and `bro-testing` repos.

From bro at tracker.bro-ids.org Wed Dec 7 10:04:55 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 18:04:55 -0000
Subject: [Bro-Dev] #677: diff-all problem with testing
In-Reply-To: <047.9158b91f8c87419388ef4a41186b3862@tracker.bro-ids.org>
References: <047.9158b91f8c87419388ef4a41186b3862@tracker.bro-ids.org>
Message-ID: <062.24f61e3f8fb923091d2cdead230fcac3@tracker.bro-ids.org>

#677: diff-all problem with testing
----------------------+--------------------
  Reporter:  robin    |      Owner:  robin
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:  fixed    |   Keywords:
----------------------+--------------------
Changes (by robin):

 * status:  assigned => closed
 * resolution:  => fixed

Comment:

In [3c2fa085d43c176e4ae75874964eb810cd278cef/bro]:
{{{
#!CommitTicketReference repository="bro" revision="3c2fa085d43c176e4ae75874964eb810cd278cef"
Adapting diff-all so that it expands globs in both current and baseline directory.

This way, it now spots if a Baseline file isn't produced anymore.

Closes #677.
}}}

From bro at tracker.bro-ids.org Wed Dec 7 10:23:34 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 18:23:34 -0000
Subject: [Bro-Dev] #714: broctl install copies policy files to the .site folder in incorrect order
In-Reply-To: <049.e82f01374139587adf91a206d94fbd55@tracker.bro-ids.org>
References: <049.e82f01374139587adf91a206d94fbd55@tracker.bro-ids.org>
Message-ID: <064.cbe738068179561b606338533e2d1005@tracker.bro-ids.org>

#714: broctl install copies policy files to the .site folder in incorrect order
----------------------+-----------------
  Reporter:  aashish  |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+-----------------
Comment (by aashish):

Yes, I tried without the default path in the SitePolicyPath.

SitePolicyPath=/dir1

The problem persists.

Just for the sake of it, I also tried:

SitePolicyPath = /usr/local/bro/share/bro:/dir1

with the same results.

Aashish

On Wed, Dec 07, 2011 at 03:14:50PM -0000, Bro Tracker wrote:
> #714: broctl install copies policy files to the .site folder in incorrect order
> ----------------------+-----------------
>   Reporter:  aashish  |      Owner:
>       Type:  Problem  |     Status:  new
>   Priority:  Normal   |  Milestone:
>  Component:  Bro      |    Version:
> Resolution:           |   Keywords:
> ----------------------+-----------------
>
> Comment (by robin):
>
> you shouldn't need to list the default path `/usr/local/bro/share/bro`
> there, and then I would expect this to work as expected. Can you try that
> (or have you already and it's not working without?)
>
> --
> Ticket URL:
> Bro Tracker
> Bro Issue Tracker

From bro at tracker.bro-ids.org Wed Dec 7 10:56:06 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 07 Dec 2011 18:56:06 -0000
Subject: [Bro-Dev] #707: Framework Documentation Package 2
In-Reply-To: <046.e9e5405a5f8003302e4e37bcf4a08cf1@tracker.bro-ids.org>
References: <046.e9e5405a5f8003302e4e37bcf4a08cf1@tracker.bro-ids.org>
Message-ID: <061.480d2681dcbc70a0467d1593a5de34c0@tracker.bro-ids.org>

#707: Framework Documentation Package 2
---------------------+----------------------
  Reporter:  seth    |      Owner:  jsiwek
      Type:  Task    |     Status:  assigned
  Priority:  Normal  |  Milestone:  Bro2.0
 Component:  Bro     |    Version:
Resolution:          |   Keywords:
---------------------+----------------------
Changes (by jsiwek):

 * owner:  => jsiwek
 * status:  new => assigned

From bro at tracker.bro-ids.org Thu Dec 8 10:08:35 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 08 Dec 2011 18:08:35 -0000
Subject: [Bro-Dev] #702: topic/seth/dns-updates - Fixed some DNS issues
In-Reply-To: <046.2f4b2ad86a7b89075747e60a28802b6f@tracker.bro-ids.org>
References: <046.2f4b2ad86a7b89075747e60a28802b6f@tracker.bro-ids.org>
Message-ID: <061.6e417938a6a79c368941bf1061b9d748@tracker.bro-ids.org>

#702: topic/seth/dns-updates - Fixed some DNS issues
----------------------------+----------------------
  Reporter:  seth           |      Owner:  robin
      Type:  Merge Request  |     Status:  assigned
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:
Resolution:                 |   Keywords:
----------------------------+----------------------
Changes (by seth):

 * owner:  seth => robin
 * type:  Problem => Merge Request

Comment:

Fixed. Changing back to a merge request.

From vallentin at icir.org Thu Dec 8 10:15:50 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Thu, 8 Dec 2011 10:15:50 -0800
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/dns-updates: Fixed some bugs with capturing data in the base DNS script. (04e2773)
In-Reply-To: <201112081806.pB8I6ncO002918@bro-ids.icir.org>
References: <201112081806.pB8I6ncO002918@bro-ids.icir.org>

> @@ -140,15 +140,11 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)

What is the reason for the DNS:: namespace of the event handler? It looks like it could be removed, since the file specifies "module DNS" at the top already without changing that before do_reply again.

Matthias

From seth at icir.org Thu Dec 8 11:20:09 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 8 Dec 2011 14:20:09 -0500
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/dns-updates: Fixed some bugs with capturing data in the base DNS script. (04e2773)
References: <201112081806.pB8I6ncO002918@bro-ids.icir.org>
Message-ID: <1D83592A-D7D4-4567-B954-54269F9F29F9@icir.org>

On Dec 8, 2011, at 1:15 PM, Matthias Vallentin wrote:

>> @@ -140,15 +140,11 @@ event DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
>
> What is the reason for the DNS:: namespace of the event handler? It
> looks like it could be removed, since the file specifies "module DNS"
> at the top already without changing that before do_reply again.

If I remember correctly there is a bug (or feature?) with handling non-global events where they always need to be fully scoped. Normally, people don't see this (and the reason the bug is there) because all of the core generated events are in the GLOBAL namespace.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From seth at icir.org Thu Dec 8 12:32:54 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 8 Dec 2011 15:32:54 -0500
Subject: [Bro-Dev] network_time()
Message-ID: <3968EC99-3D85-42AC-BB1D-D3CE909E0774@icir.org>

Am I correct in thinking that the network_time() BiF gives the time in the local timezone? If that's true, do we have a way to get the current UTC time?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From gregor at icir.org Thu Dec 8 12:59:10 2011
From: gregor at icir.org (Gregor Maier)
Date: Thu, 08 Dec 2011 12:59:10 -0800
Subject: [Bro-Dev] network_time()
In-Reply-To: <3968EC99-3D85-42AC-BB1D-D3CE909E0774@icir.org>
References: <3968EC99-3D85-42AC-BB1D-D3CE909E0774@icir.org>
Message-ID: <4EE1251E.9070108@icir.org>

On 12/8/11 12:32 , Seth Hall wrote:
> Am I correct in thinking that the network_time() BiF gives the time in the local timezone? If that's true, do we have a way to get the current UTC time?
>

No. It gives seconds since epoch which is independent from the timezone (epoch is midnight 1/1/70 UTC)

cu
Gregor

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From seth at icir.org Thu Dec 8 13:06:42 2011
From: seth at icir.org (Seth Hall)
Date: Thu, 8 Dec 2011 16:06:42 -0500
Subject: [Bro-Dev] network_time()
In-Reply-To: <4EE1251E.9070108@icir.org>
References: <3968EC99-3D85-42AC-BB1D-D3CE909E0774@icir.org> <4EE1251E.9070108@icir.org>
Message-ID: <4A7F0C43-5873-4A1E-A494-9C736A6CA8D0@icir.org>

On Dec 8, 2011, at 3:59 PM, Gregor Maier wrote:

> No. It gives seconds since epoch which is independent from the timezone (epoch is midnight 1/1/70 UTC)

I know that epoch is like that, but network_time() gives a time-typed value, not epoch time (as a count). When I print the value with %T in a call to fmt it's coming out in local time.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From gregor at icir.org Thu Dec 8 13:27:31 2011
From: gregor at icir.org (Gregor Maier)
Date: Thu, 08 Dec 2011 13:27:31 -0800
Subject: [Bro-Dev] network_time()
In-Reply-To: <4A7F0C43-5873-4A1E-A494-9C736A6CA8D0@icir.org>
References: <3968EC99-3D85-42AC-BB1D-D3CE909E0774@icir.org> <4EE1251E.9070108@icir.org> <4A7F0C43-5873-4A1E-A494-9C736A6CA8D0@icir.org>
Message-ID: <4EE12BC3.8040704@icir.org>

On 12/8/11 13:06 , Seth Hall wrote:
>
> On Dec 8, 2011, at 3:59 PM, Gregor Maier wrote:
>
>> No. It gives seconds since epoch which is independent from the timezone (epoch is midnight 1/1/70 UTC)
>
>
> I know that epoch is like that, but network_time() gives a time-typed value, not epoch time (as a count). When I print the value with %T in a call to fmt it's coming out in local time.

Hmm. Interesting. I've actually never used %T to format a timestamp. I always used %f (or %d) which just prints the time in seconds since epoch.

So I guess the problem is that %T always formats the time in local time. Looks like there is a strftime() BiF, but it also uses localtime(). We might want to modify strftime() so one can pass an arbitrary timezone. As for %T (and %D for that matter): Maybe either discourage it and always use strftime() instead or add a global that defines the timezone for %T/%D....

cu
Gregor

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From hlin33 at illinois.edu Fri Dec 9 12:02:02 2011
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Fri, 9 Dec 2011 14:02:02 -0600
Subject: [Bro-Dev] Hui Lin_Where is Binpac warning for Bro 2.0

Hi,

I could not see the binpac warning in Bro 2.0.

I used to see the binpac warning generated by the &check statement, showing in the stdout. But now, I could not see anything and could not find anything in the log.

Here is how I test it. In the "default" branch of a "case" statement, I write

default -> unknown: Debug_Byte &check(0);

My purpose is that if the network packet is not correct, then it comes to the default case, and then I hope that binpac can directly give me some warning instead of writing a bro script to detect it.

However, I did not see any warning in Bro 2.0 when this branch is entered.

Best,

Hui

--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu

From hlin33 at illinois.edu Fri Dec 9 14:40:10 2011
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Fri, 9 Dec 2011 16:40:10 -0600
Subject: [Bro-Dev] Hui Lin_Where is Binpac warning for Bro 2.0
In-Reply-To: <7f3f2547fb06463582cab8f80500a03c@CITESHT3.ad.uillinois.edu>
References: <7f3f2547fb06463582cab8f80500a03c@CITESHT3.ad.uillinois.edu>

I tried another thing. I just typed this in my binpac code

&check(abcdefg)

right after a variable, and my binpac code is successfully compiled and linked.

So &check is ignored in the current Bro package, is it?

That is really bad news for me. Then I have to spend much, much more time rewriting the &check conditions into Bro's script, which is sometimes hard to do.

Is there any future plan to activate the &check statement again?

Best,

Hui

On Fri, Dec 9, 2011 at 2:02 PM, Lin, Hui wrote:

> Hi,
>
> I could not see the binpac warning in Bro 2.0.
>
> I used to see the binpac warning generated by the &check statement, showing in
> the stdout. But now, I could not see anything and could not find anything
> in the log.
>
> Here is how I test it. In the "default" branch of a "case" statement, I write
>
> default -> unknown: Debug_Byte &check(0);
>
> My purpose is that if the network packet is not correct, then it comes to
> the default case, and then I hope that binpac can directly give me some warning
> instead of writing a bro script to detect it.
>
> However, I did not see any warning in Bro 2.0 when this branch is
> entered.
>
> Best,
>
> Hui
>
>
> --
> Hui Lin
> Research Assistant
> DEPEND Research Group, ECE Department
> University of Illinois at Urbana-Champaign
> hlin33 at illinois.edu
>

--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu

From bro at tracker.bro-ids.org Fri Dec 9 15:33:26 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 09 Dec 2011 23:33:26 -0000
Subject: [Bro-Dev] #707: Framework Documentation Package 2
In-Reply-To: <046.e9e5405a5f8003302e4e37bcf4a08cf1@tracker.bro-ids.org>
References: <046.e9e5405a5f8003302e4e37bcf4a08cf1@tracker.bro-ids.org>
Message-ID: <061.9aba0f65cd9fa4a0e049a51aa1cff667@tracker.bro-ids.org>

#707: Framework Documentation Package 2
-----------------------------+--------------------
  Reporter:  seth            |      Owner:  jsiwek
      Type:  Task            |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.0
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by jsiwek):

 * status:  assigned => closed
 * resolution:   => Solved/Applied

Comment:

 This is now finished in the `topic/script-reference` branch and will be merged with it.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From seth at icir.org Fri Dec 9 17:06:39 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 9 Dec 2011 20:06:39 -0500
Subject: [Bro-Dev] Hui Lin_Where is Binpac warning for Bro 2.0
In-Reply-To:
References: <7f3f2547fb06463582cab8f80500a03c@CITESHT3.ad.uillinois.edu>
Message-ID:

On Dec 9, 2011, at 5:40 PM, Hui Lin (Hugo) wrote:

> That is really bad news for me. Then I have to spend much, much more time rewriting the &check conditions into Bro script, which is sometimes hard to do.
>
> Is there any future plan to activate the &check statement again?

Are you sure that this was working previously? I don't think that the &check attribute has ever actually been implemented in binpac (at least the functionality of the &check statement).

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From hlin33 at illinois.edu Fri Dec 9 17:15:38 2011
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Fri, 9 Dec 2011 19:15:38 -0600
Subject: [Bro-Dev] Hui Lin_Where is Binpac warning for Bro 2.0
In-Reply-To:
References: <7f3f2547fb06463582cab8f80500a03c@CITESHT3.ad.uillinois.edu>
Message-ID:

That is cruel! I remember that at the very beginning, I saw some exception generated by binpac which was related to some value range. This afternoon, I checked some .cc code generated by binpac; it seems that binpac will generate some exceptions such as out-of-bound, string length and so on. I probably regarded them as the exceptions thrown by &check.

Anyway, the news is cruel to me and I have to put those checks into Bro script.

Will binpac++ do something like this?

Best,

Hui

On Fri, Dec 9, 2011 at 7:06 PM, Seth Hall wrote:

>
> On Dec 9, 2011, at 5:40 PM, Hui Lin (Hugo) wrote:
>
> > That is really bad news for me. Then I have to spend much, much more
> time rewriting the &check conditions into Bro script, which is sometimes hard
> to do.
> >
> > Is there any future plan to activate the &check statement again?
>
> Are you sure that this was working previously? I don't think that the
> &check attribute has ever actually been implemented in binpac (at least the
> functionality of the &check statement).
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>

-- 
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20111209/92d1f525/attachment.html

From seth at icir.org Fri Dec 9 18:37:08 2011
From: seth at icir.org (Seth Hall)
Date: Fri, 9 Dec 2011 21:37:08 -0500
Subject: [Bro-Dev] Hui Lin_Where is Binpac warning for Bro 2.0
In-Reply-To:
References: <7f3f2547fb06463582cab8f80500a03c@CITESHT3.ad.uillinois.edu>
Message-ID:

On Dec 9, 2011, at 8:15 PM, Hui Lin (Hugo) wrote:

> Anyway, the news is cruel to me and I have to put those checks into Bro script.

What sort of checks are they? I wouldn't think you'd want to have too many &check conditions within your parser, but I don't know the protocols you're working on.

> Will binpac++ do something like this?

I don't recall. You'll have to wait for Robin to answer. :)

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From bro at tracker.bro-ids.org Fri Dec 9 18:53:11 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 10 Dec 2011 02:53:11 -0000
Subject: [Bro-Dev] #637: Integrate ssl alerts into the ssl log
In-Reply-To: <046.76b9bd1e6633db885efa09dbe80c5cd8@tracker.bro-ids.org>
References: <046.76b9bd1e6633db885efa09dbe80c5cd8@tracker.bro-ids.org>
Message-ID: <061.ad8d8ff6346278b3c177a8b3cd463bc4@tracker.bro-ids.org>

#637: Integrate ssl alerts into the ssl log
-----------------------------+--------------------
  Reporter:  seth            |      Owner:  seth
      Type:  Problem         |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.0
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Solved/Applied

Comment:

 I added this to the topic/seth/ssl-updates-for-2.0 branch and it will get merged with that through ticket #692.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Dec 9 18:54:15 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 10 Dec 2011 02:54:15 -0000
Subject: [Bro-Dev] #692: ssl_extension event doesn't indicate originator
In-Reply-To: <046.b4c10cc63df92a28ac1c80a434befd3a@tracker.bro-ids.org>
References: <046.b4c10cc63df92a28ac1c80a434befd3a@tracker.bro-ids.org>
Message-ID: <061.2b8a87fb7d64dd61e350a1b41fb09353@tracker.bro-ids.org>

#692: ssl_extension event doesn't indicate originator
----------------------------+----------------------
  Reporter:  seth           |      Owner:  robin
      Type:  Merge Request  |     Status:  assigned
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:
Resolution:                 |   Keywords:
----------------------------+----------------------
Changes (by seth):

 * owner:  seth => robin
 * status:  new => assigned
 * type:  Problem => Merge Request

Comment:

 This is fixed along with some other small things in branch topic/seth/ssl-updates-for-2.0 and is ready for merging.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Dec 9 21:13:59 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 10 Dec 2011 05:13:59 -0000
Subject: [Bro-Dev] #664: Interesting_Hostname_Login misleading
In-Reply-To: <047.2320a3af2d40dde4b0878f0150e175de@tracker.bro-ids.org>
References: <047.2320a3af2d40dde4b0878f0150e175de@tracker.bro-ids.org>
Message-ID: <062.818ffae9d2f6c8f500791d7d14f10b5d@tracker.bro-ids.org>

#664: Interesting_Hostname_Login misleading
----------------------+--------------------
  Reporter:  robin    |      Owner:  seth
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:  fixed    |   Keywords:
----------------------+--------------------
Changes (by seth):

 * status:  assigned => closed
 * resolution:   => fixed

Comment:

 In [00fb187927b6369f941d30e98a396c85f9e8218d/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="00fb187927b6369f941d30e98a396c85f9e8218d"
 SSH::Interesting_Hostname_Login cleanup. Fixes #664.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Dec 9 21:16:04 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 10 Dec 2011 05:16:04 -0000
Subject: [Bro-Dev] #654: Off_Port_Protocol_Found not used
In-Reply-To: <047.15c2d0cfc177e12da263861fac931591@tracker.bro-ids.org>
References: <047.15c2d0cfc177e12da263861fac931591@tracker.bro-ids.org>
Message-ID: <062.7a2297d1391f675610708f411a49b3b6@tracker.bro-ids.org>

#654: Off_Port_Protocol_Found not used
----------------------+----------------------
  Reporter:  robin    |      Owner:  seth
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------

Comment (by seth):

 The script this is defined within is a total mess. For now I'm just going to remove the DPD::Off_Port_Protocol_Found notice type, but this script will need a major overhaul at some point. I'll file a separate ticket for that in just a minute.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Dec 9 21:18:42 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 10 Dec 2011 05:18:42 -0000
Subject: [Bro-Dev] #654: Off_Port_Protocol_Found not used
In-Reply-To: <047.15c2d0cfc177e12da263861fac931591@tracker.bro-ids.org>
References: <047.15c2d0cfc177e12da263861fac931591@tracker.bro-ids.org>
Message-ID: <062.46061482d2ffe23d036b1ccb3acc1526@tracker.bro-ids.org>

#654: Off_Port_Protocol_Found not used
-----------------------------+--------------------
  Reporter:  robin           |      Owner:  seth
      Type:  Problem         |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.0
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by seth):

 * status:  assigned => closed
 * resolution:   => Solved/Applied

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Dec 9 21:19:34 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 10 Dec 2011 05:19:34 -0000
Subject: [Bro-Dev] #711: topic/robin/pp-alarms
In-Reply-To: <047.1b448e78bff44559e1f195ed0f4d8430@tracker.bro-ids.org>
References: <047.1b448e78bff44559e1f195ed0f4d8430@tracker.bro-ids.org>
Message-ID: <062.fa1cf90a97ec3638901acb9cca51bb3f@tracker.bro-ids.org>

#711: topic/robin/pp-alarms
----------------------------+--------------------
  Reporter:  robin          |      Owner:  seth
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:
Resolution:                 |   Keywords:
----------------------------+--------------------

Comment (by seth):

 Am I supposed to merge this or did you just want me to look over it?

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Dec 9 22:12:50 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 10 Dec 2011 06:12:50 -0000
Subject: [Bro-Dev] #608: broctl print times out if the table is too big
In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
Message-ID: <064.d19ede7b9d01a7ad54b160bc22f3475d@tracker.bro-ids.org>

#608: broctl print times out if the table is too big
----------------------+------------------------
  Reporter:  aashish  |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by seth):

 A table with 5000 addresses didn't work. Here are the scripts I used; you need to run them from the build/ directory (and have the ruby bindings built). I suppose it could be a bug in the python bindings even? Maybe someone should port the ruby script to python to see if it breaks there.

 large-table.bro
 {{{
 @load frameworks/control/controllee

 redef Communication::nodes = {
     # We're waiting for connections from this host for control.
     ["control"] = [$host=127.0.0.1, $events=Control::controller_events],
 };

 global large_table: table[count] of addr = set();

 function build_table(i: count)
     {
     large_table[i] = 1.2.3.4;
     if ( i < 5000 )
         build_table(i+1);
     }

 event bro_init()
     {
     build_table(1);
     print large_table;
     }
 }}}

 large-table.rb
 {{{
 $LOAD_PATH << "aux/broccoli/bindings/broccoli-ruby/"
 $LOAD_PATH << "../aux/broccoli/bindings/broccoli-ruby/lib"
 require 'broccoli'

 bc = Broccoli::Connection.new("127.0.0.1:47757")
 bc.event_handler_for "Control::id_value_response" do |id, val|
   puts val
 end

 puts "Trying to connect..."
 if bc.connect
   puts "connected."
   while true
     ev = Broccoli::Event.new("Control::id_value_request")
     ev.insert("large_table", :string)
     puts "sending event"
     bc.send(ev)
     sleep 1
     puts "processing input"
     bc.process_input
   end
 end
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Dec 9 22:13:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 10 Dec 2011 06:13:37 -0000
Subject: [Bro-Dev] #608: broctl print times out if the table is too big
In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
Message-ID: <064.e94488ddc96a97fb48e043b48a467a02@tracker.bro-ids.org>

#608: broctl print times out if the table is too big
----------------------+------------------------
  Reporter:  aashish  |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by seth):

 Oops, to clarify that: the scripts above *worked*, which means I was unable to validate this ticket.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From vallentin at icir.org Sat Dec 10 14:20:55 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Sat, 10 Dec 2011 14:20:55 -0800
Subject: [Bro-Dev] IDMEF support
Message-ID:

What are our ambitions for IDMEF support in 2.0? Is it worth including/documenting or should we deprecate it?

    Matthias

From bro at tracker.bro-ids.org Sat Dec 10 18:30:04 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 11 Dec 2011 02:30:04 -0000
Subject: [Bro-Dev] #715: Overhaul dpd/detect-protocols script
Message-ID: <046.400746d91507d883354423ce8b706de4@tracker.bro-ids.org>

#715: Overhaul dpd/detect-protocols script
---------------------+-----------------
 Reporter:  seth     |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:
Component:  Bro      |    Version:
 Keywords:           |
---------------------+-----------------
 The script doesn't mesh well with other existing functionality and needs some attention.

 policy/frameworks/dpd/detect-protocols.bro

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From seth at icir.org Sat Dec 10 18:31:18 2011
From: seth at icir.org (Seth Hall)
Date: Sat, 10 Dec 2011 21:31:18 -0500
Subject: [Bro-Dev] IDMEF support
In-Reply-To:
References:
Message-ID: <71B28212-4717-43E4-A706-8B34FCFB1800@icir.org>

On Dec 10, 2011, at 5:20 PM, Matthias Vallentin wrote:

> What are our ambitions for IDMEF support in 2.0? Is it worth
> including/documenting or should we deprecate it?

Deprecate it. I think we'll be bringing it back before too long, but the current support is completely broken for multiple reasons.

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From bro at tracker.bro-ids.org Sat Dec 10 18:48:38 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 11 Dec 2011 02:48:38 -0000
Subject: [Bro-Dev] #199: initial load level pcap filter not being set
In-Reply-To: <048.4f3aba23c45da2fae0617f8a748176c2@tracker.bro-ids.org>
References: <048.4f3aba23c45da2fae0617f8a748176c2@tracker.bro-ids.org>
Message-ID: <063.6cc29d52023a2969456afbbce0f0c0eb@tracker.bro-ids.org>

#199: initial load level pcap filter not being set
-----------------------+-----------------------
  Reporter:  justin    |      Owner:
      Type:  defect    |     Status:  closed
  Priority:  Low       |  Milestone:
 Component:  Bro       |    Version:  1.5.2
Resolution:  Rejected  |   Keywords:  load pcap
-----------------------+-----------------------
Changes (by seth):

 * status:  seen => closed
 * resolution:   => Rejected

Comment:

 I'm going to close this because the current load levels code is deprecated and will be rewritten for a future release. I'm noticing that we don't have a "Wontfix" resolution too.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sat Dec 10 18:50:20 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 11 Dec 2011 02:50:20 -0000
Subject: [Bro-Dev] #219: It would be nice if the default broctl.cfg contained comments for all possible user options
In-Reply-To: <047.ee511cc65baada14f977005e46c064ac@tracker.bro-ids.org>
References: <047.ee511cc65baada14f977005e46c064ac@tracker.bro-ids.org>
Message-ID: <062.b34dcbd386efb1fd017921079c4c7ef5@tracker.bro-ids.org>

#219: It would be nice if the default broctl.cfg contained comments for all possible user options
------------------------------+--------------------
  Reporter:  leres            |      Owner:  robin
      Type:  Feature Request  |     Status:  closed
  Priority:  Low              |  Milestone:
 Component:  BroControl       |    Version:  1.5.1
Resolution:  Rejected         |   Keywords:
------------------------------+--------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Rejected

Comment:

 The broctl.cfg file is getting a selected set of commented options by default now.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sat Dec 10 18:51:12 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 11 Dec 2011 02:51:12 -0000
Subject: [Bro-Dev] #231: Remove the hard dependency on scan.bro from tm-capture.bro
In-Reply-To: <048.f900fbb9e6acf1325e29d06b11d36c7e@tracker.bro-ids.org>
References: <048.f900fbb9e6acf1325e29d06b11d36c7e@tracker.bro-ids.org>
Message-ID: <063.b22cc7467ecbbfaa5dd8dc3974b31384@tracker.bro-ids.org>

#231: Remove the hard dependency on scan.bro from tm-capture.bro
-----------------------+-------------------------------
  Reporter:  justin    |      Owner:
      Type:  Patch     |     Status:  closed
  Priority:  Low       |  Milestone:
 Component:  Bro       |    Version:  1.5.1
Resolution:  Rejected  |   Keywords:  time machine scan
-----------------------+-------------------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Rejected

Comment:

 1.5's time machine script and scan.bro script are deprecated (but hopefully returning soon!).

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sat Dec 10 18:51:42 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 11 Dec 2011 02:51:42 -0000
Subject: [Bro-Dev] #343: broctl's top helper and cpu % on Mac OS X
In-Reply-To: <046.10ffa5c5d6fc06cc211a212272476671@tracker.bro-ids.org>
References: <046.10ffa5c5d6fc06cc211a212272476671@tracker.bro-ids.org>
Message-ID: <061.69ddd79a1ea33bc5b23474fc833591b6@tracker.bro-ids.org>

#343: broctl's top helper and cpu % on Mac OS X
-----------------------------+------------------------
  Reporter:  seth            |      Owner:  robin
      Type:  Problem         |     Status:  closed
  Priority:  Low             |  Milestone:
 Component:  BroControl      |    Version:  git/master
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+------------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Solved/Applied

Comment:

 This was fixed a while ago.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sat Dec 10 18:55:31 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 11 Dec 2011 02:55:31 -0000
Subject: [Bro-Dev] #433: run-time error: unserialized unknown global name
In-Reply-To: <048.b7f6a90db7ea47a175189fdbe3df691e@tracker.bro-ids.org>
References: <048.b7f6a90db7ea47a175189fdbe3df691e@tracker.bro-ids.org>
Message-ID: <063.7a64740947e1020eededc2a94e57a581@tracker.bro-ids.org>

#433: run-time error: unserialized unknown global name
----------------------+------------------------
  Reporter:  jsiwek   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Low      |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by seth):

 * owner:   => jsiwek
 * status:  new => assigned
 * milestone:   => Bro2.0

Comment:

 Could we get that warning turned into a more sensible message for 2.0? Something that indicates that the persistent state is inconsistent with the loaded scripts? It should probably be sent to the reporter framework as an informational message too.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sat Dec 10 19:16:05 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 11 Dec 2011 03:16:05 -0000
Subject: [Bro-Dev] #210: ssl.bro and --use-binpac cause 100%cpu on bro v1.5.1 (sslv2 trafic on another port than 443)
In-Reply-To: <047.f852de098c378b72670b4aa7d660ebc2@tracker.bro-ids.org>
References: <047.f852de098c378b72670b4aa7d660ebc2@tracker.bro-ids.org>
Message-ID: <062.77270299f56b2caf2d121d1cf4f1acf4@tracker.bro-ids.org>

#210: ssl.bro and --use-binpac cause 100%cpu on bro v1.5.1 (sslv2 trafic on another port than 443)
-----------------------------+--------------------------------
  Reporter:  rmkml           |      Owner:
      Type:  Problem         |     Status:  closed
  Priority:  Normal          |  Milestone:
 Component:  BinPAC          |    Version:  1.5.2
Resolution:  Solved/Applied  |   Keywords:  ssl binpac 100%cpu
-----------------------------+--------------------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Solved/Applied

Comment:

 The old analyzer is gone in 2.0 and this tracefile works fine in the new SSL analyzer.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sat Dec 10 19:18:16 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 11 Dec 2011 03:18:16 -0000
Subject: [Bro-Dev] #8: Handling optional fields
In-Reply-To: <050.b9efee7438d8911858d4ed02e677db85@tracker.bro-ids.org>
References: <050.b9efee7438d8911858d4ed02e677db85@tracker.bro-ids.org>
Message-ID: <065.c0debe7a5f095d1387b49aa78b13aeb7@tracker.bro-ids.org>

#8: Handling optional fields
-----------------------+----------------------
  Reporter:  matthias  |      Owner:  kreibich
      Type:  Task      |     Status:  accepted
  Priority:  Normal    |  Milestone:
 Component:  Broccoli  |    Version:  1.5.2
Resolution:            |   Keywords:
-----------------------+----------------------

Comment (by seth):

 Has this been fixed with the recent changes to broccoli?

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From vallentin at icir.org Sun Dec 11 18:46:10 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Sun, 11 Dec 2011 18:46:10 -0800
Subject: [Bro-Dev] BiF prefix
In-Reply-To: <4ED41203.1060405@icir.org>
References: <20111128052258.25FCD2C4002@rock.ICSI.Berkeley.EDU> <1322513027-sup-369@samurai.local> <4ED41203.1060405@icir.org>
Message-ID:

> Should work. I actually can't recall off the top of my head whether
> the file mode encoding used by NFS is indeed normal Unix modes. If so,
> go ahead and change it.

I could not find anything NFS specific in your implementation based on what I found about the S_* permissions [1], so I'll rename the function to file_mode in my bif-cleanup branch.

    Matthias

[1] http://www.gnu.org/s/hello/manual/libc/Permission-Bits.html

From bro at tracker.bro-ids.org Sun Dec 11 21:16:06 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 05:16:06 -0000
Subject: [Bro-Dev] #716: BroControl: Improve installation when changing Spool directory location
Message-ID: <047.390058a9cc5ea96a4e4a67c8b256a555@tracker.bro-ids.org>

#716: BroControl: Improve installation when changing Spool directory location
----------------------+------------------------
 Reporter:  eddyg     |       Type:  Patch
   Status:  new       |   Priority:  Low
Milestone:  Bro2.0    |  Component:  BroControl
  Version:  2.0 Beta  |   Keywords:
----------------------+------------------------
 When changing the spool directory location, most likely at installation time, BroControl should create the directories that it depends upon when it needs them. In this case it is in three places; I have modified the code at those places rather than "at the top", mainly due to inexperience with the code base. Feel free to suggest a better location.

 Changes:

 * Changed the locking code to create the spool dir if required, to help with initial install and new spool directories.
 * Changed the cron HTTP stats code to create the statsdir if required.
 * Changed the Df code to silently handle missing directories at install; they will be created later.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sun Dec 11 22:37:48 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 06:37:48 -0000
Subject: [Bro-Dev] #665: broctl and check/install/(re)start dance refinement
In-Reply-To: <046.d4c1207e818d02e104cbc6fa4ddc5247@tracker.bro-ids.org>
References: <046.d4c1207e818d02e104cbc6fa4ddc5247@tracker.bro-ids.org>
Message-ID: <061.dc58fdc38a8db186058fdde4ef4fa73f@tracker.bro-ids.org>

#665: broctl and check/install/(re)start dance refinement
-------------------------+-----------------
  Reporter:  seth        |      Owner:
      Type:  Problem     |     Status:  new
  Priority:  Normal      |  Milestone:
 Component:  BroControl  |    Version:
Resolution:              |   Keywords:
-------------------------+-----------------

Comment (by eddyg):

 A thought, since this has been irking me of late (when I forget to install).

 You could use the equivalent of "ls -lR | md5sum" on the share/bro directory to compute the current checksum of the configuration, and store that in the spool dir after every "install". Then on every "start", check the checksum and perform an implicit "install".

 Of course you can use python libs for this if you don't want to depend on Unix commands (a sensible approach), so that would be os.walk() (or some recursion) and os.lstat() to dump some text into a buffer, then md5 it.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 12 01:17:00 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 09:17:00 -0000
Subject: [Bro-Dev] #665: broctl and check/install/(re)start dance refinement
In-Reply-To: <046.d4c1207e818d02e104cbc6fa4ddc5247@tracker.bro-ids.org>
References: <046.d4c1207e818d02e104cbc6fa4ddc5247@tracker.bro-ids.org>
Message-ID: <061.a17f7b73c206047d57c1a71f0d0f308a@tracker.bro-ids.org>

#665: broctl and check/install/(re)start dance refinement
-------------------------+-----------------
  Reporter:  seth        |      Owner:
      Type:  Problem     |     Status:  new
  Priority:  Normal      |  Milestone:
 Component:  BroControl  |    Version:
Resolution:              |   Keywords:
-------------------------+-----------------

Comment (by robin):

 The explicit install is deliberate so that one can work on the configuration while still using the old one, and only put the changes in place once ready (and "check" passes). But this is still a good idea; I can see doing something like printing "warning: configuration changed but not yet installed".

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 12 01:41:49 2011
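The scheme discussed in ticket #665 above (fingerprint the configuration tree after every "install", compare on "start", warn when it differs), worked through as an added example. This is not BroControl's code: the directory layout, the state-file name and the sample config files are assumptions, and SHA-256 stands in for the md5 mentioned in the ticket since any stable digest serves change detection.

```python
"""Config-tree fingerprint for an install/start consistency check.
Added example, not BroControl code; paths and file names are assumed."""
import hashlib
import os
import tempfile


def fingerprint_tree(root):
    """Digest of every entry's metadata under `root`, the python equivalent
    of `ls -lR | md5sum`: relative path, mode, size and mtime, walked in a
    deterministic (sorted) order. os.lstat() records symlinks themselves
    rather than following them, mirroring what `ls -l` shows."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # os.walk honours in-place sorting for traversal order
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            line = "%s\t%o\t%d\t%d\n" % (
                os.path.relpath(full, root), st.st_mode, st.st_size, int(st.st_mtime))
            h.update(line.encode("utf-8"))
    return h.hexdigest()


def record_install(root, state_file):
    """Run after a successful "install": remember what was put in place."""
    digest = fingerprint_tree(root)
    with open(state_file, "w") as f:
        f.write(digest + "\n")
    return digest


def check_installed(root, state_file):
    """Run on "start": returns (up_to_date, message). The message text for the
    changed case is the one Robin suggests in the ticket."""
    try:
        with open(state_file) as f:
            installed = f.read().strip()
    except FileNotFoundError:
        return False, "warning: configuration has never been installed"
    if fingerprint_tree(root) != installed:
        return False, "warning: configuration changed but not yet installed"
    return True, "configuration is up to date"


def demo():
    """Constructed scenario in a temp dir: start before install, install,
    edit a script without reinstalling, reinstall. Returns the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share", "bro")        # assumed config root
        state = os.path.join(tmp, "spool", "installed.sha256")  # assumed state file
        os.makedirs(os.path.join(share, "site"))
        os.makedirs(os.path.dirname(state))
        local = os.path.join(share, "site", "local.bro")
        with open(local, "w") as f:
            f.write("# constructed sample site policy\n")
        never = check_installed(share, state)
        record_install(share, state)
        clean = check_installed(share, state)
        with open(local, "a") as f:                      # edited, "install" forgotten
            f.write("# a tweak made after the last install\n")
        dirty = check_installed(share, state)
        record_install(share, state)
        again = check_installed(share, state)
        return {"never": never[0], "clean": clean[0], "dirty": dirty[0],
                "after_reinstall": again[0], "dirty_msg": dirty[1]}


if __name__ == "__main__":
    print(demo())
```

Keeping the state file outside the fingerprinted tree matters: if it lived under share/bro, writing it would change the fingerprint it records. Metadata-only hashing, like `ls -lR`, misses an in-place edit that preserves size and mtime; hashing file contents as well closes that gap at the cost of reading every file on each "start".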
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 09:41:49 -0000
Subject: [Bro-Dev] #433: run-time error: unserialized unknown global name
In-Reply-To: <048.b7f6a90db7ea47a175189fdbe3df691e@tracker.bro-ids.org>
References: <048.b7f6a90db7ea47a175189fdbe3df691e@tracker.bro-ids.org>
Message-ID: <063.fadeb45345286912771a3c80ac84885d@tracker.bro-ids.org>

#433: run-time error: unserialized unknown global name
----------------------+------------------------
  Reporter:  jsiwek   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Low      |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by robin):

 Yes on the question regarding the location for the state. Putting it elsewhere would indeed require significant additional machinery and break the tight link between logs and state (all produced by the same input). If dot-state is "rude", we could make it a non-dotted directory or even store `state.bst` right along with the other logs in cwd.

 Sure, rewording the message and sending it through the reporter sounds good.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From robin at icir.org Mon Dec 12 01:53:26 2011
From: robin at icir.org (Robin Sommer)
Date: Mon, 12 Dec 2011 01:53:26 -0800
Subject: [Bro-Dev] Hui Lin_Where is Binpac warning for Bro 2.0
In-Reply-To:
References: <7f3f2547fb06463582cab8f80500a03c@CITESHT3.ad.uillinois.edu>
Message-ID: <20111212095326.GH56839@icir.org>

On Fri, Dec 09, 2011 at 19:15 -0600, you wrote:

> Will binpac++ do something like this?

Yes, it will eventually. Can you give a few more details on the kind of checks you want to do?

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org

From bro at tracker.bro-ids.org Mon Dec 12 01:55:13 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 09:55:13 -0000
Subject: [Bro-Dev] #711: topic/robin/pp-alarms
In-Reply-To: <047.1b448e78bff44559e1f195ed0f4d8430@tracker.bro-ids.org>
References: <047.1b448e78bff44559e1f195ed0f4d8430@tracker.bro-ids.org>
Message-ID: <062.df3b50ae604e7ce5177074e02aee8bdd@tracker.bro-ids.org>

#711: topic/robin/pp-alarms
----------------------------+--------------------
  Reporter:  robin          |      Owner:  seth
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:
Resolution:                 |   Keywords:
----------------------------+--------------------

Comment (by robin):

 On Sat, Dec 10, 2011 at 05:19 -0000, you wrote:

 > Am I supposed to merge this or did you just want me to look over it?

 Either is fine. Either go ahead and merge, or just say "ok" (or tweak further) and I'll do it. Just wanted to stick to my self-imposed rule of passing script changes through your eyes.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Mon Dec 12 02:21:18 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Mon, 12 Dec 2011 02:21:18 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112121021.pBCALInR018580@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner  | Prio   | Summary
----------+---------+----------+--------+--------+-----------------------------------------------------
Bro       | 692 [1] | seth     | robin  | Normal | ssl_extension event doesn't indicate originator
Bro       | 702 [2] | seth     | robin  | Normal | topic/seth/dns-updates - Fixed some DNS issues [3]
Bro       | 711 [4] | robin    | seth   | Normal | topic/robin/pp-alarms [5]
Bro       | 712 [6] | amannb   | jsiwek | Normal | LogMgr should escape the set separator

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
----------+----------+-----------+------------+-------------------------------------------------------------------------------------
bro       | 76a0b9a  | Seth Hall | 2011-12-10 | Fixed some DPD signatures for IRC. Fixes ticket #311. [7]
bro       | 6478b4a  | Seth Hall | 2011-12-10 | Removing Off_Port_Protocol_Found notice. [8]
bro       | 00fb187  | Seth Hall | 2011-12-10 | SSH::Interesting_Hostname_Login cleanup. Fixes #664. [9]
bro       | 2cf7bb5  | Jon Siwek | 2011-12-09 | Teach Broxygen to more generally reference attribute values by name. [10]
bro       | 3391270  | Seth Hall | 2011-12-08 | Fixed a really dumb bug that was causing the malware hash registry script to break. [11]
bro       | 80b2451  | Jon Siwek | 2011-12-07 | Fix Broxygen confusing scoped id at start of line as function parameter. [12]
bro       | ab31594  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [13]
cmake     | 0c0a469  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [14]

[1]  #692: http://tracker.bro-ids.org/bro/ticket/692
[2]  #702: http://tracker.bro-ids.org/bro/ticket/702
[3]  dns-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/dns-updates
[4]  #711: http://tracker.bro-ids.org/bro/ticket/711
[5]  pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[6]  #712: http://tracker.bro-ids.org/bro/ticket/712
[7]  fastpath: http://tracker.bro-ids.org/bro/changeset/76a0b9ad3c06c45ca8f0eeafaf32562f65e8ad4f/bro
[8]  fastpath: http://tracker.bro-ids.org/bro/changeset/6478b4acafaaef51f5bcbc2d86996a59dedc39e1/bro
[9]  fastpath: http://tracker.bro-ids.org/bro/changeset/00fb187927b6369f941d30e98a396c85f9e8218d/bro
[10] fastpath: http://tracker.bro-ids.org/bro/changeset/2cf7bb578886ec64d11df509cc52adc725965b08/bro
[11] fastpath: http://tracker.bro-ids.org/bro/changeset/3391270527f0eb75dba943d9dd75531032c462e7/bro
[12] fastpath: http://tracker.bro-ids.org/bro/changeset/80b24513e770c7f935be2da5297b2ea53bfadae3/bro
[13] fastpath: http://tracker.bro-ids.org/bro/changeset/ab315949d6e08b622f786e3941cd66173b0ef222/bro
[14] fastpath: http://tracker.bro-ids.org/bro/changeset/0c0a4697687df7f17c09391a1d0d95b25297a662/cmake

From robin at icir.org Mon Dec 12 02:29:02 2011
From: robin at icir.org (Robin Sommer)
Date: Mon, 12 Dec 2011 02:29:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
In-Reply-To: <201112121021.pBCALInR018580@bro-ids.icir.org>
References: <201112121021.pBCALInR018580@bro-ids.icir.org>
Message-ID: <20111212102902.GQ56839@icir.org>

On Mon, Dec 12, 2011 at 02:21 -0800, you wrote:

> > Open Merge Requests for Bro2.0

(These will be sent nightly, summarizing what's in the queue for merging into git master.)

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From ed.groenendaal at mionegroup.com Mon Dec 12 03:28:32 2011
From: ed.groenendaal at mionegroup.com (Edward Groenendaal)
Date: Mon, 12 Dec 2011 21:28:32 +1000
Subject: [Bro-Dev] Alarms based on abnormal traffic patterns
Message-ID: <91C43D10-808A-4331-A61D-DE71FE85609A@mionegroup.com>

Hi,

Would you guys say that Bro implementing abnormal traffic analysis (i.e. deviation from a baseline) would be outside of Bro's scope? If not, is anyone working on it?

I was envisaging a learning baseline, with a base unit of one hour, covering 24 hours, then day of week (7 days), then day of month, then month of year. The actual baseline for each hour would be the average of those. The input would be the traffic percentages a la what we get from Bro at the moment, with a single user-supplied input being the deviation from that norm.

The reason that this has come up (other than being something that I've been thinking about for quite a while, not just traffic based) is that over the weekend our work's website was hit with an unsolicited security scan gone wrong: it got itself into a loop and hit us with over 150,000 POSTs in a couple of hours until I got out of bed at 2:30 and put a fw rule in place. Bro did not alarm on this; we were alerted by disk space issues from the logging. However, the skew in normal traffic profiles was obvious to the eye.

Other ways to detect this would be to alarm on too much traffic from a single IP (in this case); again, a baseline and deviation would be required, though, to be truly usable and user friendly. But that wouldn't help with a DDoS, which the more general traffic analysis would.

Cheers
Ed.

From bro at tracker.bro-ids.org Mon Dec 12 07:09:14 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 15:09:14 -0000
Subject: [Bro-Dev] #311: DPD mistakenly thinking HTTP is IRC
In-Reply-To: <046.3f8eace7381b3dd1aa7e05363fb06431@tracker.bro-ids.org>
References: <046.3f8eace7381b3dd1aa7e05363fb06431@tracker.bro-ids.org>
Message-ID: <061.31ee58352198e867f6f97d597e68a237@tracker.bro-ids.org>

#311: DPD mistakenly thinking HTTP is IRC
-----------------------------+--------------------
  Reporter:  vern            |      Owner:
      Type:  Problem         |     Status:  closed
  Priority:  Normal          |  Milestone:
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Solved/Applied

Comment:

I solved this problem by improving the DPD regexes for server-to-server IRC (it's in fastpath). I'll put a note in Gregor's ticket to refer back to this ticket for information about the DPD inadequacies related to IRC.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 12 07:09:56 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 15:09:56 -0000
Subject: [Bro-Dev] #313: DPD: ProtocolConfirmation, ProtocolViolation revamp
In-Reply-To: <048.633f95951e8a9ea196a7265918ce16f5@tracker.bro-ids.org>
References: <048.633f95951e8a9ea196a7265918ce16f5@tracker.bro-ids.org>
Message-ID: <063.261c8a09b32b4b97903f2f436593ed0a@tracker.bro-ids.org>

#313: DPD: ProtocolConfirmation, ProtocolViolation revamp
------------------------------+-----------------
  Reporter:  gregor           |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:
------------------------------+-----------------

Comment (by seth):

For information relating to DPD inadequacies related to IRC, see ticket #311.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From gregor at icir.org Mon Dec 12 08:26:10 2011
From: gregor at icir.org (Gregor Maier)
Date: Mon, 12 Dec 2011 08:26:10 -0800
Subject: [Bro-Dev] #311: DPD mistakenly thinking HTTP is IRC
In-Reply-To: <061.31ee58352198e867f6f97d597e68a237@tracker.bro-ids.org>
References: <046.3f8eace7381b3dd1aa7e05363fb06431@tracker.bro-ids.org> <061.31ee58352198e867f6f97d597e68a237@tracker.bro-ids.org>
Message-ID: <4EE62B22.3010007@icir.org>

> I solved this problem by improving the DPD regexes for server-to-server
> IRC (it's in fastpath). I'll put a note in Gregor's ticket to refer back
> to this ticket for information about the DPD inadequacies related to IRC.

Note that we should still fix the IRC analyzer. The signatures should just be a hint for the analyzer (to speed things up), and the analyzer can then detect whether it's parsing the right protocol. Without resource constraints, DPD could/would run all analyzers on all connections, and if an analyzer can't parse the connection it detaches from the tree.

(Not changing ticket status yet, since YMMV)

cu
Gregor

-- 
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From bro at tracker.bro-ids.org Mon Dec 12 08:26:18 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 16:26:18 -0000
Subject: [Bro-Dev] #311: DPD mistakenly thinking HTTP is IRC
In-Reply-To: <046.3f8eace7381b3dd1aa7e05363fb06431@tracker.bro-ids.org>
References: <046.3f8eace7381b3dd1aa7e05363fb06431@tracker.bro-ids.org>
Message-ID: <061.83d93c82e51a3d454009ab2efc8a286d@tracker.bro-ids.org>

#311: DPD mistakenly thinking HTTP is IRC
-----------------------------+--------------------
  Reporter:  vern            |      Owner:
      Type:  Problem         |     Status:  closed
  Priority:  Normal          |  Milestone:
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------

Comment (by gregor):

> I solved this problem by improving the DPD regexes for server-to-server
> IRC (it's in fastpath). I'll put a note in Gregor's ticket to refer back
> to this ticket for information about the DPD inadequacies related to IRC.

Note that we should still fix the IRC analyzer. The signatures should just be a hint for the analyzer (to speed things up), and the analyzer can then detect whether it's parsing the right protocol. Without resource constraints, DPD could/would run all analyzers on all connections, and if an analyzer can't parse the connection it detaches from the tree.

(Not changing ticket status yet, since YMMV)

cu
Gregor

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From vern at icir.org Mon Dec 12 09:59:30 2011
From: vern at icir.org (Vern Paxson)
Date: Mon, 12 Dec 2011 09:59:30 -0800
Subject: [Bro-Dev] Alarms based on abnormal traffic patterns
In-Reply-To: <91C43D10-808A-4331-A61D-DE71FE85609A@mionegroup.com> (Mon, 12 Dec 2011 21:28:32 +1000).
Message-ID: <20111212175930.EDF3C2C4073@rock.ICSI.Berkeley.EDU>

> Would you guys say that Bro implementing abnormal traffic analysis (ie
> deviation from a baseline) would be outside of Bro's scope?

Outside of its scope in terms of what's been developed, yes. It could be a reasonable framework though to use to implement such analysis.

HOWEVER: this sort of anomaly detection turns out to be much trickier than it would appear. The problem is that non-attack traffic has enough variation in it that often it's very hard to find a useful definition of "abnormal" such that you can alarm on it without endlessly annoying the operator who has to field the alarms.

That said, sometimes one can indeed find a sweet spot between normal behavior and problematic behavior. But it's very tricky (and usually publishable research if you can develop such a detector that works in multiple environments).

Vern

From bro at tracker.bro-ids.org Mon Dec 12 10:09:33 2011
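The hour-of-day baseline Ed sketches, and the false-alarm trade-off Vern warns about, worked through as an added Python example. This is not Bro code and not from anyone in this thread; it assumes that per-hour POST counts have already been aggregated from Bro's http.log by some external step, and the seven days of history and the "today" counts below are constructed by hand (the 75,000-per-hour figure stands in for the looping scanner Ed describes).

```python
"""Hour-of-day traffic baseline with deviation alarms (added example)."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

Baseline = Dict[int, Tuple[float, float]]   # hour-of-day -> (mean, stdev)


def build_baseline(history: Iterable[Tuple[int, int, int]]) -> Baseline:
    """history yields (day, hour, request_count) for past days.

    For each hour of the day we keep the mean and population standard
    deviation over all observed days: the "learning baseline" with a
    one-hour base unit.  A day-of-week or month-of-year layer, as in
    Ed's proposal, would be an extra component of the dictionary key.
    """
    per_hour: Dict[int, List[int]] = defaultdict(list)
    for _day, hour, count in history:
        per_hour[hour].append(count)
    return {h: (mean(c), pstdev(c)) for h, c in per_hour.items()}


def deviation(baseline: Baseline, hour: int, count: int) -> float:
    """Signed z-score of an observed hourly count against its baseline.

    The floor on the standard deviation stops a perfectly regular
    history (stdev 0) from turning every tiny change into a huge score.
    """
    avg, sd = baseline[hour]
    sd = max(sd, 0.1 * avg, 1.0)
    return (count - avg) / sd


def alarms(baseline: Baseline, observed: Dict[int, int],
           threshold: float) -> List[Tuple[int, int, float]]:
    """Hours whose count exceeds the baseline by more than `threshold`
    standard deviations.  Only upward deviation alarms: a quiet hour is
    not an incident."""
    hits = []
    for hour in sorted(observed):
        z = deviation(baseline, hour, observed[hour])
        if z > threshold:
            hits.append((hour, observed[hour], round(z, 2)))
    return hits


# --- constructed sample data (not real traffic) --------------------------
def constructed_history(days: int = 7) -> List[Tuple[int, int, int]]:
    """Seven days of POST counts per hour: busy 09-17, quiet otherwise,
    with a fixed day-to-day jitter so the standard deviation is non-zero."""
    jitter = [-20, -10, 0, 10, 20, 0, 0]
    return [(d, h, (200 if 9 <= h < 18 else 40) + jitter[d])
            for d in range(days) for h in range(24)]


def constructed_today() -> Dict[int, int]:
    """Today's counts: the normal profile, plus a runaway scanner in the
    02:00 and 03:00 hours and a benign afternoon bump at 14:00."""
    today = {h: (200 if 9 <= h < 18 else 40) for h in range(24)}
    today[2] = 75_000      # constructed: looping scanner, first hour
    today[3] = 75_000      # constructed: looping scanner, second hour
    today[14] = 260        # constructed: ordinary busy spell, not an attack
    return today


if __name__ == "__main__":
    base = build_baseline(constructed_history())
    for thr in (2.5, 5.0):
        print(f"threshold {thr}:", alarms(base, constructed_today(), thr))
```

On the constructed data a threshold of 5 standard deviations flags only the two scanner hours, while 2.5 also flags the benign 14:00 bump; that second alarm is the operator-annoyance problem Vern describes, and tuning the threshold per environment is the part that does not generalize. Feeding per-source-IP counts through the same `build_baseline`/`alarms` pair covers Ed's "too much traffic from a single IP" variant.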
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 18:09:33 -0000
Subject: [Bro-Dev] #311: DPD mistakenly thinking HTTP is IRC
In-Reply-To: <046.3f8eace7381b3dd1aa7e05363fb06431@tracker.bro-ids.org>
References: <046.3f8eace7381b3dd1aa7e05363fb06431@tracker.bro-ids.org>
Message-ID: <061.b5e929e30cc2a51bef77d143928950d9@tracker.bro-ids.org>

#311: DPD mistakenly thinking HTTP is IRC
-----------------------------+--------------------
  Reporter:  vern            |      Owner:
      Type:  Problem         |     Status:  closed
  Priority:  Normal          |  Milestone:
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------

Comment (by seth):

On Dec 12, 2011, at 11:26 AM, Gregor Maier wrote:

> Note that we should still fix the IRC analyzer. The signatures should
> just be a hint for the analyzer (to speed things up) and that the
> analyzer can detect whether it's parsing the right protocol.

Agreed. I noted on the other ticket you filed that when we get around to reassessing DPD we make sure and fix the IRC analyzer, since there definitely needs to be a way to detach it. Doing it at script land might even be the right way to go though.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 12 10:36:48 2011
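What Gregor's "signature as a hint, analyzer detaches when it can't parse" looks like in miniature, as an added Python sketch that is not Bro's DPD code. A deliberately loose IRC signature (constructed for the example) matches an HTTP POST request line, which is the shape of the confusion in ticket #311; only the analyzer's own validation catches the mistake and detaches. The command allow-list, regexes and sample payloads are all assumptions made here.

```python
"""Signature hint plus analyzer self-check, with detach on violation."""
import re
from typing import Dict, List, Optional

# Constructed hint signatures.  The IRC one is loose on purpose: an
# uppercase word followed by arguments also describes an HTTP request line.
IRC_HINT = re.compile(rb"^(?::\S+ )?[A-Z]{3,10} [^\r\n]*\r\n")
HTTP_HINT = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")
REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]$")

# Toy stand-in for a real IRC grammar: commands the analyzer will accept.
IRC_COMMANDS = {b"NICK", b"USER", b"JOIN", b"PART", b"PRIVMSG", b"NOTICE",
                b"PING", b"PONG", b"MODE", b"QUIT", b"PASS", b"SERVER", b"CAP"}


class Analyzer:
    """A protocol analyzer either confirms the protocol or records a
    violation; once it has a violation it stops parsing (detached)."""
    name = "base"

    def __init__(self) -> None:
        self.confirmed = False
        self.violation: Optional[str] = None

    def feed(self, data: bytes) -> None:
        for line in data.split(b"\r\n"):
            if self.violation is not None:
                break
            if line:
                self.parse_line(line)

    def parse_line(self, line: bytes) -> None:
        raise NotImplementedError


class IRCAnalyzer(Analyzer):
    name = "IRC"

    def parse_line(self, line: bytes) -> None:
        if line.startswith(b":"):            # optional ":prefix " before the command
            line = line.partition(b" ")[2]
        cmd = line.split(b" ", 1)[0]
        if cmd in IRC_COMMANDS or (len(cmd) == 3 and cmd.isdigit()):
            self.confirmed = True             # known command or numeric reply
        else:
            self.violation = f"unknown IRC command {cmd!r}"


class HTTPAnalyzer(Analyzer):
    """Request line, then header lines.  Body handling is omitted."""
    name = "HTTP"

    def __init__(self) -> None:
        super().__init__()
        self.seen_request_line = False

    def parse_line(self, line: bytes) -> None:
        if not self.seen_request_line:
            if REQUEST_LINE.match(line):
                self.seen_request_line = True
                self.confirmed = True
            else:
                self.violation = f"bad request line {line!r}"
        elif b":" not in line:
            self.violation = f"malformed header {line!r}"


HINTS = [(IRC_HINT, IRCAnalyzer), (HTTP_HINT, HTTPAnalyzer)]


def dpd(payload: bytes) -> Dict[str, str]:
    """Attach every analyzer whose hint signature matches, feed it the
    payload, and report which ones confirmed and which detached."""
    attached: List[Analyzer] = [cls() for sig, cls in HINTS if sig.match(payload)]
    outcome: Dict[str, str] = {}
    for analyzer in attached:
        analyzer.feed(payload)
        if analyzer.violation is not None:
            outcome[analyzer.name] = "detached: " + analyzer.violation
        elif analyzer.confirmed:
            outcome[analyzer.name] = "confirmed"
        else:
            outcome[analyzer.name] = "undecided"
    return outcome


# Constructed sample payloads.
HTTP_SAMPLE = (b"POST /index.html HTTP/1.1\r\n"
               b"Host: www.example\r\n"
               b"Content-Length: 0\r\n\r\n")
IRC_SAMPLE = b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #chan\r\n"

if __name__ == "__main__":
    print(dpd(HTTP_SAMPLE))   # IRC attaches on the hint, then detaches
    print(dpd(IRC_SAMPLE))    # only IRC attaches, and it confirms
```

The hint gets the HTTP payload into the IRC analyzer, and it is the analyzer's parse of the first line, not the signature, that removes it again. In Bro the same two outcomes are what ProtocolConfirmation and ProtocolViolation (the subject of ticket #313) are meant to carry.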
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 18:36:48 -0000
Subject: [Bro-Dev] #717: Make LogWriter output the type of data stored inside a set or vector
Message-ID: <048.e2fece588a58a2f77afa832b7d55c999@tracker.bro-ids.org>

#717: Make LogWriter output the type of data stored inside a set or vector
--------------------+---------------------------
 Reporter:  amannb  |       Type:  Merge Request
   Status:  new     |   Priority:  Normal
Milestone:  Bro2.0  |  Component:  Bro
  Version:          |   Keywords:
--------------------+---------------------------
At the moment, when logging a set or vector the logwriter outputs something like

{{{
#fields table vector
[1,2,3] [a,b,c]
}}}

This patch changes the field description to contain the type of data contained in the field. In the example the resulting output would now be

{{{
#fields table[count] vector[string]
[1,2,3] [a,b,c]
}}}

The patch is contained in the branch topic/bernhard/log-set-description.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 12 10:39:52 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 12 Dec 2011 18:39:52 -0000
Subject: [Bro-Dev] #718: Log protocol type for notices
Message-ID: <048.02d89499b6936683b1f6e5e85519d1d3@tracker.bro-ids.org>

#718: Log protocol type for notices
--------------------+---------------------------
 Reporter:  amannb  |       Type:  Merge Request
   Status:  new     |   Priority:  Normal
Milestone:  Bro2.0  |  Component:  Bro
  Version:          |   Keywords:
--------------------+---------------------------
At the moment, notice.log does not contain the protocol type (tcp, udp, icmp), only the source address, destination and port. The branch topic/bernhard/notice-proto contains a small patch to add this information to notice.log.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 12 16:19:19 2011
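Why the typed field description in #717 matters to whoever consumes the log, shown with an added Python reader. This is not Bro's own log reader; it assumes exactly the layout the ticket shows (a `#fields` line naming each column, optionally with the element type in brackets, followed by tab-separated rows whose set/vector values are bracketed and comma-separated), and the two tiny logs at the bottom are constructed from the ticket's before/after example.

```python
"""Parse set/vector columns of an ASCII log using the typed #fields line."""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# "table[count]" -> ("table", "count"); plain "table" -> ("table", None)
FIELD_RE = re.compile(r"^(\w+)(?:\[(\w+)\])?$")

# Scalar conversions for the element types this example understands.
CONVERTERS: Dict[str, Callable[[str], object]] = {
    "count": int,
    "int": int,
    "double": float,
    "string": str,
}


def parse_fields(header: str) -> List[Tuple[str, Optional[str]]]:
    """Split a '#fields ...' line into (column name, element type) pairs.
    A column without a bracketed type keeps None, as in the pre-patch output."""
    parsed = []
    for name in header.split()[1:]:          # drop the "#fields" tag itself
        m = FIELD_RE.match(name)
        if m is None:
            raise ValueError(f"bad field description {name!r}")
        parsed.append((m.group(1), m.group(2)))
    return parsed


def parse_collection(text: str, elem_type: Optional[str]) -> list:
    """'[1,2,3]' with elem_type 'count' -> [1, 2, 3].

    Without a type the elements can only stay strings, which is exactly
    the ambiguity the #717 patch removes for the reader."""
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError(f"not a bracketed collection: {text!r}")
    inner = text[1:-1]
    if inner == "":
        return []
    if elem_type is None:
        convert: Callable[[str], object] = str
    elif elem_type in CONVERTERS:
        convert = CONVERTERS[elem_type]
    else:
        raise ValueError(f"no converter for element type {elem_type!r}")
    return [convert(item) for item in inner.split(",")]


def parse_log(lines: Iterable[str]) -> List[Dict[str, list]]:
    """Read header and data rows; returns one dict per row keyed by column."""
    fields: Optional[List[Tuple[str, Optional[str]]]] = None
    rows: List[Dict[str, list]] = []
    for line in lines:
        if line.startswith("#fields"):
            fields = parse_fields(line)
            continue
        if line.startswith("#") or not line.strip():
            continue                          # other metadata lines, blanks
        if fields is None:
            raise ValueError("data row before any #fields line")
        values = line.rstrip("\n").split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rows.append({name: parse_collection(v, t)
                     for (name, t), v in zip(fields, values)})
    return rows


# Constructed logs mirroring the ticket's before/after example.
OLD_LOG = ["#fields\ttable\tvector", "[1,2,3]\t[a,b,c]"]
NEW_LOG = ["#fields\ttable[count]\tvector[string]", "[1,2,3]\t[a,b,c]"]

if __name__ == "__main__":
    print(parse_log(OLD_LOG))   # elements stay strings: no type to go on
    print(parse_log(NEW_LOG))   # counts become ints, strings stay strings
```

The element splitting is naive on purpose: a string element containing a comma would be split in two, which is the separate escaping problem tracked as #712 ("LogMgr should escape the set separator") in the merge queue above, and a reader like this has to be updated in step with whatever escaping the writer adopts.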
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 00:19:19 -0000
Subject: [Bro-Dev] #719: SMTP policy blocklist: Added originator only logging
Message-ID: <047.9e4c3286edf66f09984c98d8e2df69ab@tracker.bro-ids.org>

#719: SMTP policy blocklist: Added originator only logging
----------------------+-------------------
 Reporter:  eddyg     |       Type:  Patch
   Status:  new       |   Priority:  Low
Milestone:  Bro2.0    |  Component:  Bro
  Version:  2.0 Beta  |   Keywords:
----------------------+-------------------
Added a boolean to the SMTP blocklist policy to prevent logging on incoming connections that are blocked by us, and only log outgoing connections that are blocked by others.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 12 16:34:13 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 00:34:13 -0000
Subject: [Bro-Dev] #719: SMTP policy blocklist: Added originator only logging
In-Reply-To: <047.9e4c3286edf66f09984c98d8e2df69ab@tracker.bro-ids.org>
References: <047.9e4c3286edf66f09984c98d8e2df69ab@tracker.bro-ids.org>
Message-ID: <062.528c6a7013023b73d6ab5226a3166725@tracker.bro-ids.org>

#719: SMTP policy blocklist: Added originator only logging
--------------------+----------------------
  Reporter:  eddyg  |      Owner:
      Type:  Patch  |     Status:  new
  Priority:  Low    |  Milestone:  Bro2.0
 Component:  Bro    |    Version:  2.0 Beta
Resolution:         |   Keywords:
--------------------+----------------------

Comment (by eddyg):

Yes, I could have done this with a policy override. However, I felt that it was useful enough for everyone to have; I personally find it useless to know who I'm blocking (which is a lot of servers) vs. who is blocking me, which is useful.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Tue Dec 13 00:00:03 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 13 Dec 2011 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112130800.pBD803AX020511@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner  | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 692 [1] | seth     | robin  | Normal | ssl_extension event doesn't indicate originator
Bro       | 702 [2] | seth     | robin  | Normal | topic/seth/dns-updates - Fixed some DNS issues [3]
Bro       | 711 [4] | robin    | seth   | Normal | topic/robin/pp-alarms [5]
Bro       | 712 [6] | amannb   | jsiwek | Normal | LogMgr should escape the set separator
Bro       | 717 [7] | amannb   |        | Normal | Make LogWriter output the type of data stored inside a set or vector
Bro       | 718 [8] | amannb   |        | Normal | Log protocol type for notices

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 61aa592  | Seth Hall | 2011-12-12 | A few updates for SQL injection detection. [9]
bro       | 76a0b9a  | Seth Hall | 2011-12-10 | Fixed some DPD signatures for IRC. Fixes ticket #311. [10]
bro       | 6478b4a  | Seth Hall | 2011-12-10 | Removing Off_Port_Protocol_Found notice. [11]
bro       | 00fb187  | Seth Hall | 2011-12-10 | SSH::Interesting_Hostname_Login cleanup. Fixes #664. [12]
bro       | 2cf7bb5  | Jon Siwek | 2011-12-09 | Teach Broxygen to more generally reference attribute values by name. [13]
bro       | 3391270  | Seth Hall | 2011-12-08 | Fixed a really dumb bug that was causing the malware hash registry script to break. [14]
bro       | 80b2451  | Jon Siwek | 2011-12-07 | Fix Broxygen confusing scoped id at start of line as function parameter. [15]
bro       | ab31594  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [16]
cmake     | 0c0a469  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [17]

[1] #692: http://tracker.bro-ids.org/bro/ticket/692
[2] #702: http://tracker.bro-ids.org/bro/ticket/702
[3] dns-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/dns-updates
[4] #711: http://tracker.bro-ids.org/bro/ticket/711
[5] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[6] #712: http://tracker.bro-ids.org/bro/ticket/712
[7] #717: http://tracker.bro-ids.org/bro/ticket/717
[8] #718: http://tracker.bro-ids.org/bro/ticket/718
[9] fastpath: http://tracker.bro-ids.org/bro/changeset/61aa592db5a847d0e9a2538d31850aae6910c04d/bro
[10] fastpath: http://tracker.bro-ids.org/bro/changeset/76a0b9ad3c06c45ca8f0eeafaf32562f65e8ad4f/bro
[11] fastpath: http://tracker.bro-ids.org/bro/changeset/6478b4acafaaef51f5bcbc2d86996a59dedc39e1/bro
[12] fastpath: http://tracker.bro-ids.org/bro/changeset/00fb187927b6369f941d30e98a396c85f9e8218d/bro
[13] fastpath: http://tracker.bro-ids.org/bro/changeset/2cf7bb578886ec64d11df509cc52adc725965b08/bro
[14] fastpath: http://tracker.bro-ids.org/bro/changeset/3391270527f0eb75dba943d9dd75531032c462e7/bro
[15] fastpath: http://tracker.bro-ids.org/bro/changeset/80b24513e770c7f935be2da5297b2ea53bfadae3/bro
[16] fastpath: http://tracker.bro-ids.org/bro/changeset/ab315949d6e08b622f786e3941cd66173b0ef222/bro
[17] fastpath: http://tracker.bro-ids.org/bro/changeset/0c0a4697687df7f17c09391a1d0d95b25297a662/cmake

From bro at tracker.bro-ids.org Tue Dec 13 06:16:51 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 14:16:51 -0000
Subject: [Bro-Dev] #720: Fix problem with loss at low packet rate
Message-ID: <046.79d473381c0897fd9a040c8847c3d8e8@tracker.bro-ids.org>

#720: Fix problem with loss at low packet rate
---------------------+--------------------
 Reporter:  seth     |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  High     |  Milestone:  Bro2.0
Component:  Bro      |    Version:
 Keywords:           |
---------------------+--------------------
Everyone that runs the 2.0 beta is having trouble with packet loss at very low volume. It seems to come from the default snaplength increase to 65535 and the inability with the old libpcap API to effectively increase the buffer size. I don't know how to solve this problem yet, but we need to fix it very soon, and it's a definite blocker for the release.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 06:50:06 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 14:50:06 -0000
Subject: [Bro-Dev] #719: SMTP policy blocklist: Added originator only logging
In-Reply-To: <047.9e4c3286edf66f09984c98d8e2df69ab@tracker.bro-ids.org>
References: <047.9e4c3286edf66f09984c98d8e2df69ab@tracker.bro-ids.org>
Message-ID: <062.e93dd693414a2cfa723df4ce3a6b2bb1@tracker.bro-ids.org>

#719: SMTP policy blocklist: Added originator only logging
--------------------+----------------------
  Reporter:  eddyg  |      Owner:
      Type:  Patch  |     Status:  new
  Priority:  Low    |  Milestone:  Bro2.0
 Component:  Bro    |    Version:  2.0 Beta
Resolution:         |   Keywords:
--------------------+----------------------

Comment (by seth):

I'd rather not solve it the way you did in the patch, but I definitely understand what you want. I think what we might do is change how the shorthand notice policy configuration variables work (I'm totally up for changing this for 2.0 too). What I need to know is what you ultimately want to change. Do you just want to completely filter out all non-local blocked servers? Or would you really just like to alarm or notice on the local blocked servers?

I have two proposed techniques, each with things I like and don't like. Both examples would solve the problem you are trying to solve. Which do you prefer?

{{{
redef Notice::ignored_notices += { [SMTP::Blocklist_Blocked_Host, LOCAL_HOSTS] };

redef Notice::shortcuts += { [SMTP::Blocklist_Blocked_Host, LOCAL_HOSTS] = Notice::ACTION_IGNORE };
}}}

We also need to overhaul that notice a bit, but I've been planning on going around and touching all of the notices a little bit before the release to make them all clearer.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 07:53:16 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 15:53:16 -0000
Subject: [Bro-Dev] #433: run-time error: unserialized unknown global name
In-Reply-To: <048.b7f6a90db7ea47a175189fdbe3df691e@tracker.bro-ids.org>
References: <048.b7f6a90db7ea47a175189fdbe3df691e@tracker.bro-ids.org>
Message-ID: <063.5ecaf44b4b2b82b1aae8b7a81b3e8ff4@tracker.bro-ids.org>

#433: run-time error: unserialized unknown global name
----------------------+------------------------
  Reporter:  jsiwek   |      Owner:  jsiwek
      Type:  Problem  |     Status:  closed
  Priority:  Low      |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:  fixed    |   Keywords:
----------------------+------------------------
Changes (by jsiwek):

 * status:  assigned => closed
 * resolution:   => fixed

Comment:

In [ae57cbe5fc975463a028df3547fb403e37d4b2a8/bro]:
{{{
#!CommitTicketReference repository="bro" revision="ae57cbe5fc975463a028df3547fb403e37d4b2a8"
Better persistent state config warning messages (fixes #433).
}}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 09:19:03 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 17:19:03 -0000
Subject: [Bro-Dev] #608: broctl print times out if the table is too big
In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
Message-ID: <064.b99d9b927a26cb56346870459c26a30b@tracker.bro-ids.org>

#608: broctl print times out if the table is too big
----------------------+------------------------
  Reporter:  aashish  |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by jsiwek):

The timeout in BroControl is hardcoded at 10 seconds. I was only able to get a 10K-entry table to time out when I changed it to 2 seconds, but I suppose it depends on the environment. I'm going to make the timeout interval a configurable option; let me know if there are other ideas.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 09:24:09 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 17:24:09 -0000
Subject: [Bro-Dev] #608: broctl print times out if the table is too big
In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
Message-ID: <064.fc46392137f247e60d951082003c68b5@tracker.bro-ids.org>

#608: broctl print times out if the table is too big
----------------------+------------------------
  Reporter:  aashish  |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by jsiwek):

In [b41e9b539b6f3780af710e1725c239fe5643bd27/broctl]:
{{{
#!CommitTicketReference repository="broctl" revision="b41e9b539b6f3780af710e1725c239fe5643bd27"
Make Broccoli communication event timeout interval configurable (addresses #608)
}}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 09:40:45 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 17:40:45 -0000
Subject: [Bro-Dev] #708: Framework Documentation Package 3
In-Reply-To: <046.00995ae87d9659b0e30d35895689a37c@tracker.bro-ids.org>
References: <046.00995ae87d9659b0e30d35895689a37c@tracker.bro-ids.org>
Message-ID: <061.893a7dd61fec1a8c499a9be63004da66@tracker.bro-ids.org>

#708: Framework Documentation Package 3
---------------------+----------------------
  Reporter:  seth    |      Owner:  jsiwek
      Type:  Task    |     Status:  assigned
  Priority:  Normal  |  Milestone:  Bro2.0
 Component:  Bro     |    Version:
Resolution:          |   Keywords:
---------------------+----------------------
Changes (by jsiwek):

 * owner:   => jsiwek
 * status:  new => assigned

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 09:43:51 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 17:43:51 -0000
Subject: [Bro-Dev] #608: broctl print times out if the table is too big
In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
Message-ID: <064.f627008f71a3a1af008374425668073a@tracker.bro-ids.org>

#608: broctl print times out if the table is too big
----------------------+------------------------
  Reporter:  aashish  |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by seth):

> I'm going to make the timeout interval
> a configurable option, let me know if there's other ideas.

Damn, nice job.

This may not make sense since I don't know where that timeout is set (broccoli-python?), but could we make the timeout dependent on activity? Presumably there's a difference between waiting to receive an entire event and waiting to receive an event in response at all. This might require special support within broccoli though.

For the 2.0 release I think it makes sense to stick with the configuration option like you did though.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 10:05:28 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 18:05:28 -0000
Subject: [Bro-Dev] #608: broctl print times out if the table is too big
In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
Message-ID: <064.3f86978b8cda556c6fca0ab8642a6a24@tracker.bro-ids.org>

#608: broctl print times out if the table is too big
----------------------+------------------------
  Reporter:  aashish  |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by jsiwek):

> This may not make sense since I don't know where that timeout is set (broccoli-python?),

I made it a broctl.cfg option called `CommTimeout`.

> but could we make the timeout dependent on activity? Presumably there's a difference between waiting to receive an entire event and waiting to receive an event in response at all. This might require special support within broccoli though.

I can make the timeout for sending and receiving events (within BroControl) independent of each other; is that what you mean?

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 10:08:30 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 18:08:30 -0000
Subject: [Bro-Dev] #608: broctl print times out if the table is too big
In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
Message-ID: <064.97560e8e06cc90066519f7c1578edde8@tracker.bro-ids.org>

#608: broctl print times out if the table is too big
----------------------+------------------------
  Reporter:  aashish  |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by aashish):

Jon, Seth:

Thanks for taking care of this issue. We are building some checkpoint scripts around "broctl print" functionality, so this is a useful feature.

Additionally, it would be good to have an adjustable timeout when bro is stopped or restarted using broctl. I have noticed that even though bro_done is not finished, after the timeout the bro process is killed. This results in some stale state on the acld. I can provide more specifics or create another ticket for it.

Btw, how do I configure these timeouts once support is built for it?

Thanks
Aashish

On Tue, Dec 13, 2011 at 05:19:03PM -0000, Bro Tracker wrote:
> #608: broctl print times out if the table is too big
> ----------------------+------------------------
>   Reporter:  aashish  |      Owner:
>       Type:  Problem  |     Status:  new
>   Priority:  Normal   |  Milestone:  Bro2.0
>  Component:  Bro      |    Version:  git/master
> Resolution:           |   Keywords:
> ----------------------+------------------------
>
> Comment (by jsiwek):
>
> The timeout in BroControl is hardcoded at 10 seconds, I was only able to
> get a 10K-entry table to timeout when I changed it to 2 seconds, but if I
> suppose it depends on environment. I'm going to make the timeout interval
> a configurable option, let me know if there's other ideas.
>
> --
> Ticket URL:
> Bro Tracker
> Bro Issue Tracker

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 10:16:36 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 18:16:36 -0000
Subject: [Bro-Dev] #721: Broccoli python doesn't support all possible data types
Message-ID: <046.b4aa25f5c4962bb48b94bf6bc54ee61d@tracker.bro-ids.org>

#721: Broccoli python doesn't support all possible data types
-----------------------------+-------------------
 Reporter:  seth             |      Owner:  robin
     Type:  Feature Request  |     Status:  new
 Priority:  Normal           |  Milestone:
Component:  broccoli-python  |    Version:
 Keywords:                   |
-----------------------------+-------------------
It has no support built in for sending or receiving tables/sets/vectors. Its support for enums appears to be incomplete as well.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 10:20:21 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 18:20:21 -0000
Subject: [Bro-Dev] #721: Broccoli python doesn't support all possible data types
In-Reply-To: <046.b4aa25f5c4962bb48b94bf6bc54ee61d@tracker.bro-ids.org>
References: <046.b4aa25f5c4962bb48b94bf6bc54ee61d@tracker.bro-ids.org>
Message-ID: <061.197797f625ba6abd093aeaa57172fc12@tracker.bro-ids.org>

#721: Broccoli python doesn't support all possible data types
------------------------------+-------------------
  Reporter:  seth             |      Owner:  robin
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:
 Component:  broccoli-python  |    Version:
Resolution:                   |   Keywords:
------------------------------+-------------------

Comment (by amannb):

Just for completeness: I think records of records are also not supported.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 10:24:45 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 18:24:45 -0000
Subject: [Bro-Dev] #721: Broccoli python doesn't support all possible data types
In-Reply-To: <046.b4aa25f5c4962bb48b94bf6bc54ee61d@tracker.bro-ids.org>
References: <046.b4aa25f5c4962bb48b94bf6bc54ee61d@tracker.bro-ids.org>
Message-ID: <061.c51ddcf44bc885bd742c6b586b64e6f7@tracker.bro-ids.org>

#721: Broccoli python doesn't support all possible data types
------------------------------+-------------------
  Reporter:  seth             |      Owner:  robin
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:
 Component:  broccoli-python  |    Version:
Resolution:                   |   Keywords:
------------------------------+-------------------

Comment (by seth):

On Dec 13, 2011, at 1:20 PM, Bro Tracker wrote:

> Just for completeness - I think records of records are also not supported.

You're right.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 10:27:47 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 18:27:47 -0000
Subject: [Bro-Dev] #608: broctl print times out if the table is too big
In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
Message-ID: <064.23e6fd54ad8c5e8530ccb2a837453ba8@tracker.bro-ids.org>

#608: broctl print times out if the table is too big
----------------------+------------------------
  Reporter:  aashish  |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by seth):

> Additionally, It would be good to have a adjustable timeout when bro is
> stopped or restarted using broctl. I have noticed that even though
> bro_done is not finished, after the timeout, bro process is killed. This
> results in some stale state on the acld. I can provide more specifics
> or create another ticket for it.

That's a different timeout. The timeout option that Jon was talking about is related to how long broctl will wait for python-broccoli events to return. I think that the larger problem we need to ask is why Bro is taking so long to shut down. What are you finding that Bro is spending so much time doing in the bro_done event?

> Btw, how do I configure these timeouts once support is built for it ?

From checking the commit Jon did, it looks like CommTimeout in broctl.cfg.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From asharma at lbl.gov Tue Dec 13 11:03:26 2011
From: asharma at lbl.gov (Aashish Sharma) Date: Tue, 13 Dec 2011 11:03:26 -0800 Subject: [Bro-Dev] #608: broctl print times out if the table is too big In-Reply-To: <064.23e6fd54ad8c5e8530ccb2a837453ba8@tracker.bro-ids.org> References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> <064.23e6fd54ad8c5e8530ccb2a837453ba8@tracker.bro-ids.org> Message-ID: <20111213190324.GL18798@yaksha.lbl.gov> On Tue, Dec 13, 2011 at 06:27:47PM -0000, Bro Tracker wrote: > #608: broctl print times out if the table is too big > ----------------------+------------------------ > Reporter: aashish | Owner: > Type: Problem | Status: new > Priority: Normal | Milestone: Bro2.0 > Component: Bro | Version: git/master > Resolution: | Keywords: > ----------------------+------------------------ > > Comment (by seth): > > That's a different timeout. Right! That is another timeout which has been bothering a bit. My point is while you guys are looking at the timeout, might as well look at this one too. > taking so long to shutdown. What are you finding that Bro is spending so > much time doing in the bro_done event? In catch-and-release, bro tries to restore all the dropped addresses which are in Drop::drop_info table back on the acl before shutting down. This can take a few mins when table size is ~5-10K Aashish > is related to how long broctl will wait for python-broccoli events to > return. I think that the larger problem we need to ask is why Bro is > taking so long to shutdown. What are you finding that Bro is spending so > much time doing in the bro_done event? > > > Btw, how do I configure these timeouts once support is built for it ? > > From checking the commit Jon did, it looks like CommTimeout in broctl.cfg. 
> > -- > Ticket URL: > Bro Tracker > Bro Issue Tracker -- Aashish Sharma (asharma at lbl.gov) Cyber Security, Information Technology Division Lawrence Berkeley National Laboratory http://www.lbl.gov/cyber/pgp-aashish.txt Office: (510)-495-2680 Cell: (510)-457-1525 From bro at tracker.bro-ids.org Tue Dec 13 11:03:44 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 13 Dec 2011 19:03:44 -0000 Subject: [Bro-Dev] #608: broctl print times out if the table is too big In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> Message-ID: <064.9b04cd143b7e7ed6ddbdacdc0b023eb6@tracker.bro-ids.org> #608: broctl print times out if the table is too big ----------------------+------------------------ Reporter: aashish | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by aashish): On Tue, Dec 13, 2011 at 06:27:47PM -0000, Bro Tracker wrote: > #608: broctl print times out if the table is too big > ----------------------+------------------------ > Reporter: aashish | Owner: > Type: Problem | Status: new > Priority: Normal | Milestone: Bro2.0 > Component: Bro | Version: git/master > Resolution: | Keywords: > ----------------------+------------------------ > > Comment (by seth): > > That's a different timeout. Right! That is another timeout which has been bothering a bit. My point is while you guys are looking at the timeout, might as well look at this one too. > taking so long to shutdown. What are you finding that Bro is spending so > much time doing in the bro_done event? In catch-and-release, bro tries to restore all the dropped addresses which are in Drop::drop_info table back on the acl before shutting down. This can take a few mins when table size is ~5-10K Aashish > is related to how long broctl will wait for python-broccoli events to > return. I think that the larger problem we need to ask is why Bro is > taking so long to shutdown. What are you finding that Bro is spending so > much time doing in the bro_done event? > > > Btw, how do I configure these timeouts once support is built for it ? 
> > From checking the commit Jon did, it looks like CommTimeout in broctl.cfg. > > -- > Ticket URL: > Bro Tracker > Bro Issue Tracker -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Dec 13 11:10:37 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 13 Dec 2011 19:10:37 -0000 Subject: [Bro-Dev] #608: broctl print times out if the table is too big In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> Message-ID: <064.c9e20bfcb5cb7e373bbd96a4ba14459a@tracker.bro-ids.org> #608: broctl print times out if the table is too big ----------------------+------------------------ Reporter: aashish | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by seth): > My point is while you guys are looking at the timeout, might as well > look at this one too. Heh, similar name, very different functionality and fixes. :) > In catch-and-release, bro tries to restore all the dropped addresses > which are in Drop::drop_info table back on the acl before shutting down. > This can take a few mins when table size is ~5-10K Thanks for the explanation. I'll have to think about that as I implement the reaction framework. That's certainly the easiest way to do it, but I'm not sure it's the right way. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Dec 13 11:16:32 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 13 Dec 2011 19:16:32 -0000 Subject: [Bro-Dev] #608: broctl print times out if the table is too big In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org> Message-ID: <064.535f5ea8bab0045d3fb3d7d5d2028e20@tracker.bro-ids.org> #608: broctl print times out if the table is too big ----------------------+------------------------ Reporter: aashish | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by jsiwek): It looks like there's a hardcoded 60 second timeout between the `broctl stop` command sending a SIGTERM and when it decides to send a SIGKILL; I can easily add another BroControl option to make that configurable for now if it helps. -- Ticket URL: Bro Tracker Bro Issue Tracker From james.swaro at gmail.com Tue Dec 13 11:45:41 2011 From: james.swaro at gmail.com (James Swaro) Date: Tue, 13 Dec 2011 14:45:41 -0500 Subject: [Bro-Dev] Retest functionality for btest framework Message-ID: Robin, What do you think about the idea for a retest option for btest? I think the idea would go that btest will write the failed tests to a file (.retest perhaps), and if btest is passed the option (-r, --retest), it would only retest those failed tests. The idea for this comes from a unit testing framework that I used to use before I switched to btest. Thoughts? -- James Swaro -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20111213/7544b1ea/attachment.html From bro at tracker.bro-ids.org Tue Dec 13 12:30:35 2011 
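The SIGTERM-then-SIGKILL stop sequence jsiwek describes in #608, with the grace period as a parameter instead of a hardcoded 60 seconds, as an added example. This is not BroControl's code and reads no broctl.cfg; the slow child is a constructed stand-in for a Bro process whose bro_done handler takes a long time (the catch-and-release ACL restore from earlier in the thread), and `spawn_slow_child`, `stop` and `stop_timeout` are names chosen for this example only.

```python
"""Graceful stop with a configurable grace period: SIGTERM first, SIGKILL if
the process has not exited in time. Added example in the spirit of
`broctl stop`; it is not BroControl code and reads no broctl.cfg."""
import signal
import subprocess
import sys
import time

# Constructed stand-in for a Bro process whose shutdown handler is slow: on
# SIGTERM it keeps working for `cleanup_seconds` (think: pushing thousands of
# dropped addresses back onto an ACL in bro_done) and only then exits with 0.
SLOW_CHILD = r"""
import signal, sys, time
cleanup_seconds = float(sys.argv[1])
def on_term(signum, frame):
    time.sleep(cleanup_seconds)
    sys.exit(0)
signal.signal(signal.SIGTERM, on_term)
print("ready", flush=True)   # tell the parent the handler is installed
while True:
    time.sleep(0.05)
"""


def spawn_slow_child(cleanup_seconds):
    """Start the stand-in and block until its SIGTERM handler is in place,
    so a TERM sent right away cannot hit the default action instead."""
    proc = subprocess.Popen(
        [sys.executable, "-c", SLOW_CHILD, str(cleanup_seconds)],
        stdout=subprocess.PIPE, text=True)
    proc.stdout.readline()
    return proc


def stop(proc, stop_timeout, poll_interval=0.05):
    """Send SIGTERM and wait up to `stop_timeout` seconds (the role of the
    hardcoded 60 s in the thread). Returns ("terminated", exit_status) if the
    process exited on its own, ("killed", exit_status) if SIGKILL was needed."""
    proc.send_signal(signal.SIGTERM)
    deadline = time.monotonic() + stop_timeout
    outcome = None
    while time.monotonic() < deadline:
        rc = proc.poll()
        if rc is not None:
            outcome = ("terminated", rc)
            break
        time.sleep(poll_interval)
    if outcome is None:
        proc.kill()                      # grace period over: SIGKILL
        outcome = ("killed", proc.wait())
    if proc.stdout:
        proc.stdout.close()
    return outcome


if __name__ == "__main__":
    # A stop timeout long enough for the cleanup lets the process finish;
    # one too short for it ends in SIGKILL and whatever state was mid-flight.
    print(stop(spawn_slow_child(0.2), stop_timeout=5.0))
    print(stop(spawn_slow_child(10.0), stop_timeout=0.5))
```

The second call is the failure mode Aashish reports: the handler is still working when the grace period runs out, the process is killed, and anything it had not yet restored stays stale. Making the timeout configurable treats the symptom; the handler's running time is the real variable.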
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 20:30:35 -0000
Subject: [Bro-Dev] #608: broctl print times out if the table is too big
In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
Message-ID: <064.afa119da171fd1af656eced0e4b3b730@tracker.bro-ids.org>

#608: broctl print times out if the table is too big
----------------------+------------------------
 Reporter:  aashish   |      Owner:
     Type:  Problem   |     Status:  new
 Priority:  Normal    |  Milestone:  Bro2.0
Component:  Bro       |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by jsiwek):

In [7d56ef47cabcd3a30c5e44c8d9362577088b6c64/broctl]:
{{{
#!CommitTicketReference repository="broctl" revision="7d56ef47cabcd3a30c5e44c8d9362577088b6c64"
Add StopTimeout option to broctl.cfg (addresses #608).

This option sets the number of seconds to wait after issuing the 'stop'
command before sending a SIGKILL to Bro instances.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 13:43:03 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 13 Dec 2011 21:43:03 -0000
Subject: [Bro-Dev] #722: &default vector initialization
Message-ID: <048.85f31e9d1a6d91b6beeb07c2c2bf019a@tracker.bro-ids.org>

#722: &default vector initialization
---------------------+------------------------
 Reporter:  jsiwek   |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:
Component:  Bro      |    Version:  git/master
 Keywords:           |
---------------------+------------------------

This code:

{{{
type MyRecord: record {
    c: count;
    v: vector of string &default=vector();
};

event bro_init()
    {
    local r: MyRecord = [$c=13];
    print r;
    print |r$v|;
    r$v[|r$v|] = "test";
    print r;
    print |r$v|;
    }
}}}

Gives unexpected resulting output:

{{{
[c=13, v=]
0
[c=13, v=]
0
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 13 13:46:47 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 13 Dec 2011 21:46:47 -0000 Subject: [Bro-Dev] #723: notice/extend-email/hostnames.bro doesn't work Message-ID: <048.5068d58598cd1a42a848797bdf79a983@tracker.bro-ids.org> #723: notice/extend-email/hostnames.bro doesn't work ---------------------+------------------------ Reporter: jsiwek | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ This script doesn't work because of #722, but even if that's fixed, it still doesn't work as intended with the asynchronous address lookup calls. Should we remove the script entirely? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Tue Dec 13 14:10:54 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 13 Dec 2011 22:10:54 -0000 Subject: [Bro-Dev] #723: notice/extend-email/hostnames.bro doesn't work In-Reply-To: <048.5068d58598cd1a42a848797bdf79a983@tracker.bro-ids.org> References: <048.5068d58598cd1a42a848797bdf79a983@tracker.bro-ids.org> Message-ID: <063.9bad08814f4cbeed0afd9655e81ebf66@tracker.bro-ids.org> #723: notice/extend-email/hostnames.bro doesn't work ----------------------+------------------------ Reporter: jsiwek | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by seth): > This script doesn't work because of #722, but even if that's fixed, it > still doesn't work as intended with the asynchronous address lookup calls. > Should we remove the script entirely? We could modify the notice framework slightly so that plugins can register to delay sending email with some upper limit on the delay. That's what I've been considering doing at least. -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Tue Dec 13 23:18:55 2011 
From: robin at icir.org (Robin Sommer) Date: Tue, 13 Dec 2011 23:18:55 -0800 Subject: [Bro-Dev] Retest functionality for btest framework In-Reply-To: References: Message-ID: <20111214071855.GF93480@icir.org> On Tue, Dec 13, 2011 at 14:45 -0500, you wrote: > I think the idea would go that btest will write the failed tests to a > file (.retest perhaps), and if btest is passed the option, (-r, > --retest), it would only retest those failed tests. Nice idea, I like that. Shouldn't be very difficult to add. Btw, I have a few more changes in the queue for btest, including parallel execution of tests and some internal cleanup of how it's producing its output. Not quite finished yet though. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From noreply at bro-ids.org Wed Dec 14 00:00:02 2011 
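A minimal implementation of the retest idea from James' message and Robin's reply, as an added example rather than btest code: the names of failing tests go to a state file (`.retest`, the name suggested in the thread) and a `retest` flag reruns only those. The `run_tests` API, its dict-of-callables input and the JSON state format are assumptions of this example.

```python
"""Retest support as an added example (not btest code): remember which tests
failed in a state file and, on request, rerun only those. Tests are a dict of
name -> zero-argument callable returning truthy on success; the `run_tests`
API and the JSON state file are assumptions of this example."""
import json
import os


def _load_failed(state_path):
    """Names recorded as failed by a previous run, or None if there is no record."""
    if not os.path.exists(state_path):
        return None
    with open(state_path) as f:
        return set(json.load(f))


def run_tests(tests, state_path=".retest", retest=False):
    """Run all tests, or with retest=True only those recorded as failed
    (falling back to all when no record exists). Returns (passed, failed)
    as lists of names in run order and rewrites state_path with `failed`,
    so repeated retest runs shrink to the tests that are still broken."""
    selected = list(tests)
    if retest:
        wanted = _load_failed(state_path)
        if wanted is not None:
            selected = [n for n in selected if n in wanted]
    passed, failed = [], []
    for name in selected:
        try:
            ok = bool(tests[name]())
        except Exception:        # a crashing test is a failure, not an abort
            ok = False
        (passed if ok else failed).append(name)
    with open(state_path, "w") as f:
        json.dump(failed, f)
    return passed, failed


if __name__ == "__main__":
    import tempfile
    state = os.path.join(tempfile.mkdtemp(), ".retest")
    suite = {"ok": lambda: True, "bad": lambda: False, "crash": lambda: 1 // 0}
    print(run_tests(suite, state))               # full run: ok passes, two fail
    suite["bad"] = lambda: True                  # "fix" one test
    print(run_tests(suite, state, retest=True))  # reruns only bad and crash
```

Writing the state file on every run, not just full runs, is what keeps `--retest` meaningful across several fix-and-rerun cycles; a test that disappears from the suite simply drops out of the selection.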
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 14 Dec 2011 00:00:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112140800.pBE802cf016161@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner  | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 692 [1] | seth     | robin  | Normal | ssl_extension event doesn't indicate originator
Bro       | 702 [2] | seth     | robin  | Normal | topic/seth/dns-updates - Fixed some DNS issues [3]
Bro       | 711 [4] | robin    | seth   | Normal | topic/robin/pp-alarms [5]
Bro       | 712 [6] | amannb   | jsiwek | Normal | LogMgr should escape the set separator
Bro       | 717 [7] | amannb   |        | Normal | Make LogWriter output the type of data stored inside a set or vector
Bro       | 718 [8] | amannb   |        | Normal | Log protocol type for notices

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 86cba4c  | Jon Siwek | 2011-12-13 | Fix missing action in notice policy for looking up GeoIP data. [9]
bro       | ae57cbe  | Jon Siwek | 2011-12-13 | Better persistent state config warning messages (fixes #433). [10]
bro       | 61aa592  | Seth Hall | 2011-12-12 | A few updates for SQL injection detection. [11]
bro       | 76a0b9a  | Seth Hall | 2011-12-10 | Fixed some DPD signatures for IRC. Fixes ticket #311. [12]
bro       | 6478b4a  | Seth Hall | 2011-12-10 | Removing Off_Port_Protocol_Found notice. [13]
bro       | 00fb187  | Seth Hall | 2011-12-10 | SSH::Interesting_Hostname_Login cleanup. Fixes #664. [14]
bro       | 2cf7bb5  | Jon Siwek | 2011-12-09 | Teach Broxygen to more generally reference attribute values by name. [15]
bro       | 3391270  | Seth Hall | 2011-12-08 | Fixed a really dumb bug that was causing the malware hash registry script to break. [16]
bro       | 80b2451  | Jon Siwek | 2011-12-07 | Fix Broxygen confusing scoped id at start of line as function parameter. [17]
bro       | ab31594  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [18]
broctl    | 7d56ef4  | Jon Siwek | 2011-12-13 | Add StopTimeout option to broctl.cfg (addresses #608). [19]
broctl    | b41e9b5  | Jon Siwek | 2011-12-13 | Make Broccoli communication event timeout interval configurable (addresses #608) [20]
cmake     | 0c0a469  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [21]

[1] #692: http://tracker.bro-ids.org/bro/ticket/692
[2] #702: http://tracker.bro-ids.org/bro/ticket/702
[3] dns-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/dns-updates
[4] #711: http://tracker.bro-ids.org/bro/ticket/711
[5] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[6] #712: http://tracker.bro-ids.org/bro/ticket/712
[7] #717: http://tracker.bro-ids.org/bro/ticket/717
[8] #718: http://tracker.bro-ids.org/bro/ticket/718
[9] fastpath: http://tracker.bro-ids.org/bro/changeset/86cba4c33f2641eefa5417c4455bec5082e35ba4/bro
[10] fastpath: http://tracker.bro-ids.org/bro/changeset/ae57cbe5fc975463a028df3547fb403e37d4b2a8/bro
[11] fastpath: http://tracker.bro-ids.org/bro/changeset/61aa592db5a847d0e9a2538d31850aae6910c04d/bro
[12] fastpath: http://tracker.bro-ids.org/bro/changeset/76a0b9ad3c06c45ca8f0eeafaf32562f65e8ad4f/bro
[13] fastpath: http://tracker.bro-ids.org/bro/changeset/6478b4acafaaef51f5bcbc2d86996a59dedc39e1/bro
[14] fastpath: http://tracker.bro-ids.org/bro/changeset/00fb187927b6369f941d30e98a396c85f9e8218d/bro
[15] fastpath: http://tracker.bro-ids.org/bro/changeset/2cf7bb578886ec64d11df509cc52adc725965b08/bro
[16] fastpath: http://tracker.bro-ids.org/bro/changeset/3391270527f0eb75dba943d9dd75531032c462e7/bro
[17] fastpath: http://tracker.bro-ids.org/bro/changeset/80b24513e770c7f935be2da5297b2ea53bfadae3/bro
[18] fastpath: http://tracker.bro-ids.org/bro/changeset/ab315949d6e08b622f786e3941cd66173b0ef222/bro
[19] fastpath: http://tracker.bro-ids.org/bro/changeset/7d56ef47cabcd3a30c5e44c8d9362577088b6c64/broctl
[20] fastpath: http://tracker.bro-ids.org/bro/changeset/b41e9b539b6f3780af710e1725c239fe5643bd27/broctl
[21] fastpath: http://tracker.bro-ids.org/bro/changeset/0c0a4697687df7f17c09391a1d0d95b25297a662/cmake

From bro at tracker.bro-ids.org Wed Dec 14 12:58:47 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 14 Dec 2011 20:58:47 -0000
Subject: [Bro-Dev] #724: Changing semantics of ConnSizeAnalyzer
Message-ID: <046.17850f462f1693e7eabd016bb6cf8b36@tracker.bro-ids.org>

#724: Changing semantics of ConnSizeAnalyzer
---------------------+--------------------
 Reporter:  seth     |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  High     |  Milestone:  Bro2.0
Component:  Bro      |    Version:
 Keywords:           |
---------------------+--------------------

I think we should change what the conn size analyzer is measuring. It currently measures the size of the connection from the IP header down (or up, depending on how you look at it). From my perspective that data is rarely (if ever?) useful. What is more useful is a counted value for the connection size. c$(orig|resp)$size takes its measurement from sequence counting and can get confused in some cases (Chinese firewall sending RST packets for instance). This is the patch I'm proposing: {{{ diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro index 859a69f..21a9b60 100644 --- a/scripts/base/init-bare.bro +++ b/scripts/base/init-bare.bro 
@@ -66,10 +66,10 @@ type endpoint: record { ## Number of packets on the wire ## Set if :bro:id:`use_conn_size_analyzer` is true. - num_pkts: count &optional; - ## Number of IP-level bytes on the wire + counted_pkts: count &optional; + ## Number of content bytes on the wire ## Set if :bro:id:`use_conn_size_analyzer` is true. - num_bytes_ip: count &optional; + counted_bytes: count &optional; }; type endpoint_stats: record { diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc index a1b892f..5d0efcd 100644 --- a/src/ConnSizeAnalyzer.cc +++ b/src/ConnSizeAnalyzer.cc @@ -39,12 +39,12 @@ void ConnSize_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, if ( is_orig ) { - orig_bytes += ip->TotalLen(); + orig_bytes += len; orig_pkts ++; } else { - resp_bytes += ip->TotalLen(); + resp_bytes += len; resp_pkts ++; } } }}} If no one has a problem with this, I'd like to make the change for the 2.0 release because I'm having trouble currently with counting bytes for the SSH analyzer and we're getting more false positives than we should be seeing. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Dec 14 13:04:55 2011 
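Review bot: in the init-bare.bro hunk, renaming `num_pkts`/`num_bytes_ip` to `counted_pkts`/`counted_bytes` breaks every script that reads the old field names, and the replacement comment `## Number of content bytes on the wire` does not say which layer is being counted. Since the ticket's motivation is that the sequence-based `size` can be fooled by bogus RST packets, a reader needs to know exactly what the new counter sums: state that it is the payload length handed to the analyzer with IP and transport headers excluded, and consider adding `counted_bytes` alongside `num_bytes_ip` instead of replacing it, so the IP-level number stays available and the change is not a breaking rename for 2.0.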
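Review bot: in the ConnSizeAnalyzer.cc hunk, replacing `ip->TotalLen()` with `len` leaves the `ip` argument of `DeliverPacket` unused on this path and changes what `orig_bytes`/`resp_bytes` mean without touching the packet counters next to them, so a connection made of header-only packets (SYN/ACK/RST exchanges, keep-alives) now reports a non-zero packet count with a byte count of zero. Confirm at this call site whether `len` is the transport payload or the IP payload before the SSH byte heuristics the ticket mentions depend on it, and record the answer in the field's doc comment.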
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 14 Dec 2011 21:04:55 -0000 Subject: [Bro-Dev] #725: Incorrect weird (unmatched_HTTP_reply) in the HTTP analyzer. Message-ID: <046.f0b2b0cf581674f47a5bca69fa93e12b@tracker.bro-ids.org> #725: Incorrect weird (unmatched_HTTP_reply) in the HTTP analyzer. ---------------------+-------------------- Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: Keywords: | ---------------------+-------------------- The HTTP analyzer is raising the unmatched_HTTP_reply weird if it sees a response that there was no packet for. There are cases where this is legit and the case is handled correctly by the new http scripts, so the weird should probably be removed since it's really just noise. I'll attach a tracefile that shows a legit response-only connection. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Dec 14 13:35:57 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 14 Dec 2011 21:35:57 -0000 Subject: [Bro-Dev] #724: Changing semantics of ConnSizeAnalyzer In-Reply-To: <046.17850f462f1693e7eabd016bb6cf8b36@tracker.bro-ids.org> References: <046.17850f462f1693e7eabd016bb6cf8b36@tracker.bro-ids.org> Message-ID: <061.efcd473fae8ff719bec8bdbb4f5fedcb@tracker.bro-ids.org> #724: Changing semantics of ConnSizeAnalyzer ----------------------+-------------------- Reporter: seth | Owner: Type: Problem | Status: new Priority: High | Milestone: Bro2.0 Component: Bro | Version: Resolution: | Keywords: ----------------------+-------------------- Comment (by gregor): Sounds good. However, as a measurement guy I like the IP level bytes. How about counting both payload and IP level bytes? (It's fine if we only report the payload bytes by default, but I'd really like to keep support for IP level counting in the core.) -Gregor -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Dec 14 14:14:01 2011 
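To make the three measurements discussed in #724 concrete, here is an added example in plain Python, not Bro's ConnSizeAnalyzer: it sizes one direction of a constructed TCP stream by sequence numbers (the accounting Seth says gets confused by injected RST packets), by counting the payload bytes handed to the analyzer (the proposed `len`), and by summing IP total lengths (the current `ip->TotalLen()`, the IP-level figure Gregor wants kept). The packet records, the fixed header sizes and the `injection_suspect` heuristic are assumptions of this example, and the packets are constructed, not captured.

```python
"""Three ways of sizing one direction of a TCP connection. Added example in
plain Python, not Bro's ConnSizeAnalyzer, illustrating #724: accounting based
on sequence numbers can be skewed by a packet carrying a bogus sequence number
(an injected RST, for instance), while counting the bytes actually seen cannot.
Packets are constructed tuples; header sizes are assumed, not parsed."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "seq payload ip_len flags")

IP_HDR = 20   # assumed: IPv4 header without options
TCP_HDR = 20  # assumed: TCP header without options


def pkt(seq, payload, flags=""):
    """Build a one-direction packet record with its IP total length."""
    return Pkt(seq, payload, IP_HDR + TCP_HDR + payload, flags)


def size_by_sequence(pkts):
    """Sequence-number accounting: highest (seq + payload) seen minus the
    initial sequence number. A packet with an out-of-range seq inflates it."""
    syn = [p for p in pkts if "S" in p.flags]
    isn = syn[0].seq + 1 if syn else pkts[0].seq
    highest = isn
    for p in pkts:
        if "S" in p.flags:
            continue
        highest = max(highest, p.seq + p.payload)
    return highest - isn


def size_by_counting(pkts):
    """What the proposed patch does: sum the payload length delivered to the
    analyzer per packet, headers excluded. Bogus sequence numbers are ignored."""
    return sum(p.payload for p in pkts)


def size_by_ip_total(pkts):
    """What the analyzer did before the patch: sum the IP total length per
    packet, so headers of payload-free packets are included."""
    return sum(p.ip_len for p in pkts)


def injection_suspect(pkts, slack=65535):
    """Heuristic: a sequence-based size far beyond the bytes actually seen
    points at a packet with a bogus sequence number in the stream."""
    return size_by_sequence(pkts) > size_by_counting(pkts) + slack


# Constructed originator-side stream: SYN, 1000 bytes of data, 200 more bytes.
CLEAN = [pkt(1000, 0, "S"), pkt(1001, 500), pkt(1501, 500), pkt(2001, 200)]
# Same stream with a forged RST carrying a wildly wrong sequence number.
INJECTED = CLEAN[:3] + [pkt(5_000_000, 0, "R")] + CLEAN[3:]


def report(pkts):
    return {
        "by_sequence": size_by_sequence(pkts),
        "by_counting": size_by_counting(pkts),
        "by_ip_total": size_by_ip_total(pkts),
        "injection_suspect": injection_suspect(pkts),
    }


if __name__ == "__main__":
    print("clean   :", report(CLEAN))
    print("injected:", report(INJECTED))
```

On the clean stream all three agree up to header overhead; with the forged RST the sequence-based figure jumps by millions while the counted and IP-level sums move only by the RST's own 40 header bytes. Keeping both counted values, as Gregor asks, also leaves a cheap way to spot such injections: the gap between the sequence-based and counted sizes.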
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 14 Dec 2011 22:14:01 -0000 Subject: [Bro-Dev] #708: Framework Documentation Package 3 In-Reply-To: <046.00995ae87d9659b0e30d35895689a37c@tracker.bro-ids.org> References: <046.00995ae87d9659b0e30d35895689a37c@tracker.bro-ids.org> Message-ID: <061.7653831064b882d2b2c246739fb0ecd5@tracker.bro-ids.org> #708: Framework Documentation Package 3 -----------------------------+-------------------- Reporter: seth | Owner: jsiwek Type: Task | Status: closed Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Resolution: Solved/Applied | Keywords: -----------------------------+-------------------- Changes (by jsiwek): * status: assigned => closed * resolution: => Solved/Applied Comment: This is finished in `topic/script-reference` and will be merged with that branch. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Dec 14 14:56:36 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 14 Dec 2011 22:56:36 -0000 Subject: [Bro-Dev] #647: SDCH support In-Reply-To: <046.95060f0c54e55e518c6e6817c50c1af5@tracker.bro-ids.org> References: <046.95060f0c54e55e518c6e6817c50c1af5@tracker.bro-ids.org> Message-ID: <061.539091c88b08e9aa62e993d97c583e3d@tracker.bro-ids.org> #647: SDCH support ----------------------+---------------------- Reporter: seth | Owner: jsiwek Type: Problem | Status: assigned Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: Resolution: | Keywords: ----------------------+---------------------- Changes (by jsiwek): * milestone: Bro2.0 => Bro2.1 Comment: This is being pushed back because even supporting part 1 of the ticket requires a fair bit of change: generally, Bro needs to be able to decode multiple content encodings. And that situation is not commonly seen except on Google servers using SDCH/gzip encoding. -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Thu Dec 15 00:00:02 2011 
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 15 Dec 2011 00:00:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112150800.pBF802Rm004074@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner  | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 692 [1] | seth     | robin  | Normal | ssl_extension event doesn't indicate originator
Bro       | 702 [2] | seth     | robin  | Normal | topic/seth/dns-updates - Fixed some DNS issues [3]
Bro       | 711 [4] | robin    | seth   | Normal | topic/robin/pp-alarms [5]
Bro       | 712 [6] | amannb   | jsiwek | Normal | LogMgr should escape the set separator
Bro       | 717 [7] | amannb   |        | Normal | Make LogWriter output the type of data stored inside a set or vector
Bro       | 718 [8] | amannb   |        | Normal | Log protocol type for notices

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 86cba4c  | Jon Siwek | 2011-12-13 | Fix missing action in notice policy for looking up GeoIP data. [9]
bro       | ae57cbe  | Jon Siwek | 2011-12-13 | Better persistent state config warning messages (fixes #433). [10]
bro       | 61aa592  | Seth Hall | 2011-12-12 | A few updates for SQL injection detection. [11]
bro       | 76a0b9a  | Seth Hall | 2011-12-10 | Fixed some DPD signatures for IRC. Fixes ticket #311. [12]
bro       | 6478b4a  | Seth Hall | 2011-12-10 | Removing Off_Port_Protocol_Found notice. [13]
bro       | 00fb187  | Seth Hall | 2011-12-10 | SSH::Interesting_Hostname_Login cleanup. Fixes #664. [14]
bro       | 2cf7bb5  | Jon Siwek | 2011-12-09 | Teach Broxygen to more generally reference attribute values by name. [15]
bro       | 3391270  | Seth Hall | 2011-12-08 | Fixed a really dumb bug that was causing the malware hash registry script to break. [16]
bro       | 80b2451  | Jon Siwek | 2011-12-07 | Fix Broxygen confusing scoped id at start of line as function parameter. [17]
bro       | ab31594  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [18]
broctl    | 7d56ef4  | Jon Siwek | 2011-12-13 | Add StopTimeout option to broctl.cfg (addresses #608). [19]
broctl    | b41e9b5  | Jon Siwek | 2011-12-13 | Make Broccoli communication event timeout interval configurable (addresses #608) [20]
cmake     | 0c0a469  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [21]

[1] #692: http://tracker.bro-ids.org/bro/ticket/692
[2] #702: http://tracker.bro-ids.org/bro/ticket/702
[3] dns-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/dns-updates
[4] #711: http://tracker.bro-ids.org/bro/ticket/711
[5] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[6] #712: http://tracker.bro-ids.org/bro/ticket/712
[7] #717: http://tracker.bro-ids.org/bro/ticket/717
[8] #718: http://tracker.bro-ids.org/bro/ticket/718
[9] fastpath: http://tracker.bro-ids.org/bro/changeset/86cba4c33f2641eefa5417c4455bec5082e35ba4/bro
[10] fastpath: http://tracker.bro-ids.org/bro/changeset/ae57cbe5fc975463a028df3547fb403e37d4b2a8/bro
[11] fastpath: http://tracker.bro-ids.org/bro/changeset/61aa592db5a847d0e9a2538d31850aae6910c04d/bro
[12] fastpath: http://tracker.bro-ids.org/bro/changeset/76a0b9ad3c06c45ca8f0eeafaf32562f65e8ad4f/bro
[13] fastpath: http://tracker.bro-ids.org/bro/changeset/6478b4acafaaef51f5bcbc2d86996a59dedc39e1/bro
[14] fastpath: http://tracker.bro-ids.org/bro/changeset/00fb187927b6369f941d30e98a396c85f9e8218d/bro
[15] fastpath: http://tracker.bro-ids.org/bro/changeset/2cf7bb578886ec64d11df509cc52adc725965b08/bro
[16] fastpath: http://tracker.bro-ids.org/bro/changeset/3391270527f0eb75dba943d9dd75531032c462e7/bro
[17] fastpath: http://tracker.bro-ids.org/bro/changeset/80b24513e770c7f935be2da5297b2ea53bfadae3/bro
[18] fastpath: http://tracker.bro-ids.org/bro/changeset/ab315949d6e08b622f786e3941cd66173b0ef222/bro
[19] fastpath: http://tracker.bro-ids.org/bro/changeset/7d56ef47cabcd3a30c5e44c8d9362577088b6c64/broctl
[20] fastpath: http://tracker.bro-ids.org/bro/changeset/b41e9b539b6f3780af710e1725c239fe5643bd27/broctl
[21] fastpath: http://tracker.bro-ids.org/bro/changeset/0c0a4697687df7f17c09391a1d0d95b25297a662/cmake

From bro at tracker.bro-ids.org Thu Dec 15 08:44:08 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 15 Dec 2011 16:44:08 -0000
Subject: [Bro-Dev] #726: Script autodocs missing search field.
Message-ID: <046.7f2e89571345c1574bd9d2b500e51858@tracker.bro-ids.org>

#726: Script autodocs missing search field.
---------------------+--------------------
 Reporter:  seth     |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro2.0
Component:  Bro      |    Version:
 Keywords:           |
---------------------+--------------------

In the git version of the autogenerated documentation, the search box isn't there anymore. It should be there and be fairly prominent since it's so useful.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Dec 15 10:18:23 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 15 Dec 2011 18:18:23 -0000 Subject: [Bro-Dev] #722: &default vector initialization In-Reply-To: <048.85f31e9d1a6d91b6beeb07c2c2bf019a@tracker.bro-ids.org> References: <048.85f31e9d1a6d91b6beeb07c2c2bf019a@tracker.bro-ids.org> Message-ID: <063.dade96218e6ae729fc46dd29424a7db0@tracker.bro-ids.org> #722: &default vector initialization ----------------------+------------------------ Reporter: jsiwek | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by jsiwek): In [f302f2f3f26eb5b2bebb83d27a849f262c82e513/bro]: {{{ #!CommitTicketReference repository="bro" revision="f302f2f3f26eb5b2bebb83d27a849f262c82e513" Fix &default fields in records not being initialized in coerced assignments. Addresses #722 }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 15 10:23:35 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 15 Dec 2011 18:23:35 -0000 Subject: [Bro-Dev] #722: &default vector initialization In-Reply-To: <048.85f31e9d1a6d91b6beeb07c2c2bf019a@tracker.bro-ids.org> References: <048.85f31e9d1a6d91b6beeb07c2c2bf019a@tracker.bro-ids.org> Message-ID: <063.abc7cd4515434f77730a4c0849685491@tracker.bro-ids.org> #722: &default vector initialization ----------------------------+------------------------ Reporter: jsiwek | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Changes (by jsiwek): * type: Problem => Merge Request * milestone: => Bro2.0 Comment: This is fixed in `topic/jsiwek/record-coerce-default` branches in `bro` and `bro-testing` repos. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 15 11:01:52 2011 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 15 Dec 2011 19:01:52 -0000 Subject: [Bro-Dev] #726: Script autodocs missing search field. In-Reply-To: <046.7f2e89571345c1574bd9d2b500e51858@tracker.bro-ids.org> References: <046.7f2e89571345c1574bd9d2b500e51858@tracker.bro-ids.org> Message-ID: <061.5919c65a1679428630eb19b1bab8779e@tracker.bro-ids.org> #726: Script autodocs missing search field. ----------------------+-------------------- Reporter: seth | Owner: jsiwek Type: Problem | Status: closed Priority: Normal | Milestone: Bro2.0 Component: Bro | Version: Resolution: fixed | Keywords: ----------------------+-------------------- Changes (by jsiwek): * owner: => jsiwek * status: new => closed * resolution: => fixed Comment: In [d04558dc45468e77846d1639795722ddf9f4ecb3/bro]: {{{ #!CommitTicketReference repository="bro" revision="d04558dc45468e77846d1639795722ddf9f4ecb3" Add search box to Broxygen docs (fixes #726). }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Dec 15 13:46:24 2011 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 15 Dec 2011 21:46:24 -0000 Subject: [Bro-Dev] #8: Handling optional fields In-Reply-To: <050.b9efee7438d8911858d4ed02e677db85@tracker.bro-ids.org> References: <050.b9efee7438d8911858d4ed02e677db85@tracker.bro-ids.org> Message-ID: <065.8eb8544748bb99e95f180a71b198af95@tracker.bro-ids.org> #8: Handling optional fields -----------------------+---------------------- Reporter: matthias | Owner: kreibich Type: Task | Status: accepted Priority: Normal | Milestone: Component: Broccoli | Version: 1.5.2 Resolution: | Keywords: -----------------------+---------------------- Comment (by matthias): No, it's a separate issue. Christian and I are currently brainstorming how to solve it best. -- Ticket URL: Bro Tracker Bro Issue Tracker From hlin33 at illinois.edu Thu Dec 15 14:54:25 2011 
From: hlin33 at illinois.edu (Hui Lin (Hugo) ) Date: Thu, 15 Dec 2011 16:54:25 -0600 Subject: [Bro-Dev] Hui Lin_Where is Binpac warning for Bro 2.0 In-Reply-To: <285d8913d7dc403eb8e5a122105cc0e9@CITESHT4.ad.uillinois.edu> References: <7f3f2547fb06463582cab8f80500a03c@CITESHT3.ad.uillinois.edu> <285d8913d7dc403eb8e5a122105cc0e9@CITESHT4.ad.uillinois.edu> Message-ID: On the current work, I am doing some basic checking, such as value range. I sometimes add things like check(0) to some obsolete cases. There is something that is coming to my mind which is not related to my work. Is it possible to have some simple state management in binpac too? Like making it possible for us to define global variables as parsing goes on. On Mon, Dec 12, 2011 at 3:53 AM, Robin Sommer wrote: > > On Fri, Dec 09, 2011 at 19:15 -0600, you wrote: > > > Will binpac++ do something like this? > > Yes, it will eventually. Can you give a few more details on the kind > of checks you want to do? > > Robin > > -- > Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org > ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org > -- Hui Lin Research Assistant DEPEND Research Group, ECE Department University of Illinois at Urbana-Champaign hlin33 at illinois.edu -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20111215/a11ce154/attachment.html From seth at icir.org Thu Dec 15 17:11:41 2011 
From: seth at icir.org (Seth Hall)
Date: Thu, 15 Dec 2011 20:11:41 -0500
Subject: [Bro-Dev] Hui Lin_Where is Binpac warning for Bro 2.0
In-Reply-To:
References: <7f3f2547fb06463582cab8f80500a03c@CITESHT3.ad.uillinois.edu>
	<285d8913d7dc403eb8e5a122105cc0e9@CITESHT4.ad.uillinois.edu>
Message-ID:

On Dec 15, 2011, at 5:54 PM, Hui Lin (Hugo) wrote:

> There is something that is coming to my mind which is not related to my
> work. Is that possible to have some simple state management in binpac
> too? Like make it possible for us to define global variable as parsing
> goes on.

Yes, you can do it, but it's a bit of a mess since you have to use the
C/C++ integration techniques (there are examples of this in many of the
existing binpac analyzers, like in ssl-protocol.pac). Binpac++ supports
this much better since it's a Turing-complete programming language in
itself.

The rule of thumb I've tried to stick to is to only store things in the
analyzer that are needed to continue parsing the protocol and to pass
everything else to script land through events.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From noreply at bro-ids.org Fri Dec 16 00:00:02 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 16 Dec 2011 00:00:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112160800.pBG802lF001067@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner  | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 692 [1] | seth     | robin  | Normal | ssl_extension event doesn't indicate originator
Bro       | 702 [2] | seth     | robin  | Normal | topic/seth/dns-updates - Fixed some DNS issues [3]
Bro       | 711 [4] | robin    | seth   | Normal | topic/robin/pp-alarms [5]
Bro       | 712 [6] | amannb   | jsiwek | Normal | LogMgr should escape the set separator
Bro       | 717 [7] | amannb   |        | Normal | Make LogWriter output the type of data stored inside a set or vector
Bro       | 718 [8] | amannb   |        | Normal | Log protocol type for notices
Bro       | 722 [9] | jsiwek   |        | Normal | &default vector initialization

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 0b8b14a  | Seth Hall | 2011-12-15 | Fixed major bug with cluster synchronization (it was broken!) [10]
bro       | 86cba4c  | Jon Siwek | 2011-12-13 | Fix missing action in notice policy for looking up GeoIP data. [11]
bro       | ae57cbe  | Jon Siwek | 2011-12-13 | Better persistent state config warning messages (fixes #433). [12]
bro       | 61aa592  | Seth Hall | 2011-12-12 | A few updates for SQL injection detection. [13]
bro       | 76a0b9a  | Seth Hall | 2011-12-10 | Fixed some DPD signatures for IRC. Fixes ticket #311. [14]
bro       | 6478b4a  | Seth Hall | 2011-12-10 | Removing Off_Port_Protocol_Found notice. [15]
bro       | 00fb187  | Seth Hall | 2011-12-10 | SSH::Interesting_Hostname_Login cleanup. Fixes #664. [16]
bro       | 2cf7bb5  | Jon Siwek | 2011-12-09 | Teach Broxygen to more generally reference attribute values by name. [17]
bro       | 3391270  | Seth Hall | 2011-12-08 | Fixed a really dumb bug that was causing the malware hash registry script to break. [18]
bro       | 80b2451  | Jon Siwek | 2011-12-07 | Fix Broxygen confusing scoped id at start of line as function parameter. [19]
bro       | ab31594  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [20]
broctl    | 7d56ef4  | Jon Siwek | 2011-12-13 | Add StopTimeout option to broctl.cfg (addresses #608). [21]
broctl    | b41e9b5  | Jon Siwek | 2011-12-13 | Make Broccoli communication event timeout interval configurable (addresses #608) [22]
cmake     | 0c0a469  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [23]

[1]  #692:        http://tracker.bro-ids.org/bro/ticket/692
[2]  #702:        http://tracker.bro-ids.org/bro/ticket/702
[3]  dns-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/dns-updates
[4]  #711:        http://tracker.bro-ids.org/bro/ticket/711
[5]  pp-alarms:   http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[6]  #712:        http://tracker.bro-ids.org/bro/ticket/712
[7]  #717:        http://tracker.bro-ids.org/bro/ticket/717
[8]  #718:        http://tracker.bro-ids.org/bro/ticket/718
[9]  #722:        http://tracker.bro-ids.org/bro/ticket/722
[10] fastpath:    http://tracker.bro-ids.org/bro/changeset/0b8b14a0ed7c5fbf3ba408ab5f6cd89e4c68f2d7/bro
[11] fastpath:    http://tracker.bro-ids.org/bro/changeset/86cba4c33f2641eefa5417c4455bec5082e35ba4/bro
[12] fastpath:    http://tracker.bro-ids.org/bro/changeset/ae57cbe5fc975463a028df3547fb403e37d4b2a8/bro
[13] fastpath:    http://tracker.bro-ids.org/bro/changeset/61aa592db5a847d0e9a2538d31850aae6910c04d/bro
[14] fastpath:    http://tracker.bro-ids.org/bro/changeset/76a0b9ad3c06c45ca8f0eeafaf32562f65e8ad4f/bro
[15] fastpath:    http://tracker.bro-ids.org/bro/changeset/6478b4acafaaef51f5bcbc2d86996a59dedc39e1/bro
[16] fastpath:    http://tracker.bro-ids.org/bro/changeset/00fb187927b6369f941d30e98a396c85f9e8218d/bro
[17] fastpath:    http://tracker.bro-ids.org/bro/changeset/2cf7bb578886ec64d11df509cc52adc725965b08/bro
[18] fastpath:    http://tracker.bro-ids.org/bro/changeset/3391270527f0eb75dba943d9dd75531032c462e7/bro
[19] fastpath:    http://tracker.bro-ids.org/bro/changeset/80b24513e770c7f935be2da5297b2ea53bfadae3/bro
[20] fastpath:    http://tracker.bro-ids.org/bro/changeset/ab315949d6e08b622f786e3941cd66173b0ef222/bro
[21] fastpath:    http://tracker.bro-ids.org/bro/changeset/7d56ef47cabcd3a30c5e44c8d9362577088b6c64/broctl
[22] fastpath:    http://tracker.bro-ids.org/bro/changeset/b41e9b539b6f3780af710e1725c239fe5643bd27/broctl
[23] fastpath:    http://tracker.bro-ids.org/bro/changeset/0c0a4697687df7f17c09391a1d0d95b25297a662/cmake

From robin at icir.org Fri Dec 16 02:26:57 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 16 Dec 2011 02:26:57 -0800
Subject: [Bro-Dev] Broxygen questions
Message-ID: <20111216102657.GA40528@icir.org>

I just committed documentation for init-bare, but for some of the entries
Broxygen includes the wrong text; see, e.g.,
scripts/base/init-bare.html#id-ignore_checksums. The first sentence is
actually from UDP_ACTIVE (which comes right before ignore_checksums in
the script). Am I doing something wrong with my markup?

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From jsiwek at illinois.edu Fri Dec 16 08:42:21 2011
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Fri, 16 Dec 2011 16:42:21 +0000
Subject: [Bro-Dev] Broxygen questions
In-Reply-To: <20111216102657.GA40528@icir.org>
References: <20111216102657.GA40528@icir.org>
Message-ID: <599D155D-B8AF-46D8-A5EC-8153DFC3D02A@illinois.edu>

> scripts/base/init-bare.html#id-ignore_checksums. The first sentence is
> actually from UDP_ACTIVE (which comes right before ignore_checksums in
> the script). Am I doing something wrong with my markup?

I didn't implement the "##<" markup for anything but record fields and
enum values. I think I can fix that easily, let me see.

+ Jon

From bro at tracker.bro-ids.org Fri Dec 16 09:25:45 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 16 Dec 2011 17:25:45 -0000
Subject: [Bro-Dev] #727: topic/seth/notice-email-delay - Notice email delay to add async data to emails
Message-ID: <046.a30cb321ed0aaa7185476ba17a3c2ac3@tracker.bro-ids.org>

#727: topic/seth/notice-email-delay - Notice email delay to add async data to emails
---------------------------+--------------------
  Reporter:  seth          |      Owner:
      Type:  Merge Request |     Status:  new
  Priority:  Normal        |  Milestone:  Bro2.0
 Component:  Bro           |    Version:
  Keywords:                |
---------------------------+--------------------

In order to add some data to notice emails, we need to delay the email
before it is sent. This implementation, along with a script that adds
hostnames to notice emails, is in branch topic/seth/notice-email-delay.

This is already being used on a live network and seems to work fine.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Dec 16 09:42:20 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 16 Dec 2011 17:42:20 -0000
Subject: [Bro-Dev] #727: topic/seth/notice-email-delay - Notice email delay to add async data to emails
In-Reply-To: <046.a30cb321ed0aaa7185476ba17a3c2ac3@tracker.bro-ids.org>
References: <046.a30cb321ed0aaa7185476ba17a3c2ac3@tracker.bro-ids.org>
Message-ID: <061.121fc2eb0ec9a5621cee34c6d8e0a87e@tracker.bro-ids.org>

#727: topic/seth/notice-email-delay - Notice email delay to add async data to emails
----------------------------+----------------------
  Reporter:  seth           |      Owner:  robin
      Type:  Merge Request  |     Status:  assigned
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:
Resolution:                 |   Keywords:
----------------------------+----------------------
Changes (by seth):

 * owner:   => robin
 * status:  new => assigned

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Dec 16 18:48:41 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 17 Dec 2011 02:48:41 -0000
Subject: [Bro-Dev] #8: Handling optional fields
In-Reply-To: <050.b9efee7438d8911858d4ed02e677db85@tracker.bro-ids.org>
References: <050.b9efee7438d8911858d4ed02e677db85@tracker.bro-ids.org>
Message-ID: <065.bc78df82fda5a49da232e248422e152c@tracker.bro-ids.org>

#8: Handling optional fields
-----------------------+----------------------
  Reporter:  matthias  |      Owner:  kreibich
      Type:  Task      |     Status:  accepted
  Priority:  Normal    |  Milestone:
 Component:  Broccoli  |    Version:  1.5.2
Resolution:            |   Keywords:
-----------------------+----------------------

Comment (by matthias):

This may fix the issue, but I haven't tested it (yet).

{{{
diff --git a/src/bro_val.c b/src/bro_val.c index 6efdadf..f163d0b 100644 --- a/src/bro_val.c +++ b/src/bro_val.c
@@ -403,6 +403,9 @@ __bro_val_get_data(BroVal *val, int *type, void **data) if (! val || ! data) return FALSE; + if (val->val_type == NULL) + return FALSE; + if (! val->get_data) return FALSE;
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From hlin33 at illinois.edu Fri Dec 16 19:34:10 2011
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Fri, 16 Dec 2011 21:34:10 -0600
Subject: [Bro-Dev] Hui Lin_alarm.bro error running manual test
Message-ID:

Hi,

I pulled the current master and ran my slide of manual tests and got the
following error:

error in /usr/local/bro/share/bro/alarm.bro, line 3: "redef" used but not previously defined (bro_alarm_file)

Any suggestions on how to modify the Bro script?

Best,
Hui

--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu

From noreply at bro-ids.org Sat Dec 17 00:00:03 2011
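Review bot: in the bro_val.c hunk of ticket #8, the new `if (val->val_type == NULL) return FALSE;` reports the missing-type case with the same FALSE that the preceding `if (! val || ! data)` argument check returns, so a caller of `__bro_val_get_data` cannot distinguish an absent optional field from an invalid call; since the ticket is about handling optional fields, consider signalling the absent case distinctly (for example by setting `*type` to a sentinel before returning, or documenting that FALSE covers both). The placement is otherwise sound: `val` has already been checked for NULL, so reading `val->val_type` before `val->get_data` adds no new dereference risk. Note, however, that `type` is still not validated the way `data` is, so if the function later writes through it, a NULL `type` would still crash.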
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 17 Dec 2011 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112170800.pBH8035f004315@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id       | Reporter | Owner  | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 692 [1]  | seth     | robin  | Normal | ssl_extension event doesn't indicate originator
Bro       | 702 [2]  | seth     | robin  | Normal | topic/seth/dns-updates - Fixed some DNS issues [3]
Bro       | 711 [4]  | robin    | seth   | Normal | topic/robin/pp-alarms [5]
Bro       | 712 [6]  | amannb   | jsiwek | Normal | LogMgr should escape the set separator
Bro       | 717 [7]  | amannb   |        | Normal | Make LogWriter output the type of data stored inside a set or vector
Bro       | 718 [8]  | amannb   |        | Normal | Log protocol type for notices
Bro       | 722 [9]  | jsiwek   |        | Normal | &default vector initialization
Bro       | 727 [10] | seth     | robin  | Normal | topic/seth/notice-email-delay - Notice email delay to add async data to emails [11]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 23177aa  | Jon Siwek | 2011-12-16 | Enable warnings for malformed Broxygen xref roles. [12]
bro       | 8394829  | Jon Siwek | 2011-12-16 | Broxygen fix for function parameter recognition; better than 80b2451. [13]
bro       | 3b91df8  | Jon Siwek | 2011-12-16 | Allow Broxygen markup "##<" for more general use. [14]
bro       | 0b8b14a  | Seth Hall | 2011-12-15 | Fixed major bug with cluster synchronization (it was broken!) [15]
bro       | 86cba4c  | Jon Siwek | 2011-12-13 | Fix missing action in notice policy for looking up GeoIP data. [16]
bro       | ae57cbe  | Jon Siwek | 2011-12-13 | Better persistent state config warning messages (fixes #433). [17]
bro       | 61aa592  | Seth Hall | 2011-12-12 | A few updates for SQL injection detection. [18]
bro       | 76a0b9a  | Seth Hall | 2011-12-10 | Fixed some DPD signatures for IRC. Fixes ticket #311. [19]
bro       | 6478b4a  | Seth Hall | 2011-12-10 | Removing Off_Port_Protocol_Found notice. [20]
bro       | 00fb187  | Seth Hall | 2011-12-10 | SSH::Interesting_Hostname_Login cleanup. Fixes #664. [21]
bro       | 2cf7bb5  | Jon Siwek | 2011-12-09 | Teach Broxygen to more generally reference attribute values by name. [22]
bro       | 3391270  | Seth Hall | 2011-12-08 | Fixed a really dumb bug that was causing the malware hash registry script to break. [23]
bro       | 80b2451  | Jon Siwek | 2011-12-07 | Fix Broxygen confusing scoped id at start of line as function parameter. [24]
bro       | ab31594  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [25]
broctl    | 7d56ef4  | Jon Siwek | 2011-12-13 | Add StopTimeout option to broctl.cfg (addresses #608). [26]
broctl    | b41e9b5  | Jon Siwek | 2011-12-13 | Make Broccoli communication event timeout interval configurable (addresses #608) [27]
cmake     | 0c0a469  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [28]

[1]  #692:               http://tracker.bro-ids.org/bro/ticket/692
[2]  #702:               http://tracker.bro-ids.org/bro/ticket/702
[3]  dns-updates:        http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/dns-updates
[4]  #711:               http://tracker.bro-ids.org/bro/ticket/711
[5]  pp-alarms:          http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[6]  #712:               http://tracker.bro-ids.org/bro/ticket/712
[7]  #717:               http://tracker.bro-ids.org/bro/ticket/717
[8]  #718:               http://tracker.bro-ids.org/bro/ticket/718
[9]  #722:               http://tracker.bro-ids.org/bro/ticket/722
[10] #727:               http://tracker.bro-ids.org/bro/ticket/727
[11] notice-email-delay: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/notice-email-delay
[12] fastpath:           http://tracker.bro-ids.org/bro/changeset/23177aa0813198432ad2adaadd87833befecae07/bro
[13] fastpath:           http://tracker.bro-ids.org/bro/changeset/8394829fb1b1004b0c86225347ffbf2032c85ef5/bro
[14] fastpath:           http://tracker.bro-ids.org/bro/changeset/3b91df8cf54fd477d4963dc30e2495892b678401/bro
[15] fastpath:           http://tracker.bro-ids.org/bro/changeset/0b8b14a0ed7c5fbf3ba408ab5f6cd89e4c68f2d7/bro
[16] fastpath:           http://tracker.bro-ids.org/bro/changeset/86cba4c33f2641eefa5417c4455bec5082e35ba4/bro
[17] fastpath:           http://tracker.bro-ids.org/bro/changeset/ae57cbe5fc975463a028df3547fb403e37d4b2a8/bro
[18] fastpath:           http://tracker.bro-ids.org/bro/changeset/61aa592db5a847d0e9a2538d31850aae6910c04d/bro
[19] fastpath:           http://tracker.bro-ids.org/bro/changeset/76a0b9ad3c06c45ca8f0eeafaf32562f65e8ad4f/bro
[20] fastpath:           http://tracker.bro-ids.org/bro/changeset/6478b4acafaaef51f5bcbc2d86996a59dedc39e1/bro
[21] fastpath:           http://tracker.bro-ids.org/bro/changeset/00fb187927b6369f941d30e98a396c85f9e8218d/bro
[22] fastpath:           http://tracker.bro-ids.org/bro/changeset/2cf7bb578886ec64d11df509cc52adc725965b08/bro
[23] fastpath:           http://tracker.bro-ids.org/bro/changeset/3391270527f0eb75dba943d9dd75531032c462e7/bro
[24] fastpath:           http://tracker.bro-ids.org/bro/changeset/80b24513e770c7f935be2da5297b2ea53bfadae3/bro
[25] fastpath:           http://tracker.bro-ids.org/bro/changeset/ab315949d6e08b622f786e3941cd66173b0ef222/bro
[26] fastpath:           http://tracker.bro-ids.org/bro/changeset/7d56ef47cabcd3a30c5e44c8d9362577088b6c64/broctl
[27] fastpath:           http://tracker.bro-ids.org/bro/changeset/b41e9b539b6f3780af710e1725c239fe5643bd27/broctl
[28] fastpath:           http://tracker.bro-ids.org/bro/changeset/0c0a4697687df7f17c09391a1d0d95b25297a662/cmake

From noreply at bro-ids.org Sun Dec 18 00:00:02 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Sun, 18 Dec 2011 00:00:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112180800.pBI802gq006772@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id       | Reporter | Owner  | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 692 [1]  | seth     | robin  | Normal | ssl_extension event doesn't indicate originator
Bro       | 702 [2]  | seth     | robin  | Normal | topic/seth/dns-updates - Fixed some DNS issues [3]
Bro       | 711 [4]  | robin    | seth   | Normal | topic/robin/pp-alarms [5]
Bro       | 712 [6]  | amannb   | jsiwek | Normal | LogMgr should escape the set separator
Bro       | 717 [7]  | amannb   |        | Normal | Make LogWriter output the type of data stored inside a set or vector
Bro       | 718 [8]  | amannb   |        | Normal | Log protocol type for notices
Bro       | 722 [9]  | jsiwek   |        | Normal | &default vector initialization
Bro       | 727 [10] | seth     | robin  | Normal | topic/seth/notice-email-delay - Notice email delay to add async data to emails [11]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 23177aa  | Jon Siwek | 2011-12-16 | Enable warnings for malformed Broxygen xref roles. [12]
bro       | 8394829  | Jon Siwek | 2011-12-16 | Broxygen fix for function parameter recognition; better than 80b2451. [13]
bro       | 3b91df8  | Jon Siwek | 2011-12-16 | Allow Broxygen markup "##<" for more general use. [14]
bro       | 0b8b14a  | Seth Hall | 2011-12-15 | Fixed major bug with cluster synchronization (it was broken!) [15]
bro       | 86cba4c  | Jon Siwek | 2011-12-13 | Fix missing action in notice policy for looking up GeoIP data. [16]
bro       | ae57cbe  | Jon Siwek | 2011-12-13 | Better persistent state config warning messages (fixes #433). [17]
bro       | 61aa592  | Seth Hall | 2011-12-12 | A few updates for SQL injection detection. [18]
bro       | 76a0b9a  | Seth Hall | 2011-12-10 | Fixed some DPD signatures for IRC. Fixes ticket #311. [19]
bro       | 6478b4a  | Seth Hall | 2011-12-10 | Removing Off_Port_Protocol_Found notice. [20]
bro       | 00fb187  | Seth Hall | 2011-12-10 | SSH::Interesting_Hostname_Login cleanup. Fixes #664. [21]
bro       | 2cf7bb5  | Jon Siwek | 2011-12-09 | Teach Broxygen to more generally reference attribute values by name. [22]
bro       | 3391270  | Seth Hall | 2011-12-08 | Fixed a really dumb bug that was causing the malware hash registry script to break. [23]
bro       | 80b2451  | Jon Siwek | 2011-12-07 | Fix Broxygen confusing scoped id at start of line as function parameter. [24]
bro       | ab31594  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [25]
broctl    | 7d56ef4  | Jon Siwek | 2011-12-13 | Add StopTimeout option to broctl.cfg (addresses #608). [26]
broctl    | b41e9b5  | Jon Siwek | 2011-12-13 | Make Broccoli communication event timeout interval configurable (addresses #608) [27]
cmake     | 0c0a469  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [28]

[1]  #692:               http://tracker.bro-ids.org/bro/ticket/692
[2]  #702:               http://tracker.bro-ids.org/bro/ticket/702
[3]  dns-updates:        http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/dns-updates
[4]  #711:               http://tracker.bro-ids.org/bro/ticket/711
[5]  pp-alarms:          http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[6]  #712:               http://tracker.bro-ids.org/bro/ticket/712
[7]  #717:               http://tracker.bro-ids.org/bro/ticket/717
[8]  #718:               http://tracker.bro-ids.org/bro/ticket/718
[9]  #722:               http://tracker.bro-ids.org/bro/ticket/722
[10] #727:               http://tracker.bro-ids.org/bro/ticket/727
[11] notice-email-delay: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/notice-email-delay
[12] fastpath:           http://tracker.bro-ids.org/bro/changeset/23177aa0813198432ad2adaadd87833befecae07/bro
[13] fastpath:           http://tracker.bro-ids.org/bro/changeset/8394829fb1b1004b0c86225347ffbf2032c85ef5/bro
[14] fastpath:           http://tracker.bro-ids.org/bro/changeset/3b91df8cf54fd477d4963dc30e2495892b678401/bro
[15] fastpath:           http://tracker.bro-ids.org/bro/changeset/0b8b14a0ed7c5fbf3ba408ab5f6cd89e4c68f2d7/bro
[16] fastpath:           http://tracker.bro-ids.org/bro/changeset/86cba4c33f2641eefa5417c4455bec5082e35ba4/bro
[17] fastpath:           http://tracker.bro-ids.org/bro/changeset/ae57cbe5fc975463a028df3547fb403e37d4b2a8/bro
[18] fastpath:           http://tracker.bro-ids.org/bro/changeset/61aa592db5a847d0e9a2538d31850aae6910c04d/bro
[19] fastpath:           http://tracker.bro-ids.org/bro/changeset/76a0b9ad3c06c45ca8f0eeafaf32562f65e8ad4f/bro
[20] fastpath:           http://tracker.bro-ids.org/bro/changeset/6478b4acafaaef51f5bcbc2d86996a59dedc39e1/bro
[21] fastpath:           http://tracker.bro-ids.org/bro/changeset/00fb187927b6369f941d30e98a396c85f9e8218d/bro
[22] fastpath:           http://tracker.bro-ids.org/bro/changeset/2cf7bb578886ec64d11df509cc52adc725965b08/bro
[23] fastpath:           http://tracker.bro-ids.org/bro/changeset/3391270527f0eb75dba943d9dd75531032c462e7/bro
[24] fastpath:           http://tracker.bro-ids.org/bro/changeset/80b24513e770c7f935be2da5297b2ea53bfadae3/bro
[25] fastpath:           http://tracker.bro-ids.org/bro/changeset/ab315949d6e08b622f786e3941cd66173b0ef222/bro
[26] fastpath:           http://tracker.bro-ids.org/bro/changeset/7d56ef47cabcd3a30c5e44c8d9362577088b6c64/broctl
[27] fastpath:           http://tracker.bro-ids.org/bro/changeset/b41e9b539b6f3780af710e1725c239fe5643bd27/broctl
[28] fastpath:           http://tracker.bro-ids.org/bro/changeset/0c0a4697687df7f17c09391a1d0d95b25297a662/cmake

From robin at icir.org Sun Dec 18 15:22:51 2011
From: robin at icir.org (Robin Sommer)
Date: Sun, 18 Dec 2011 15:22:51 -0800
Subject: [Bro-Dev] Hui Lin_alarm.bro error running manual test
In-Reply-To:
References:
Message-ID: <20111218232251.GA22733@icir.org>

On Fri, Dec 16, 2011 at 21:34 -0600, you wrote:

> error in /usr/local/bro/share/bro/alarm.bro, line 3: "redef" used but not

This seems to be a version mix-up: there's no alarm.bro in 2.0 (but
there was in 2.0).

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Sun Dec 18 15:27:10 2011
From: robin at icir.org (Robin Sommer)
Date: Sun, 18 Dec 2011 15:27:10 -0800
Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Fixed major bug with cluster synchronization (it was broken!) (0b8b14a)
In-Reply-To: <201112152059.pBFKxx9P001111@bro-ids.icir.org>
References: <201112152059.pBFKxx9P001111@bro-ids.icir.org>
Message-ID: <20111218232710.GD22733@icir.org>

On Thu, Dec 15, 2011 at 12:59 -0800, you wrote:

> Fixed major bug with cluster synchronization (it was broken!)

Huh ... Any chance we can write a test that catches this in future?

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From bro at tracker.bro-ids.org Sun Dec 18 15:45:13 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 18 Dec 2011 23:45:13 -0000
Subject: [Bro-Dev] #706: Framework Documentation Package 1
In-Reply-To: <046.0094aad7fdf918d4b7c290b5a6d75304@tracker.bro-ids.org>
References: <046.0094aad7fdf918d4b7c290b5a6d75304@tracker.bro-ids.org>
Message-ID: <061.4caec0228473131067c325395605f52a@tracker.bro-ids.org>

#706: Framework Documentation Package 1
-----------------------------+--------------------
  Reporter:  seth            |      Owner:  robin
      Type:  Task            |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.0
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by robin):

 * status:  accepted => closed
 * resolution:   => Solved/Applied

Comment:

Finished in topic/script-reference. Closing ticket, will be merged with that.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sun Dec 18 15:45:40 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 18 Dec 2011 23:45:40 -0000
Subject: [Bro-Dev] #710: Add notes to event.bif regarding inactive events
In-Reply-To: <047.5c2783988d44625672ff8027b8143914@tracker.bro-ids.org>
References: <047.5c2783988d44625672ff8027b8143914@tracker.bro-ids.org>
Message-ID: <062.648629959bfb9ae36bf0d13637558d89@tracker.bro-ids.org>

#710: Add notes to event.bif regarding inactive events
-----------------------------+--------------------
  Reporter:  robin           |      Owner:  robin
      Type:  Task            |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.0
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by robin):

 * status:  new => closed
 * resolution:   => Solved/Applied

Comment:

Finished in topic/script-reference. Closing ticket, will be merged with that.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sun Dec 18 15:57:40 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 18 Dec 2011 23:57:40 -0000
Subject: [Bro-Dev] #724: Changing semantics of ConnSizeAnalyzer
In-Reply-To: <046.17850f462f1693e7eabd016bb6cf8b36@tracker.bro-ids.org>
References: <046.17850f462f1693e7eabd016bb6cf8b36@tracker.bro-ids.org>
Message-ID: <061.94fec119b461283c166495a4baa6752e@tracker.bro-ids.org>

#724: Changing semantics of ConnSizeAnalyzer
----------------------+--------------------
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  High     |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+--------------------

Comment (by robin):

I'm reluctant to count only payload bytes, as I find that not very
intuitive and also non-standard (NetFlow, for example, counts IP bytes as
well). It feels like we'd be tuning a general mechanism to a specific case
(SSH login detection). The sequence number calculation seems the right
thing to use here, and I'd prefer to fix that instead.

That said, for now I can see doing both as Gregor suggested; however, I
would log the IP bytes only and use payload bytes in scripts where helpful.

Robin

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sun Dec 18 16:42:29 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 00:42:29 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.3cfca4be7baf992391900cad53c52feb@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------------+------------------------
  Reporter:  amannb         |      Owner:  jsiwek
      Type:  Merge Request  |     Status:  assigned
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Comment (by robin):

Allowing multiple escape strings is the right thing to do, thanks!

What worries me a bit, however, is that this might all get quite expensive
CPU-wise: the code now needs to search for all escape strings each time
something's written out, and it also needs to register/deregister the
escape strings as it traverses the log data structures. It's fine for now,
but eventually we may want to profile this and see if something can be
improved (on the other hand, once logging is done in threads, this will
matter much less).

One other nit: why do the new header lines (`#empty_field` etc.) always
escape everything? It would be more readable if only printable characters
were printed as is.

I'm going to merge this and then close the ticket.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sun Dec 18 16:54:27 2011
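As an added illustration of why the set separator in ticket #712 has to be escaped, and of the header-line readability nit raised above, here is a small writer/reader pair for a Bro-style ASCII log line. This is example code written for this page, not Bro's LogMgr or its ASCII writer; it assumes Bro 2.0's default conventions (tab field separator, comma set separator, "(empty)" and "-" markers, \xHH escapes), additionally escapes the backslash so the encoding is unambiguous, and all function names are mine.

```python
"""Escaping separators in a Bro-style ASCII log line (illustration only).

Not Bro's LogMgr/ASCII writer.  Assumed conventions: tab between fields,
comma between set elements, "(empty)" and "-" markers, reserved bytes
written as \\xHH, and the backslash escaped too so decoding is unambiguous.
"""
import re

SEPARATOR = "\t"         # between fields
SET_SEPARATOR = ","      # between the elements of a set or vector
EMPTY_FIELD = "(empty)"  # empty string, set or vector
UNSET_FIELD = "-"        # an &optional field that was never assigned
BACKSLASH = "\\"


def hex_escape(text: str) -> str:
    """Write every byte of `text` as \\xHH."""
    return "".join(f"\\x{b:02x}" for b in text.encode("utf-8"))


def escape_value(value: str, escape_strings) -> str:
    """Replace each occurrence of any registered escape string by \\xHH.

    One left-to-right pass, longest string first: this per-write search over
    all registered escape strings is the CPU cost the ticket comment mentions.
    """
    ordered = sorted(escape_strings, key=len, reverse=True)
    out, i = [], 0
    while i < len(value):
        for esc in ordered:
            if value.startswith(esc, i):
                out.append(hex_escape(esc))
                i += len(esc)
                break
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def render_field(value) -> str:
    """Render one field: None (unset), a string, or a list of strings (a set)."""
    if value is None:
        return UNSET_FIELD
    if isinstance(value, list):
        if not value:
            return EMPTY_FIELD
        # While a set is written, its own separator is reserved as well.
        reserved = [SEPARATOR, SET_SEPARATOR, BACKSLASH]
        return SET_SEPARATOR.join(escape_value(e, reserved) for e in value)
    if value == "":
        return EMPTY_FIELD
    if value in (UNSET_FIELD, EMPTY_FIELD):
        return hex_escape(value)  # a literal "-" must not read back as "unset"
    return escape_value(value, [SEPARATOR, BACKSLASH])


def render_line(fields) -> str:
    return SEPARATOR.join(render_field(f) for f in fields)


def render_header(escape_all: bool) -> list:
    """#separator/#set_separator/#empty_field/#unset_field header lines.

    escape_all=True hex-escapes every byte (the hard-to-read form the ticket
    comment objects to); False escapes only non-printable bytes.
    """
    def show(s):
        if escape_all:
            return hex_escape(s)
        return "".join(c if c.isprintable() else hex_escape(c) for c in s)
    return ["#separator " + hex_escape(SEPARATOR),
            "#set_separator" + SEPARATOR + show(SET_SEPARATOR),
            "#empty_field" + SEPARATOR + show(EMPTY_FIELD),
            "#unset_field" + SEPARATOR + show(UNSET_FIELD)]


_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(text: str) -> str:
    """Undo \\xHH escapes, reassembling multi-byte UTF-8 sequences."""
    buf, i = bytearray(), 0
    while i < len(text):
        m = _HEX.match(text, i)
        if m:
            buf.append(int(m.group(1), 16))
            i = m.end()
        else:
            buf.extend(text[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def parse_line(line: str, set_columns=()) -> list:
    """Split a rendered line back into fields; `set_columns` lists the
    indexes whose value is a set and must be split on the set separator."""
    fields = []
    for idx, raw in enumerate(line.split(SEPARATOR)):
        if raw == UNSET_FIELD:
            fields.append(None)
        elif idx in set_columns:
            fields.append([] if raw == EMPTY_FIELD
                          else [unescape(e) for e in raw.split(SET_SEPARATOR)])
        elif raw == EMPTY_FIELD:
            fields.append("")
        else:
            fields.append(unescape(raw))
    return fields


def split_without_escaping(elements) -> list:
    """What a reader recovers when the writer does NOT escape the set separator."""
    return SET_SEPARATOR.join(elements).split(SET_SEPARATOR)
```

With the constructed record `["1323989132.5", "curl/7.21", ["x,y", "z"], None, "", []]`, `parse_line(render_line(record), set_columns={2, 5})` returns the record unchanged, whereas `split_without_escaping(["x,y", "z"])` yields three elements instead of two.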
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 00:54:27 -0000
Subject: [Bro-Dev] #718: Log protocol type for notices
In-Reply-To: <048.02d89499b6936683b1f6e5e85519d1d3@tracker.bro-ids.org>
References: <048.02d89499b6936683b1f6e5e85519d1d3@tracker.bro-ids.org>
Message-ID: <063.77b7c0c22191cf3919c2561b636d3920@tracker.bro-ids.org>

#718: Log protocol type for notices
----------------------------+--------------------
  Reporter:  amannb         |      Owner:
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:
Resolution:                 |   Keywords:
----------------------------+--------------------

Comment (by robin):

What's the context for this? Is this needed for something specific?

Also, it looks like it's a more general problem: other log files also
record `conn_id` but not the protocol.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From hlin33 at illinois.edu Sun Dec 18 17:27:11 2011
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Sun, 18 Dec 2011 19:27:11 -0600
Subject: [Bro-Dev] Hui Lin_alarm.bro error running manual test
In-Reply-To: <5f01f69f890b417bb91b182487c39cb1@CITESHT3.ad.uillinois.edu>
References: <5f01f69f890b417bb91b182487c39cb1@CITESHT3.ad.uillinois.edu>
Message-ID:

It seems that when you configure, make and make install, only the files
that exist are replaced. The files that were installed before but no longer
exist will not be removed. Anyway, I had a new virtual machine and installed
2.0 beta, and it is fine now.

On Sun, Dec 18, 2011 at 5:22 PM, Robin Sommer wrote:

>
> On Fri, Dec 16, 2011 at 21:34 -0600, you wrote:
>
> > error in /usr/local/bro/share/bro/alarm.bro, line 3: "redef" used but not
>
> This seems to be a version mix-up: there's no alarm.bro in 2.0 (but
> there was in 2.0).
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>

--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu

From hlin33 at illinois.edu Sun Dec 18 18:39:01 2011
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Sun, 18 Dec 2011 20:39:01 -0600
Subject: [Bro-Dev] Hui Lin_Any thing logged in /usr/local/bro/logs
Message-ID:

Hi,

I have realized that Bro will generate the default logs and some
self-defined logs in the directory that Bro is running in. However, I still
see that /usr/local/bro/logs is generated, and it is always left empty. So
is there any case in which logs will be put into this directory?

Best
Hui

--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu

From robin at icir.org Sun Dec 18 19:50:23 2011
From: robin at icir.org (Robin Sommer)
Date: Sun, 18 Dec 2011 19:50:23 -0800
Subject: [Bro-Dev] Hui Lin_alarm.bro error running manual test
In-Reply-To:
References: <5f01f69f890b417bb91b182487c39cb1@CITESHT3.ad.uillinois.edu>
Message-ID: <20111219035023.GE23762@icir.org>

On Sun, Dec 18, 2011 at 19:27 -0600, you wrote:

> It seems that when you configure, make and make install only replace the
> files that exist. The files that are installed before but not exist any
> more now will not be removed.

That's right.

> > This seems to be a version mix-up: there's no alarm.bro in 2.0 (but
> > there was in 2.0).

(The latter "2.0" was supposed to be "1.5" of course.)

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Sun Dec 18 19:51:15 2011
From: robin at icir.org (Robin Sommer)
Date: Sun, 18 Dec 2011 19:51:15 -0800
Subject: [Bro-Dev] Hui Lin_Any thing logged in /usr/local/bro/logs
In-Reply-To:
References:
Message-ID: <20111219035115.GF23762@icir.org>

On Sun, Dec 18, 2011 at 20:39 -0600, you wrote:

> However, I still see that /usr/local/bro/logs is generated which is always
> left as empty. So is there any case that logs will be put into this
> directory?

Yes, when using broctl, logs will be archived there.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From vern at icir.org Sun Dec 18 23:39:49 2011
From: vern at icir.org (Vern Paxson)
Date: Sun, 18 Dec 2011 23:39:49 -0800
Subject: [Bro-Dev] question & meta-question regarding "path" field in smtp.log
In-Reply-To: <881F296B-60C6-4D3A-8F02-4DE6716943DB@icir.org> (Fri, 02 Dec 2011 23:32:36 EST).
Message-ID: <20111219073949.5FC052C4005@rock.ICSI.Berkeley.EDU>

[catching up]

> Hah, you're finding all of the places that I debated with myself for a
> long time. I ended up adding the orig_h and resp_h for the current
> connection to the path field because I wanted an easy way to reliably
> find the address that originally sent the message. If you are watching
> the actual message being sent from the MUA then it obviously won't have
> any received headers yet but it was handy to have the orig_h for the
> connection there anyway.
>
> Do you think we should cut those out? It certainly made log processing
> easier when I added it.

Hmmm, I'm somewhat torn. I'm not a big fan of synthesizing information that looks just like information directly extracted from the application dialog, but I appreciate your finding that doing so made the log processing easier. I guess as long as "path" is carefully defined to not suggest it's simply the overt application dialog, then leaving this as it is seems okay to me.

Vern

From noreply at bro-ids.org Mon Dec 19 00:00:02 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Mon, 19 Dec 2011 00:00:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112190800.pBJ802Su017036@bro-ids.icir.org>

Open Merge Requests for Bro2.0
==============================

Component | Id       | Reporter | Owner  | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 692 [1]  | seth     | robin  | Normal | ssl_extension event doesn't indicate originator
Bro       | 702 [2]  | seth     | robin  | Normal | topic/seth/dns-updates - Fixed some DNS issues [3]
Bro       | 711 [4]  | robin    | seth   | Normal | topic/robin/pp-alarms [5]
Bro       | 712 [6]  | amannb   | jsiwek | Normal | LogMgr should escape the set separator
Bro       | 717 [7]  | amannb   |        | Normal | Make LogWriter output the type of data stored inside a set or vector
Bro       | 718 [8]  | amannb   |        | Normal | Log protocol type for notices
Bro       | 722 [9]  | jsiwek   |        | Normal | &default vector initialization
Bro       | 727 [10] | seth     | robin  | Normal | topic/seth/notice-email-delay - Notice email delay to add async data to emails [11]

Unmerged Fastpath Commits
=========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 23177aa  | Jon Siwek | 2011-12-16 | Enable warnings for malformed Broxygen xref roles. [12]
bro       | 8394829  | Jon Siwek | 2011-12-16 | Broxygen fix for function parameter recognition; better than 80b2451. [13]
bro       | 3b91df8  | Jon Siwek | 2011-12-16 | Allow Broxygen markup "##<" for more general use. [14]
bro       | 0b8b14a  | Seth Hall | 2011-12-15 | Fixed major bug with cluster synchronization (it was broken!) [15]
bro       | 86cba4c  | Jon Siwek | 2011-12-13 | Fix missing action in notice policy for looking up GeoIP data. [16]
bro       | ae57cbe  | Jon Siwek | 2011-12-13 | Better persistent state config warning messages (fixes #433). [17]
bro       | 61aa592  | Seth Hall | 2011-12-12 | A few updates for SQL injection detection. [18]
bro       | 76a0b9a  | Seth Hall | 2011-12-10 | Fixed some DPD signatures for IRC. Fixes ticket #311. [19]
bro       | 6478b4a  | Seth Hall | 2011-12-10 | Removing Off_Port_Protocol_Found notice. [20]
bro       | 00fb187  | Seth Hall | 2011-12-10 | SSH::Interesting_Hostname_Login cleanup. Fixes #664. [21]
bro       | 2cf7bb5  | Jon Siwek | 2011-12-09 | Teach Broxygen to more generally reference attribute values by name. [22]
bro       | 3391270  | Seth Hall | 2011-12-08 | Fixed a really dumb bug that was causing the malware hash registry script to break. [23]
bro       | 80b2451  | Jon Siwek | 2011-12-07 | Fix Broxygen confusing scoped id at start of line as function parameter. [24]
bro       | ab31594  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [25]
broctl    | 7d56ef4  | Jon Siwek | 2011-12-13 | Add StopTimeout option to broctl.cfg (addresses #608). [26]
broctl    | b41e9b5  | Jon Siwek | 2011-12-13 | Make Broccoli communication event timeout interval configurable (addresses #608) [27]
cmake     | 0c0a469  | Jon Siwek | 2011-12-07 | Remove remnant of libmagic optionality [28]

[1] #692: http://tracker.bro-ids.org/bro/ticket/692
[2] #702: http://tracker.bro-ids.org/bro/ticket/702
[3] dns-updates: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/dns-updates
[4] #711: http://tracker.bro-ids.org/bro/ticket/711
[5] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[6] #712: http://tracker.bro-ids.org/bro/ticket/712
[7] #717: http://tracker.bro-ids.org/bro/ticket/717
[8] #718: http://tracker.bro-ids.org/bro/ticket/718
[9] #722: http://tracker.bro-ids.org/bro/ticket/722
[10] #727: http://tracker.bro-ids.org/bro/ticket/727
[11] notice-email-delay: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/notice-email-delay
[12] fastpath: http://tracker.bro-ids.org/bro/changeset/23177aa0813198432ad2adaadd87833befecae07/bro
[13] fastpath: http://tracker.bro-ids.org/bro/changeset/8394829fb1b1004b0c86225347ffbf2032c85ef5/bro
[14] fastpath: http://tracker.bro-ids.org/bro/changeset/3b91df8cf54fd477d4963dc30e2495892b678401/bro
[15] fastpath: http://tracker.bro-ids.org/bro/changeset/0b8b14a0ed7c5fbf3ba408ab5f6cd89e4c68f2d7/bro
[16] fastpath: http://tracker.bro-ids.org/bro/changeset/86cba4c33f2641eefa5417c4455bec5082e35ba4/bro
[17] fastpath: http://tracker.bro-ids.org/bro/changeset/ae57cbe5fc975463a028df3547fb403e37d4b2a8/bro
[18] fastpath: http://tracker.bro-ids.org/bro/changeset/61aa592db5a847d0e9a2538d31850aae6910c04d/bro
[19] fastpath: http://tracker.bro-ids.org/bro/changeset/76a0b9ad3c06c45ca8f0eeafaf32562f65e8ad4f/bro
[20] fastpath: http://tracker.bro-ids.org/bro/changeset/6478b4acafaaef51f5bcbc2d86996a59dedc39e1/bro
[21] fastpath: http://tracker.bro-ids.org/bro/changeset/00fb187927b6369f941d30e98a396c85f9e8218d/bro
[22] fastpath: http://tracker.bro-ids.org/bro/changeset/2cf7bb578886ec64d11df509cc52adc725965b08/bro
[23] fastpath: http://tracker.bro-ids.org/bro/changeset/3391270527f0eb75dba943d9dd75531032c462e7/bro
[24] fastpath: http://tracker.bro-ids.org/bro/changeset/80b24513e770c7f935be2da5297b2ea53bfadae3/bro
[25] fastpath: http://tracker.bro-ids.org/bro/changeset/ab315949d6e08b622f786e3941cd66173b0ef222/bro
[26] fastpath: http://tracker.bro-ids.org/bro/changeset/7d56ef47cabcd3a30c5e44c8d9362577088b6c64/broctl
[27] fastpath: http://tracker.bro-ids.org/bro/changeset/b41e9b539b6f3780af710e1725c239fe5643bd27/broctl
[28] fastpath: http://tracker.bro-ids.org/bro/changeset/0c0a4697687df7f17c09391a1d0d95b25297a662/cmake

From bro at tracker.bro-ids.org Mon Dec 19 06:57:01 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 14:57:01 -0000
Subject: [Bro-Dev] #722: &default vector initialization
In-Reply-To: <048.85f31e9d1a6d91b6beeb07c2c2bf019a@tracker.bro-ids.org>
References: <048.85f31e9d1a6d91b6beeb07c2c2bf019a@tracker.bro-ids.org>
Message-ID: <063.face1864c2df18420a37294572a343f6@tracker.bro-ids.org>

#722: &default vector initialization
----------------------------+------------------------
  Reporter:  jsiwek         |      Owner:
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Comment (by robin):

 For the record, it looks like this is not only fixing defaults of vectors (as I expected originally), but field defaults in general.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 07:55:23 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 15:55:23 -0000
Subject: [Bro-Dev] #298: Automatic build tests on NMI testbed.
In-Reply-To: <046.52cb04f5dd135b7d304d18bd01deebaf@tracker.bro-ids.org>
References: <046.52cb04f5dd135b7d304d18bd01deebaf@tracker.bro-ids.org>
Message-ID: <061.c80d8e05052135bfea5f5a28c4ca8df8@tracker.bro-ids.org>

#298: Automatic build tests on NMI testbed.
---------------------+--------------------
  Reporter:  seth    |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:  Bro2.0
 Component:  Bro     |    Version:
Resolution:          |   Keywords:  nmi
---------------------+--------------------

Comment (by slagell):

 Not sure if we want to mark this off as complete. It isn't really anything that will ever be finished, as every time they change something we have to fix all the platforms again. Let me describe where we are now.

 After we got them to install libmagic, we are back to every platform target building again. The internal tests fail on *some* platforms, but not consistently. For example, there are sometimes a bunch of errors on Ubuntu 32 bit, but the same version on a VM here works fine. These pseudo-random failures seem to be due to timeouts and overload on the NMI B&T VMs.

 As far as the external tests go, I am not sure. I'll let Daniel comment on those, but he is out for the holidays.

 Anyway, I don't think there is anything here holding back the 2.0 release.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 08:08:45 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 16:08:45 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.012ab4930be93792af43836bb522b9a5@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------------+------------------------
  Reporter:  amannb         |      Owner:  jsiwek
      Type:  Merge Request  |     Status:  assigned
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Comment (by jsiwek):

 > Allowing multiple escape strings is the right thing to do, thanks! What worries me a bit however is that this might all get quite expensive CPU-wise

 I was a bit concerned about that, too.

 > One other nit: why do the new header lines (`#empty_field` etc.) always escape everything? Would be more readable if only printable characters were printed as is.

 I was mostly just following the example set by `#separator` which is always fully escaped. I guess it's a bit weird since space is considered a printing character, but we need to escape it. And maybe consistently escaping everything makes it a bit easier for log-consuming programs.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 08:46:51 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 16:46:51 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.cf36a9f2522c2fbcfe7f15f36eed7b60@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------------+------------------------
  Reporter:  amannb         |      Owner:  jsiwek
      Type:  Merge Request  |     Status:  assigned
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Comment (by robin):

 > I was mostly just following the example set by `#separator` which is
 > always fully escaped. I guess it's a bit weird since space is considered
 > a printing character, but we need to escape it. And maybe consistently
 > escaping everything makes it a bit easier for log-consuming programs.

 Ok, I'm changing this to escape only when necessary (space or not printable). Shouldn't be hard to deal with for log-consuming programs and better for humans.

 Robin

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 09:03:09 2011
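To make the #712 discussion above concrete, here is an added example (written for this page, not code from Bro or from the ticket) of a writer and reader for a tab-separated ASCII log in the style discussed: field values escape the field separator, set elements additionally escape the set separator, and the header can be written either fully escaped (Jon's original) or escaped only where necessary (Robin's revision). Only the `\xHH` escape form and the `#separator` / `#set_separator` / `#empty_field` / `#unset_field` header names are taken from Bro; the function names, the collision rule for values that equal a marker, and the sample record are this example's own assumptions.

```python
# Added example: escaping policies for a Bro-style ASCII log (see ticket #712).
# The \xHH form and the header names follow Bro's ASCII writer; the rest of the
# design (function names, marker-collision rule, sample data) is assumed here.
from typing import Dict, Iterable, List

FIELD_SEP = "\t"
SET_SEP = ","
EMPTY_FIELD = "(empty)"
UNSET_FIELD = "-"
ESCAPE_CHAR = "\\"


def _is_printable(ch: str) -> bool:
    """Printable ASCII; space counts as printable, as Jon notes above."""
    return 0x20 <= ord(ch) < 0x7F


def _hex(ch: str) -> str:
    return "\\x%02x" % ord(ch)


def escape_value(value: str, reserved: str = "") -> str:
    """Escape one field value: backslash, the field separator, any extra
    `reserved` characters (the set separator for set elements) and anything
    non-printable become \\xHH, so traffic-derived text can never act as a
    separator. A value that would read as the unset/empty marker gets its
    first character escaped too, so the reader cannot confuse the two."""
    escaped = "".join(
        _hex(ch) if (ch == ESCAPE_CHAR or ch == FIELD_SEP or ch in reserved
                     or not _is_printable(ch)) else ch
        for ch in value)
    if escaped in (UNSET_FIELD, EMPTY_FIELD):
        escaped = _hex(escaped[0]) + escaped[1:]
    return escaped


def unescape(text: str) -> str:
    """Invert escape_value: \\xHH -> character, everything else literal."""
    out, i = [], 0
    while i < len(text):
        if text[i] == ESCAPE_CHAR and text[i + 1:i + 2] == "x":
            pair = text[i + 2:i + 4]
            if len(pair) != 2:
                raise ValueError("truncated escape at offset %d" % i)
            out.append(chr(int(pair, 16)))
            i += 4
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def header_escape_full(value: str) -> str:
    """Original behaviour in #712: every character of a header value as \\xHH."""
    return "".join(_hex(ch) for ch in value)


def header_escape_minimal(value: str) -> str:
    """Robin's revision: escape only space and non-printable characters."""
    return "".join(_hex(ch) if ch == " " or not _is_printable(ch) else ch
                   for ch in value)


def make_header(escaper) -> List[str]:
    """#separator is delimited by a literal space; later lines use the separator."""
    return ["#separator " + escaper(FIELD_SEP),
            "#set_separator" + FIELD_SEP + escaper(SET_SEP),
            "#empty_field" + FIELD_SEP + escaper(EMPTY_FIELD),
            "#unset_field" + FIELD_SEP + escaper(UNSET_FIELD)]


def parse_header(lines: Iterable[str]) -> Dict[str, str]:
    """Read the header under either policy: literal characters pass through
    unescape() unchanged, so the consumer needs no policy-specific code."""
    opts: Dict[str, str] = {}
    for line in lines:
        if line.startswith("#separator "):
            opts["separator"] = unescape(line[len("#separator "):])
        elif line.startswith("#"):
            key, _, raw = line[1:].partition(opts["separator"])
            opts[key] = unescape(raw)
    return opts


def format_record(fields: list) -> str:
    """None -> unset marker, str -> escaped, any other iterable -> set column."""
    cols = []
    for f in fields:
        if f is None:
            cols.append(UNSET_FIELD)
        elif isinstance(f, str):
            cols.append(escape_value(f))
        else:
            elems = [escape_value(e, reserved=SET_SEP) for e in f]
            cols.append(SET_SEP.join(elems) if elems else EMPTY_FIELD)
    return FIELD_SEP.join(cols)


def parse_record(line: str, set_columns: Iterable[int] = ()) -> list:
    """Split on the separators first, then undo escaping per element."""
    sets, out = set(set_columns), []
    for idx, col in enumerate(line.split(FIELD_SEP)):
        if col == UNSET_FIELD:
            out.append(None)
        elif idx in sets:
            out.append([] if col == EMPTY_FIELD
                       else [unescape(e) for e in col.split(SET_SEP)])
        else:
            out.append(unescape(col))
    return out


def demo() -> dict:
    """Constructed sample: a URI seen in traffic carrying a tab, a comma and a
    newline, the characters most likely to corrupt a column-oriented log."""
    hostile = "/index.html\t10.0.0.1,admin\n#fake"
    record = ["1324325000.0", "10.0.0.5", hostile, ["a,b", "c"], [], None]
    line = format_record(record)
    naive = FIELD_SEP.join(record[:3])  # what an unescaping writer would emit
    return {"columns": len(line.split(FIELD_SEP)),          # 6, as written
            "naive_columns": len(naive.split(FIELD_SEP)),   # 4 for 3 fields
            "naive_lines": naive.count("\n") + 1,           # record split in two
            "round_trip": parse_record(line, set_columns={3, 4}) == record}
```

The `naive_*` values show why the set separator (and the field separator) must be escaped: a consumer splitting on tabs would otherwise misalign every later column of that record, which is exactly the failure an attacker-controlled field value can trigger.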
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 17:03:09 -0000
Subject: [Bro-Dev] #718: Log protocol type for notices
In-Reply-To: <048.02d89499b6936683b1f6e5e85519d1d3@tracker.bro-ids.org>
References: <048.02d89499b6936683b1f6e5e85519d1d3@tracker.bro-ids.org>
Message-ID: <063.aa2dd0399d01bd867c7bb80b82a65b0d@tracker.bro-ids.org>

#718: Log protocol type for notices
----------------------------+--------------------
  Reporter:  amannb         |      Owner:
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:
Resolution:                 |   Keywords:
----------------------------+--------------------

Comment (by amannb):

 During some trials I just noticed that logged notices do not contain protocol information. I asked Seth about it and he told me that that was an oversight and I should file a bug report - and I just filed a small patch instead.

 But you are right, it probably is a more general problem.

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From jsiwek at illinois.edu Mon Dec 19 09:43:20 2011
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Mon, 19 Dec 2011 17:43:20 +0000
Subject: [Bro-Dev] RecordType::Init dead code
Message-ID: <917B9BDB-E438-423C-A1E0-B5AC1756660A@illinois.edu>

I was exploring the internals of records and noticed in RecordType::Init that there's an "assert(false)". Is this dead code that can be removed?

Removing it would also involve removing the RecordField class, the "fields" and "base" members of RecordType, the two-arg RecordType ctor, and the "refined_type" rule from the parser (used in type and event declarations). What was the use for this "refined" record type?

I already experimented with removing all that stuff with all unit tests passing, want me to commit it so it can get merged?

+Jon

From vern at icir.org Mon Dec 19 10:51:43 2011
From: vern at icir.org (Vern Paxson)
Date: Mon, 19 Dec 2011 10:51:43 -0800
Subject: [Bro-Dev] RecordType::Init dead code
In-Reply-To: <917B9BDB-E438-423C-A1E0-B5AC1756660A@illinois.edu> (Mon, 19 Dec 2011 17:43:20 GMT).
Message-ID: <20111219185143.2200E2C40AB@rock.ICSI.Berkeley.EDU>

> What was the use for this "refined" record type?

IIRC, this was an experiment regarding providing a form of inheritance. I don't remember how far it went; perhaps Robin does.

Vern

From bro at tracker.bro-ids.org Mon Dec 19 11:22:36 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:36 -0000
Subject: [Bro-Dev] #664: Interesting_Hostname_Login misleading
In-Reply-To: <047.2320a3af2d40dde4b0878f0150e175de@tracker.bro-ids.org>
References: <047.2320a3af2d40dde4b0878f0150e175de@tracker.bro-ids.org>
Message-ID: <062.20865998406e7fa9d57791520a15b625@tracker.bro-ids.org>

#664: Interesting_Hostname_Login misleading
----------------------+--------------------
  Reporter:  robin    |      Owner:  seth
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:  fixed    |   Keywords:
----------------------+--------------------

Comment (by robin):

 In [4e17ef63f01f98b011fa4c24fe221316c5992a57/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="4e17ef63f01f98b011fa4c24fe221316c5992a57"
 Merge remote branch 'origin/fastpath'

 * origin/fastpath:
   Fix missing action in notice policy for looking up GeoIP data.
   Better persistent state config warning messages (fixes #433).
   A few updates for SQL injection detection.
   Fixed some DPD signatures for IRC. Fixes ticket #311.
   Removing Off_Port_Protocol_Found notice.
   SSH::Interesting_Hostname_Login cleanup. Fixes #664.
   Teach Broxygen to more generally reference attribute values by name.
   Fixed a really dumb bug that was causing the malware hash registry script to break.
   Fix Broxygen confusing scoped id at start of line as function parameter.
   Remove remnant of libmagic optionality
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:36 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:36 -0000
Subject: [Bro-Dev] #433: run-time error: unserialized unknown global name
In-Reply-To: <048.b7f6a90db7ea47a175189fdbe3df691e@tracker.bro-ids.org>
References: <048.b7f6a90db7ea47a175189fdbe3df691e@tracker.bro-ids.org>
Message-ID: <063.52fda5ba4462f9977146ab65e6eaab77@tracker.bro-ids.org>

#433: run-time error: unserialized unknown global name
----------------------+------------------------
  Reporter:  jsiwek   |      Owner:  jsiwek
      Type:  Problem  |     Status:  closed
  Priority:  Low      |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:  fixed    |   Keywords:
----------------------+------------------------

Comment (by robin):

 In [4e17ef63f01f98b011fa4c24fe221316c5992a57/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="4e17ef63f01f98b011fa4c24fe221316c5992a57"
 Merge remote branch 'origin/fastpath'

 * origin/fastpath:
   Fix missing action in notice policy for looking up GeoIP data.
   Better persistent state config warning messages (fixes #433).
   A few updates for SQL injection detection.
   Fixed some DPD signatures for IRC. Fixes ticket #311.
   Removing Off_Port_Protocol_Found notice.
   SSH::Interesting_Hostname_Login cleanup. Fixes #664.
   Teach Broxygen to more generally reference attribute values by name.
   Fixed a really dumb bug that was causing the malware hash registry script to break.
   Fix Broxygen confusing scoped id at start of line as function parameter.
   Remove remnant of libmagic optionality
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:36 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:36 -0000
Subject: [Bro-Dev] #664: Interesting_Hostname_Login misleading
In-Reply-To: <047.2320a3af2d40dde4b0878f0150e175de@tracker.bro-ids.org>
References: <047.2320a3af2d40dde4b0878f0150e175de@tracker.bro-ids.org>
Message-ID: <062.b9b403b19f4b5f05cd7ad2a558d1fb89@tracker.bro-ids.org>

#664: Interesting_Hostname_Login misleading
----------------------+--------------------
  Reporter:  robin    |      Owner:  seth
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:  fixed    |   Keywords:
----------------------+--------------------

Comment (by robin):

 In [84e6caed2cadd0bce942adcb7c09b295403d694d/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="84e6caed2cadd0bce942adcb7c09b295403d694d"
 Merge remote branch 'origin/master'

 * origin/master:
   Cleanup some misc Broxygen css/js stuff.
   Add search box to Broxygen docs (fixes #726).
   Some markup for the tracker to close the recently addresses tickets: Closes #726. Closes #433. Closes #311. Closes #664.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:37 -0000
Subject: [Bro-Dev] #433: run-time error: unserialized unknown global name
In-Reply-To: <048.b7f6a90db7ea47a175189fdbe3df691e@tracker.bro-ids.org>
References: <048.b7f6a90db7ea47a175189fdbe3df691e@tracker.bro-ids.org>
Message-ID: <063.4b2b3a2bce4dc406597c82831b2caa68@tracker.bro-ids.org>

#433: run-time error: unserialized unknown global name
----------------------+------------------------
  Reporter:  jsiwek   |      Owner:  jsiwek
      Type:  Problem  |     Status:  closed
  Priority:  Low      |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:  fixed    |   Keywords:
----------------------+------------------------

Comment (by robin):

 In [84e6caed2cadd0bce942adcb7c09b295403d694d/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="84e6caed2cadd0bce942adcb7c09b295403d694d"
 Merge remote branch 'origin/master'

 * origin/master:
   Cleanup some misc Broxygen css/js stuff.
   Add search box to Broxygen docs (fixes #726).
   Some markup for the tracker to close the recently addresses tickets: Closes #726. Closes #433. Closes #311. Closes #664.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:37 -0000
Subject: [Bro-Dev] #726: Script autodocs missing search field.
In-Reply-To: <046.7f2e89571345c1574bd9d2b500e51858@tracker.bro-ids.org>
References: <046.7f2e89571345c1574bd9d2b500e51858@tracker.bro-ids.org>
Message-ID: <061.7fcc6fac703e90aead7a4360c9e1d643@tracker.bro-ids.org>

#726: Script autodocs missing search field.
----------------------+--------------------
  Reporter:  seth     |      Owner:  jsiwek
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:  fixed    |   Keywords:
----------------------+--------------------

Comment (by robin):

 In [84e6caed2cadd0bce942adcb7c09b295403d694d/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="84e6caed2cadd0bce942adcb7c09b295403d694d"
 Merge remote branch 'origin/master'

 * origin/master:
   Cleanup some misc Broxygen css/js stuff.
   Add search box to Broxygen docs (fixes #726).
   Some markup for the tracker to close the recently addresses tickets: Closes #726. Closes #433. Closes #311. Closes #664.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:37 -0000
Subject: [Bro-Dev] #311: DPD mistakenly thinking HTTP is IRC
In-Reply-To: <046.3f8eace7381b3dd1aa7e05363fb06431@tracker.bro-ids.org>
References: <046.3f8eace7381b3dd1aa7e05363fb06431@tracker.bro-ids.org>
Message-ID: <061.c5f273e2ba0eea9d6e754d102494c41a@tracker.bro-ids.org>

#311: DPD mistakenly thinking HTTP is IRC
----------------------+--------------------
  Reporter:  vern     |      Owner:  robin
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:
 Component:  Bro      |    Version:
Resolution:  fixed    |   Keywords:
----------------------+--------------------

Changes (by robin):

 * owner:  => robin
 * resolution:  Solved/Applied => fixed

Comment:

 In [84e6caed2cadd0bce942adcb7c09b295403d694d/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="84e6caed2cadd0bce942adcb7c09b295403d694d"
 Merge remote branch 'origin/master'

 * origin/master:
   Cleanup some misc Broxygen css/js stuff.
   Add search box to Broxygen docs (fixes #726).
   Some markup for the tracker to close the recently addresses tickets: Closes #726. Closes #433. Closes #311. Closes #664.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:37 -0000
Subject: [Bro-Dev] #702: topic/seth/dns-updates - Fixed some DNS issues
In-Reply-To: <046.2f4b2ad86a7b89075747e60a28802b6f@tracker.bro-ids.org>
References: <046.2f4b2ad86a7b89075747e60a28802b6f@tracker.bro-ids.org>
Message-ID: <061.2a09d952faec64da56c879b8ee71b1ae@tracker.bro-ids.org>

#702: topic/seth/dns-updates - Fixed some DNS issues
----------------------------+--------------------
  Reporter:  seth           |      Owner:  robin
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:
Resolution:  fixed          |   Keywords:
----------------------------+--------------------

Changes (by robin):

 * status:  assigned => closed
 * resolution:  => fixed

Comment:

 In [0a3e160a8db272fe4d40a6820f1b1fb8454764aa/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="0a3e160a8db272fe4d40a6820f1b1fb8454764aa"
 Merge remote branch 'origin/topic/seth/dns-updates'

 * origin/topic/seth/dns-updates:
   Fixed some bugs with capturing data in the base DNS script.
   Some updates to the base DNS script.

 Closes #702.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:37 -0000
Subject: [Bro-Dev] #722: &default vector initialization
In-Reply-To: <048.85f31e9d1a6d91b6beeb07c2c2bf019a@tracker.bro-ids.org>
References: <048.85f31e9d1a6d91b6beeb07c2c2bf019a@tracker.bro-ids.org>
Message-ID: <063.384df68d1701d1c498be18c2512d3e22@tracker.bro-ids.org>

#722: &default vector initialization
----------------------------+------------------------
  Reporter:  jsiwek         |      Owner:  robin
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:  git/master
Resolution:  fixed          |   Keywords:
----------------------------+------------------------

Changes (by robin):

 * owner:  => robin
 * status:  new => closed
 * resolution:  => fixed

Comment:

 In [01e4588737663e3b5dcdffd458bc5e3082e0a427/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="01e4588737663e3b5dcdffd458bc5e3082e0a427"
 Merge remote branch 'origin/topic/jsiwek/record-coerce-default'

 * origin/topic/jsiwek/record-coerce-default:
   Fix &default fields in records not being initialized in coerced assignments.

 Closes #722.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:37 -0000
Subject: [Bro-Dev] #727: topic/seth/notice-email-delay - Notice email delay to add async data to emails
In-Reply-To: <046.a30cb321ed0aaa7185476ba17a3c2ac3@tracker.bro-ids.org>
References: <046.a30cb321ed0aaa7185476ba17a3c2ac3@tracker.bro-ids.org>
Message-ID: <061.d74325230c541dd874d6080aa1dbcf0d@tracker.bro-ids.org>

#727: topic/seth/notice-email-delay - Notice email delay to add async data to emails
----------------------------+--------------------
  Reporter:  seth           |      Owner:  robin
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:
Resolution:  fixed          |   Keywords:
----------------------------+--------------------

Changes (by robin):

 * status:  assigned => closed
 * resolution:  => fixed

Comment:

 In [26ff8e1dab6a92fc5b836b18a7c8e8dc32c71829/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="26ff8e1dab6a92fc5b836b18a7c8e8dc32c71829"
 Merge remote branch 'origin/topic/seth/notice-email-delay'

 * origin/topic/seth/notice-email-delay:
   The hostname notice email extension works now.
   Fixed more bugs with delayed emails.
   Working around a problem with setting default container types.
   Ugh, still major failure. I'm just cutting the timeout handling for now.
   Fixed a small bug major problem with email delay timeout catching.
   Initial fixes for the problem of async actions with notice email extensions.

 Closes #727.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:37 -0000
Subject: [Bro-Dev] #692: ssl_extension event doesn't indicate originator
In-Reply-To: <046.b4c10cc63df92a28ac1c80a434befd3a@tracker.bro-ids.org>
References: <046.b4c10cc63df92a28ac1c80a434befd3a@tracker.bro-ids.org>
Message-ID: <061.e343189c92da7cfce38710783534566f@tracker.bro-ids.org>

#692: ssl_extension event doesn't indicate originator
----------------------------+--------------------
  Reporter:  seth           |      Owner:  robin
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:
Resolution:  fixed          |   Keywords:
----------------------------+--------------------

Changes (by robin):

 * status:  assigned => closed
 * resolution:  => fixed

Comment:

 In [f3c2811e14b6102cb4aa888e1a9a636be6190bf4/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="f3c2811e14b6102cb4aa888e1a9a636be6190bf4"
 Merge remote branch 'origin/topic/seth/ssl-updates-for-2.0'

 * origin/topic/seth/ssl-updates-for-2.0:
   Added is_orig fields to the SSL events and adapted script.

 Closes #692.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:37 -0000
Subject: [Bro-Dev] #712: LogMgr should escape the set separator
In-Reply-To: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
References: <048.c321eaf4df8e5fdff59a66df53929163@tracker.bro-ids.org>
Message-ID: <063.10c2e391e985850ecb54ae5c05ddd42b@tracker.bro-ids.org>

#712: LogMgr should escape the set separator
----------------------------+------------------------
  Reporter:  amannb         |      Owner:  jsiwek
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.0
 Component:  Bro            |    Version:  git/master
Resolution:  fixed          |   Keywords:
----------------------------+------------------------

Changes (by robin):

 * status:  assigned => closed
 * resolution:  => fixed

Comment:

 In [3220bbce555f05baef12ebff35d42a45eeac6ccc/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="3220bbce555f05baef12ebff35d42a45eeac6ccc"
 Merge remote branch 'origin/topic/jsiwek/log-escaping'

 * origin/topic/jsiwek/log-escaping:
   Add missing ascii writer options to log header.
   Escape the ASCII log's set separator (addresses #712)
   Rewrite ODesc character escaping functionality. (addresses #681)

 Closes #712.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:22:37 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:22:37 -0000
Subject: [Bro-Dev] #681: Control characters is ASCII output
In-Reply-To: <047.094925a06443edab94de1f00a1c21805@tracker.bro-ids.org>
References: <047.094925a06443edab94de1f00a1c21805@tracker.bro-ids.org>
Message-ID: <062.f1ad8e0caeb1eea341617eeb3fba3cf4@tracker.bro-ids.org>

#681: Control characters is ASCII output
----------------------+----------------------
  Reporter:  robin    |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+----------------------

Comment (by robin):

 In [3220bbce555f05baef12ebff35d42a45eeac6ccc/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="3220bbce555f05baef12ebff35d42a45eeac6ccc"
 Merge remote branch 'origin/topic/jsiwek/log-escaping'

 * origin/topic/jsiwek/log-escaping:
   Add missing ascii writer options to log header.
   Escape the ASCII log's set separator (addresses #712)
   Rewrite ODesc character escaping functionality. (addresses #681)

 Closes #712.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:23:25 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:23:25 -0000
Subject: [Bro-Dev] #608: broctl print times out if the table is too big
In-Reply-To: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
References: <049.8e88348ff12d18f23c9143d4a84c4f7d@tracker.bro-ids.org>
Message-ID: <064.c2a4eb137a28c7cc204f713ac3f34cd3@tracker.bro-ids.org>

#608: broctl print times out if the table is too big
----------------------+------------------------
  Reporter:  aashish  |      Owner:  robin
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:  fixed    |   Keywords:
----------------------+------------------------

Changes (by robin):

 * owner:  => robin
 * status:  new => closed
 * resolution:  => fixed

Comment:

 In [6d70f47fa12e6dabecc120cfab6e02d2ef4d7987/broctl]:
 {{{
 #!CommitTicketReference repository="broctl" revision="6d70f47fa12e6dabecc120cfab6e02d2ef4d7987"
 Merge remote branch 'origin/fastpath'

 * origin/fastpath:
   Add StopTimeout option to broctl.cfg (addresses #608).
   Make Broccoli communication event timeout interval configurable (addresses #608)

 Closes #608.
 }}}

-- 
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:39:23 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:39:23 -0000
Subject: [Bro-Dev] #717: Make LogWriter output the type of data stored inside a set or vector
In-Reply-To: <048.e2fece588a58a2f77afa832b7d55c999@tracker.bro-ids.org>
References: <048.e2fece588a58a2f77afa832b7d55c999@tracker.bro-ids.org>
Message-ID: <063.539d06ca36a8ee79f467527a60609f8e@tracker.bro-ids.org>

#717: Make LogWriter output the type of data stored inside a set or vector
-----------------------------+--------------------
  Reporter:  amannb          |      Owner:
      Type:  Merge Request   |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.0
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by robin):

 * status:  new => closed
 * resolution:  => Solved/Applied

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:40:26 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:40:26 -0000
Subject: [Bro-Dev] #477: Signing releases
In-Reply-To: <047.31cdcff14734fc4bfcbdff3de17930a5@tracker.bro-ids.org>
References: <047.31cdcff14734fc4bfcbdff3de17930a5@tracker.bro-ids.org>
Message-ID: <062.cf7d4c9672d3427a79f262145b96a849@tracker.bro-ids.org>

#477: Signing releases
---------------------+--------------------
  Reporter:  robin   |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:  Bro2.0
 Component:  Bro     |    Version:
Resolution:          |   Keywords:
---------------------+--------------------

Comment (by robin):

 Closing this ticket. We have PGP keys in place now, and the rest will
 happen when creating the distributions.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:41:20 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:41:20 -0000
Subject: [Bro-Dev] #306: Write a new user manual
In-Reply-To: <046.b5f6eda94a2759af201753eaf30711c5@tracker.bro-ids.org>
References: <046.b5f6eda94a2759af201753eaf30711c5@tracker.bro-ids.org>
Message-ID: <061.500f0e9229103cc385e8cde2bafd8bf7@tracker.bro-ids.org>

#306: Write a new user manual
---------------------+--------------------
  Reporter:  seth    |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:  Bro2.1
 Component:  Bro     |    Version:
Resolution:          |   Keywords:
---------------------+--------------------
Changes (by robin):

 * milestone:  Bro2.0 => Bro2.1

Comment:

 Changing milestone back to 2.1. As discussed, we'll have the script
 reference in place for 2.0, but everything else needs to wait.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:42:10 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:42:10 -0000
Subject: [Bro-Dev] #681: Control characters in ASCII output
In-Reply-To: <047.094925a06443edab94de1f00a1c21805@tracker.bro-ids.org>
References: <047.094925a06443edab94de1f00a1c21805@tracker.bro-ids.org>
Message-ID: <062.2f9da4d1a7ceb70157d9a568d9ae3eaf@tracker.bro-ids.org>

#681: Control characters in ASCII output
-----------------------------+--------------------
  Reporter:  robin           |      Owner:  jsiwek
      Type:  Problem         |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.0
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by robin):

 * status:  assigned => closed
 * resolution:  => Solved/Applied

Comment:

 Looks like this should be fixed now along with #712.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:42:42 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:42:42 -0000
Subject: [Bro-Dev] #685: Change default constant for empty or unset field of LogWriterAscii
In-Reply-To: <048.4a3ac67b40f5405235e87970b76f67ce@tracker.bro-ids.org>
References: <048.4a3ac67b40f5405235e87970b76f67ce@tracker.bro-ids.org>
Message-ID: <063.ef520ff43959ca57142bb87cec330239@tracker.bro-ids.org>

#685: Change default constant for empty or unset field of LogWriterAscii
-----------------------------+--------------------
  Reporter:  amannb          |      Owner:
      Type:  Problem         |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.0
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by robin):

 * status:  new => closed
 * resolution:  => Solved/Applied

Comment:

 Empty fields are now marked by `empty`.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:43:47 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:43:47 -0000
Subject: [Bro-Dev] #723: notice/extend-email/hostnames.bro doesn't work
In-Reply-To: <048.5068d58598cd1a42a848797bdf79a983@tracker.bro-ids.org>
References: <048.5068d58598cd1a42a848797bdf79a983@tracker.bro-ids.org>
Message-ID: <063.4bd8efa598746aaa9518ea3c5fa58674@tracker.bro-ids.org>

#723: notice/extend-email/hostnames.bro doesn't work
----------------------+------------------------
  Reporter:  jsiwek   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by robin):

 This was merged via #727.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 11:44:41 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:44:41 -0000
Subject: [Bro-Dev] #477: Signing releases
In-Reply-To: <047.31cdcff14734fc4bfcbdff3de17930a5@tracker.bro-ids.org>
References: <047.31cdcff14734fc4bfcbdff3de17930a5@tracker.bro-ids.org>
Message-ID: <062.233285a8404bd0f4d7428ee97006ac6c@tracker.bro-ids.org>

#477: Signing releases
-----------------------------+--------------------
  Reporter:  robin           |      Owner:
      Type:  Task            |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.0
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by robin):

 * status:  new => closed
 * resolution:  => Solved/Applied

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From robin at icir.org Mon Dec 19 11:49:52 2011
From: robin at icir.org (Robin Sommer)
Date: Mon, 19 Dec 2011 11:49:52 -0800
Subject: [Bro-Dev] RecordType::Init dead code
In-Reply-To: <20111219185143.2200E2C40AB@rock.ICSI.Berkeley.EDU>
References: <917B9BDB-E438-423C-A1E0-B5AC1756660A@illinois.edu> <20111219185143.2200E2C40AB@rock.ICSI.Berkeley.EDU>
Message-ID: <20111219194952.GB59378@icir.org>

On Mon, Dec 19, 2011 at 10:51 -0800, you wrote:

> IIRC, this was an experiment regarding of providing a form of inheritance.
> I don't remember how far it went; perhaps Robin does.

No, I don't think I was involved with that. But I think we had actually
already decided a while ago that this can be removed, we just never
followed up with doing it. So, Jon, yes, please move ahead.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From bro at tracker.bro-ids.org Mon Dec 19 11:53:20 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 19:53:20 -0000
Subject: [Bro-Dev] #298: Automatic build tests on NMI testbed.
In-Reply-To: <046.52cb04f5dd135b7d304d18bd01deebaf@tracker.bro-ids.org>
References: <046.52cb04f5dd135b7d304d18bd01deebaf@tracker.bro-ids.org>
Message-ID: <061.9a6329341b8e7a5d90292b3fb04c5ff6@tracker.bro-ids.org>

#298: Automatic build tests on NMI testbed.
-----------------------+--------------------
  Reporter:  seth      |      Owner:
      Type:  Task      |     Status:  closed
  Priority:  Normal    |  Milestone:  Bro2.0
 Component:  Bro       |    Version:
Resolution:  Rejected  |   Keywords:  nmi
-----------------------+--------------------
Changes (by robin):

 * status:  new => closed
 * resolution:  => Rejected

Comment:

 Ok, this is painful enough that I think we should just close the ticket
 and ignore it for 2.0. Hopefully things will get better in the future.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon Dec 19 12:40:49 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 20:40:49 -0000
Subject: [Bro-Dev] #298: Automatic build tests on NMI testbed.
In-Reply-To: <046.52cb04f5dd135b7d304d18bd01deebaf@tracker.bro-ids.org>
References: <046.52cb04f5dd135b7d304d18bd01deebaf@tracker.bro-ids.org>
Message-ID: <061.24dc2e205dc405bb5e86b8aebcec6bbd@tracker.bro-ids.org>

#298: Automatic build tests on NMI testbed.
---------------------+----------------------
  Reporter:  seth    |      Owner:
      Type:  Task    |     Status:  reopened
  Priority:  Normal  |  Milestone:  Bro2.0
 Component:  Bro     |    Version:
Resolution:          |   Keywords:  nmi
---------------------+----------------------
Changes (by jsiwek):

 * status:  closed => reopened
 * resolution:  Rejected =>

Comment:

 Since I was looking into the current status of testing failures on NMI,

 > The internal tests fail on *some* platforms, but not consistently. For
 > example, there are sometimes a bunch of errors on Ubuntu 32 bit, but
 > the same version on a VM here works fine. These pseudo-random failures
 > seem to be due to timeouts and overload on the NMI B&T VMs.

 All of these failures appeared to be communication-related tests that
 possibly timed out due to either 1) too short a timeout interval or
 2) high load on certain NMI platforms (Ubuntu 10.04 32-bit). I've
 increased timeout intervals to address (1) and emailed NMI support
 about (2). But I didn't see anything concerning here that would hold
 back release in the case we can't get it resolved.

 > As far as the external tests go, I am not sure. I'll let Daniel
 > comment on those, but he is out for the holidays. Anyway, I don't
 > think there is anything here holding back the 2.0 release.

 Both external tests were failing on all platforms. The NMI scripts
 weren't doing a `cat` on the diag.log, so I don't have a good idea of
 the reason yet, but I'd like to at least see that output before we say
 it shouldn't hold back the 2.0 release.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From robin at icir.org Mon Dec 19 13:21:13 2011
From: robin at icir.org (Robin Sommer)
Date: Mon, 19 Dec 2011 13:21:13 -0800
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/jsiwek/remove-refined-type: Remove dead code related to record type inheritance. (436be4e)
In-Reply-To: <201112192119.pBJLJMHN004717@bro-ids.icir.org>
References: <201112192119.pBJLJMHN004717@bro-ids.icir.org>
Message-ID: <20111219212113.GB60329@icir.org>

On Mon, Dec 19, 2011 at 13:19 -0800, Jonathan Siwek wrote:

> -	static const uint32 DATA_FORMAT_VERSION = 20;
> +	static const uint32 DATA_FORMAT_VERSION = 21;

This looks like it may need a Broccoli change as well.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From bro at tracker.bro-ids.org Mon Dec 19 13:21:26 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 21:21:26 -0000
Subject: [Bro-Dev] #728: topic/jsiwek/remove-refined-type
Message-ID: <048.d037661707ff70ae4730c22fbb12b984@tracker.bro-ids.org>

#728: topic/jsiwek/remove-refined-type
---------------------------+------------------------
 Reporter:  jsiwek         |      Owner:
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.0
Component:  Bro            |    Version:  git/master
 Keywords:                 |
---------------------------+------------------------
 This branch is in the `bro` and `broccoli` repos and removes dead code
 related to record type inheritance.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From robin at icir.org Mon Dec 19 13:21:51 2011
From: robin at icir.org (Robin Sommer)
Date: Mon, 19 Dec 2011 13:21:51 -0800
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/jsiwek/remove-refined-type: Remove dead code related to record type inheritance. (436be4e)
In-Reply-To: <20111219212113.GB60329@icir.org>
References: <201112192119.pBJLJMHN004717@bro-ids.icir.org> <20111219212113.GB60329@icir.org>
Message-ID: <20111219212151.GC60329@icir.org>

On Mon, Dec 19, 2011 at 13:21 -0800, I wrote:

> This looks like it may need a Broccoli change as well.

Never mind, saw your follow-up change now.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From bro at tracker.bro-ids.org Mon Dec 19 13:36:07 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 19 Dec 2011 21:36:07 -0000
Subject: [Bro-Dev] #723: notice/extend-email/hostnames.bro doesn't work
In-Reply-To: <048.5068d58598cd1a42a848797bdf79a983@tracker.bro-ids.org>
References: <048.5068d58598cd1a42a848797bdf79a983@tracker.bro-ids.org>
Message-ID: <063.0d66a56d2d03a656c25bd34bedd9d27a@tracker.bro-ids.org>

#723: notice/extend-email/hostnames.bro doesn't work
-----------------------------+------------------------
  Reporter:  jsiwek          |      Owner:
      Type:  Problem         |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.0
 Component:  Bro             |    Version:  git/master
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+------------------------
Changes (by jsiwek):

 * status:  new => closed
 * resolution:  => Solved/Applied

Comment:

 This works for me now.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Tue Dec 20 00:00:02 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 20 Dec 2011 00:00:02 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112200800.pBK8020L023292@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

  Component | Id      | Reporter | Owner | Prio   | Summary
  ----------+---------+----------+-------+--------+--------------------------------------
  Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
  Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
  Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

  Component | Revision | Committer | Date       | Summary
  ----------+----------+-----------+------------+---------------------------------------------------------------
  bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [6]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro

From bro at tracker.bro-ids.org Tue Dec 20 08:17:57 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 20 Dec 2011 16:17:57 -0000
Subject: [Bro-Dev] #659: NMI builds check for compiler warnings
In-Reply-To: <048.98a7f5e7f513339f0f639eb6aee714a6@tracker.bro-ids.org>
References: <048.98a7f5e7f513339f0f639eb6aee714a6@tracker.bro-ids.org>
Message-ID: <063.80bc0f58f7910ed922b9f951cbf0ff67@tracker.bro-ids.org>

#659: NMI builds check for compiler warnings
------------------------------+------------------------
  Reporter:  jsiwek           |      Owner:  dnthayer
      Type:  Feature Request  |     Status:  new
  Priority:  Low              |  Milestone:  Bro2.1
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:  nmi
------------------------------+------------------------
Changes (by jsiwek):

 * milestone:  Bro2.0 => Bro2.1

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 20 08:26:47 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 20 Dec 2011 16:26:47 -0000
Subject: [Bro-Dev] #298: Automatic build tests on NMI testbed.
In-Reply-To: <046.52cb04f5dd135b7d304d18bd01deebaf@tracker.bro-ids.org>
References: <046.52cb04f5dd135b7d304d18bd01deebaf@tracker.bro-ids.org>
Message-ID: <061.950a261f4b12539ad6b5b71b28307e54@tracker.bro-ids.org>

#298: Automatic build tests on NMI testbed.
---------------------+----------------------
  Reporter:  seth    |      Owner:
      Type:  Task    |     Status:  reopened
  Priority:  Normal  |  Milestone:  Bro2.0
 Component:  Bro     |    Version:
Resolution:          |   Keywords:  nmi
---------------------+----------------------

Comment (by jsiwek):

 > Both external tests were failing on all platforms. The NMI scripts
 > weren't doing a `cat` on the diag.log, so I don't have a good idea of
 > the reason yet, but I'd like to at least see that output before we say
 > it shouldn't hold back the 2.0 release.

 These were only failing because of these reasons:

 1) An empty debug.log is generated since Bro was configured with
    --enable-debug and the `diff-all` script doesn't find a baseline for
    that.

 2) The reporter.log contains an error about GeoIP support not being
    configured which we should ignore

 3) Varying versions of OpenSSL render X.509 Distinguished Name components
    differently (e.g. "street" vs. "streetAddress"), we should canonicalize
    log fields that contain DNs like we currently canonicalize log fields
    containing mime types.

 So fixing this doesn't have to hold back the release, but it's very close
 to working IMO.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From hlin33 at illinois.edu Tue Dec 20 09:01:42 2011
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Tue, 20 Dec 2011 11:01:42 -0600
Subject: [Bro-Dev] I am bit-wise logical operations in Bro script?
Message-ID:

Hi,

I am wondering whether there is bitwise-And, bitwise-Or or even
bitwise-exclusiveOr operation in bro's script. I use "&" for bitwise-And,
but it generates syntax errors.

Hui

--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu

From bro at tracker.bro-ids.org Tue Dec 20 09:50:43 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 20 Dec 2011 17:50:43 -0000
Subject: [Bro-Dev] #298: Automatic build tests on NMI testbed.
In-Reply-To: <046.52cb04f5dd135b7d304d18bd01deebaf@tracker.bro-ids.org>
References: <046.52cb04f5dd135b7d304d18bd01deebaf@tracker.bro-ids.org>
Message-ID: <061.f608d0ec11eda06324512f046187fefe@tracker.bro-ids.org>

#298: Automatic build tests on NMI testbed.
---------------------+----------------------
  Reporter:  seth    |      Owner:
      Type:  Task    |     Status:  reopened
  Priority:  Normal  |  Milestone:  Bro2.0
 Component:  Bro     |    Version:
Resolution:          |   Keywords:  nmi
---------------------+----------------------

Comment (by jsiwek):

 In [ff1768f857abcd01599854b65677a87e293b1cf6/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="ff1768f857abcd01599854b65677a87e293b1cf6"
 Minor fixes to external test process. (addresses #298)

 - Skip diffing of debug.log always.
 - Skip diffing of reporter.log if it only contains an error about
   missing GeoIP support.
 - Canonicalize X.509 Distinguished Name subjects since that can vary
   depending on installed OpenSSL version.
 }}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 20 10:55:00 2011
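The third failure cause in #298 (OpenSSL versions printing the same DN attribute as "street" or "streetAddress") is the kind of thing a log baseline has to normalize before diffing. The helper below is an added example, not the Bro test harness's own canonicalization code: it maps OpenSSL long attribute names to their short names so two renderings of one subject compare equal. The alias table and the sample subjects are constructed for this example.

```python
"""Canonicalize X.509 Distinguished Name strings for baseline comparison.

Added example, not code from the Bro project. Different OpenSSL versions
render some attribute types under different names (the ticket's example is
"street" vs. "streetAddress"), which makes otherwise identical certificate
subjects diff as changed. Rewriting every attribute type to one spelling
before comparison removes that source of noise.
"""
import re

# OpenSSL long object name (lower-cased) -> canonical short name.
# These are real OpenSSL names; the selection is this example's own.
CANONICAL = {
    "commonname": "CN",
    "countryname": "C",
    "localityname": "L",
    "stateorprovincename": "ST",
    "organizationname": "O",
    "organizationalunitname": "OU",
    "streetaddress": "street",
    "emailaddress": "emailAddress",
    "serialnumber": "serialNumber",
    "domaincomponent": "DC",
}
# Accept the short names themselves (case-insensitively) as input too.
for _short in list(CANONICAL.values()):
    CANONICAL.setdefault(_short.lower(), _short)

# Split RDNs on "," (RFC 2253 style) or "/" (OpenSSL's one-line style)
# unless the separator is backslash-escaped inside a value.
_RDN_SPLIT = re.compile(r"(?<!\\)[,/]")


def canonicalize_dn(dn: str) -> str:
    """Return `dn` with every attribute type rewritten to its canonical
    name and RDNs joined by ",". Unknown attribute types pass through.
    RDN order is kept as given; reordering (RFC 2253 reverses OpenSSL's
    order) is deliberately out of scope here."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if not rdn:            # leading "/" or trailing separator
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        attr = attr.strip()
        parts.append(f"{CANONICAL.get(attr.lower(), attr)}={value.strip()}")
    return ",".join(parts)


def same_subject(a: str, b: str) -> bool:
    """True when two renderings describe the same subject after canonicalization."""
    return canonicalize_dn(a) == canonicalize_dn(b)


if __name__ == "__main__":
    # Constructed sample: the same subject as two OpenSSL versions might print it.
    old_style = "/C=US/O=Example Org/street=1 Main St/CN=bro.example"
    new_style = "countryName=US, organizationName=Example Org, streetAddress=1 Main St, commonName=bro.example"
    print(canonicalize_dn(old_style))
    print(same_subject(old_style, new_style))
```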
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 20 Dec 2011 18:55:00 -0000
Subject: [Bro-Dev] #716: BroControl: Improve installation when changing Spool directory location
In-Reply-To: <047.390058a9cc5ea96a4e4a67c8b256a555@tracker.bro-ids.org>
References: <047.390058a9cc5ea96a4e4a67c8b256a555@tracker.bro-ids.org>
Message-ID: <062.8e999f21dead255e18f302fafb2bcb84@tracker.bro-ids.org>

#716: BroControl: Improve installation when changing Spool directory location
-------------------------+----------------------
  Reporter:  eddyg       |      Owner:
      Type:  Patch       |     Status:  new
  Priority:  Low         |  Milestone:  Bro2.0
 Component:  BroControl  |    Version:  2.0 Beta
Resolution:              |   Keywords:
-------------------------+----------------------

Comment (by jsiwek):

 In [132248192898e24e27efb91aa73b3c9e2c4f4183/broctl]:
 {{{
 #!CommitTicketReference repository="broctl" revision="132248192898e24e27efb91aa73b3c9e2c4f4183"
 Patch by Edward Groenendaal dealing with missing/new spool directories.

 - Changed locking code to create the spool dir if required to help with
   initial install and new spool directories.
 - Changed cron HTTP stats code to create the statsdir if required
 - Changed the Df code to skip missing directories at install, they will
   be created later, but warn about invalid df output in that case.

 Addresses #716.
 }}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 20 11:41:07 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 20 Dec 2011 19:41:07 -0000
Subject: [Bro-Dev] #729: Linux bro build failure after distclean
Message-ID: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>

#729: Linux bro build failure after distclean
------------------------+---------------------
 Reporter:  amannb      |       Type:  Problem
   Status:  new         |   Priority:  Normal
Milestone:              |  Component:  Bro
  Version:  git/master  |   Keywords:
------------------------+---------------------
 When building bro on a linux box after either make distclean or a
 completely fresh checkout, the first "make install" will fail with an
 error.

 The error only occurs on the first "make install" directly after a make
 distclean / clean checkout for me. When doing "make" and "make install"
 separately or doing "make install" for the second time everything works
 as intended.

 Furthermore, this error occurs only on Linux for me, on MacOs it works as
 intended.

 Steps I took:

 {{{
 make distclean && ./configure --prefix=/n/shokuji/db/bernhard/broinstall && make install
 }}}

 Resulting error:

 {{{
 -- Installing: /n/shokuji/db/bernhard/broinstall/bin/capstats
 -- Set runtime path of "/n/shokuji/db/bernhard/broinstall/bin/capstats" to "/n/shokuji/db/bernhard/broinstall/lib"
 -- Up-to-date: /n/shokuji/db/bernhard/broinstall/bin/trace-summary
 -- Up-to-date: /n/shokuji/db/bernhard/broinstall/bin/bro-cut
 -- Skipping: /n/shokuji/db/bernhard/broinstall/etc/broccoli.conf (already exists)
 -- Installing: /n/shokuji/db/bernhard/broinstall/bin/broccoli-config
 -- Installing: /n/shokuji/db/bernhard/broinstall/lib/libbroccoli.so.3.0.0
 -- Up-to-date: /n/shokuji/db/bernhard/broinstall/lib/libbroccoli.so.3
 CMake Error at aux/broccoli/src/cmake_install.cmake:41 (FILE):
   file INSTALL cannot find file
   "/n/shokuji/db/bernhard/bro/build/aux/broccoli/src/libbroccoli.so" to
   install.
 Call Stack (most recent call first):
   aux/broccoli/cmake_install.cmake:61 (INCLUDE)
   cmake_install.cmake:56 (INCLUDE)
 }}}

 When trying it a second time after this error (without make distclean),
 it works as intended.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 20 12:03:11 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 20 Dec 2011 20:03:11 -0000
Subject: [Bro-Dev] #729: Linux bro build failure after distclean
In-Reply-To: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>
References: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>
Message-ID: <063.810ccd266b7c601a9aa3bade2e28f01f@tracker.bro-ids.org>

#729: Linux bro build failure after distclean
----------------------+------------------------
  Reporter:  amannb   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by jsiwek):

 What CMake version did you use? With 2.6-patch 4, I see the same error
 as you. With 2.8.4, it works. Can we declare this a CMake bug that's now
 fixed?

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Dec 20 12:12:21 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 20 Dec 2011 20:12:21 -0000
Subject: [Bro-Dev] #729: Linux bro build failure after distclean
In-Reply-To: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>
References: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>
Message-ID: <063.69935e053c4b9060559cffa1de3918ef@tracker.bro-ids.org>

#729: Linux bro build failure after distclean
----------------------+------------------------
  Reporter:  amannb   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by amannb):

 Yes, it is 2.6-patch 4. So - cmake bug. Sorry for the hassle...

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From vern at icir.org Tue Dec 20 20:17:49 2011
From: vern at icir.org (Vern Paxson)
Date: Tue, 20 Dec 2011 20:17:49 -0800
Subject: [Bro-Dev] I am bit-wise logical operations in Bro script?
In-Reply-To: (Tue, 20 Dec 2011 11:01:42 CST).
Message-ID: <20111221041750.0C0272C4007@rock.ICSI.Berkeley.EDU>

> I am wondering whether there is bitwise-And, bitwise-Or or even
> bitwise-exclusiveOr operation in bro's script. I use "&" for bitwise-And,
> but it generates syntax errors.

Not available. Can you explain why you need it?

Vern

From noreply at bro-ids.org Wed Dec 21 00:00:04 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 21 Dec 2011 00:00:04 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112210800.pBL804fH005471@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

  Component | Id      | Reporter | Owner | Prio   | Summary
  ----------+---------+----------+-------+--------+--------------------------------------
  Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
  Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
  Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

  Component | Revision | Committer | Date       | Summary
  ----------+----------+-----------+------------+---------------------------------------------------------------------
  bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
  bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
  broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl

From bro at tracker.bro-ids.org Wed Dec 21 07:25:03 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 21 Dec 2011 15:25:03 -0000
Subject: [Bro-Dev] #729: Linux bro build failure after distclean
In-Reply-To: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>
References: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>
Message-ID: <063.7bc8c795412e4605e3a1dd1639dbd810@tracker.bro-ids.org>

#729: Linux bro build failure after distclean
----------------------+------------------------
  Reporter:  amannb   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by robin):

 On Tue, Dec 20, 2011 at 20:03 -0000, you wrote:

 > With 2.6-patch 4, I see the same error as you. With 2.8.4, it works.

 Don't we already require 2.8 for building Bro? If not, we probably
 should to make it clear what's going on.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Wed Dec 21 07:35:20 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 21 Dec 2011 15:35:20 -0000
Subject: [Bro-Dev] #729: Linux bro build failure after distclean
In-Reply-To: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>
References: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>
Message-ID: <063.fd669529d582ea4fef82e03317036dc5@tracker.bro-ids.org>

#729: Linux bro build failure after distclean
----------------------+------------------------
  Reporter:  amannb   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by amannb):

 No, there is no warning (or anything that I noticed) displayed, when
 building with 2.6.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Wed Dec 21 07:59:54 2011
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 21 Dec 2011 15:59:54 -0000
Subject: [Bro-Dev] #729: Linux bro build failure after distclean
In-Reply-To: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>
References: <048.362f11858a0e385e76c0767099d4a9b9@tracker.bro-ids.org>
Message-ID: <063.96de1ca856d1a1d900a907cc5b06beff@tracker.bro-ids.org>

#729: Linux bro build failure after distclean
----------------------+------------------------
  Reporter:  amannb   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.0
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by jsiwek):

 * owner:  => jsiwek
 * status:  new => assigned
 * milestone:  => Bro2.0

Comment:

 Replying to [comment:2 robin]:
 > Don't we already require 2.8 for building Bro? If not, we probably
 > should to make it clear what's going on.

 CMake 2.6 works fine as long as you do the "make" and "make install"
 separately (and that's what the INSTALL directions say to do), so I'd
 rather keep support for it. Actually, let me just try making the
 top-level Makefile's "install" target depend on "all" as a workaround.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From hlin33 at illinois.edu Wed Dec 21 08:14:58 2011
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Wed, 21 Dec 2011 10:14:58 -0600
Subject: [Bro-Dev] I am bit-wise logical operations in Bro script?
In-Reply-To: <7d20c59230ca4c4ba9c2c792409dd4ae@CITESHT4.ad.uillinois.edu>
References: <7d20c59230ca4c4ba9c2c792409dd4ae@CITESHT4.ad.uillinois.edu>
Message-ID:

In the DNP3 protocol analyzer that I am writing, I need to check some
certain byte value (or even single bit) within the parsed field. It will
be easy to do that if we have a bitwise logical operator. However, I have
already used "/" and "*" to manually calculate the bytes out from a field.
So far so good.

On Tue, Dec 20, 2011 at 10:17 PM, Vern Paxson wrote:

> > I am wondering whether there is bitwise-And, bitwise-Or or even
> > bitwise-exclusiveOr operation in bro's script. I use "&" for bitwise-And,
> > but it generates syntax errors.
>
> Not available. Can you explain why you need it?
>
> Vern
>

--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu

From noreply at bro-ids.org Thu Dec 22 00:00:05 2011
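The workaround Hui Lin describes (pulling bytes out of a parsed integer field with "/" and "*" because Bro script has no bitwise operators) generalizes to single bits and to an emulated AND/OR/XOR built from integer division and modulo. The block below is an added example written in Python rather than Bro script, and it is not code from the thread or from Bro's DNP3 analyzer; the 16-bit "control field" layout it decodes is constructed for illustration, not the real DNP3 encoding.

```python
"""Byte and bit extraction without bitwise operators.

Added example (not from the Bro project or this thread). Every operation
below uses only integer division, modulo, addition and multiplication, the
arithmetic that Bro script does provide, so the same approach works where
"&", "|" and "^" are unavailable.
"""


def extract_byte(value: int, index: int, width: int) -> int:
    """Return byte `index` (0 = least significant) of a `width`-byte
    unsigned integer, using division by a power of 256 and modulo 256."""
    if not 0 <= index < width:
        raise ValueError("byte index out of range")
    return (value // (256 ** index)) % 256


def bit_at(value: int, position: int) -> int:
    """Return bit `position` (0 = least significant) of `value`."""
    if position < 0:
        raise ValueError("bit position must be non-negative")
    return (value // (2 ** position)) % 2


def bitwise(a: int, b: int, op: str) -> int:
    """Emulate a & b, a | b or a ^ b for non-negative integers by walking
    both operands one bit at a time with division and modulo."""
    if a < 0 or b < 0:
        raise ValueError("only non-negative integers are supported")
    if op not in ("and", "or", "xor"):
        raise ValueError("op must be 'and', 'or' or 'xor'")
    result, weight = 0, 1
    while a > 0 or b > 0:
        x, y = a % 2, b % 2          # current low bits of each operand
        if op == "and":
            bit = x * y              # 1 only when both bits are 1
        elif op == "or":
            bit = 1 if x + y > 0 else 0
        else:                        # xor
            bit = (x + y) % 2
        result += bit * weight
        weight *= 2
        a //= 2
        b //= 2
    return result


# Constructed sample: a 16-bit field whose upper byte is treated as a
# function code and whose lower byte carries flag bits. This layout is
# invented for the example and is not the real DNP3 encoding.
SAMPLE_FIELD = 0xC3A5  # binary 1100 0011 1010 0101


def decode_sample(field: int) -> dict:
    """Decode the constructed layout using only the helpers above."""
    return {
        "function": extract_byte(field, 1, 2),    # upper byte, 0xC3
        "flags": extract_byte(field, 0, 2),       # lower byte, 0xA5
        "flag0": bit_at(field, 0),                # lowest bit, 1
        "flag1": bit_at(field, 1),                # next bit, 0
        "masked": bitwise(field, 0x00FF, "and"),  # same as field & 0xFF
    }


if __name__ == "__main__":
    print(decode_sample(SAMPLE_FIELD))
```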
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 22 Dec 2011 00:00:05 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112220800.pBM805tM021388@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

  Component | Id      | Reporter | Owner | Prio   | Summary
  ----------+---------+----------+-------+--------+--------------------------------------
  Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
  Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
  Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

  Component | Revision | Committer | Date       | Summary
  ----------+----------+-----------+------------+---------------------------------------------------------------------
  bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
  bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
  broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl

From vallentin at icir.org Thu Dec 22 13:33:44 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Thu, 22 Dec 2011 13:33:44 -0800
Subject: [Bro-Dev] Current status of PAPI support
Message-ID:

What is the current status of PAPI support in Bro? I recall that we added support for it at some point, but do not remember any details. Is it possible to profile the interpreter, or do we get just performance counters for core functionality? Also, at what granularity are these counters given to the user? Per event? Per packet? Per connection?

Matthias

From vallentin at icir.org Thu Dec 22 13:37:29 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Thu, 22 Dec 2011 13:37:29 -0800
Subject: [Bro-Dev] Event and packet scheduling in Bro
Message-ID:

What algorithms does Bro use to pick the next packet from the input queue of a packet source? Is it plain FIFO or something more sophisticated? Same thing at the event layer: is there a concrete strategy to select the next event from the queue?

Matthias

From noreply at bro-ids.org Fri Dec 23 00:00:07 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 23 Dec 2011 00:00:07 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112230800.pBN807pd019113@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl

From vern at icir.org Fri Dec 23 07:27:13 2011
From: vern at icir.org (Vern Paxson)
Date: Fri, 23 Dec 2011 07:27:13 -0800
Subject: [Bro-Dev] I am bit-wise logical operations in Bro script?
In-Reply-To: (Thu, 22 Dec 2011 07:44:23 PST).
Message-ID: <20111223152713.3140E2C4003@rock.ICSI.Berkeley.EDU>

> In the DNP3 protocol analyzer that I am writing, I need to check some
> certain byte value (or even single bit) within the parsed field. It will be
> easy to do that if we have bitwise logical operator.

Note, the usual idiom for doing this sort of thing would be to have the analyzer code (i.e., the C++/BinPAC that handles the parsing) break out the fields and make them available directly to the scripting layer, such as via a record. Generally the only reason not to do that is if it would be too messy.

Vern

From robin at icir.org Fri Dec 23 10:18:44 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 23 Dec 2011 10:18:44 -0800
Subject: [Bro-Dev] Current status of PAPI support
In-Reply-To:
References:
Message-ID: <20111223181844.GB50606@icir.org>

On Thu, Dec 22, 2011 at 13:33 -0800, you wrote:

> What is the current status of PAPI support in Bro?

Iirc, PAPI support exists only in the old superlinear branch in SVN (i.e., the multi-threaded Bro prototype). The code there measures performance counters per connection and per event, I believe.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Fri Dec 23 10:19:19 2011
From: robin at icir.org (Robin Sommer)
Date: Fri, 23 Dec 2011 10:19:19 -0800
Subject: [Bro-Dev] Event and packet scheduling in Bro
In-Reply-To:
References:
Message-ID: <20111223181919.GC50606@icir.org>

On Thu, Dec 22, 2011 at 13:37 -0800, you wrote:

> What algorithms does Bro use to pick the next packet from the input
> queue of a packet source? Is it plain FIFO or something more
> sophisticated? Same thing at the event layer: is there a concrete
> strategy to select the next event from the queue?

Just FIFO in both cases.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From noreply at bro-ids.org Sat Dec 24 00:00:07 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 24 Dec 2011 00:00:07 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112240800.pBO807j9008198@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl

From vallentin at icir.org Sat Dec 24 02:25:31 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Sat, 24 Dec 2011 02:25:31 -0800
Subject: [Bro-Dev] Current status of PAPI support
In-Reply-To: <20111223181844.GB50606@icir.org>
References: <20111223181844.GB50606@icir.org>
Message-ID:

> Iirc, PAPI support exists only in the old superlinear branch in SVN
> (i.e., the multi-threaded Bro prototype). The code there measures
> peformance counters per connection and per event I believe.

That's exactly what I need. Do you think that porting it to current master will be doable in a few days?

Matthias

From robin at icir.org Sat Dec 24 09:34:26 2011
From: robin at icir.org (Robin Sommer)
Date: Sat, 24 Dec 2011 09:34:26 -0800
Subject: [Bro-Dev] Current status of PAPI support
In-Reply-To:
References: <20111223181844.GB50606@icir.org>
Message-ID: <20111224173426.GA31498@icir.org>

On Sat, Dec 24, 2011 at 02:25 -0800, you wrote:

> That's exactly what I need. Do you think that porting it to current
> master will be doable in a few days?

Yeah, shouldn't be too hard. The code is easy to find, it's enclosed in "#ifdef USE_PAPI".

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From noreply at bro-ids.org Sun Dec 25 00:00:05 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Sun, 25 Dec 2011 00:00:05 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112250800.pBP805OX013009@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl

From hlin33 at illinois.edu Sun Dec 25 18:05:36 2011
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Sun, 25 Dec 2011 20:05:36 -0600
Subject: [Bro-Dev] assignment clash error when initializing local table
Message-ID:

Hi,

From the old manual, we can initialize a global table when it is declared, like this:

    global a: table[count] of string = {
        [11] = "eleven",
        [5] = "five",
    };

However, if I put the same thing within an event or function, an assignment clash error happens. Is there any way that I can do the same thing for a locally defined table?

Best,
Hui

--
Hui Lin
Research Assistant
DEPEND Research Group, ECE Department
University of Illinois at Urbana-Champaign
hlin33 at illinois.edu

From noreply at bro-ids.org Mon Dec 26 00:00:05 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Mon, 26 Dec 2011 00:00:05 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112260800.pBQ805NP019327@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl

From noreply at bro-ids.org Tue Dec 27 00:00:07 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 27 Dec 2011 00:00:07 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112270800.pBR807EN022417@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl

From noreply at bro-ids.org Wed Dec 28 00:00:05 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 28 Dec 2011 00:00:05 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112280800.pBS805cE020492@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl

From vallentin at icir.org Wed Dec 28 06:59:08 2011
From: vallentin at icir.org (Matthias Vallentin)
Date: Wed, 28 Dec 2011 15:59:08 +0100
Subject: [Bro-Dev] Current status of PAPI support
In-Reply-To: <20111224173426.GA31498@icir.org>
References: <20111223181844.GB50606@icir.org> <20111224173426.GA31498@icir.org>
Message-ID:

> Yeah, shouldn't be too hard. The code is easy to find, it's enclosed in
> "#ifdef USE_PAPI".

Great. Would you mind pointing me to the old branch? I cannot get to it via the old SVN:

    svn ls svn+ssh://svn.icir.org/bro/branches
    svn: E210002: Unable to connect to a repository at URL 'svn+ssh://svn.icir.org/bro'
    svn: E210002: To better debug SSH connection problems, remove the -q option from 'ssh' in the [tunnels] section of your Subversion configuration file.
    svn: E210002: Network connection closed unexpectedly

Another related PAPI question: does anyone know how to measure (i.e., what counters to read/combine) whether the memory bus is congested?

Matthias

From noreply at bro-ids.org Thu Dec 29 00:00:04 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 29 Dec 2011 00:00:04 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112290800.pBT804hi030185@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl

From noreply at bro-ids.org Fri Dec 30 00:00:05 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 30 Dec 2011 00:00:05 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112300800.pBU805da009698@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl

From noreply at bro-ids.org Sat Dec 31 00:00:09 2011
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 31 Dec 2011 00:00:09 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201112310800.pBV809qV017911@bro-ids.icir.org>

> Open Merge Requests for Bro2.0
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 711 [1] | robin    | seth  | Normal | topic/robin/pp-alarms [2]
Bro       | 718 [3] | amannb   |       | Normal | Log protocol type for notices
Bro       | 728 [4] | jsiwek   |       | Normal | topic/jsiwek/remove-refined-type [5]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | ff1768f  | Jon Siwek | 2011-12-20 | Minor fixes to external test process. (addresses #298) [6]
bro       | 578cd06  | Jon Siwek | 2011-12-19 | Increase timeout interval of communication-related btests. [7]
broctl    | 1322481  | Jon Siwek | 2011-12-20 | Patch by Edward Groenendaal dealing with missing/new spool directories. [8]

[1] #711: http://tracker.bro-ids.org/bro/ticket/711
[2] pp-alarms: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/robin/pp-alarms
[3] #718: http://tracker.bro-ids.org/bro/ticket/718
[4] #728: http://tracker.bro-ids.org/bro/ticket/728
[5] remove-refined-type: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/remove-refined-type
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/ff1768f857abcd01599854b65677a87e293b1cf6/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/578cd0617648ebafdfb7402c7cfba388690847d6/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/132248192898e24e27efb91aa73b3c9e2c4f4183/broctl