From bro at tracker.icir.org Tue Feb 1 17:25:27 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Wed, 02 Feb 2011 01:25:27 -0000
Subject: [Bro-Dev] #11: Remove global_attr from the script interpreter code
In-Reply-To: <044.8ca53fddbbe56ab0f6995438eeb91750@tracker.icir.org>
References: <044.8ca53fddbbe56ab0f6995438eeb91750@tracker.icir.org>
Message-ID: <059.7e5e483eb177b26e3adb774e0dae0d7a@tracker.icir.org>

#11: Remove global_attr from the script interpreter code
-----------------------------+---------------------------------
  Reporter:  robin           |      Owner:  robin
      Type:  Task            |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro1.6
 Component:  Bro             |    Version:  branches-robin-work
Resolution:  Merged/Applied  |   Keywords:
-----------------------------+---------------------------------
Changes (by robin):

 * status: accepted => closed
 * resolution: => Merged/Applied

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Wed Feb 2 18:09:58 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Thu, 03 Feb 2011 02:09:58 -0000
Subject: [Bro-Dev] #367: internal_error with &optional fields in records used as indexes
In-Reply-To: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org>
References: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org>
Message-ID: <058.5cadd7bbc2def0497364728f42a0cf79@tracker.icir.org>

#367: internal_error with &optional fields in records used as indexes
----------------------+------------------------
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro1.6
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  logging
----------------------+------------------------

Comment (by robin):

This is addressed in `topic/robin/optional-fields`. Seth, can you see if
that works for you?

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Wed Feb 2 18:11:12 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Thu, 03 Feb 2011 02:11:12 -0000
Subject: [Bro-Dev] #378: Test for problem with optional record fields.
Message-ID: <044.a75b191af7934eaaf199d9189fb97d2e@tracker.icir.org>

#378: Test for problem with optional record fields.
-------------------------------+--------------------
 Reporter:  robin              |      Owner:
     Type:  Test Case Missing  |     Status:  new
 Priority:  Normal             |  Milestone:  Bro1.6
Component:  Bro                |    Version:
 Keywords:                     |
-------------------------------+--------------------

A test script for the problem in #367, to be added to the now test-suite
once we have it.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Wed Feb 2 18:42:17 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Thu, 03 Feb 2011 02:42:17 -0000
Subject: [Bro-Dev] #367: internal_error with &optional fields in records used as indexes
In-Reply-To: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org>
References: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org>
Message-ID: <058.24d7336b9017ca8eba95848f5fcfde74@tracker.icir.org>

#367: internal_error with &optional fields in records used as indexes
----------------------+------------------------
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro1.6
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  logging
----------------------+------------------------

Comment (by seth):

> This is addressed in `topic/robin/optional-fields`. Seth, can you see if
> that works for you?

Just tested it and it works great for me! Thanks!

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Thu Feb 3 13:29:08 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Thu, 03 Feb 2011 21:29:08 -0000
Subject: [Bro-Dev] #379: Delete cluster-adds.hot.bro
Message-ID: <044.d95341f101c38e5c3b8d1ed5197aa9b4@tracker.icir.org>

#379: Delete cluster-adds.hot.bro
--------------------+-------------------
 Reporter:  robin   |      Owner:
     Type:  Patch   |     Status:  new
 Priority:  Normal  |  Milestone:
Component:  Bro     |    Version:  1.5.3
 Keywords:          |
--------------------+-------------------

No longer used, and breaks cluster installations.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Thu Feb 3 13:40:29 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Thu, 03 Feb 2011 21:40:29 -0000
Subject: [Bro-Dev] #72: Use 64Bit integers in Bro by default
In-Reply-To: <045.e3497c69dfe36a4cddde29c01881d602@tracker.icir.org>
References: <045.e3497c69dfe36a4cddde29c01881d602@tracker.icir.org>
Message-ID: <060.26dc7a26e89e663adff8328038f621da@tracker.icir.org>

#72: Use 64Bit integers in Bro by default
---------------------+--------------------------------------------
  Reporter:  gregor  |      Owner:
      Type:  Task    |     Status:  seen
  Priority:  Normal  |  Milestone:  Bro1.6
 Component:  Bro     |    Version:  1.5.2
Resolution:          |   Keywords:  integer size, 64 bit, inttypes
---------------------+--------------------------------------------

Comment (by robin):

Note #263, we need to adapt Broccoli.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Thu Feb 3 13:46:05 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Thu, 03 Feb 2011 21:46:05 -0000
Subject: [Bro-Dev] #374: Add type testing operator
In-Reply-To: <043.8b359cb3ae787df001044e74fe896074@tracker.icir.org>
References: <043.8b359cb3ae787df001044e74fe896074@tracker.icir.org>
Message-ID: <058.02ee5d306bd1ff50df62f565dd96e63a@tracker.icir.org>

#374: Add type testing operator
------------------------------+---------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  logging
------------------------------+---------------------

Comment (by robin):

How about instead using `rec$cid`.

With the '?', it would look quite similar to the '?$' operator for
optional fields, which however returns a boolean.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Thu Feb 3 14:05:02 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Thu, 03 Feb 2011 22:05:02 -0000
Subject: [Bro-Dev] #374: Add type testing operator
In-Reply-To: <043.8b359cb3ae787df001044e74fe896074@tracker.icir.org>
References: <043.8b359cb3ae787df001044e74fe896074@tracker.icir.org>
Message-ID: <058.4bf3cd0401b61a057def35578d087749@tracker.icir.org>

#374: Add type testing operator
------------------------------+---------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  logging
------------------------------+---------------------

Comment (by seth):

> How about instead using `rec$cid`.
>
> With the '?', it would look quite similar to the '?$' operator for
> optional fields, which however returns a boolean.

Oh, good point. I wanted that similarity to the '?$' operator, but I
didn't consider the difference in what's returned. The question we
haven't asked yet I don't think is what happens in the case that cid is
not of type conn_id? Is that something that would be tested for
statically to make sure that the type is tested as that type (with an if
statement) before it's accessed at runtime?

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Thu Feb 3 14:20:39 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Thu, 03 Feb 2011 22:20:39 -0000
Subject: [Bro-Dev] #374: Add type testing operator
In-Reply-To: <043.8b359cb3ae787df001044e74fe896074@tracker.icir.org>
References: <043.8b359cb3ae787df001044e74fe896074@tracker.icir.org>
Message-ID: <058.77090e3bc459200989e04836e28e4918@tracker.icir.org>

#374: Add type testing operator
------------------------------+---------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  logging
------------------------------+---------------------

Comment (by robin):

On Thu, Feb 03, 2011 at 22:05 -0000, you wrote:

> didn't consider the difference in what's returned. The question we
> haven't asked yet I don't think is what happens in the case that cid is
> not of type conn_id?

A run_time error I would say, with aborting the function.

About the only use case I envision for this is when one knows for sure
what field (w/ type) the record should have, and using the operator then
just acts as dynamic check to make sure that's indeed the case; if it's
not, that's a bug in the script because the function shouldn't have been
called in the first place.

That's also why I don't think I'd add a boolean "query operator" in
addition (like the `rec?$cid`) as that would only encourage using it for
dynamic dispatching based on type, which I don't really like.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Thu Feb 3 14:41:46 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Thu, 03 Feb 2011 22:41:46 -0000
Subject: [Bro-Dev] #372: bifcl cannot pass specific enum types
In-Reply-To: <044.b8c2079313fca2a6187512304835f0f1@tracker.icir.org>
References: <044.b8c2079313fca2a6187512304835f0f1@tracker.icir.org>
Message-ID: <059.4d7a84a11b9a6273eacb9100db33fa52@tracker.icir.org>

#372: bifcl cannot pass specific enum types
----------------------+---------------------
  Reporter:  robin    |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro1.6
 Component:  Bro      |    Version:
Resolution:           |   Keywords:  logging
----------------------+---------------------

Comment (by robin):

Attaching a tiny patch that teaches bifcl to accept scoped names. That
seems to do the trick already.

Gregor, can you post a short example of how you're then accessing the enum
for reference?

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Thu Feb 3 18:18:21 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 02:18:21 -0000
Subject: [Bro-Dev] #375: Extending record type fields
In-Reply-To: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
References: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
Message-ID: <058.6e958ef8526d6e719f50b853ace3075e@tracker.icir.org>

#375: Extending record type fields
------------------------------+---------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  logging
------------------------------+---------------------

Comment (by gregor):

A problem with this extension is that the order of fields in the record
will then depend on the order of the redefs and thus possibly on the
order in which policy scripts are loaded. (Maybe this won't happen for
the logging framework but it can happen in general).

So, if the event engine uses positions/indexes to assign values to record
fields then there might be a problem. The event engine could do lookups
for the field names instead, but this seems to be hardly used

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Thu Feb 3 21:58:34 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 05:58:34 -0000
Subject: [Bro-Dev] #380: Fix links to log files in standalone mode.
Message-ID: <044.11c5b35dc6798467f278f2eb0c70e788@tracker.icir.org>

#380: Fix links to log files in standalone mode.
------------------------+-------------------
 Reporter:  robin       |      Owner:  robin
     Type:  Patch       |     Status:  new
 Priority:  Normal      |  Milestone:
Component:  BroControl  |    Version:  1.5.3
 Keywords:              |
------------------------+-------------------

Backport git revision 459e762d198d8b99a972039ff549c57f470ad80d

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 09:06:45 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 17:06:45 -0000
Subject: [Bro-Dev] #375: Extending record type fields
In-Reply-To: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
References: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
Message-ID: <058.e3c1642ad03541b713a02d161c7b9969@tracker.icir.org>

#375: Extending record type fields
------------------------------+---------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  logging
------------------------------+---------------------

Comment (by robin):

Don't really see this as a problem as the type is still fully (and
statically) defined after parsing all the scripts. Just reordering the
fields shouldn't make a difference (and the original definition must
always come first as otherwise the `+=` wouldn't be allowed).

Is there something I'm missing?

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 10:18:39 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 18:18:39 -0000
Subject: [Bro-Dev] #375: Extending record type fields
In-Reply-To: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
References: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
Message-ID: <058.ec97d811b9d03e22185617305146bc8c@tracker.icir.org>

#375: Extending record type fields
------------------------------+---------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  logging
------------------------------+---------------------

Comment (by gregor):

Reordering the fields makes a difference for the C++ part, when you use
Assign(). The problem is when you have *multiple* extensions with +=.
Then the order of the fields depends on the order in which these
extensions are parsed.

(One question I guess is: is this likely to happen. Since the C++ layer
would have to know that the record is extended. However, this might
happen in bif's)

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 11:20:19 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 19:20:19 -0000
Subject: [Bro-Dev] #375: Extending record type fields
In-Reply-To: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
References: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
Message-ID: <058.72c58436b469bfa1ec62d61c0957e698@tracker.icir.org>

#375: Extending record type fields
------------------------------+---------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  logging
------------------------------+---------------------

Comment (by robin):

On Fri, Feb 04, 2011 at 18:18 -0000, you wrote:

> (One question I guess is: is this likely to happen. Since the C++ layer
> would have to know that the record is extended. However, this might happen
> in bif's)

I can only see bifs accessing the static part, as otherwise they
couldn't know whether the extensions have been loaded or not. And for
the static part, this is not an issue: its definition must always come
first and therefore its indices are well-defined.

Robin

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 12:07:13 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 20:07:13 -0000
Subject: [Bro-Dev] #381: Switch to DPD by default
Message-ID: <044.78d90be2e52022fca356dc69969e0acc@tracker.icir.org>

#381: Switch to DPD by default
--------------------+--------------------
 Reporter:  robin   |      Owner:
     Type:  Task    |     Status:  new
 Priority:  Normal  |  Milestone:  Bro1.6
Component:  Bro     |    Version:
 Keywords:          |
--------------------+--------------------

Seems we reached an agreement on this (well, at least I didn't hear any
objections :)

Things to do:

 - Load DPD signatures by default
 - Set the packet filter to include all packets (also see #264 for its
   packet filter adaptions)
 - Make sure we make people aware of the change and its potential
   performance impact.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 13:45:54 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 21:45:54 -0000
Subject: [Bro-Dev] #382: Design an internal API for logging backends
Message-ID: <044.1bec2fcec10edc2608651458c92f895a@tracker.icir.org>

#382: Design an internal API for logging backends
---------------------+--------------------
 Reporter:  robin    |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro1.6
Component:  Bro      |    Version:
 Keywords:  logging  |
---------------------+--------------------

Even if initially we do only the CSV ASCII logging, we should already put
the internal API in place to later add other backends.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 13:48:32 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 21:48:32 -0000
Subject: [Bro-Dev] #297: Remove trace rewriter
In-Reply-To: <043.f4e0eb0a9924070cf852ace700beb6bf@tracker.icir.org>
References: <043.f4e0eb0a9924070cf852ace700beb6bf@tracker.icir.org>
Message-ID: <058.30aba2cc8ccf2cb93931e022660675c1@tracker.icir.org>

#297: Remove trace rewriter
---------------------+---------------------
  Reporter:  seth    |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:  Bro1.6
 Component:  Bro     |    Version:
Resolution:          |   Keywords:  cleanup
---------------------+---------------------
Changes (by robin):

 * keywords: => cleanup

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 13:49:10 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 21:49:10 -0000
Subject: [Bro-Dev] #324: Remove EXPIRE_DFA_STATES code
In-Reply-To: <044.1d76ad3b3cc62054fae99370dccd0543@tracker.icir.org>
References: <044.1d76ad3b3cc62054fae99370dccd0543@tracker.icir.org>
Message-ID: <059.1a5c2a1dcd691d9c167806535aaa4090@tracker.icir.org>

#324: Remove EXPIRE_DFA_STATES code
---------------------+------------------------
  Reporter:  robin   |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:  Bro1.6
 Component:  Bro     |    Version:  git/master
Resolution:          |   Keywords:  cleanup
---------------------+------------------------
Changes (by robin):

 * keywords: => cleanup

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 13:49:26 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 21:49:26 -0000
Subject: [Bro-Dev] #325: Remove ACTIVE_MAPPING code
In-Reply-To: <044.35fa7a347d936d84e134297408ded21b@tracker.icir.org>
References: <044.35fa7a347d936d84e134297408ded21b@tracker.icir.org>
Message-ID: <059.c88d03030d055b8d961e00f914f0900f@tracker.icir.org>

#325: Remove ACTIVE_MAPPING code
---------------------+------------------------
  Reporter:  robin   |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:  Bro1.6
 Component:  Bro     |    Version:  git/master
Resolution:          |   Keywords:  cleanup
---------------------+------------------------
Changes (by robin):

 * keywords: => cleanup

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 14:24:51 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 22:24:51 -0000
Subject: [Bro-Dev] #375: Extending record type fields
In-Reply-To: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
References: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
Message-ID: <058.2e40c1be70d99b185f86de20b6847d8b@tracker.icir.org>

#375: Extending record type fields
------------------------------+---------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  logging
------------------------------+---------------------

Comment (by gregor):

Well, by convention the bif might only ever be called if the appropriate
extension is loaded (maybe it's only called from the .bro file that adds
the extension). Then if another policy script does the same, there can be
problems.

But I do agree that these are probably rare cases and that bif or C++
developers should lookup the fieldname instead of assuming its position
for any extension fields. However, we probably can't force that and it
may generate bugs in user-written Bif's that might be hard to track down.

I'm not against this extension, I just wanted to raise awareness of
potential problems.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 14:49:22 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 04 Feb 2011 22:49:22 -0000
Subject: [Bro-Dev] #370: Plugin interface for BroControl
In-Reply-To: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org>
References: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org>
Message-ID: <058.2cc69d6d827e8953f85a085d4425df98@tracker.icir.org>

#370: Plugin interface for BroControl
------------------------------+--------------------
  Reporter:  seth             |      Owner:  robin
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  BroControl       |    Version:
Resolution:                   |   Keywords:
------------------------------+--------------------

Comment (by dop):

So primarily the feature I'm looking for here is that the hooks to
execute external scripts can be customized on a per-worker basis.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 16:04:19 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Sat, 05 Feb 2011 00:04:19 -0000
Subject: [Bro-Dev] #372: bifcl cannot pass specific enum types
In-Reply-To: <044.b8c2079313fca2a6187512304835f0f1@tracker.icir.org>
References: <044.b8c2079313fca2a6187512304835f0f1@tracker.icir.org>
Message-ID: <059.5aee1aab3c7cb754b1721f83290ad59c@tracker.icir.org>

#372: bifcl cannot pass specific enum types
----------------------+---------------------
  Reporter:  robin    |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro1.6
 Component:  Bro      |    Version:
Resolution:           |   Keywords:  logging
----------------------+---------------------

Comment (by gregor):

{{{
#!rst

How use enums in C++, bif, and .bro
-----------------------------------

That's actually pretty straight forward. The functionality has been in
Bro for quite a while but it has been scarcely used.

In ``const.bif`` you can define enums. These are then available in the
policy layer as well as in the C++/bif layer. E.g.,::

    enum foobar %{
        foo,
        bar
    %}

Will make the enum ``foobar`` available in the policy layer. For the C++
layer the bif will automatically the following code that is included in
``NetVar.h`` (and also the necessary initialization code)::

    extern EnumType* enum_foobar;
    namespace BroEnum { enum foobar { foo, bar };}

Some code snippets showing how you can make use of those in C++ and
bif::

    BroEnum::foobar x;
    x = BroEnum::foo;
    if (x == BroEnum::bar)
        do_something();
    ....
    EnumVal *y = new EnumVal(x, enum_foobar);
    EnumVal *z = new EnumVal(BroEnum::bar, enum_foobar);
    // y and z can now be passed to an event or returned from a bif.
    // In the policy script the type would be foobar.
}}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 17:28:13 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Sat, 05 Feb 2011 01:28:13 -0000
Subject: [Bro-Dev] #383: RemoteSerializer: Improve "all or nothing" socket buffer size change code
Message-ID: <044.38bb1aa3d6b5a387e38f7407f6499494@tracker.icir.org>

#383: RemoteSerializer: Improve "all or nothing" socket buffer size change code
-------------------+-----------------------------
 Reporter:  leres  |       Type:  Feature Request
   Status:  new    |   Priority:  Normal
Milestone:         |  Component:  Bro
  Version:  1.5.1  |   Keywords:  setsockopt
-------------------+-----------------------------

Currently, bro tries to set the send and receive socket buffers to 1024K.
Under FreeBSD at least, the default system maximum is 256K so trying to
set it higher fails and you end up running with 8K buffers.

Attached is a (doesn't-quite-compile) patch that shows how I usually deal
with this issue; start at the desired value and work down until you find
one that the system accepts.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 17:34:39 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Sat, 05 Feb 2011 01:34:39 -0000
Subject: [Bro-Dev] #383: RemoteSerializer: Improve "all or nothing" socket buffer size change code
In-Reply-To: <044.38bb1aa3d6b5a387e38f7407f6499494@tracker.icir.org>
References: <044.38bb1aa3d6b5a387e38f7407f6499494@tracker.icir.org>
Message-ID: <059.d17622b9f7b56fbc097fc7590f3e49c1@tracker.icir.org>

#383: RemoteSerializer: Improve "all or nothing" socket buffer size change code
------------------------------+------------------------
  Reporter:  leres            |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:
 Component:  Bro              |    Version:  1.5.1
Resolution:                   |   Keywords:  setsockopt
------------------------------+------------------------

Comment (by robin):

Cool, thanks. I'll try this, and it may be something to integrate into
1.5.x as well.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 17:53:51 2011
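Added example, not the patch attached to ticket #383 and not Bro's code: a C sketch of the step-down approach the ticket describes, requesting the desired socket buffer size and halving it until `setsockopt` accepts one. The function names, the halving step and the 8K floor are assumptions made here; the size is also read back with `getsockopt`, because Linux clamps an oversized request silently instead of failing it.

```c
/* Added example: not Bro's RemoteSerializer code and not the ticket's patch. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

#define BUF_WANT  (1024 * 1024)   /* the 1024K request mentioned in the ticket */
#define BUF_FLOOR (8 * 1024)      /* assumed lower bound for this example */

/*
 * Request `want` bytes for `opt` (SO_SNDBUF or SO_RCVBUF) on `fd`. Each time
 * the kernel rejects the request, halve it and retry, stopping at `floor`.
 * Returns the request that was accepted, or -1 if none was.
 */
int set_sockbuf_stepdown(int fd, int opt, int want, int floor)
{
    if (floor <= 0 || want < floor)
        return -1;
    for (int size = want; size >= floor; size /= 2) {
        if (setsockopt(fd, SOL_SOCKET, opt, &size, sizeof(size)) == 0)
            return size;
    }
    return -1;
}

/*
 * Read back what the kernel actually configured. An accepted request is not
 * proof of the effective size: Linux caps it at its sysctl maximum and
 * reports a doubled value, so log this number rather than the request.
 */
int get_sockbuf(int fd, int opt)
{
    int size = 0;
    socklen_t len = sizeof(size);

    if (getsockopt(fd, SOL_SOCKET, opt, &size, &len) < 0)
        return -1;
    return size;
}

int main(void)
{
    const int opts[] = { SO_SNDBUF, SO_RCVBUF };
    const char *names[] = { "SO_SNDBUF", "SO_RCVBUF" };
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0) {
        perror("socket");
        return 1;
    }
    for (int i = 0; i < 2; i++) {
        int accepted = set_sockbuf_stepdown(fd, opts[i], BUF_WANT, BUF_FLOOR);

        if (accepted < 0)
            fprintf(stderr, "%s: nothing between %d and %d was accepted\n",
                    names[i], BUF_FLOOR, BUF_WANT);
        else
            printf("%s: accepted request %d, effective size %d\n",
                   names[i], accepted, get_sockbuf(fd, opts[i]));
    }
    close(fd);
    return 0;
}
```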
From: bro at tracker.icir.org (Bro Tracker)
Date: Sat, 05 Feb 2011 01:53:51 -0000
Subject: [Bro-Dev] #383: RemoteSerializer: Improve "all or nothing" socket buffer size change code
In-Reply-To: <044.38bb1aa3d6b5a387e38f7407f6499494@tracker.icir.org>
References: <044.38bb1aa3d6b5a387e38f7407f6499494@tracker.icir.org>
Message-ID: <059.2c2971015161cd2b480c5afd81ea33d4@tracker.icir.org>

#383: RemoteSerializer: Improve "all or nothing" socket buffer size change code
---------------------+------------------------
  Reporter:  leres   |      Owner:
      Type:  Patch   |     Status:  new
  Priority:  Normal  |  Milestone:  Bro1.6
 Component:  Bro     |    Version:  1.5.1
Resolution:          |   Keywords:  setsockopt
---------------------+------------------------
Changes (by robin):

 * type: Feature Request => Patch
 * milestone: => Bro1.6

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 4 18:40:51 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Sat, 05 Feb 2011 02:40:51 -0000
Subject: [Bro-Dev] #384: Nearly any broccoli/ssl error causes bro to crash
Message-ID: <044.a28f494a460ad398fbc33365da861083@tracker.icir.org>

#384: Nearly any broccoli/ssl error causes bro to crash
-------------------+---------------------
 Reporter:  leres  |       Type:  Problem
   Status:  new    |   Priority:  Normal
Milestone:         |  Component:  Bro
  Version:  1.5.1  |   Keywords:
-------------------+---------------------

I'm trying to get broccoli working with ssl and I'm finding that this
makes for an exceedingly fragile configuration.

If a configured cert file is missing, bro starts and runs ok but the
first time a client connects to the ssl port, bro crashes from
ChunkedIOSSL::WriteData() with something cryptic in remote.log:

    Feb 4 16:37:36 [error] [child] [#10000/128.3.64.22:62180] can't init peer io: [33558530,0,544108320] SSL error: error:02001002:system library:fopen:No such file or directory

Before I figured out that ssl_private_key file needs to be the
concatenation of the private key and public cert, the crash error in
remote.log was:

    1296871198.439331 [error] [child] [#10000/127.0.0.1:63488] can't init peer io: [151441516,0,1937011567] SSL error: error:0906D06C:PEM routines:PEM_read_bio:no start line

Finally, a client that tries to connect without ssl to the ssl port
crashes bro with this error:

    Feb 4 18:36:22 [error] [child] [#10000/128.3.64.22:60066] can't init peer io: [336130315,1,-1] SSL error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

It would be nice if there was some way to check the format of ssl cert
files at startup and complain then if there are obvious problems with
them. And certainly it is desirable if the worst detected ssl I/O errors
did was cause the client to be dropped.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Sun Feb 6 06:03:39 2011
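Added example, not Bro or Broccoli code: one way to do the startup check ticket #384 asks for, as a C pre-check that an `ssl_private_key`-style file is readable and holds both a complete private key block and a complete certificate block. The function names, status codes and the sample bundle are constructed for this example; it checks PEM framing only and does not verify that the key matches the certificate.

```c
/* Added example: a format pre-check only, not Bro or Broccoli code. */
#include <stdio.h>
#include <string.h>

enum { F_KEY = 1, F_CERT = 2, F_OTHER = 4, F_BAD = 8 };
enum pem_status { PEM_OK, PEM_UNREADABLE, PEM_NO_START_LINE,
                  PEM_MALFORMED, PEM_NO_KEY, PEM_NO_CERT };

/* Constructed sample: correct layout, placeholder bodies, no real key material. */
static const char SAMPLE_BUNDLE[] =
    "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n";

/* If line[0..n) is "<kind><label>-----", copy the label out and return 1. */
static int pem_boundary(const char *line, size_t n, const char *kind,
                        char *label, size_t cap)
{
    size_t k = strlen(kind);

    if (n < k + 5 || strncmp(line, kind, k) != 0)
        return 0;
    if (strncmp(line + n - 5, "-----", 5) != 0)
        return 0;
    size_t len = n - k - 5;
    if (len == 0 || len >= cap)
        return 0;
    memcpy(label, line + k, len);
    label[len] = '\0';
    return 1;
}

/* Walk the text line by line and report which complete PEM blocks it holds. */
int pem_scan(const char *text)
{
    int flags = 0;
    char cur[64] = "", label[64];

    for (const char *p = text; *p; ) {
        size_t n = strcspn(p, "\r\n");

        if (pem_boundary(p, n, "-----BEGIN ", label, sizeof label)) {
            if (cur[0])
                flags |= F_BAD;          /* BEGIN inside an open block */
            strcpy(cur, label);
        } else if (pem_boundary(p, n, "-----END ", label, sizeof label)) {
            size_t l = strlen(label);

            if (strcmp(cur, label) != 0)
                flags |= F_BAD;          /* END does not match the open BEGIN */
            else if (l >= 11 && strcmp(label + l - 11, "PRIVATE KEY") == 0)
                flags |= F_KEY;          /* RSA, EC and PKCS#8 key labels */
            else if (strcmp(label, "CERTIFICATE") == 0)
                flags |= F_CERT;
            else
                flags |= F_OTHER;
            cur[0] = '\0';
        }
        p += n;
        p += strspn(p, "\r\n");
    }
    if (cur[0])
        flags |= F_BAD;                  /* block never closed */
    return flags;
}

/* Map the scan result to the first problem an operator should fix. */
enum pem_status pem_check_text(const char *text)
{
    int f = pem_scan(text);

    if (f & F_BAD)     return PEM_MALFORMED;
    if (f == 0)        return PEM_NO_START_LINE;
    if (!(f & F_KEY))  return PEM_NO_KEY;
    if (!(f & F_CERT)) return PEM_NO_CERT;
    return PEM_OK;
}

/* Startup check: a missing file is reported here, not at first connection. */
enum pem_status pem_check_file(const char *path)
{
    char buf[65536];
    FILE *fp = fopen(path, "r");

    if (!fp)
        return PEM_UNREADABLE;
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';
    return pem_check_text(buf);
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "ok", "cannot read file", "no PEM start line",
        "malformed PEM block", "no private key block", "no certificate block" };

    if (argc < 2) {
        printf("sample bundle: %s\n", msg[pem_check_text(SAMPLE_BUNDLE)]);
        return 0;
    }
    enum pem_status st = pem_check_file(argv[1]);
    printf("%s: %s\n", argv[1], msg[st]);
    return st == PEM_OK ? 0 : 1;
}
```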
From: bro at tracker.icir.org (Bro Tracker)
Date: Sun, 06 Feb 2011 14:03:39 -0000
Subject: [Bro-Dev] #370: Plugin interface for BroControl
In-Reply-To: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org>
References: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org>
Message-ID: <058.bf5858a948b3a95aadf62305e3a10abc@tracker.icir.org>

#370: Plugin interface for BroControl
------------------------------+--------------------
  Reporter:  seth             |      Owner:  robin
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  BroControl       |    Version:
Resolution:                   |   Keywords:
------------------------------+--------------------

Comment (by seth):

> So primarily the feature I'm looking for here is that the hooks to execute
> external scripts can be customized on a per-worker basis.

I was thinking that plugin scripts would only execute on the manager.
You would be able to run commands over ssh on various nodes from scripts
there though. Could you give an example of what you'd like to do with
scripts from the workers?

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 06:04:15 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 07 Feb 2011 14:04:15 -0000
Subject: [Bro-Dev] #370: Plugin interface for BroControl
In-Reply-To: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org>
References: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org>
Message-ID: <058.470aeef7ab75cfb06612651bb829f7ce@tracker.icir.org>

#370: Plugin interface for BroControl
------------------------------+--------------------
  Reporter:  seth             |      Owner:  robin
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.6
 Component:  BroControl       |    Version:
Resolution:                   |   Keywords:
------------------------------+--------------------

Comment (by seth):

Hooks into the cron command could be useful too.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 06:19:31 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 07 Feb 2011 14:19:31 -0000
Subject: [Bro-Dev] #353: Restore and improve IDMEF support
In-Reply-To: <043.68b445e31106dba307ec798618814419@tracker.icir.org>
References: <043.68b445e31106dba307ec798618814419@tracker.icir.org>
Message-ID: <058.b637cc95ac16d7adea5afe50f2d306fe@tracker.icir.org>

#353: Restore and improve IDMEF support
---------------------+--------------------
  Reporter:  seth    |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:  Bro1.7
 Component:  Bro     |    Version:
Resolution:          |   Keywords:
---------------------+--------------------

Comment (by seth):

Look into libprelude for exporting IDMEF events.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 06:22:19 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 07 Feb 2011 14:22:19 -0000
Subject: [Bro-Dev] #363: Sets of records with optional values is broken
In-Reply-To: <043.ac0562b4c61c89e48c3efe1b91abe100@tracker.icir.org>
References: <043.ac0562b4c61c89e48c3efe1b91abe100@tracker.icir.org>
Message-ID: <058.a54fa64262a59f1d7db68535d5c971a5@tracker.icir.org>

#363: Sets of records with optional values is broken
------------------------+------------------------
  Reporter:  seth       |      Owner:
      Type:  Problem    |     Status:  closed
  Priority:  Normal     |  Milestone:  Bro1.6
 Component:  Bro        |    Version:  git/master
Resolution:  Duplicate  |   Keywords:
------------------------+------------------------
Changes (by seth):

 * status: new => closed
 * resolution: => Duplicate

Comment:

Did I seriously file this same ticket twice? Sheesh.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 08:21:17 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 07 Feb 2011 16:21:17 -0000
Subject: [Bro-Dev] #367: internal_error with &optional fields in records used as indexes
In-Reply-To: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org>
References: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org>
Message-ID: <058.ea2d6143a50ab62ff3ee14f20511a187@tracker.icir.org>

#367: internal_error with &optional fields in records used as indexes
----------------------+------------------------
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro1.6
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  logging
----------------------+------------------------

Comment (by seth):

This patch doesn't seem to work in all cases. Here's another example
that fails.

{{{
type FOO: record {
    a: string;
    b: string &optional;
};

global table_test: table[string] of set[FOO];

event bro_init()
    {
    table_test["one"] = set();
    add table_test["one"][[$a="test"]];
    }
}}}

It gives this error:

{{{
1297095615.428758 and ./test-367.bro, line 9 ([a=test, b=] and list of record { a:string; b:string; }): error, index type doesn't match table
}}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 08:56:26 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 07 Feb 2011 16:56:26 -0000
Subject: [Bro-Dev] #370: Plugin interface for BroControl
In-Reply-To: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org>
References: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org>
Message-ID: <058.91872742d1ed1cdc0fee4520369e7f0f@tracker.icir.org>

#370: Plugin interface for BroControl
------------------------------+--------------------
  Reporter:  seth             |       Owner:  robin
      Type:  Feature Request  |      Status:  new
  Priority:  Normal           |   Milestone:  Bro1.6
 Component:  BroControl       |     Version:
Resolution:                   |    Keywords:
------------------------------+--------------------

Comment (by dop):

Running remote commands over ssh would be acceptable. The primary use case is for the instrumented ssh daemon where events get pushed in using bropipe. For a clean restart we need to kill the existing processes and then run bropipe separately to create the brocsock before continuing to write events to it.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 13:37:59 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 07 Feb 2011 21:37:59 -0000
Subject: [Bro-Dev] #370: Plugin interface for BroControl
In-Reply-To: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org>
References: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org>
Message-ID: <058.b0a68bb4096cf34b8106638144993512@tracker.icir.org>

#370: Plugin interface for BroControl
------------------------------+--------------------
  Reporter:  seth             |       Owner:  robin
      Type:  Feature Request  |      Status:  new
  Priority:  Normal           |   Milestone:  Bro1.6
 Component:  BroControl       |     Version:
Resolution:                   |    Keywords:
------------------------------+--------------------

Comment (by robin):

I've put a proposal together:

http://bro.icir.org/devel/projects/broctl-plugins.html

Feedback welcome, and feel free to edit directly.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 14:14:41 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Mon, 07 Feb 2011 22:14:41 -0000 Subject: [Bro-Dev] #272: topic/seth/strings-without-checkstring - Use Bytes() and Len() instead of CheckString() in strings.bif In-Reply-To: <043.1e378c2cf2d2f272b054d3bd5b2f44d9@tracker.icir.org> References: <043.1e378c2cf2d2f272b054d3bd5b2f44d9@tracker.icir.org> Message-ID: <058.45cefee6fa02a7a58a8dc35ae17bb869@tracker.icir.org> #272: topic/seth/strings-without-checkstring - Use Bytes() and Len() instead of CheckString() in strings.bif ----------------------------+---------------------- Reporter: seth | Owner: seth Type: Merge Request | Status: assigned Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: 1.5.2 Resolution: | Keywords: sprint ----------------------------+---------------------- Comment (by robin): Uh, I STILL get errors of the same kind after merging the branch into current master. Example: {{{1105764737.624240 error: '>' not found in argument to RCPT: TO: }}} Can you please confirm one more time that they are indeed gone for you? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Mon Feb 7 14:47:57 2011 
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 07 Feb 2011 22:47:57 -0000
Subject: [Bro-Dev] #367: internal_error with &optional fields in records used as indexes
In-Reply-To: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org>
References: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org>
Message-ID: <058.d1656cc67ca3462fac97aed990368687@tracker.icir.org>

#367: internal_error with &optional fields in records used as indexes
----------------------+------------------------
  Reporter:  seth     |       Owner:
      Type:  Problem  |      Status:  new
  Priority:  Normal   |   Milestone:  Bro1.6
 Component:  Bro      |     Version:  git/master
Resolution:           |    Keywords:  logging
----------------------+------------------------

Comment (by robin):

Fix committed to the logging branch. Your example now works for me.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 16:11:02 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 08 Feb 2011 00:11:02 -0000
Subject: [Bro-Dev] #375: Extending record type fields
In-Reply-To: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
References: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org>
Message-ID: <058.e3e360ee1b3e32385c7013f0268f2706@tracker.icir.org>

#375: Extending record type fields
------------------------------+---------------------
  Reporter:  seth             |       Owner:
      Type:  Feature Request  |      Status:  new
  Priority:  Normal           |   Milestone:  Bro1.6
 Component:  Bro              |     Version:
Resolution:                   |    Keywords:  logging
------------------------------+---------------------

Comment (by robin):

Implementation for testing in `topic/robin/extend-records`

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 17:45:38 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 08 Feb 2011 01:45:38 -0000
Subject: [Bro-Dev] #385: Add the new code for setting the socket buffer size
Message-ID: <044.b2b74839782e7c780d60b3c5d25feb8f@tracker.icir.org>

#385: Add the new code for setting the socket buffer size
--------------------+-------------------
 Reporter:  robin   |       Owner:
     Type:  Patch   |      Status:  new
 Priority:  Normal  |   Milestone:
Component:  Bro     |     Version:  1.5.3
 Keywords:          |
--------------------+-------------------

See 4d12ac861da59ca13d009586da5f1624aaeb299f

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 17:46:42 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 08 Feb 2011 01:46:42 -0000
Subject: [Bro-Dev] #272: topic/seth/strings-without-checkstring - Use Bytes() and Len() instead of CheckString() in strings.bif
In-Reply-To: <043.1e378c2cf2d2f272b054d3bd5b2f44d9@tracker.icir.org>
References: <043.1e378c2cf2d2f272b054d3bd5b2f44d9@tracker.icir.org>
Message-ID: <058.96240941654e89338c6ad4c938b16875@tracker.icir.org>

#272: topic/seth/strings-without-checkstring - Use Bytes() and Len() instead of CheckString() in strings.bif
----------------------------+----------------------
  Reporter:  seth           |       Owner:  seth
      Type:  Merge Request  |      Status:  assigned
  Priority:  Normal         |   Milestone:  Bro1.6
 Component:  Bro            |     Version:  1.5.2
Resolution:                 |    Keywords:  sprint
----------------------------+----------------------

Comment (by seth):

> {{{1105764737.624240 error: '>' not found in argument to RCPT: TO:
> }}}
>
> Can you please confirm one more time that they are indeed gone for you?

I can't replicate this error. Did you pull my latest changes from last week?

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 17:46:46 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 01:46:46 -0000 Subject: [Bro-Dev] #386: Fix trace-summaries sampling Message-ID: <044.b70363d6050aa2f29b860931df653bf3@tracker.icir.org> #386: Fix trace-summaries sampling ------------------------+------------------- Reporter: robin | Owner: robin Type: Problem | Status: new Priority: Normal | Milestone: Component: BroControl | Version: 1.5.3 Keywords: | ------------------------+------------------- See fc940bbb72abbaef2e5f10ea4ab616ec9b61fe0a -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Mon Feb 7 17:51:48 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 01:51:48 -0000 Subject: [Bro-Dev] #386: Fix trace-summaries sampling In-Reply-To: <044.b70363d6050aa2f29b860931df653bf3@tracker.icir.org> References: <044.b70363d6050aa2f29b860931df653bf3@tracker.icir.org> Message-ID: <059.34ef26e95717bb3157d898d27a87f6b5@tracker.icir.org> #386: Fix trace-summaries sampling -------------------------+------------------- Reporter: robin | Owner: robin Type: Patch | Status: new Priority: Normal | Milestone: Component: BroControl | Version: 1.5.3 Resolution: | Keywords: -------------------------+------------------- Changes (by robin): * type: Problem => Patch -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Mon Feb 7 19:45:20 2011 
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 08 Feb 2011 03:45:20 -0000
Subject: [Bro-Dev] #209: topic/seth/ssl-analyzer-work - small patch SSLv3 for detect Extensions Length in bro v1.5.1
In-Reply-To: <044.7c191d0120e9467534546d45a5a29a54@tracker.icir.org>
References: <044.7c191d0120e9467534546d45a5a29a54@tracker.icir.org>
Message-ID: <059.aeeb9168bf3a1d3cb6d0c8ba63a097b1@tracker.icir.org>

#209: topic/seth/ssl-analyzer-work - small patch SSLv3 for detect Extensions Length in bro v1.5.1
----------------------------+-----------------------------------
  Reporter:  rmkml          |       Owner:
      Type:  Merge Request  |      Status:  seen
  Priority:  Normal         |   Milestone:  Bro1.6
 Component:  Bro            |     Version:  1.5.2
Resolution:                 |    Keywords:  ssl extensions sprint
----------------------------+-----------------------------------

Comment (by robin):

I'm currently running this on one of the clusters for testing.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 7 19:49:48 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 03:49:48 -0000 Subject: [Bro-Dev] #272: topic/seth/strings-without-checkstring - Use Bytes() and Len() instead of CheckString() in strings.bif In-Reply-To: <043.1e378c2cf2d2f272b054d3bd5b2f44d9@tracker.icir.org> References: <043.1e378c2cf2d2f272b054d3bd5b2f44d9@tracker.icir.org> Message-ID: <058.b7c67c2df0334bfc3f8abc6bba72c0ec@tracker.icir.org> #272: topic/seth/strings-without-checkstring - Use Bytes() and Len() instead of CheckString() in strings.bif ----------------------------+---------------------- Reporter: seth | Owner: seth Type: Merge Request | Status: assigned Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: 1.5.2 Resolution: | Keywords: sprint ----------------------------+---------------------- Comment (by robin): Hah, after doing a fresh merge, it now passes. I think what happened was that I merged with my local copy of the topic branch rather than the remote/origin/* version; and that one was not updated. Normally, I don't keep local copies of the branches, but here I did and I didn't notice I was merging from that one. Will do some more testing soon, and then commit. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 09:35:10 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 17:35:10 -0000 Subject: [Bro-Dev] #329: Optimizing detect-protocols.bro In-Reply-To: <043.4171f047fca9bbca4e3e8c6e560433d7@tracker.icir.org> References: <043.4171f047fca9bbca4e3e8c6e560433d7@tracker.icir.org> Message-ID: <058.ef09071a81757ddc8496dfb405863a7d@tracker.icir.org> #329: Optimizing detect-protocols.bro ---------------------+---------------------- Reporter: seth | Owner: Type: Task | Status: assigned Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Resolution: | Keywords: sprint ---------------------+---------------------- Changes (by robin): * owner: robin => * status: new => assigned -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 09:40:50 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 17:40:50 -0000 Subject: [Bro-Dev] #365: Conn.log rollover time In-Reply-To: <043.a626e691ffb447bbf308f50fc2a6fb58@tracker.icir.org> References: <043.a626e691ffb447bbf308f50fc2a6fb58@tracker.icir.org> Message-ID: <058.5a4bb7ed43de439f30369aba0e375f17@tracker.icir.org> #365: Conn.log rollover time -------------------------+-------------------- Reporter: seth | Owner: robin Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: BroControl | Version: Resolution: | Keywords: -------------------------+-------------------- Comment (by robin): Can this be closed? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 09:47:37 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 17:47:37 -0000 Subject: [Bro-Dev] #387: SSL communication not robust to config errors Message-ID: <044.4646bc95fc29ebb04716894bf327e1c1@tracker.icir.org> #387: SSL communication not robust to config errors ---------------------+------------------------ Reporter: robin | Owner: robin Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ If SSL communication is configured improperly, Bro can crash once a client connects. (Reported by Craig). -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 09:49:55 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 17:49:55 -0000 Subject: [Bro-Dev] #387: SSL communication not robust to config errors In-Reply-To: <044.4646bc95fc29ebb04716894bf327e1c1@tracker.icir.org> References: <044.4646bc95fc29ebb04716894bf327e1c1@tracker.icir.org> Message-ID: <059.985bf5f65810338775e3dc83540d37ae@tracker.icir.org> #387: SSL communication not robust to config errors ----------------------+------------------------ Reporter: robin | Owner: robin Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by seth): Is this a duplicate of #384? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 09:50:53 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 17:50:53 -0000 Subject: [Bro-Dev] #384: Nearly any broccoli/ssl error causes bro to crash In-Reply-To: <044.a28f494a460ad398fbc33365da861083@tracker.icir.org> References: <044.a28f494a460ad398fbc33365da861083@tracker.icir.org> Message-ID: <059.2318930b0688a65e30dd07d80473ef73@tracker.icir.org> #384: Nearly any broccoli/ssl error causes bro to crash ----------------------+---------------------- Reporter: leres | Owner: robin Type: Problem | Status: assigned Priority: Normal | Milestone: Component: Bro | Version: 1.5.1 Resolution: | Keywords: ----------------------+---------------------- Changes (by robin): * owner: => robin * status: new => assigned -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 09:51:33 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 17:51:33 -0000 Subject: [Bro-Dev] #387: SSL communication not robust to config errors In-Reply-To: <044.4646bc95fc29ebb04716894bf327e1c1@tracker.icir.org> References: <044.4646bc95fc29ebb04716894bf327e1c1@tracker.icir.org> Message-ID: <059.b701ab56cc12c3753a9984ccb9aef56e@tracker.icir.org> #387: SSL communication not robust to config errors ------------------------+------------------------ Reporter: robin | Owner: robin Type: Problem | Status: closed Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: Duplicate | Keywords: ------------------------+------------------------ Changes (by robin): * status: new => closed * resolution: => Duplicate Comment: Doh, of course, and I had even seen that one! -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 13:29:30 2011 
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 08 Feb 2011 21:29:30 -0000
Subject: [Bro-Dev] #367: internal_error with &optional fields in records used as indexes
In-Reply-To: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org>
References: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org>
Message-ID: <058.84de1cf1ab0666ef6754917adcdfd7f7@tracker.icir.org>

#367: internal_error with &optional fields in records used as indexes
----------------------+------------------------
  Reporter:  seth     |       Owner:
      Type:  Problem  |      Status:  new
  Priority:  Normal   |   Milestone:  Bro1.6
 Component:  Bro      |     Version:  git/master
Resolution:           |    Keywords:  logging
----------------------+------------------------

Comment (by seth):

Thanks for the fix. I found more problems though. If there is an "any" type in the record it fails in every way possible. :)

Example with an optional "any" field. Not attempting to fill it in at assignment:

{{{
type FOO: record {
    a: string;
    b: any &optional;
};
global table_test: table[string] of set[FOO];
event bro_init()
    {
    table_test["one"] = set();
    add table_test["one"][[$a="test"]];
    }
}}}

Results in:

{{{
[seth at Blake build (topic/logging-framework)]$ ./src/bro test-367.bro
1297200320.323972 internal error: bad index type in CompositeHash::CompositeHash
Abort trap
}}}

Example with a non-optional any field, filling it in with a string on assignment:

{{{
type FOO: record {
    a: string;
    b: any;
};
global table_test: table[string] of set[FOO];
event bro_init()
    {
    table_test["one"] = set();
    add table_test["one"][[$a="test", $b="asdf"]];
    }
}}}

Results in:

{{{
[seth at Blake build (topic/logging-framework)]$ ./src/bro test-367.bro
1297200425.455970 and ./test-367.bro, line 6 ([a=test, b=asdf] and list of record { a:string; b:any; }): error, index type doesn't match table
}}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Tue Feb 8 13:32:49 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 21:32:49 -0000 Subject: [Bro-Dev] #365: Conn.log rollover time In-Reply-To: <043.a626e691ffb447bbf308f50fc2a6fb58@tracker.icir.org> References: <043.a626e691ffb447bbf308f50fc2a6fb58@tracker.icir.org> Message-ID: <058.beff2c1d592f112a243ec5a5985657e5@tracker.icir.org> #365: Conn.log rollover time -------------------------+-------------------- Reporter: seth | Owner: robin Type: Problem | Status: closed Priority: Normal | Milestone: Bro1.6 Component: BroControl | Version: Resolution: Solved | Keywords: -------------------------+-------------------- Changes (by seth): * status: new => closed * resolution: => Solved Comment: I think so. I'll go ahead and close it, I'm almost positive that it was from an older version. -- Ticket URL: Bro Tracker Bro Issue Tracker From gregor at icir.org Tue Feb 8 14:01:42 2011 
From: gregor at icir.org (Gregor Maier)
Date: Tue, 08 Feb 2011 14:01:42 -0800
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/fix-compiler-warnings: PRI macros are currently not working for some reason. (275c6e6)
In-Reply-To: <201102081747.p18HlIG1026254@envoy.icir.org>
References: <201102081747.p18HlIG1026254@envoy.icir.org>
Message-ID: <4D51BD46.10907@icir.org>

Annoyingly, C++ compilers don't enable these macros per default as they are in the C99 standard. Grrr.

You have to define

#define _ISOC99_SOURCE
#define __STDC_LIMIT_MACROS
#define __STDC_CONSTANT_MACROS
#define __STDC_FORMAT_MACROS

before you include any of the header files. util.h or so might be a good place to add these defines. (For the printf macros to work, you probably only need the first and the last define, but the others are probably handy too).

See also:
http://publib.boulder.ibm.com/infocenter/zos/v1r9/topic/com.ibm.zos.r9.cbcpx01/c99ftmacros.htm

cu
Gregor

On 2/8/11 9:47 , Seth Hall wrote:
> Repository : ssh://bro at envoy.icir.org/bro > > On branch : topic/seth/fix-compiler-warnings > >> --------------------------------------------------------------- > > commit 275c6e64cce6a0a9e187c347864c909e04b4ef03 > Author: Seth Hall > Date: Tue Feb 8 12:47:10 2011 -0500 > > PRI macros are currently not working for some reason. > > >> --------------------------------------------------------------- > > src/RemoteSerializer.cc | 29 +++++++++++++++-------------- > src/SMB.cc | 4 +++- > 2 files changed, 18 insertions(+), 15 deletions(-) > > diff --git a/src/RemoteSerializer.cc b/src/RemoteSerializer.cc > index 6709ea0..7d731c5 100644 > --- a/src/RemoteSerializer.cc > +++ b/src/RemoteSerializer.cc > @@ -159,6 +159,7 @@ > #include > #include > #include > +#include > > #include "config.h" > #ifdef TIME_WITH_SYS_TIME
> @@ -1505,13 +1506,13 @@ bool RemoteSerializer::DoMessage() > { > // We shut the connection to this peer down, > // so we ignore all further messages. > - DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%llu", > + DEBUG_COMM(fmt("parent: ignoring %s due to shutdown of peer #%" PRId64, > msgToStr(current_msgtype), > current_peer ? current_peer->id : 0)); > return true; > } > > - DEBUG_COMM(fmt("parent: %s from child; peer is #%llu", > + DEBUG_COMM(fmt("parent: %s from child; peer is #%" PRId64, > msgToStr(current_msgtype), > current_peer ? current_peer->id : 0)); > > @@ -2610,7 +2611,7 @@ bool RemoteSerializer::SendCMsgToChild(char msg_type, Peer* peer) > > bool RemoteSerializer::SendToChild(char type, Peer* peer, char* str, int len) > { > - DEBUG_COMM(fmt("parent: (->child) %s (#%d, %s)", msgToStr(type), (uint32_t) (peer ? peer->id : PEER_NONE), str)); > + DEBUG_COMM(fmt("parent: (->child) %s (#%" PRId64 ", %s)", msgToStr(type), peer ? peer->id : PEER_NONE, str)); > > if ( ! child_pid ) > return false; > @@ -2634,8 +2635,8 @@ bool RemoteSerializer::SendToChild(char type, Peer* peer, int nargs, ...) > > #ifdef DEBUG > va_start(ap, nargs); > - DEBUG_COMM(fmt("parent: (->child) %s (#%d,%s)", > - msgToStr(type), (uint32_t) (peer ? peer->id : PEER_NONE), fmt_uint32s(nargs, ap))); > + DEBUG_COMM(fmt("parent: (->child) %s (#%" PRId64 ",%s)", > + msgToStr(type), peer ? peer->id : PEER_NONE, fmt_uint32s(nargs, ap))); > va_end(ap); > #endif > > @@ -3235,7 +3236,7 @@ bool SocketComm::ForwardChunkToPeer() > { > #ifdef DEBUG > if ( parent_peer ) > - DEBUG_COMM(fmt("child: not connected to #%d", (uint) parent_id)); > + DEBUG_COMM(fmt("child: not connected to #%" PRId64, parent_id)); > #endif > } 
> > @@ -3318,8 +3319,8 @@ bool SocketComm::ProcessRemoteMessage(SocketComm::Peer* peer) > > CMsg* msg = (CMsg*) c->data; > > - DEBUG_COMM(fmt("child: %s from peer #%d", > - msgToStr(msg->Type()), (uint) peer->id)); > + DEBUG_COMM(fmt("child: %s from peer #%" PRId64, > + msgToStr(msg->Type()), peer->id)); > > switch ( msg->Type() ) { > case MSG_PHASE_DONE: > @@ -3795,7 +3796,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, const char* str, int len) > #ifdef DEBUG > // str may already by constructed with fmt() > const char* tmp = copy_string(str); > - DEBUG_COMM(fmt("child: (->parent) %s (#%d, %s)", msgToStr(type), (uint) (peer ? peer->id : RemoteSerializer::PEER_NONE), tmp)); > + DEBUG_COMM(fmt("child: (->parent) %s (#%" PRId64 ", %s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, tmp)); > delete [] tmp; > #endif > if ( sendToIO(io, type, peer ? peer->id : RemoteSerializer::PEER_NONE, > @@ -3814,7 +3815,7 @@ bool SocketComm::SendToParent(char type, Peer* peer, int nargs, ...) > > #ifdef DEBUG > va_start(ap,nargs); > - DEBUG_COMM(fmt("child: (->parent) %s (#%d,%s)", msgToStr(type), (uint) (peer ? peer->id : RemoteSerializer::PEER_NONE), fmt_uint32s(nargs, ap))); > + DEBUG_COMM(fmt("child: (->parent) %s (#%" PRId64 ",%s)", msgToStr(type), peer ? peer->id : RemoteSerializer::PEER_NONE, fmt_uint32s(nargs, ap))); > va_end(ap); > #endif > > @@ -3850,7 +3851,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, const char* str, int len) > #ifdef DEBUG > // str may already by constructed with fmt() > const char* tmp = copy_string(str); > - DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", msgToStr(type), (uint) peer->id, tmp)); > + DEBUG_COMM(fmt("child: (->peer) %s to #%" PRId64 " (%s)", msgToStr(type), peer->id, tmp)); > delete [] tmp; > #endif 
> > @@ -3869,8 +3870,8 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...) > > #ifdef DEBUG > va_start(ap,nargs); > - DEBUG_COMM(fmt("child: (->peer) %s to #%d (%s)", > - msgToStr(type), (uint) peer->id, fmt_uint32s(nargs, ap))); > + DEBUG_COMM(fmt("child: (->peer) %s to #%" PRId64 " (%s)", > + msgToStr(type), peer->id, fmt_uint32s(nargs, ap))); > va_end(ap); > #endif > > @@ -3890,7 +3891,7 @@ bool SocketComm::SendToPeer(Peer* peer, char type, int nargs, ...) > > bool SocketComm::SendToPeer(Peer* peer, ChunkedIO::Chunk* c) > { > - DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%d", c->len, (uint) peer->id)); > + DEBUG_COMM(fmt("child: (->peer) chunk of size %d to #%" PRId64, c->len, peer->id)); > if ( ! sendToIO(peer->io, c) ) > { > Error(fmt("child: write error %s", io->Error()), peer); > diff --git a/src/SMB.cc b/src/SMB.cc > index a950302..5520ef4 100644 > --- a/src/SMB.cc > +++ b/src/SMB.cc > @@ -6,6 +6,7 @@ > #include "SMB.h" > #include "smb_pac.h" > #include "Val.h" > +#include "inttypes.h" > > namespace { > const bool DEBUG_smb_ipc = true; 
> @@ -166,7 +167,8 @@ void SMB_Session::Deliver(int is_orig, int len, const u_char* data) > const u_char* tmp = data_start + next; > if ( data_start + next < data + body.length() ) > { > - Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %ld", next, data + body.length() - data_start)); > + //Weird(fmt("ANDX buffer overlapping: next = %d, buffer_end = %" PRId32, next, data + body.length() - data_start)); > + printf("ANDX buffer overlapping: next = %" PRId64 ", buffer_end = %" PRId32 " ", next, data + body.length() - data_start); > break; > } > > > _______________________________________________ > bro-commits mailing list > bro-commits at bro-ids.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits > -- Gregor Maier Int. Computer Science Institute (ICSI) 1947 Center St., Ste. 600 Berkeley, CA 94704, USA http://www.icir.org/gregor/ From bro at tracker.icir.org Tue Feb 8 14:22:52 2011 
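Review bot: in RemoteSerializer::DoMessage (hunk @@ -1505,13 +1506,13) both messages move from the unsigned `%llu` to the signed `PRId64`, so a peer id with the top bit set would now print as a negative number; if the id type is unsigned, `PRIu64` is the matching macro. The same applies to the SendToChild, SendToParent and SendToPeer hunks, where the `(uint32_t)` and `(uint)` casts are dropped: the argument `peer ? peer->id : PEER_NONE` is now correct only while that conditional evaluates to exactly 64 bits, which none of the visible lines guarantees. An explicit cast of the whole conditional to the fixed-width type named by the macro would keep format and argument in step if the id type ever changes.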
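Review bot: the added `#include "inttypes.h"` in src/SMB.cc (hunk @@ -6,6 +6,7) uses the quoted form, which searches the including file's directory first; `<inttypes.h>` is the form for a system header. In C++ the PRI macros also depend on `__STDC_FORMAT_MACROS` being defined before the first inclusion of that header in the translation unit, and nothing in this hunk defines it, so the define belongs in a header that is pulled in ahead of everything else, as the reply above suggests with util.h.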
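Review bot: in SMB_Session::Deliver (hunk @@ -166,7 +167,8) the specifiers look swapped relative to their arguments: `next` was printed with `%d` and is now given `PRId64`, while the pointer difference `data + body.length() - data_start` was `%ld` and is now given `PRId32`. A pointer difference is a `ptrdiff_t` (print it with `%td`, or cast it to `int64_t` for `PRId64`), and `next` should keep a specifier of its own width; a mismatched variadic argument is undefined behaviour, here in a path that handles SMB data taken from the network. The hunk also replaces `Weird()` with a bare `printf` and leaves the old call commented out, which drops the event from Bro's weird reporting and writes to stdout instead; restoring the `Weird(fmt(...))` call with the corrected format would keep it.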
From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 22:22:52 -0000 Subject: [Bro-Dev] #367: internal_error with &optional fields in records used as indexes In-Reply-To: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org> References: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org> Message-ID: <058.48cbe98f27a9d0dcc3ac9c2485f60038@tracker.icir.org> #367: internal_error with &optional fields in records used as indexes ----------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: | Keywords: logging ----------------------+------------------------ Comment (by vern): Seth, this is almost more feature than bug! Sure, Bro shouldn't crash with an internal error. However, disallowing use of "any" by generating a type error strikes me as just fine. It's not meant to be used at all by user-level code; it's just there for built-ins that are too darn handy in generic form to go without. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 14:37:36 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 22:37:36 -0000 Subject: [Bro-Dev] #384: Nearly any broccoli/ssl error causes bro to crash In-Reply-To: <044.a28f494a460ad398fbc33365da861083@tracker.icir.org> References: <044.a28f494a460ad398fbc33365da861083@tracker.icir.org> Message-ID: <059.c5c45c5b4ba348ca91dd83a170f2d82c@tracker.icir.org> #384: Nearly any broccoli/ssl error causes bro to crash ----------------------+---------------------- Reporter: leres | Owner: robin Type: Problem | Status: assigned Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: 1.5.1 Resolution: | Keywords: ----------------------+---------------------- Changes (by robin): * milestone: => Bro1.6 Comment: Fix in `topic/robin/comm-ssl` for testing. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 14:50:32 2011 
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 08 Feb 2011 22:50:32 -0000
Subject: [Bro-Dev] #335: Fix compiler warnings
In-Reply-To: <043.c670c730a2bb23ea92564c42e5dd23a9@tracker.icir.org>
References: <043.c670c730a2bb23ea92564c42e5dd23a9@tracker.icir.org>
Message-ID: <058.36285ce46bc46e693441b78e775252de@tracker.icir.org>

#335: Fix compiler warnings
----------------------+--------------------
  Reporter:  seth     |       Owner:
      Type:  Problem  |      Status:  new
  Priority:  Normal   |   Milestone:  Bro1.6
 Component:  Bro      |     Version:
Resolution:           |    Keywords:  sprint
----------------------+--------------------

Comment (by robin):

From Gregor:

{{{
C++ compilers don't enable these macros per default as they are in the C99 standard. Grrr.

You have to define

#define _ISOC99_SOURCE
#define __STDC_LIMIT_MACROS
#define __STDC_CONSTANT_MACROS
#define __STDC_FORMAT_MACROS

before you include any of the header files. util.h or so might be a good place to add these defines. (For the printf macros to work, you probably only need the first and the last define, but the others are probably handy too).

See also:
http://publib.boulder.ibm.com/infocenter/zos/v1r9/topic/com.ibm.zos.r9.cbcpx01/c99ftmacros.htm
}}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Tue Feb 8 14:51:10 2011
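The format-macro advice relayed in the #335 comment above, as an added example that is not part of the thread or of the Bro source: it sets the defines before the first header and prints a 64-bit id and a pointer difference with matching specifiers, next to the 32-bit cast style that truncates. `PeerId`, `PEER_NONE_ID` and the function names are assumptions made for illustration, as is the choice of an unsigned 64-bit id.

```cpp
// Added example (not from the Bro source tree). PeerId, PEER_NONE_ID and the
// function names are assumptions made for illustration.

// Request the C99 format/limit macros before the FIRST header is included.
// C++11 and later define them unconditionally, so the guards are harmless there.
#ifndef __STDC_FORMAT_MACROS
#define __STDC_FORMAT_MACROS
#endif
#ifndef __STDC_LIMIT_MACROS
#define __STDC_LIMIT_MACROS
#endif

#include <inttypes.h>
#include <stddef.h>
#include <stdio.h>
#include <string>

typedef uint64_t PeerId;               // assumption: ids are unsigned 64-bit
static const PeerId PEER_NONE_ID = 0;  // assumption: sentinel for "no peer"

// Matching pair: both arms of the conditional have type PeerId, and PRIu64
// is the specifier for exactly that type.
std::string peer_msg(const char* what, const PeerId* id)
    {
    char buf[128];
    PeerId v = id ? *id : PEER_NONE_ID;
    snprintf(buf, sizeof(buf), "parent: %s from child; peer is #%" PRIu64, what, v);
    return std::string(buf);
    }

// The cast style: narrowing to 32 bits makes a 32-bit specifier well defined,
// but ids above UINT32_MAX are silently truncated in the log line.
std::string peer_msg_truncating(const char* what, PeerId id)
    {
    char buf[128];
    snprintf(buf, sizeof(buf), "parent: %s from child; peer is #%" PRIu32, what, (uint32_t) id);
    return std::string(buf);
    }

// A pointer difference is a ptrdiff_t; %td is its own length modifier, so no
// PRI macro or cast is needed. 'next' stays a plain int printed with %d.
std::string andx_msg(int next, const unsigned char* data_start, const unsigned char* buffer_end)
    {
    char buf[128];
    ptrdiff_t end_off = buffer_end - data_start;
    snprintf(buf, sizeof(buf), "ANDX buffer overlapping: next = %d, buffer_end = %td", next, end_off);
    return std::string(buf);
    }

int main()
    {
    PeerId big = 4294967303ULL;   // constructed value: 2^32 + 7
    unsigned char pkt[64] = {0};  // constructed buffer
    puts(peer_msg("MSG_PHASE_DONE", &big).c_str());
    puts(peer_msg_truncating("MSG_PHASE_DONE", big).c_str());
    puts(andx_msg(12, pkt, pkt + 40).c_str());
    return 0;
    }
```
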
From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 08 Feb 2011 22:51:10 -0000 Subject: [Bro-Dev] #335: Fix compiler warnings In-Reply-To: <043.c670c730a2bb23ea92564c42e5dd23a9@tracker.icir.org> References: <043.c670c730a2bb23ea92564c42e5dd23a9@tracker.icir.org> Message-ID: <058.870ab1fff5c9e5164cfebced327dcd59@tracker.icir.org> #335: Fix compiler warnings ----------------------+-------------------- Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Resolution: | Keywords: sprint ----------------------+-------------------- Comment (by robin): Seth's changes in `topic/seth/fix-compiler-warnings` -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 17:05:01 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 01:05:01 -0000 Subject: [Bro-Dev] #367: internal_error with &optional fields in records used as indexes In-Reply-To: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org> References: <043.81b272eefc82d70a12d6ae939c639044@tracker.icir.org> Message-ID: <058.ec807bc30fe47a22400527fa002c9e0d@tracker.icir.org> #367: internal_error with &optional fields in records used as indexes ----------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: | Keywords: logging ----------------------+------------------------ Comment (by seth): I agree. I hate using the any type anyway, and I think I'll do something differently here. I was just implementing some prototype code that Robin and I had worked on that worked this way, but it's obviously not a good path to proceed down. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 17:30:09 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 01:30:09 -0000 Subject: [Bro-Dev] #335: topic/seth/fix-compiler-warnings - Fix compiler warnings (was: Fix compiler warnings) In-Reply-To: <043.c670c730a2bb23ea92564c42e5dd23a9@tracker.icir.org> References: <043.c670c730a2bb23ea92564c42e5dd23a9@tracker.icir.org> Message-ID: <058.8c8c6f6d5bc31aaefeed3eab3019193f@tracker.icir.org> #335: topic/seth/fix-compiler-warnings - Fix compiler warnings ----------------------------+---------------------- Reporter: seth | Owner: robin Type: Merge Request | Status: assigned Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Resolution: | Keywords: sprint ----------------------------+---------------------- Changes (by seth): * owner: => robin * status: new => assigned * type: Problem => Merge Request Comment: This should be ready for merging now. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 20:02:58 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 04:02:58 -0000 Subject: [Bro-Dev] #381: Switch to DPD by default In-Reply-To: <044.78d90be2e52022fca356dc69969e0acc@tracker.icir.org> References: <044.78d90be2e52022fca356dc69969e0acc@tracker.icir.org> Message-ID: <059.bba923ae88a41b4dc118e1c1a4b49235@tracker.icir.org> #381: Switch to DPD by default ---------------------+-------------------- Reporter: robin | Owner: robin Type: Task | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Resolution: | Keywords: ---------------------+-------------------- Comment (by seth): I'm all for this change. It's one less thing I'll have to manually configure every time I do a new installation! -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 20:54:35 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 04:54:35 -0000 Subject: [Bro-Dev] #352: Make --enable-ipv6 default In-Reply-To: <044.12c39bf282859c1efd399c7a7103e7ce@tracker.icir.org> References: <044.12c39bf282859c1efd399c7a7103e7ce@tracker.icir.org> Message-ID: <059.177892701d16de2a44cf0039eb610095@tracker.icir.org> #352: Make --enable-ipv6 default ---------------------+-------------------- Reporter: robin | Owner: Type: Task | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: Resolution: | Keywords: ---------------------+-------------------- Comment (by robin): Note that Broccoli needs to be adapted too; it expects v4 serializations. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 8 21:27:27 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 05:27:27 -0000 Subject: [Bro-Dev] #388: Fix more compiler warnings Message-ID: <044.38e1f84ebf1ea4f44c90d7606c51eebc@tracker.icir.org> #388: Fix more compiler warnings --------------------+-------------------- Reporter: robin | Owner: Type: Task | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Keywords: | --------------------+-------------------- #335 fixes a bunch of warnings in Bro itself, but other pieces of our distribution still generate further warnings (including bro-aux, and Broccoli). Need to fix that too. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 02:13:14 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 10:13:14 -0000 Subject: [Bro-Dev] #368: Patch for Reverse DNS Lookups and DNS TTL support In-Reply-To: <051.d0f4965bdff7b3c1b00d8279da7dd66d@tracker.icir.org> References: <051.d0f4965bdff7b3c1b00d8279da7dd66d@tracker.icir.org> Message-ID: <066.e88d524e64c8b450a1e46c3e319fd127@tracker.icir.org> #368: Patch for Reverse DNS Lookups and DNS TTL support ---------------------------+----------------------------- Reporter: thomas.other | Owner: Type: Patch | Status: new Priority: Normal | Milestone: Component: Bro | Version: 1.5.2 Resolution: | Keywords: DNS TTL Resolve ---------------------------+----------------------------- Comment (by thomas.other): The initially submitted '''resolve.patch''' had the following flaws. It was: 1. Reimplementing DNS lookup functionality for bro scripts 2. Doing so in a synchronous (blocking) way Therefore it was abandoned in favor of the already present 'when( host = lookup_addr( someip ) ) { ... }' constructs, which use asynchronous DNS queries (that won't stall bro execution during DNS lookups). The initially submitted '''dnsttl.patch''' was extended and does now provide TTL checking for async DNS lookup functions as well. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 06:22:33 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 14:22:33 -0000 Subject: [Bro-Dev] #368: Patch for Reverse DNS Lookups and DNS TTL support In-Reply-To: <051.d0f4965bdff7b3c1b00d8279da7dd66d@tracker.icir.org> References: <051.d0f4965bdff7b3c1b00d8279da7dd66d@tracker.icir.org> Message-ID: <066.2a5065f4fbfaf81dbe73ad9d2a81caf6@tracker.icir.org> #368: Patch for Reverse DNS Lookups and DNS TTL support ---------------------------+----------------------------- Reporter: thomas.other | Owner: Type: Patch | Status: new Priority: Normal | Milestone: Component: Bro | Version: 1.5.2 Resolution: | Keywords: DNS TTL Resolve ---------------------------+----------------------------- Comment (by seth): I think we can probably make this enabled by default and remove the compile time option. Following the TTLs just makes sense. :) -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 06:25:32 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 14:25:32 -0000 Subject: [Bro-Dev] #389: Extend script level DNS to do different query classes Message-ID: <043.fb17ab25756f3b4378acc410cf9158ec@tracker.icir.org> #389: Extend script level DNS to do different query classes -----------------------------+-------------------- Reporter: seth | Owner: Type: Feature Request | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: Keywords: | -----------------------------+-------------------- It would be helpful to be able to do DNS TXT queries (or others) in script-land. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 06:27:34 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 14:27:34 -0000 Subject: [Bro-Dev] #368: Patch for Reverse DNS Lookups and DNS TTL support In-Reply-To: <051.d0f4965bdff7b3c1b00d8279da7dd66d@tracker.icir.org> References: <051.d0f4965bdff7b3c1b00d8279da7dd66d@tracker.icir.org> Message-ID: <066.60c3ef994a51a48ecaf83f02c861c8eb@tracker.icir.org> #368: Patch for Reverse DNS Lookups and DNS TTL support ---------------------------+----------------------------- Reporter: thomas.other | Owner: Type: Patch | Status: new Priority: Normal | Milestone: Component: Bro | Version: 1.5.2 Resolution: | Keywords: DNS TTL Resolve ---------------------------+----------------------------- Comment (by seth): One other comment, it would be nice if the DNS query mechanism made the TTL of the queried name available in script-land. This isn't aimed at you though, Thomas, unless you feel like taking it on. ;) -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 07:42:45 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 15:42:45 -0000 Subject: [Bro-Dev] #368: Patch for Reverse DNS Lookups and DNS TTL support In-Reply-To: <051.d0f4965bdff7b3c1b00d8279da7dd66d@tracker.icir.org> References: <051.d0f4965bdff7b3c1b00d8279da7dd66d@tracker.icir.org> Message-ID: <066.50b3d5e95988ceba7c2a6eb2d3bf490b@tracker.icir.org> #368: Patch for Reverse DNS Lookups and DNS TTL support ---------------------------+----------------------------- Reporter: thomas.other | Owner: Type: Patch | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: 1.5.2 Resolution: | Keywords: DNS TTL Resolve ---------------------------+----------------------------- Changes (by robin): * milestone: => Bro1.6 -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 08:00:48 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 16:00:48 -0000 Subject: [Bro-Dev] #386: Fix trace-summaries sampling In-Reply-To: <044.b70363d6050aa2f29b860931df653bf3@tracker.icir.org> References: <044.b70363d6050aa2f29b860931df653bf3@tracker.icir.org> Message-ID: <059.b844e0e3eaa5f61a23cae6b18fb9bb0f@tracker.icir.org> #386: Fix trace-summaries sampling -------------------------+------------------- Reporter: robin | Owner: robin Type: Patch | Status: new Priority: Normal | Milestone: Component: BroControl | Version: 1.5.3 Resolution: | Keywords: -------------------------+------------------- Comment (by robin): trace-summary's 04548693f6ffd29e5aa4b01cee0d47fb9a605868 can go in here too. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 08:18:20 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 16:18:20 -0000 Subject: [Bro-Dev] #209: topic/seth/ssl-analyzer-work - small patch SSLv3 for detect Extensions Length in bro v1.5.1 In-Reply-To: <044.7c191d0120e9467534546d45a5a29a54@tracker.icir.org> References: <044.7c191d0120e9467534546d45a5a29a54@tracker.icir.org> Message-ID: <059.4029fdc93156ecffa2a889f90adc1591@tracker.icir.org> #209: topic/seth/ssl-analyzer-work - small patch SSLv3 for detect Extensions Length in bro v1.5.1 -----------------------------+----------------------------------- Reporter: rmkml | Owner: Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: 1.5.2 Resolution: Merged/Applied | Keywords: ssl extensions sprint -----------------------------+----------------------------------- Changes (by robin): * status: seen => closed * resolution: => Merged/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 08:18:20 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 16:18:20 -0000 Subject: [Bro-Dev] #272: topic/seth/strings-without-checkstring - Use Bytes() and Len() instead of CheckString() in strings.bif In-Reply-To: <043.1e378c2cf2d2f272b054d3bd5b2f44d9@tracker.icir.org> References: <043.1e378c2cf2d2f272b054d3bd5b2f44d9@tracker.icir.org> Message-ID: <058.d5b167d99d12f352c69a6eea6a0246fd@tracker.icir.org> #272: topic/seth/strings-without-checkstring - Use Bytes() and Len() instead of CheckString() in strings.bif -----------------------------+-------------------- Reporter: seth | Owner: seth Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: 1.5.2 Resolution: Merged/Applied | Keywords: sprint -----------------------------+-------------------- Changes (by robin): * status: assigned => closed * resolution: => Merged/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 08:18:20 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 16:18:20 -0000 Subject: [Bro-Dev] #335: topic/seth/fix-compiler-warnings - Fix compiler warnings In-Reply-To: <043.c670c730a2bb23ea92564c42e5dd23a9@tracker.icir.org> References: <043.c670c730a2bb23ea92564c42e5dd23a9@tracker.icir.org> Message-ID: <058.97c51ee062a2c3c00f4a16e775eeab85@tracker.icir.org> #335: topic/seth/fix-compiler-warnings - Fix compiler warnings -----------------------------+-------------------- Reporter: seth | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Resolution: Merged/Applied | Keywords: sprint -----------------------------+-------------------- Changes (by robin): * status: assigned => closed * resolution: => Merged/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Wed Feb 9 09:06:33 2011 
From: robin at icir.org (Robin Sommer) Date: Wed, 9 Feb 2011 09:06:33 -0800 Subject: [Bro-Dev] Combining HTTP scripts? Message-ID: <20110209170633.GG53224@icir.org> Here's another "should we change the default" question: the HTTP scripts have always been inconsistent with others in the way they split functionality across a set of scripts; and one then has to load the right ones depending on which pieces are desired. I think we should unify this so that in the future there's just a single HTTP script to load, potentially then with options for selecting specifics. Seth's http-ext already does much of that in fact. Is there a consensus that that's the right way to go? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From seth at icir.org Wed Feb 9 09:19:14 2011 From: seth at icir.org (Seth Hall) Date: Wed, 9 Feb 2011 12:19:14 -0500 Subject: [Bro-Dev] Combining HTTP scripts? In-Reply-To: <20110209170633.GG53224@icir.org> References: <20110209170633.GG53224@icir.org> Message-ID: On Feb 9, 2011, at 12:06 PM, Robin Sommer wrote: > I think we should unify this so that in the future there's just a > single HTTP script to load, potentially then with options for > selecting specifics. Seth's http-ext already does much of that in > fact. > > Is there a consensus that that's the right way to go? I'd say that's probably the right way to go. I think some confusion has come from those scripts being separated as they are. Based on how the logging framework's shaping up though, we may have some more options about how this is structured. I think you may be right though that the ultimate answer could be configuration options in the http script. It would match well for the auto generated documentation too. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From vern at icir.org Wed Feb 9 10:10:46 2011 
From: vern at icir.org (Vern Paxson) Date: Wed, 09 Feb 2011 10:10:46 -0800 Subject: [Bro-Dev] Combining HTTP scripts? In-Reply-To: <20110209170633.GG53224@icir.org> (Wed, 09 Feb 2011 09:06:33 PST). Message-ID: <20110209181046.F388036A031@taffy.ICSI.Berkeley.EDU> > Is there a consensus that that's the right way to go? In general I like that. However, where do you draw the line? Processing individual headers and/or capturing transferred entities gets expensive. It's certainly reasonable that a default config gets response processing along with request processing; but I'm not sure about what other stuff it should include, due to load / log space considerations. Vern From seth at icir.org Wed Feb 9 11:13:56 2011 
From: seth at icir.org (Seth Hall) Date: Wed, 9 Feb 2011 14:13:56 -0500 Subject: [Bro-Dev] Combining HTTP scripts? In-Reply-To: <20110209181046.F388036A031@taffy.ICSI.Berkeley.EDU> References: <20110209181046.F388036A031@taffy.ICSI.Berkeley.EDU> Message-ID: On Feb 9, 2011, at 1:10 PM, Vern Paxson wrote: >> Is there a consensus that that's the right way to go? > > In general I like that. However, where do you draw the line? Processing > individual headers and/or capturing transferred entities gets expensive. > It's certainly reasonable that a default config gets response processing > along with request processing; but I'm not sure about what other stuff it > should include, due to load / log space considerations. That's a good point and one that I've certainly debated back and forth with myself quite a bit. Here's what I came down to in my http-ext script... https://github.com/sethhall/bro_scripts/blob/master/logging.http-ext.bro#L24 Not all of those fields are filled in by default (ex. md5, which is the md5 sum of the response body) but with the combination of record extensions and the logging framework, it should be really easy for users to add their own data to this record while maintaining the separation between shipped scripts and locally written ones. For cases like writing out the http response body, the normal file writing and printing functions and statements are still there so that the key-value logging framework can be bypassed. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From bro at tracker.icir.org Wed Feb 9 13:12:37 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 21:12:37 -0000 Subject: [Bro-Dev] #390: Problem with _logStats method in BroControl Message-ID: <043.44051fe7dfe56717621df1195fa8a270@tracker.icir.org> #390: Problem with _logStats method in BroControl ------------------------+------------------------ Reporter: seth | Owner: robin Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: BroControl | Version: git/master Keywords: | ------------------------+------------------------ In some installations (I don't know what criteria yet), the _logStats method will cause the cron command to never finish. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 14:04:08 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 09 Feb 2011 22:04:08 -0000 Subject: [Bro-Dev] #370: Plugin interface for BroControl In-Reply-To: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org> References: <043.95b2acb07df54963a84b633b546fafcb@tracker.icir.org> Message-ID: <058.f76f917bd9e55e5a822fccd18be7b03c@tracker.icir.org> #370: Plugin interface for BroControl ------------------------------+-------------------- Reporter: seth | Owner: robin Type: Feature Request | Status: new Priority: Normal | Milestone: Bro1.6 Component: BroControl | Version: Resolution: | Keywords: ------------------------------+-------------------- Comment (by seth): Having a way to trigger a plugin when a non-responsive host is detected would be helpful too. The cflow support could be moved to a plugin and it would make it easier for other runtime frontend modification. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Wed Feb 9 16:37:52 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 10 Feb 2011 00:37:52 -0000 Subject: [Bro-Dev] #391: topic/gregor/fix-val-64bit -- Integer type fixes Message-ID: <045.a5c7b255430f1848f40bdcf113c88ce1@tracker.icir.org> #391: topic/gregor/fix-val-64bit -- Integer type fixes ---------------------------+----------------- Reporter: gregor | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Component: Bro | Version: Keywords: | ---------------------------+----------------- CHANGES entry: * Fixing endianness error in XDR when data is not 4-byte aligned * Fix for Val constructor with new int64 typedefs. * Updated fix for OS X 10.5 compile error wrt llabs() * Fix more compiler warnings wrt printf format strings -------------------------------- Some more details * Val::Val had prototypes for int, long, int64, etc. But depending on the architecture some of those might be the same (int64 and long) thus yielding a compile error. Fix: only use int32, int64, etc. for prototype. ints and longs can still be passed, since they will match one of these fixed-width types regardless of platform. * Passes the test suite -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 10 05:12:15 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 10 Feb 2011 13:12:15 -0000 Subject: [Bro-Dev] #376: Parse git commits to change ticket status In-Reply-To: <044.94d2de55f3d5e894caa22879955b5dc2@tracker.icir.org> References: <044.94d2de55f3d5e894caa22879955b5dc2@tracker.icir.org> Message-ID: <059.9bf059de1627c53654a995eda3df2ecd@tracker.icir.org> #376: Parse git commits to change ticket status ------------------------------+------------------ Reporter: robin | Owner: seth Type: Feature Request | Status: new Priority: Normal | Milestone: Component: TicketTracker | Version: Resolution: | Keywords: ------------------------------+------------------ Comment (by seth): I added the post-commit hook to all of the repositories. It's untested though. I'll close the ticket once it's tested. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 10 08:10:35 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 10 Feb 2011 16:10:35 -0000 Subject: [Bro-Dev] #376: Parse git commits to change ticket status In-Reply-To: <044.94d2de55f3d5e894caa22879955b5dc2@tracker.icir.org> References: <044.94d2de55f3d5e894caa22879955b5dc2@tracker.icir.org> Message-ID: <059.fe42fdf795f2df2d7a1dc88871199b17@tracker.icir.org> #376: Parse git commits to change ticket status ------------------------------+------------------ Reporter: robin | Owner: seth Type: Feature Request | Status: new Priority: Normal | Milestone: Component: TicketTracker | Version: Resolution: | Keywords: ------------------------------+------------------ Comment (by robin): Cool, thanks. Is it the same keywords as previously with svn? Is there a link describing it we can put on our git page? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 10 12:50:43 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 10 Feb 2011 20:50:43 -0000 Subject: [Bro-Dev] #392: Broctl fails silently if ifconfig binary is not found Message-ID: <043.62a1359fd071640a6384fb3611da02fd@tracker.icir.org> #392: Broctl fails silently if ifconfig binary is not found ------------------------+-------------------- Reporter: seth | Owner: robin Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: BroControl | Version: Keywords: | ------------------------+-------------------- When broctl can't find the ifconfig binary (Redhat & Centos seem to keep it out of root's path) broctl will always fail with: {{{ error: script must be run on manager node }}} It seems that either some directories need to be statically added to the path or at least a warning about a needed tool not being found should be printed out. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 10 13:06:03 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 10 Feb 2011 21:06:03 -0000 Subject: [Bro-Dev] #393: Test ticket Message-ID: <043.584a871af2cf9572fe212f285bbffaf1@tracker.icir.org> #393: Test ticket ---------------------+----------------- Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Component: Bro | Version: Keywords: | ---------------------+----------------- please ignore -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 10 13:35:03 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 10 Feb 2011 21:35:03 -0000 Subject: [Bro-Dev] #393: Test ticket In-Reply-To: <043.584a871af2cf9572fe212f285bbffaf1@tracker.icir.org> References: <043.584a871af2cf9572fe212f285bbffaf1@tracker.icir.org> Message-ID: <058.18f11b566f13302ec5a5dd5718761fd0@tracker.icir.org> #393: Test ticket ----------------------+-------------------- Reporter: seth | Owner: seth Type: Problem | Status: closed Priority: Normal | Milestone: Component: Bro | Version: Resolution: fixed | Keywords: ----------------------+-------------------- Changes (by seth): * owner: => seth * status: new => closed * resolution: => fixed Comment: In [00a2aef7a2cfd90cd9c7cf067a18b02524c2ed70/bro]: {{{ #!CommitTicketReference repository="bro" revision="00a2aef7a2cfd90cd9c7cf067a18b02524c2ed70" Testing close ticket:393 }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From seth at icir.org Thu Feb 10 14:09:02 2011 From: seth at icir.org (Seth Hall) Date: Thu, 10 Feb 2011 17:09:02 -0500 Subject: [Bro-Dev] Closing tickets in commit messages Message-ID: <3062BF47-395D-4A9A-AD55-CCA7CC091830@icir.org> If you want to close a ticket through a commit message, the git->trac integration works now. You just need to reference the ticket in your commit message like this: ticket:393. I'm not completely sure of the full syntax available for commit messages, but my commits I just did a little bit ago closed my test ticket with this syntax. We'll just have to be careful with this since we've frequently been changing tickets to merge requests so that the person committing the fix is often not the person that actually closes the ticket. I also fixed another problem with viewing changesets through the tracker while I was working on this. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From bro at tracker.icir.org Thu Feb 10 14:10:02 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 10 Feb 2011 22:10:02 -0000 Subject: [Bro-Dev] #376: Parse git commits to change ticket status In-Reply-To: <044.94d2de55f3d5e894caa22879955b5dc2@tracker.icir.org> References: <044.94d2de55f3d5e894caa22879955b5dc2@tracker.icir.org> Message-ID: <059.56e34837f0d8ff025d323aad376b8856@tracker.icir.org> #376: Parse git commits to change ticket status ------------------------------+-------------------- Reporter: robin | Owner: seth Type: Feature Request | Status: closed Priority: Normal | Milestone: Component: TicketTracker | Version: Resolution: Solved | Keywords: ------------------------------+-------------------- Changes (by seth): * status: new => closed * resolution: => Solved -- Ticket URL: Bro Tracker Bro Issue Tracker From seth at icir.org Thu Feb 10 14:15:37 2011 
From: seth at icir.org (Seth Hall) Date: Thu, 10 Feb 2011 17:15:37 -0500 Subject: [Bro-Dev] Closing tickets in commit messages In-Reply-To: <3062BF47-395D-4A9A-AD55-CCA7CC091830@icir.org> References: <3062BF47-395D-4A9A-AD55-CCA7CC091830@icir.org> Message-ID: <0F0D0477-A680-4B67-8D19-0996C9800ED8@icir.org>

On Feb 10, 2011, at 5:09 PM, Seth Hall wrote:

> If you want to close a ticket through a commit message, the git->trac integration works now. You just need to reference the ticket in your commit message like this: ticket:393. I'm not completely sure of the full syntax available for commit messages, but my commits I just did a little bit ago closed my test ticket with this syntax. We'll just have to be careful with this since we've frequently been changing tickets to merge requests so that the person committing the fix is often not the person that actually closes the ticket.

Never mind, I found a place that documents the behavior. (down at the bottom of the page: http://www.topazproject.org/trac/wiki/CommitGuidelines)

=======begin========
Closing/Commenting-on Tickets

You can automatically comment on or close one or more tickets by including special "commands" in the commit message. These can be anywhere, as the whole commit message is searched. The message is searched for strings of the form:

* command #1
* command #1, #2
* command #1 & #2
* command #1 and #2

where 'command' is one of "close", "closes", "closed", "fix", "fixes", "fixed", "addresses", "re", "refs", "references", or "see", and N in #N is the ticket number. All of these cause the commit message to be added as a note to the tickets; additionally the close* and fix* commands cause the corresponding tickets to be closed. Note that you can both fix and reference as many tickets as desired in the commit message.
========end======

I'll add this to the git documentation page later. 
.Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From bro at tracker.icir.org Thu Feb 10 18:12:29 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 11 Feb 2011 02:12:29 -0000 Subject: [Bro-Dev] #392: Broctl fails silently if ifconfig binary is not found In-Reply-To: <043.62a1359fd071640a6384fb3611da02fd@tracker.icir.org> References: <043.62a1359fd071640a6384fb3611da02fd@tracker.icir.org> Message-ID: <058.a3b6d63d29c43b3c49b6143434acd1b7@tracker.icir.org> #392: Broctl fails silently if ifconfig binary is not found -------------------------+-------------------- Reporter: seth | Owner: robin Type: Problem | Status: closed Priority: Normal | Milestone: Bro1.6 Component: BroControl | Version: Resolution: Duplicate | Keywords: -------------------------+-------------------- Changes (by seth): * status: new => closed * resolution: => Duplicate Comment: Oops, duplicate -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 10 20:19:41 2011 
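The commit-message commands quoted in the "Closing tickets in commit messages" reply above, as an added example that is not part of the thread or of the Trac hook itself: a Python parser for that syntax, plus a check for commits that would auto-close a ticket tracked as a merge request. Case-insensitive matching and treating `ticket:N` (the form in the test commit for ticket 393) like `#N` are assumptions; the commit list and merge-request set are constructed sample data.

```python
import re

# Command words exactly as listed in the quoted guidelines.
CLOSING = {"close", "closes", "closed", "fix", "fixes", "fixed"}
REFERENCING = {"addresses", "re", "refs", "references", "see"}

# "#N" comes from the guidelines; "ticket:N" is the form used in the test
# commit for ticket 393. Treating the two as equivalent is an assumption.
TICKET = r"(?:#|ticket:)\d+"
TICKET_NUM = re.compile(r"(?:#|ticket:)(\d+)")

# A command word, then one ticket or a list joined by ",", "&" or "and".
# Case-insensitive matching is an assumption, not stated in the guidelines.
COMMAND_RE = re.compile(
    r"\b(?P<cmd>%s)\s+(?P<tickets>%s(?:\s*(?:,|&|and)\s*%s)*)"
    % ("|".join(sorted(CLOSING | REFERENCING)), TICKET, TICKET),
    re.IGNORECASE,
)


def ticket_actions(message):
    """Return {ticket_number: "close" | "comment"} for one commit message.

    The whole message is searched; a close/fix command anywhere in it wins
    over a plain reference to the same ticket.
    """
    actions = {}
    for match in COMMAND_RE.finditer(message):
        action = "close" if match.group("cmd").lower() in CLOSING else "comment"
        for number in TICKET_NUM.findall(match.group("tickets")):
            ticket = int(number)
            if action == "close" or ticket not in actions:
                actions[ticket] = action
    return actions


def closes_needing_review(commits, merge_request_tickets):
    """List (commit_id, ticket) pairs where a commit would auto-close a ticket
    that is tracked as a merge request, i.e. one the merger should close."""
    flagged = []
    for commit_id, message in commits:
        for ticket, action in sorted(ticket_actions(message).items()):
            if action == "close" and ticket in merge_request_tickets:
                flagged.append((commit_id, ticket))
    return flagged


# Constructed sample data: only the first message appears in the thread.
SAMPLE_COMMITS = [
    ("c1", "Testing close ticket:393"),
    ("c2", "Fixes #1, #2 and refs #3"),
    ("c3", "Cleanup, see more in #4"),   # "see" is not followed by a ticket
    ("c4", "re #5 & #6: follow-up"),
]
SAMPLE_MERGE_REQUESTS = {1, 4}

if __name__ == "__main__":
    for commit_id, message in SAMPLE_COMMITS:
        print(commit_id, ticket_actions(message))
    print("review:", closes_needing_review(SAMPLE_COMMITS, SAMPLE_MERGE_REQUESTS))
```
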
From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 11 Feb 2011 04:19:41 -0000 Subject: [Bro-Dev] #374: Add type testing operator In-Reply-To: <043.8b359cb3ae787df001044e74fe896074@tracker.icir.org> References: <043.8b359cb3ae787df001044e74fe896074@tracker.icir.org> Message-ID: <058.6cf98b06f944ab0ea0ee149d7437d37b@tracker.icir.org> #374: Add type testing operator ------------------------------+--------------------- Reporter: seth | Owner: robin Type: Feature Request | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Resolution: | Keywords: logging ------------------------------+--------------------- Comment (by robin): Per the email discussion, the branch `topic/robin/record-coercion` now implements a different way of doing this, allowing non-matching record types to be passed into a function as long as all necessary fields are present. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 10 20:21:49 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 11 Feb 2011 04:21:49 -0000 Subject: [Bro-Dev] #319: Changes Xprintf() formats to use PRIxyz, e.g., PRIu64, PRIx32 In-Reply-To: <045.48d6fe6e9203210c71977a92e0b469cc@tracker.icir.org> References: <045.48d6fe6e9203210c71977a92e0b469cc@tracker.icir.org> Message-ID: <060.d3aab2deecb86d1463d9871c9d39873c@tracker.icir.org> #319: Changes Xprintf() formats to use PRIxyz, e.g., PRIu64, PRIx32 -----------------------------+---------------------- Reporter: gregor | Owner: robin Type: Task | Status: closed Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Resolution: Merged/Applied | Keywords: inttypes -----------------------------+---------------------- Changes (by robin): * status: new => closed * resolution: => Merged/Applied Comment: This was part of #335, at least for those where the compiler generated warnings. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 11 09:51:40 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 11 Feb 2011 17:51:40 -0000 Subject: [Bro-Dev] #394: all.bro loads non-existent policy and segfaults Message-ID: <045.8886ff9e67d9c2f2571dc694c41ec1bd@tracker.icir.org> #394: all.bro loads non-existent policy and segfaults ---------------------+-------------------- Reporter: gregor | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Keywords: | ---------------------+--------------------

* all.bro tries to load ssl-worm.sig (via ssl-worm.bro). However, the sig file doesn't exist but the .bro file does. Is the sig just missing from git or should the bro file be removed?
* when I remove the ssl-worm.bro from all.bro it runs but eventually segfaults:

{{{
Reading symbols for shared libraries b........ done
#0 0x0000000000000000 in ?? ()
(gdb) bt
#0 0x0000000000000000 in ?? ()
#1 0x00000001001d8c8d in Serializer::StartSerialization (this=0x10290c240, info=0x7fff5fbfea40, descr=0x10028b4b8 "call", tag=101 'e') at /Users/gregor/projects/bro-git/src/Serializer.cc:60
#2 0x00000001001da2b7 in Serializer::Serialize (this=0x10290c240, info=0x7fff5fbfea40, func=0x100b33100 "rotate_interval", args=0x102e67fb0) at /Users/gregor/projects/bro-git/src/Serializer.cc:133
#3 0x0000000100095316 in Event::Dispatch (this=0x100b1de70, no_remote=true) at Event.h:40
#4 0x00000001000953bc in EventMgr::Dispatch (this=0x1003e2cc0, event=0x100b1de70, no_remote=true) at Event.h:81
#5 0x000000010012ead6 in BroFile::CloseCachedFiles () at /Users/gregor/projects/bro-git/src/File.cc:614
#6 0x00000001000914a2 in termination_signal () at /Users/gregor/projects/bro-git/src/main.cc:309
#7 0x0000000100188201 in net_run () at /Users/gregor/projects/bro-git/src/Net.cc:578
#8 0x00000001000938ca in main (argc=2, argv=0x7fff5fbff278) at /Users/gregor/projects/bro-git/src/main.cc:1001
}}}

-- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 11 09:51:51 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 11 Feb 2011 17:51:51 -0000 Subject: [Bro-Dev] #394: all.bro loads non-existent policy and segfaults In-Reply-To: <045.8886ff9e67d9c2f2571dc694c41ec1bd@tracker.icir.org> References: <045.8886ff9e67d9c2f2571dc694c41ec1bd@tracker.icir.org> Message-ID: <060.3a00dd8ca710ecc7ae5faffdae2a8c67@tracker.icir.org> #394: all.bro loads non-existent policy and segfaults ----------------------+------------------------ Reporter: gregor | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Changes (by gregor): * version: => git/master -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 11 15:21:04 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 11 Feb 2011 23:21:04 -0000 Subject: [Bro-Dev] #375: Extending record type fields In-Reply-To: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org> References: <043.8edae7eaa6a3609d14220f5e1643d239@tracker.icir.org> Message-ID: <058.6631190bf683bde85377ba9530d91594@tracker.icir.org> #375: Extending record type fields ------------------------------+--------------------- Reporter: seth | Owner: robin Type: Feature Request | Status: testing Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Resolution: | Keywords: logging ------------------------------+--------------------- Changes (by robin): * status: new => testing -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 11 15:25:25 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 11 Feb 2011 23:25:25 -0000 Subject: [Bro-Dev] #374: Add type testing operator In-Reply-To: <043.8b359cb3ae787df001044e74fe896074@tracker.icir.org> References: <043.8b359cb3ae787df001044e74fe896074@tracker.icir.org> Message-ID: <058.422937aad302b76e07568e1bf4e0310f@tracker.icir.org> #374: Add type testing operator ------------------------------+--------------------- Reporter: seth | Owner: robin Type: Feature Request | Status: testing Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: Resolution: | Keywords: logging ------------------------------+--------------------- Changes (by robin): * status: new => testing -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 11 15:25:47 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 11 Feb 2011 23:25:47 -0000 Subject: [Bro-Dev] #384: Nearly any broccoli/ssl error causes bro to crash In-Reply-To: <044.a28f494a460ad398fbc33365da861083@tracker.icir.org> References: <044.a28f494a460ad398fbc33365da861083@tracker.icir.org> Message-ID: <059.4bad36f2d1786f2ef6d6599a7baa07c2@tracker.icir.org> #384: Nearly any broccoli/ssl error causes bro to crash ----------------------+--------------------- Reporter: leres | Owner: robin Type: Problem | Status: testing Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: 1.5.1 Resolution: | Keywords: ----------------------+--------------------- Changes (by robin): * status: assigned => testing -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 11 15:32:25 2011 
From: bro at tracker.icir.org (Bro Tracker)
Date: Fri, 11 Feb 2011 23:32:25 -0000
Subject: [Bro-Dev] #395: Cannot add global to module if it already exists in global namespace
Message-ID: <045.a0dc314d3416569a1ca3428faf00cfe3@tracker.icir.org>

#395: Cannot add global to module if it already exists in global namespace
---------------------+------------------------
 Reporter:  gregor   |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro1.6
Component:  Bro      |    Version:  git/master
 Keywords:           |
---------------------+------------------------
{{{
#!rst
The following policy snippet doesn't work::

    global a = 1;
    # the above can also be in a different file
    module FOO;
    export {
        global a = 2;
    }

I get the error: ``(a): error, already defined``

When I define the a's in a different order (module first, then global) it works as expected.

From a quick glance it seems that the problem is that when bro parses the ``global`` in the module it searches all its scopes to check whether the identifier already exists. I think this scanning of all scopes is necessary to make redefs of globals in modules work (global xyz and redef xyz are handled pretty much the same in ``parse.y``).

The problem also exists when trying to "overload" types (i.e., have type xyz in the global scope and then try to redefine it in the module scope).
}}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 11 16:45:09 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Sat, 12 Feb 2011 00:45:09 -0000
Subject: [Bro-Dev] #396: cmake does not create broccoli-config with execute perms
Message-ID: <044.1a71c7aef9a42b869853de5f3c9b5321@tracker.icir.org>

#396: cmake does not create broccoli-config with execute perms
----------------------+-----------------------
 Reporter:  leres     |      Owner:  kreibich
     Type:  Problem   |     Status:  new
 Priority:  Low       |  Milestone:
Component:  Broccoli  |    Version:  git/topic
 Keywords:            |
----------------------+-----------------------
After building broccoli from the git repo (topic/robin/comm-ssl), I found that the build/broccoli-config script is mode 644. Since this file is generated I'm sure there's some way to automatically make it executable but since I totally don't understand how cmake works I am unable to provide a patch.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Fri Feb 11 18:45:56 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Sat, 12 Feb 2011 02:45:56 -0000
Subject: [Bro-Dev] #397: double quoted broccoli config values broken due to misordering of lex rules
Message-ID: <044.d55f158ee8058347ec1d2b758ae5f404@tracker.icir.org>

#397: double quoted broccoli config values broken due to misordering of lex rules
----------------------+-----------------------
 Reporter:  leres     |      Owner:  kreibich
     Type:  Problem   |     Status:  new
 Priority:  Normal    |  Milestone:
Component:  Broccoli  |    Version:  git/topic
 Keywords:            |
----------------------+-----------------------
I was having trouble getting ssl working with an empty cert password:

    /broccoli/host_pass ""

This is because the rule that matches a BROWORD appears before the rule that matches a BROSTRING; this means any string value that uses double quotes will have the double quotes in the value string.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Sat Feb 12 00:51:09 2011
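The rule-order effect reported in ticket #397 above, shown with a small matcher that follows the lex/flex convention (longest match wins, a tie goes to the rule listed first). This is an added illustration, not part of the ticket and not Broccoli's lexer: only the token names BROWORD and BROSTRING and the `/broccoli/host_pass ""` line come from the ticket; the two patterns and the `/example/...` keys are assumptions.

```python
import re

# Constructed rule set. The patterns are assumptions chosen so that both rules
# can match a double-quoted value of the same length; they are not the
# patterns used in Broccoli's lex file.
RULES = {
    # Any run of non-whitespace characters, value taken verbatim.
    "BROWORD": (re.compile(r"\S+"), lambda text: text),
    # A double-quoted run, value is the text between the quotes.
    "BROSTRING": (re.compile(r'"[^"\n]*"'), lambda text: text[1:-1]),
}

BUGGY_ORDER = ["BROWORD", "BROSTRING"]   # order described in the ticket
FIXED_ORDER = ["BROSTRING", "BROWORD"]   # string rule listed first

# Constructed sample input; the first line is the one quoted in the ticket.
SAMPLE = [
    '/broccoli/host_pass ""',
    '/example/quoted "value"',
    '/example/bare value',
]


def next_token(order, data, pos=0):
    """Return (rule_name, value, end) for the rule lex would pick at pos.

    The longest match wins; on equal length the rule that comes first in
    `order` wins, which is why the strict '>' comparison is used below.
    """
    best = None
    for name in order:
        pattern, action = RULES[name]
        match = pattern.match(data, pos)
        if match and (best is None or match.end() > best[2]):
            best = (name, action(match.group(0)), match.end())
    return best


def parse_config_line(order, line):
    """Split '<key> <value>' and tokenize the value with the given rule order."""
    key, _, rest = line.partition(" ")
    token = next_token(order, rest.strip())
    if token is None:
        raise ValueError("no rule matches value in line: %r" % line)
    name, value, _ = token
    return key, name, value


def quoted_leftovers(order, lines):
    """List keys whose parsed value still carries its surrounding quotes."""
    flagged = []
    for line in lines:
        key, _, value = parse_config_line(order, line)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for label, order in (("word rule first", BUGGY_ORDER),
                         ("string rule first", FIXED_ORDER)):
        print(label)
        for line in SAMPLE:
            print("  ", parse_config_line(order, line))
        print("   values with literal quotes:", quoted_leftovers(order, SAMPLE))
```

With the word rule first, the empty password is read as the two-character value `""`; with the string rule first it is read as an empty string, and unquoted values are unaffected.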
From: bro at tracker.icir.org (Bro Tracker)
Date: Sat, 12 Feb 2011 08:51:09 -0000
Subject: [Bro-Dev] #398: "make dist" requires cmake and swig
Message-ID: <044.44dda21316bfb5b511c7d89dca7fd78d@tracker.icir.org>

#398: "make dist" requires cmake and swig
-------------------+-----------------------------
 Reporter:  leres  |       Type:  Feature Request
   Status:  new    |   Priority:  Normal
Milestone:         |  Component:  Bro
  Version:         |   Keywords:
-------------------+-----------------------------
Let me start out by saying I don't understand cmake yet. Meanwhile, I see aspects of the current setup that seem like problems to me. One is that to do "make dist" in a working tree, you must have cmake and swig installed.

I assume there are parallels between cmake the auto* tools. That is when you want to change the cmake configuration you have to run a command or script. But I think there's a lot of value in using the same configure scripts for development as end users; rare problems are found prior to release and rough edges get cleaned up.

But also I've always tried to make my packages self replicating. So if I have a source control working tree or an unpacked distribution, I can always build a new distribution without special tools. Sure, if I want to change the configure script I probably need some extra software but to make a small tweak and repackage I just need tar.

So, ideally I'd like to see scripts named "configure" be the same as what gets packaged into distributions and the current script be called something else.

In any case, it seems like a bug to me that while "make dist" complains if cmake is not on the path, it doesn't also check for swig; clearly it's needed since the process bombs if it's not installed.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Sun Feb 13 12:17:32 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Sun, 13 Feb 2011 20:17:32 -0000 Subject: [Bro-Dev] #396: cmake does not create broccoli-config with execute perms In-Reply-To: <044.1a71c7aef9a42b869853de5f3c9b5321@tracker.icir.org> References: <044.1a71c7aef9a42b869853de5f3c9b5321@tracker.icir.org> Message-ID: <059.e6c569f986104cc1e00db5aea1e0119d@tracker.icir.org> #396: cmake does not create broccoli-config with execute perms -----------------------+----------------------- Reporter: leres | Owner: jsiwek Type: Problem | Status: assigned Priority: Normal | Milestone: Component: Broccoli | Version: git/topic Resolution: | Keywords: -----------------------+----------------------- Changes (by robin): * owner: kreibich => jsiwek * priority: Low => Normal * status: new => assigned -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Sun Feb 13 12:19:42 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Sun, 13 Feb 2011 20:19:42 -0000 Subject: [Bro-Dev] #383: RemoteSerializer: Improve "all or nothing" socket buffer size change code In-Reply-To: <044.38bb1aa3d6b5a387e38f7407f6499494@tracker.icir.org> References: <044.38bb1aa3d6b5a387e38f7407f6499494@tracker.icir.org> Message-ID: <059.2159cdd390d8cb98a32c717aef6e1f89@tracker.icir.org> #383: RemoteSerializer: Improve "all or nothing" socket buffer size change code -----------------------------+------------------------ Reporter: leres | Owner: Type: Patch | Status: closed Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: 1.5.1 Resolution: Merged/Applied | Keywords: setsockopt -----------------------------+------------------------ Changes (by robin): * status: new => closed * resolution: => Merged/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Sun Feb 13 12:20:13 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Sun, 13 Feb 2011 20:20:13 -0000 Subject: [Bro-Dev] #398: "make dist" requires cmake and swig In-Reply-To: <044.44dda21316bfb5b511c7d89dca7fd78d@tracker.icir.org> References: <044.44dda21316bfb5b511c7d89dca7fd78d@tracker.icir.org> Message-ID: <059.92fae6a47ac8cfc0184888e1ee849937@tracker.icir.org> #398: "make dist" requires cmake and swig ------------------------------+---------------------- Reporter: leres | Owner: jsiwek Type: Feature Request | Status: assigned Priority: Normal | Milestone: Component: Bro | Version: Resolution: | Keywords: ------------------------------+---------------------- Changes (by robin): * owner: => jsiwek * status: new => assigned -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Sun Feb 13 18:59:06 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Mon, 14 Feb 2011 02:59:06 -0000 Subject: [Bro-Dev] #399: Installing from aux/broccoli uses the default prefix Message-ID: <044.68628c93682fa903099656baaf1d83a8@tracker.icir.org> #399: Installing from aux/broccoli uses the default prefix ----------------------+----------------------- Reporter: leres | Owner: kreibich Type: Problem | Status: new Priority: Normal | Milestone: Component: Broccoli | Version: git/devel Keywords: | ----------------------+----------------------- If configure with the defaults then build and install /usr/local/bro appears to be the default prefix. But if I later want to reinstall just aux/broccoli and execute "make install" in that directory, files are installed with /usr/local as the prefix. See attached log. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Mon Feb 14 07:44:49 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Mon, 14 Feb 2011 15:44:49 -0000 Subject: [Bro-Dev] #399: Installing from aux/broccoli uses the default prefix In-Reply-To: <044.68628c93682fa903099656baaf1d83a8@tracker.icir.org> References: <044.68628c93682fa903099656baaf1d83a8@tracker.icir.org> Message-ID: <059.04af9330b50b7384c395f008a788cf2b@tracker.icir.org> #399: Installing from aux/broccoli uses the default prefix -----------------------+----------------------- Reporter: leres | Owner: jsiwek Type: Problem | Status: assigned Priority: Normal | Milestone: Component: Broccoli | Version: git/devel Resolution: | Keywords: -----------------------+----------------------- Changes (by jsiwek): * owner: kreibich => jsiwek * status: new => assigned -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Mon Feb 14 10:57:01 2011 
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 14 Feb 2011 18:57:01 -0000
Subject: [Bro-Dev] #399: Installing from aux/broccoli uses the default prefix
In-Reply-To: <044.68628c93682fa903099656baaf1d83a8@tracker.icir.org>
References: <044.68628c93682fa903099656baaf1d83a8@tracker.icir.org>
Message-ID: <059.b9acbff0abe0e384f058588012770a5d@tracker.icir.org>

#399: Installing from aux/broccoli uses the default prefix
-----------------------+-----------------------
  Reporter:  leres     |      Owner:  jsiwek
      Type:  Problem   |     Status:  closed
  Priority:  Normal    |  Milestone:
 Component:  Broccoli  |    Version:  git/devel
Resolution:  Invalid   |   Keywords:
-----------------------+-----------------------
Changes (by jsiwek):

 * status:  assigned => closed
 * resolution:  => Invalid

Comment:

I think this is generally just a misconception of how configuring/building Bro as a monolithic project works. When configuring Bro from the top-level directory, none of the configuration state is shared with sub-projects. You need to either:

1) execute the `make install` from the top-level directory to install broccoli again (it will also check if the other Bro components need to be installed)

2) configure/build broccoli as its own independent package that points to the install prefix that you want (this is effectively what you were doing, but you didn't do a `./configure --prefix=...` so the default was used)

The default install prefix for broccoli could be changed to `/usr/local/bro` (or bro's changed to `/usr/local/`) to make them consistent, but I think they make sense the way they are.

I'm going to close this, but anyone feel free to reopen with comments if you have them.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 14 11:43:36 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 14 Feb 2011 19:43:36 -0000
Subject: [Bro-Dev] #398: "make dist" requires cmake and swig
In-Reply-To: <044.44dda21316bfb5b511c7d89dca7fd78d@tracker.icir.org>
References: <044.44dda21316bfb5b511c7d89dca7fd78d@tracker.icir.org>
Message-ID: <059.2199f436db7f2ffb86851fe236b40c78@tracker.icir.org>

#398: "make dist" requires cmake and swig
------------------------------+----------------------
  Reporter:  leres            |      Owner:  jsiwek
      Type:  Feature Request  |     Status:  assigned
  Priority:  Normal           |  Milestone:
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:
------------------------------+----------------------
Comment (by jsiwek):

> One is that to do "make dist" in a working tree, you must have cmake and swig installed.

I think the problem is more general than that: to do `make dist` you need to satisfy all of Bro's dependencies. This is because "make dist" relies on CMake doing a `./configure ...`, but the actual logic behind that will look for build-time dependencies and fail if they aren't present. Yeah, that's not ideal, but it's also not a big issue for us since we'll always be creating source distributions from systems that satisfy the build dependencies.

> I assume there are parallels between cmake the auto* tools. That is when you want to change the cmake configuration you have to run a command or script. But I think there's a lot of value in using the same configure scripts for development as end users; rare problems are found prior to release and rough edges get cleaned up.

The `./configure` script is now a wrapper to CMake. To change a build configuration `./configure` can just be run again (with desired options). This should be equivalent to how Autotools does things and there's also no difference between how developers and end-users will build from source (i.e. CMake is always a requirement to build Bro from source).

> So, ideally I'd like to see scripts named "configure" be the same as what gets packaged into distributions and the current script be called something else.

This should already be true -- "configure" is a static script that will be packaged into distributions. I'm not sure what your request is or what you mean by "the current script".

> In any case, it seems like a bug to me that while "make dist" complains if cmake is not on the path, it doesn't also check for swig; clearly it's needed since the process bombs if it's not installed.

So the reason the `make dist` bombs is not for lack of checking for swig, but actually because it *is* checking for it when it isn't strictly necessary for source packaging. The difference between that and the check for `cmake` is that we have to do that in the Makefile, which has the side effect of giving you an earlier error message.

If you're able to come up with a `make dist` target that doesn't depend on CMake/CPack like it currently does, I'd be willing to incorporate that change.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Tue Feb 15 08:42:42 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 15 Feb 2011 16:42:42 -0000 Subject: [Bro-Dev] #357: Only log missing support for libgeoip a single time. In-Reply-To: <043.5e3eefc4db47729fe7e887317f7619e6@tracker.icir.org> References: <043.5e3eefc4db47729fe7e887317f7619e6@tracker.icir.org> Message-ID: <058.e389d728da39e6daf9d681b695ece950@tracker.icir.org> #357: Only log missing support for libgeoip a single time. ----------------------+------------------------ Reporter: seth | Owner: robin Type: Problem | Status: accepted Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: | Keywords: sprint ----------------------+------------------------ Comment (by seth): Thinking about this more, should we have some mechanism where system configuration messages that aren't going to change during the run can be logged a single time? It occurs to me that there must be other instances of this. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 15 08:48:19 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 15 Feb 2011 16:48:19 -0000 Subject: [Bro-Dev] #357: Only log missing support for libgeoip a single time. In-Reply-To: <043.5e3eefc4db47729fe7e887317f7619e6@tracker.icir.org> References: <043.5e3eefc4db47729fe7e887317f7619e6@tracker.icir.org> Message-ID: <058.bc76df9073b40c9c9a6f9d9f18042a86@tracker.icir.org> #357: Only log missing support for libgeoip a single time. ----------------------+------------------------ Reporter: seth | Owner: robin Type: Problem | Status: accepted Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: | Keywords: sprint ----------------------+------------------------ Comment (by seth): We could also have those messages written to their own separate log file so they don't get lost in the mess of other log messages. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 15 08:56:45 2011 
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 15 Feb 2011 16:56:45 -0000
Subject: [Bro-Dev] #357: Only log missing support for libgeoip a single time.
In-Reply-To: <043.5e3eefc4db47729fe7e887317f7619e6@tracker.icir.org>
References: <043.5e3eefc4db47729fe7e887317f7619e6@tracker.icir.org>
Message-ID: <058.7f76037b7eff743acf3ac88644391d61@tracker.icir.org>

#357: Only log missing support for libgeoip a single time.
----------------------+------------------------
  Reporter:  seth     |      Owner:  robin
      Type:  Problem  |     Status:  accepted
  Priority:  Normal   |  Milestone:  Bro1.6
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  sprint
----------------------+------------------------
Comment (by robin):

> We could also have those messages written to their own separate log file
> so they don't get lost in the mess of other log messages.

Yes, I was thinking about something like that. That would also address some of Craig's SSL problems where misconfigurations are currently only reported once a client connects.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Tue Feb 15 14:37:08 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 15 Feb 2011 22:37:08 -0000
Subject: [Bro-Dev] #72: Use 64Bit integers in Bro by default
In-Reply-To: <045.e3497c69dfe36a4cddde29c01881d602@tracker.icir.org>
References: <045.e3497c69dfe36a4cddde29c01881d602@tracker.icir.org>
Message-ID: <060.cfef69af3de6033ad26e906e61259e2d@tracker.icir.org>

#72: Use 64Bit integers in Bro by default
---------------------+--------------------------------------------
  Reporter:  gregor  |      Owner:  robin
      Type:  Task    |     Status:  testing
  Priority:  Normal  |  Milestone:  Bro1.6
 Component:  Bro     |    Version:  1.5.2
Resolution:          |   Keywords:  integer size, 64 bit, inttypes
---------------------+--------------------------------------------
Changes (by robin):

 * status:  seen => testing

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Tue Feb 15 14:40:06 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 15 Feb 2011 22:40:06 -0000
Subject: [Bro-Dev] #382: Design an internal API for logging backends
In-Reply-To: <044.1bec2fcec10edc2608651458c92f895a@tracker.icir.org>
References: <044.1bec2fcec10edc2608651458c92f895a@tracker.icir.org>
Message-ID: <059.0c4170111d01cb281965457745219ba5@tracker.icir.org>

#382: Design an internal API for logging backends
----------------------+----------------------
  Reporter:  robin    |      Owner:  robin
      Type:  Problem  |     Status:  accepted
  Priority:  Normal   |  Milestone:  Bro1.6
 Component:  Bro      |    Version:
Resolution:           |   Keywords:  logging
----------------------+----------------------
Comment (by robin):

Proposal now here http://bro.icir.org/devel/projects/logging-api.html#proposal-for-internal-api.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From gregor at icir.org Tue Feb 15 15:31:52 2011
From: gregor at icir.org (Gregor Maier)
Date: Tue, 15 Feb 2011 15:31:52 -0800
Subject: [Bro-Dev] Bif tuning / overhaul
Message-ID: <4D5B0CE8.4020203@icir.org>

Hi,

I've revamped the Bro bif language a bit. Mainly to add support for namespaces and features that would be handy for my RPC/NFS analyzers.

I've also documented what one can do with bifs. Find it at:
http://bro.icir.org/devel/bif-doc/
an overview of all of it:
http://bro.icir.org/devel/bif-doc/example.html

The main changes (from current master version):

* support for policy-layer namespaces. Either using fully qualified names (MODULE::foobar) or using the "module XYZ;" statement.

* C/C++ variables, and functions have their own namespaces:
    BifConst    for consts
    BifTypePtr  for type declarations (RecordType*, EnumType*)
    BifEnum     for C-enums derived from BiFs
    BifFunc     for bif functions
    BifEvent    for (some parts) of events. I haven't moved all of the event related C++ variables into this namespace, because this would substantial refactoring of existing code

  Question: Could also use BroConst, etc. instead of BifConst

* const:
  + can now use any type for consts (previously: only bools)
  + can now only declare but not define consts. You must define the const in bro.init. The bif only creates the netvar glue code. This will help streamline automatically generated documentation and it was necessary for supporting types other than bool

* forward type declaration: can you declare but not define Bro types (records, sets, etc.) in BiF to make them available to C++. The bif only generates the netvar glue. The types must be defined in bro.init

Comments?

cu
Gregor
etc.)

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From robin at icir.org Wed Feb 16 08:30:50 2011
From: robin at icir.org (Robin Sommer)
Date: Wed, 16 Feb 2011 08:30:50 -0800
Subject: [Bro-Dev] Bif tuning / overhaul
In-Reply-To: <4D5B0CE8.4020203@icir.org>
References: <4D5B0CE8.4020203@icir.org>
Message-ID: <20110216163050.GB41102@icir.org>

On Tue, Feb 15, 2011 at 15:31 -0800, you wrote:

> I've also documented what one can do with bifs. Find it at:
> http://bro.icir.org/devel/bif-doc/

Thanks for putting this together! I need to read a bit more carefully, and I guess play with it, but overall this looks good to me. Nice stuff.

> BifConst for consts
> BifTypePtr for type declarations (RecordType*, EnumType*)
> BifEnum for C-enums derived from BiFs
> BifFunc for bif functions
> BifEvent for (some parts) of events. I haven't moved all of
> the event related C++ variables into this namespace,
> because this would substantial refactoring of existing
> code
>
> Question: Could also use BroConst, etc. instead of BifConst

I actually like the Bif prefix, it clearly indicates where the stuff is coming from. But how about using "BifType" instead of "BifTypePtr". Types are always passed around as pointers anyway, so I don't see a problem with leaving that hint out, and it makes the name more intuitive.

> + can now only declare but not define consts. You must define
> the const in bro.init. The bif only creates the netvar glue code.

Is the reason for this just the work it would require to implement it fully, or something else? Seems in principle bifcl could just as well generate everything, with all the definitions (for consts, types, etc.) being right there in the bif as well. That would be ideal as it would follow the rule of "having things only in one place". (I'm not asking you to implement it; just curious).

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From bro at tracker.icir.org Wed Feb 16 08:42:50 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Wed, 16 Feb 2011 16:42:50 -0000
Subject: [Bro-Dev] #376: Parse git commits to change ticket status
In-Reply-To: <044.94d2de55f3d5e894caa22879955b5dc2@tracker.icir.org>
References: <044.94d2de55f3d5e894caa22879955b5dc2@tracker.icir.org>
Message-ID: <059.4dbc8777f73281e19e79ca57c0a56ade@tracker.icir.org>

#376: Parse git commits to change ticket status
------------------------------+----------------------
  Reporter:  robin            |      Owner:  seth
      Type:  Feature Request  |     Status:  reopened
  Priority:  Normal           |  Milestone:
 Component:  TicketTracker    |    Version:
Resolution:                   |   Keywords:
------------------------------+----------------------
Changes (by robin):

 * status:  closed => reopened
 * resolution:  Solved =>

Comment:

Is this also installed for other repositories than Bro? There's an "addresses #n" in 452f6f93486f8937d8ef5cf2edb46bf8926f5ed6 for Broccoli, but the ticket didn't get updated?

Also, I think you haven't added the link to the documentation for this to the git page yet. I'd add some words to the "writing commit messages" I think.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Wed Feb 16 09:02:35 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Wed, 16 Feb 2011 17:02:35 -0000
Subject: [Bro-Dev] #376: Parse git commits to change ticket status
In-Reply-To: <044.94d2de55f3d5e894caa22879955b5dc2@tracker.icir.org>
References: <044.94d2de55f3d5e894caa22879955b5dc2@tracker.icir.org>
Message-ID: <059.10075e9954352f4c57c6c6b621355d4f@tracker.icir.org>

#376: Parse git commits to change ticket status
------------------------------+----------------------
  Reporter:  robin            |      Owner:  seth
      Type:  Feature Request  |     Status:  reopened
  Priority:  Normal           |  Milestone:
 Component:  TicketTracker    |    Version:
Resolution:                   |   Keywords:
------------------------------+----------------------
Comment (by seth):

> Is this also installed for other repositories than Bro? There's an
> "addresses #n" in 452f6f93486f8937d8ef5cf2edb46bf8926f5ed6 for Broccoli,
> but the ticket didn't get updated?

Done. I ran out of time on the day I was doing that.

> Also, I think you haven't added the link to the documentation for this to
> the git page yet. I'd add some words to the "writing commit messages" I
> think.

Will do that this afternoon.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From gregor at icir.org Wed Feb 16 11:03:25 2011
From: gregor at icir.org (Gregor Maier)
Date: Wed, 16 Feb 2011 11:03:25 -0800
Subject: [Bro-Dev] Bif tuning / overhaul
In-Reply-To: <20110216163050.GB41102@icir.org>
References: <4D5B0CE8.4020203@icir.org> <20110216163050.GB41102@icir.org>
Message-ID: <4D5C1F7D.8020001@icir.org>

> I actually like the Bif prefix, it clearly indicates where the stuff
> is coming from. But how about using "BifType" instead of "BifTypePtr".
> Types are always passed around as pointers anyway, so I don't see a
> problem with leaving that hint out, and it makes the name more
> intuitive.

Can do. (I guess that's a leftover from an earlier version where all the namespaces were called Bro* and BroType obviously already exists ;-)

>> + can now only declare but not define consts. You must define
>> the const in bro.init. The bif only creates the netvar glue code.
>
> Is the reason for this just the work it would require to implement it
> fully, or something else? Seems in principle bifcl could just as well
> generate everything, with all the definitions (for consts, types,
> etc.) being right there in the bif as well. That would be ideal as it
> would follow the rule of "having things only in one place". (I'm not
> asking you to implement it; just curious).

I agree that it would be great to be able to do all this stuff in BiF. The reason why I haven't implemented it is indeed, that it would require a lot of work to do it. Bro's syntax for defining types, and consts is very rich and implementing that would require to add a good chunk of the Bro syntax to Bifcl. We would probably have to rewrite most of the Bif parser. If we want that, we might want to consider using the Bro-parser and extending it to support generation of C/C++ (basically have two modes for the Bro-parser: BiF and script).

This would be something to keep in mind when we move towards compiling Bro scripts (into HILTI) and/or when we think of adding "plugins" so that analyzers can be developed externally and then loaded as a plugin. Then BiF's could be just one such plugin.

cu
Gregor

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From appleman at ncsa.illinois.edu Wed Feb 16 12:44:20 2011
From: appleman at ncsa.illinois.edu (Don Appleman)
Date: Wed, 16 Feb 2011 14:44:20 -0600 (CST)
Subject: [Bro-Dev] Compile errors
In-Reply-To: <1514676560.4456.1297888807941.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <32788825.4495.1297889060252.JavaMail.root@zimbra-1.ncsa.uiuc.edu>

I'm currently working to get automated builds going on the NMI build/test lab. I have all the necessary prerequisites to build bro on the NMI x86_64_ubuntu_10.04 platform, which is the same platform as my laptop. I can build without error on my laptop, but I get compile errors when building on the NMI build target.

Can someone give me an idea of how to resolve the following errors?

> In file included from /home/condor/execute/dir_4281/userdir/bro/src/Conn.h:11,
> from /home/condor/execute/dir_4281/userdir/bro/src/Analyzer.h:11,
> from /home/condor/execute/dir_4281/userdir/bro/src/binpac_bro.h:11,
> from /home/condor/execute/dir_4281/userdir/bro/build/src/bittorrent_pac.h:11,
> from /home/condor/execute/dir_4281/userdir/bro/build/src/bittorrent_pac.cc:3:
> /home/condor/execute/dir_4281/userdir/bro/src/Val.h:130: error: 'Val::Val(int64, TypeTag)' cannot be overloaded
> /home/condor/execute/dir_4281/userdir/bro/src/Val.h:100: error: with 'Val::Val(long int, TypeTag)'
> /home/condor/execute/dir_4281/userdir/bro/src/Val.h:140: error: 'Val::Val(uint64, TypeTag)' cannot be overloaded
> /home/condor/execute/dir_4281/userdir/bro/src/Val.h:120: error: with 'Val::Val(long unsigned int, TypeTag)'

Thanks much,
Don

--
Don Appleman
National Center for Supercomputing Applications
2006B NCSA, 1205 W. Clark St.
Urbana, IL 61801
217/333-6340
appleman at ncsa.illinois.edu

From jsiwek at ncsa.illinois.edu Wed Feb 16 13:27:35 2011
From: jsiwek at ncsa.illinois.edu (Jonathan Siwek)
Date: Wed, 16 Feb 2011 15:27:35 -0600 (CST)
Subject: [Bro-Dev] Compile errors
In-Reply-To: <32788825.4495.1297889060252.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <9813059.34.1297891653852.JavaMail.jsiwek@tangent.ncsa.illinois.edu>

> Can someone give me an idea of how to resolve the following errors?
>
> > In file included from
> > /home/condor/execute/dir_4281/userdir/bro/src/Conn.h:11,
> > from
> > /home/condor/execute/dir_4281/userdir/bro/src/Analyzer.h:11,
> > from
> > /home/condor/execute/dir_4281/userdir/bro/src/binpac_bro.h:11,
> > from
> > /home/condor/execute/dir_4281/userdir/bro/build/src/bittorrent_pac.h:11,
> > from
> > /home/condor/execute/dir_4281/userdir/bro/build/src/bittorrent_pac.cc:3:
> > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:130: error:
> > 'Val::Val(int64, TypeTag)' cannot be overloaded
> > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:100: error: with
> > 'Val::Val(long int, TypeTag)'
> > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:140: error:
> > 'Val::Val(uint64, TypeTag)' cannot be overloaded
> > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:120: error: with
> > 'Val::Val(long unsigned int, TypeTag)'

I don't have a resolution, but can suggest what to look at to (maybe) figure one out or at least better define what the problem is.

int64 looks like it's typedef'd in src/util.h depending on the definition of SIZEOF_LONG_LONG and SIZEOF_LONG_INT, which are both determined at configure time by cmake/CheckTypes.cmake and the result gets put in build/config.h.

So you can check the differences in the config.h's that get generated, but I think it looks like you'd always get this error if SIZEOF_LONG_LONG != 8 and SIZEOF_LONG_INT == 8, causing two declarations of the Val(long int, TypeTag) constructor. Either the Val constructors or the logic for typedef'ing int64 probably need to be revised.

- Jon

From robin at icir.org Wed Feb 16 13:41:25 2011
From: robin at icir.org (Robin Sommer) Date: Wed, 16 Feb 2011 13:41:25 -0800 Subject: [Bro-Dev] Compile errors In-Reply-To: <32788825.4495.1297889060252.JavaMail.root@zimbra-1.ncsa.uiuc.edu> References: <1514676560.4456.1297888807941.JavaMail.root@zimbra-1.ncsa.uiuc.edu> <32788825.4495.1297889060252.JavaMail.root@zimbra-1.ncsa.uiuc.edu> Message-ID: <20110216214125.GC49060@icir.org> Is this with current master? I fixed some defintions for the int64-related typedefs a while ago in there. (If it's really exactly the same platform, that shouldn't make a difference between NMI and your laptop, but who knows). Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From appleman at ncsa.illinois.edu Wed Feb 16 14:34:05 2011 From: appleman at ncsa.illinois.edu (Don Appleman) Date: Wed, 16 Feb 2011 16:34:05 -0600 (CST) Subject: [Bro-Dev] Compile errors In-Reply-To: <20110216214125.GC49060@icir.org> Message-ID: <984120237.5457.1297895645089.JavaMail.root@zimbra-1.ncsa.uiuc.edu> Thanks for the helpful suggestions. I first compared the two versions of build/config.h and found that the defined sizes of the various types match. However, I also noticed that the version numbers were out of sync. The NMI build always does a "git pull" prior to the build, and was completely up to date; the source on my laptop was out of date. Now that I've updated my laptop to the latest master (in a new directory I ran "git clone --recursive git://git.icir.org/bro"), I get the same compile errors on my laptop. Any further guidance in addressing these compile errors is much appreciated. The remaining differences between the two builds are that the NMI version does not yet include libMagic or libGeoIP. Thanks again, Don ----- Original Message ----- 
From: "Robin Sommer"
To: "Don Appleman"
Cc: bro-dev at bro-ids.org
Sent: Wednesday, February 16, 2011 3:41:25 PM
Subject: Re: [Bro-Dev] Compile errors

Is this with current master? I fixed some definitions for the int64-related typedefs a while ago in there. (If it's really exactly the same platform, that shouldn't make a difference between NMI and your laptop, but who knows).

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

--
Don Appleman
National Center for Supercomputing Applications
2006B NCSA, 1205 W. Clark St.
Urbana, IL 61801
217/333-6340
appleman at ncsa.illinois.edu

From robin at icir.org Wed Feb 16 15:55:13 2011
From: robin at icir.org (Robin Sommer) Date: Wed, 16 Feb 2011 15:55:13 -0800 Subject: [Bro-Dev] Compile errors In-Reply-To: <984120237.5457.1297895645089.JavaMail.root@zimbra-1.ncsa.uiuc.edu> References: <20110216214125.GC49060@icir.org> <984120237.5457.1297895645089.JavaMail.root@zimbra-1.ncsa.uiuc.edu> Message-ID: <20110216235513.GF49060@icir.org> On Wed, Feb 16, 2011 at 16:34 -0600, you wrote: > The NMI build always does a "git pull" prior to the build, and was > completely up to date; the source on my laptop was out of date. Interesting, seems I may have broken something then while I was fixing the problem I had. I tried it on 32-bit and 64-bit FreeBSD, and 32-bit Linux, but I think not on 64-bit Linux ... Well, I guess that's what NMI build testing is for, right? :) So back to the error messages: > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:130: error: 'Val::Val(int64, TypeTag)' cannot be overloaded > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:100: error: with 'Val::Val(long int, TypeTag)' > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:140: error: 'Val::Val(uint64, TypeTag)' cannot be overloaded > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:120: error: with 'Val::Val(long unsigned int, TypeTag)' So this seems like there are "long unsigned int" and "long int" versions of that method missing. If you can't figure it out, I'll try it on comparable box but probably not today anymore. Oh, which gcc version is this? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From appleman at ncsa.illinois.edu Wed Feb 16 16:31:50 2011 
From: appleman at ncsa.illinois.edu (Don Appleman) Date: Wed, 16 Feb 2011 18:31:50 -0600 (CST) Subject: [Bro-Dev] Compile errors In-Reply-To: <20110216235513.GF49060@icir.org> Message-ID: <530790717.5799.1297902710925.JavaMail.root@zimbra-1.ncsa.uiuc.edu> This was on gcc 4.3.3. I'll have a longer look at it shortly. Thanks, Robin, Don ----- Original Message ----- From: "Robin Sommer" To: "Don Appleman" Cc: bro-dev at bro-ids.org Sent: Wednesday, February 16, 2011 5:55:13 PM Subject: Re: [Bro-Dev] Compile errors On Wed, Feb 16, 2011 at 16:34 -0600, you wrote: > The NMI build always does a "git pull" prior to the build, and was > completely up to date; the source on my laptop was out of date. Interesting, seems I may have broken something then while I was fixing the problem I had. I tried it on 32-bit and 64-bit FreeBSD, and 32-bit Linux, but I think not on 64-bit Linux ... Well, I guess that's what NMI build testing is for, right? :) So back to the error messages: > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:130: error: 'Val::Val(int64, TypeTag)' cannot be overloaded > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:100: error: with 'Val::Val(long int, TypeTag)' > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:140: error: 'Val::Val(uint64, TypeTag)' cannot be overloaded > /home/condor/execute/dir_4281/userdir/bro/src/Val.h:120: error: with 'Val::Val(long unsigned int, TypeTag)' So this seems like there are "long unsigned int" and "long int" versions of that method missing. If you can't figure it out, I'll try it on comparable box but probably not today anymore. Oh, which gcc version is this? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org -- Don Appleman National Center for Supercomputing Applications 2006B NCSA, 1205 W. Clark St. Urbana, IL 61801 217/333-6340 appleman at ncsa.illinois.edu From gregor at icir.org Wed Feb 16 17:38:28 2011 
From: gregor at icir.org (Gregor Maier) Date: Wed, 16 Feb 2011 17:38:28 -0800 Subject: [Bro-Dev] Compile errors In-Reply-To: <32788825.4495.1297889060252.JavaMail.root@zimbra-1.ncsa.uiuc.edu> References: <32788825.4495.1297889060252.JavaMail.root@zimbra-1.ncsa.uiuc.edu> Message-ID: <4D5C7C14.7060901@icir.org> this is an issue on 64bit machines. My pending merge-request in #391 (topic/gregor/fix-val-64bit) fixes the problem. cu gregor On 2/16/11 12:44 , Don Appleman wrote: > I'm currently working to get automated builds going on the NMI build/test lab. > > I have all the necessary prerequisites to build bro on the NMI x86_64_ubuntu_10.04 platform, which is the same platform as my laptop. I can build without error on my laptop, but I get compile errors when building on the NMI build target. > > Can someone give me an idea of how to resolve the following errors? > >> In file included from /home/condor/execute/dir_4281/userdir/bro/src/Conn.h:11, >> from /home/condor/execute/dir_4281/userdir/bro/src/Analyzer.h:11, >> from /home/condor/execute/dir_4281/userdir/bro/src/binpac_bro.h:11, >> from /home/condor/execute/dir_4281/userdir/bro/build/src/bittorrent_pac.h:11, >> from /home/condor/execute/dir_4281/userdir/bro/build/src/bittorrent_pac.cc:3: >> /home/condor/execute/dir_4281/userdir/bro/src/Val.h:130: error: 'Val::Val(int64, TypeTag)' cannot be overloaded >> /home/condor/execute/dir_4281/userdir/bro/src/Val.h:100: error: with 'Val::Val(long int, TypeTag)' >> /home/condor/execute/dir_4281/userdir/bro/src/Val.h:140: error: 'Val::Val(uint64, TypeTag)' cannot be overloaded >> /home/condor/execute/dir_4281/userdir/bro/src/Val.h:120: error: with 'Val::Val(long unsigned int, TypeTag)' > > Thanks much, > Don > > -- Gregor Maier Int. Computer Science Institute (ICSI) 1947 Center St., Ste. 600 Berkeley, CA 94704, USA http://www.icir.org/gregor/ From robin at icir.org Thu Feb 17 09:41:19 2011 
From: robin at icir.org (Robin Sommer) Date: Thu, 17 Feb 2011 09:41:19 -0800 Subject: [Bro-Dev] Compile errors In-Reply-To: <4D5C7C14.7060901@icir.org> References: <32788825.4495.1297889060252.JavaMail.root@zimbra-1.ncsa.uiuc.edu> <4D5C7C14.7060901@icir.org> Message-ID: <20110217174119.GF29871@icir.org> On Wed, Feb 16, 2011 at 17:38 -0800, you wrote: > My pending merge-request in #391 (topic/gregor/fix-val-64bit) fixes the > problem. Perfect. I'll aim to merge that in soon. Don, in the meantime, you can just merge this into devel for testing. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From gregor at icir.org Thu Feb 17 09:51:43 2011 
From: gregor at icir.org (Gregor Maier)
Date: Thu, 17 Feb 2011 09:51:43 -0800
Subject: [Bro-Dev] Bif tuning / overhaul
In-Reply-To: <4D5B0CE8.4020203@icir.org>
References: <4D5B0CE8.4020203@icir.org>
Message-ID: <4D5D602F.5050204@icir.org>

Some more thoughts in this regard:

* Modules and export: functions, events, and enum that are defined in a bif in a namespace also need to be encapsulated in an "export". This is not super nice, but I don't know a better alternative.

* For consts, types defined in bro.init (and possibly then declared in a bif for inclusion in C/C++) you also need exports. I.e.,

      const FOO::foobar;                # Doesn't work
      export { const FOO::foobar; }     # Works

  Don't know whether there's a better way to solve that.

* Using namespace for global config variables and types, will also mean that we need multiple "module" statements in bro.init....

* "export" can be nested (although it doesn't make sense to do so). However as soon as the innermost export section ends, the "export" mode is switched off. I'd like to change that so that it will switch off when the outermost export section ends. (I need exports to support namespaces and modules for BiF, so depending on how users *bif.bro files, there might be nested export that will then not work as expected). This change is minor

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From gregor at icir.org Thu Feb 17 11:56:58 2011
From: gregor at icir.org (Gregor Maier)
Date: Thu, 17 Feb 2011 11:56:58 -0800
Subject: [Bro-Dev] Bro policy script: vector
Message-ID: <4D5D7D8A.9020607@icir.org>

Hi,

I was wondering how I can use vectors in Bro policy script.

* How can I add/delete elements?
* Where can I add/delete elements (at the beginning? at the end? both) (i.e., can it be used as stack and/or FIFO)
* How can I iterate over the vector?
* Can I insert elements at arbitrary positions? Delete at arbitrary positions?

(there don't seem to be too many places in the default scripts where vectors are used and it seems that most are used as consts).

I think I've also seen places where "table[count] of XYZ" is used instead of a vector.

cu
Gregor

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From robin at icir.org Thu Feb 17 20:47:50 2011
From: robin at icir.org (Robin Sommer)
Date: Thu, 17 Feb 2011 20:47:50 -0800
Subject: [Bro-Dev] Bro policy script: vector
In-Reply-To: <4D5D7D8A.9020607@icir.org>
References: <4D5D7D8A.9020607@icir.org>
Message-ID: <20110218044750.GH38669@icir.org>

Gregor and I already talked about this earlier, with the conclusion that there isn't much support for working with vectors right now.

On Thu, Feb 17, 2011 at 11:56 -0800, you wrote:

> I think I've also seen places where "table[count] of XYZ" is used
> instead of a vector.

Most of these are probably from before when the vectors were added.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From appleman at ncsa.illinois.edu Fri Feb 18 12:34:34 2011
From: appleman at ncsa.illinois.edu (Don Appleman) Date: Fri, 18 Feb 2011 14:34:34 -0600 (CST) Subject: [Bro-Dev] Compile errors In-Reply-To: <20110217174119.GF29871@icir.org> Message-ID: <1887565375.2581.1298061274477.JavaMail.root@zimbra-1.ncsa.uiuc.edu> Thanks, Gregor -- your fix solves the compile errors I was getting. I guess you have this working on some 64-bit platform? I've encountered new compile errors further along in the build process ... > Linking CXX shared module _SubnetTree.so > /usr/bin/ld: /prereq/Python-2.6.2/lib/libpython2.6.a(abstract.o): relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a shared object; recompile with -fPIC > /prereq/Python-2.6.2/lib/libpython2.6.a: could not read symbols: Bad value > collect2: ld returned 1 exit status > make[2]: *** [aux/broctl/aux/pysubnettree/_SubnetTree.so] Error 1 > make[1]: *** [aux/broctl/aux/pysubnettree/CMakeFiles/_SubnetTree.dir/all] Error 2 > make: *** [all] Error 2 ... which I suspect may also be a 64-bit platform problem. Do you have any guidance to offer on this new error? The Python-2.6.2 that I am using is the only version of python I have available on this particular build target. Thanks again, Don ----- Original Message ----- From: "Robin Sommer" To: "Gregor Maier" Cc: "Don Appleman" , bro-dev at bro-ids.org Sent: Thursday, February 17, 2011 11:41:19 AM Subject: Re: [Bro-Dev] Compile errors On Wed, Feb 16, 2011 at 17:38 -0800, you wrote: > My pending merge-request in #391 (topic/gregor/fix-val-64bit) fixes the > problem. Perfect. I'll aim to merge that in soon. Don, in the meantime, you can just merge this into devel for testing. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org -- Don Appleman National Center for Supercomputing Applications 2006B NCSA, 1205 W. Clark St. Urbana, IL 61801 217/333-6340 appleman at ncsa.illinois.edu From gregor at icir.org Fri Feb 18 12:45:17 2011 
From: gregor at icir.org (Gregor Maier)
Date: Fri, 18 Feb 2011 12:45:17 -0800
Subject: [Bro-Dev] Compile errors
In-Reply-To: <1887565375.2581.1298061274477.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
References: <1887565375.2581.1298061274477.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <4D5EDA5D.1080309@icir.org>

On 2/18/11 12:34 , Don Appleman wrote:
> Thanks, Gregor -- your fix solves the compile errors I was getting. I guess you have this working on some 64-bit platform? I've encountered new compile errors further along in the build process ...

I do. It's some Fedora.

>
>> Linking CXX shared module _SubnetTree.so
>> /usr/bin/ld: /prereq/Python-2.6.2/lib/libpython2.6.a(abstract.o): relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a shared object; recompile with -fPIC
>> /prereq/Python-2.6.2/lib/libpython2.6.a: could not read symbols: Bad value
>> collect2: ld returned 1 exit status
>> make[2]: *** [aux/broctl/aux/pysubnettree/_SubnetTree.so] Error 1
>> make[1]: *** [aux/broctl/aux/pysubnettree/CMakeFiles/_SubnetTree.dir/all] Error 2
>> make: *** [all] Error 2
>
> ... which I suspect may also be a 64-bit platform problem. Do you have any guidance to offer on this new error? The Python-2.6.2 that I am using is the only version of python I have available on this particular build target.

I sometimes have weird problems compiling some of the python modules but I haven't really debugged it. What seems to work for me is:

* remove build directory and do another ./configure
* do a git submodule update --recursive
* do a fresh recursive clone of the bro repository

hth
Gregor

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From jsiwek at ncsa.illinois.edu Fri Feb 18 13:05:33 2011
From: jsiwek at ncsa.illinois.edu (Jonathan Siwek)
Date: Fri, 18 Feb 2011 15:05:33 -0600 (CST)
Subject: [Bro-Dev] Compile errors
In-Reply-To: <1887565375.2581.1298061274477.JavaMail.root@zimbra-1.ncsa.uiuc.edu>
Message-ID: <18261519.68.1298063133125.JavaMail.jsiwek@tangent.ncsa.illinois.edu>

> > Linking CXX shared module _SubnetTree.so
> > /usr/bin/ld: /prereq/Python-2.6.2/lib/libpython2.6.a(abstract.o):
> > relocation R_X86_64_32 against `.rodata.str1.8' can not be used when
> > making a shared object; recompile with -fPIC

There's a few different cases where you can get an error like this, but I think the situation you're in is that you're building a shared library on an AMD64 architecture which are required to be PIC-enabled, but you're linking to a static archive which was not built with the -fPIC flag.

> The Python-2.6.2 that I am using is the only version of python I have available on this particular build target.

Here's what I would probably do:

1) Search around a bit to make sure there really isn't a libpython2.6.so (shared library version) that you can link against
2) Inquire with NMI support about whether libpython2.6.a is indeed built wrong (without the -fPIC flag) and ask if they can fix it if it is
3) Do your own build of Python and compile Bro against that

- Jon

From bro at tracker.icir.org Fri Feb 18 21:04:25 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Sat, 19 Feb 2011 05:04:25 -0000
Subject: [Bro-Dev] #400: file descriptor leak in bro remote serializer
Message-ID: <048.6f23657e67dd387fa1e4c7ea0a1dfdf1@tracker.icir.org>

#400: file descriptor leak in bro remote serializer
-----------------------+---------------------
 Reporter:  scampbell  |       Type:  Problem
   Status:  new        |   Priority:  High
Milestone:             |  Component:  Bro
  Version:  1.5.2      |   Keywords:
-----------------------+---------------------
 In child proxy process there seems to be a file descriptor leak - noticed we were getting a kern.maxfiles exceeded error. Looking at lsof output identified the leaking process and truss shows:

 {{{
 socket(PF_INET,SOCK_STREAM,0) = 69 (0x45)
 setsockopt(0x45,0xffff,0x4,0xbfbfe5a8,0x4,0x0) = 0 (0x0)
 bind(69,{ AF_INET 0.0.0.0:47761 },16) ERR#48 'Address already in use'
 gettimeofday({1298082809.001388},0x0) = 0 (0x0)
 write(27,"\0\0\0\b\^E\M^P\M-,\t\0\0\0\0\0"...,65) = 65 (0x41)
 select(28,{27},0x0,0x0,{0.000000}) = 0 (0x0)
 }}}

 for every call to socket(), returned file descriptor is incremented:

 {{{
 bind(69,{ AF_INET 0.0.0.0:47761 },16) ERR#48 'Address already in use'
 bind(70,{ AF_INET 0.0.0.0:47761 },16) ERR#48 'Address already in use'
 bind(71,{ AF_INET 0.0.0.0:47761 },16) ERR#48 'Address already in use'
 bind(72,{ AF_INET 0.0.0.0:47761 },16) ERR#48 'Address already in use'
 bind(73,{ AF_INET 0.0.0.0:47761 },16) ERR#48 'Address already in use'
 bind(74,{ AF_INET 0.0.0.0:47761 },16) ERR#48 'Address already in use'
 bind(75,{ AF_INET 0.0.0.0:47761 },16) ERR#48 'Address already in use'
 bind(76,{ AF_INET 0.0.0.0:47761 },16) ERR#48 'Address already in use'
 }}}

 in RemoteSerializer.cc @ 3587 in SocketComm::Listen

 {{{
 if ( bind(*listen_fd, (sockaddr*) &server, sizeof(server)) < 0 )
     {
     Error(fmt("can't bind to port %d, %s", port, strerror(errno)));
     *listen_fd = -1;

     if ( errno == EADDRINUSE )
         {
         listen_if = ip;
         listen_port = port;
         listen_ssl = expect_ssl;
         // FIXME: Make this timeout configurable.
         listen_next_try = time(0) + 30;
         }
     return false;
     }
 }}}

 in the error loop, listen_fd needs to be closed since there is nothing done to it.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From gregor at icir.org Sat Feb 19 07:28:25 2011
From: gregor at icir.org (Gregor Maier)
Date: Sat, 19 Feb 2011 07:28:25 -0800
Subject: [Bro-Dev] Comparing records
Message-ID: <4D5FE199.2030700@icir.org>

Hi,

it seems that I can't compare records for equality in Bro. Right?

Is there any way to do this (other than comparing each element individually or writing a bif-function for it)

cu
gregor

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From vern at icir.org Sat Feb 19 09:51:44 2011
From: vern at icir.org (Vern Paxson)
Date: Sat, 19 Feb 2011 09:51:44 -0800
Subject: [Bro-Dev] Comparing records
In-Reply-To: <4D5FE199.2030700@icir.org> (Sat, 19 Feb 2011 07:28:25 PST).
Message-ID: <20110219175144.A2A0536A42B@taffy.ICSI.Berkeley.EDU>

> it seems that I can't compare records for equality in Bro. Right?

Correct.

> Is there any way to do this (other than comparing each element individually
> or writing a bif-function for it)

No existing support for it. In what context do you want to do this? Note that given the open-ended nature of records (e.g., they can include tables, and/or require evaluation of default entries), such comparison is complex to support in a fully general fashion.

Vern

From gregor at icir.org Sat Feb 19 11:16:05 2011
From: gregor at icir.org (Gregor Maier)
Date: Sat, 19 Feb 2011 11:16:05 -0800
Subject: [Bro-Dev] Comparing records
In-Reply-To: <20110219175144.A2A0536A42B@taffy.ICSI.Berkeley.EDU>
References: <20110219175144.A2A0536A42B@taffy.ICSI.Berkeley.EDU>
Message-ID: <4D6016F5.5010708@icir.org>

On 2/19/11 9:51 , Vern Paxson wrote:
>> Is there any way to do this (other than comparing each element individually
>> or writing a bif-function for it)
>
> No existing support for it. In what context do you want to do this?
> Note that given the open-ended nature of records (e.g., they can include
> tables, and/or require evaluation of default entries), such comparison
> is complex to support in a fully general fashion.

For my NFS analyzer to check whether two attribute sets are equal (the record only contains basic types). As a quick workaround I've added the two records I want to compare to a set and then check how many elements are in the set.

BTW, how does hashing of records for sets and tables work if there are other records or tables in it? Will it do a "deep-hashing"?

cu
gregor

--
Gregor Maier
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

From bro at tracker.icir.org Sun Feb 20 17:28:36 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 21 Feb 2011 01:28:36 -0000
Subject: [Bro-Dev] #401: broctl crash reports should display size of core dump
Message-ID: <043.9bfa890ec9956919f0f88348b617384d@tracker.icir.org>

#401: broctl crash reports should display size of core dump
------------------------+--------------------
 Reporter:  seth        |      Owner:  robin
     Type:  Problem     |     Status:  new
 Priority:  Normal      |  Milestone:  Bro1.6
Component:  BroControl  |    Version:
 Keywords:              |
------------------------+--------------------
 This would help with remote debugging since it would become easier in some cases to determine the result of a crash if the crash is due to memory exhaustion. One case in particular that it would be really helpful for is someone running 32-bit Bro on a 64-bit platform since the crash (I think) will always happen right at 4GB.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 21 09:34:17 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 21 Feb 2011 17:34:17 -0000
Subject: [Bro-Dev] #400: file descriptor leak in bro remote serializer
In-Reply-To: <048.6f23657e67dd387fa1e4c7ea0a1dfdf1@tracker.icir.org>
References: <048.6f23657e67dd387fa1e4c7ea0a1dfdf1@tracker.icir.org>
Message-ID: <063.fb30c059536d652e1e9323d4f7c8dfe9@tracker.icir.org>

#400: file descriptor leak in bro remote serializer
------------------------+----------------------
  Reporter:  scampbell  |      Owner:  robin
      Type:  Problem    |     Status:  assigned
  Priority:  High       |  Milestone:
 Component:  Bro        |    Version:  1.5.3
Resolution:             |   Keywords:
------------------------+----------------------
Changes (by robin):

 * owner: => robin
 * status: new => assigned
 * version: 1.5.2 => 1.5.3

Comment:

 I'll look into it for the 1.5.3 maintenance release (which will probably come soon)

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 21 16:08:26 2011
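Ticket #400's leak and its fix, reduced to a stand-alone C++ program (an added example, not Bro's code or the eventual patch). The names `listen_leaky`, `listen_fixed` and `fds_leaked` are hypothetical; the program occupies a port itself so that every later bind() fails with EADDRINUSE, then counts how many descriptors each variant leaves open.

```cpp
// Added example for ticket #400: the bind()-failure leak and its fix.
// listen_leaky/listen_fixed/fds_leaked are hypothetical names, not Bro code.
#include <arpa/inet.h>
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

// Build a 0.0.0.0:<port> address as in the truss output (port 0 = any free port).
static sockaddr_in any_addr(uint16_t port)
{
    sockaddr_in a;
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = htons(port);
    return a;
}

// Count descriptors open in this process by probing the low slots.
static int count_open_fds()
{
    int n = 0;
    for ( int fd = 0; fd < 4096; ++fd )
        if ( fcntl(fd, F_GETFD) != -1 )
            ++n;
    return n;
}

// Shape of the code quoted in the ticket: on bind() failure the variable is
// set to -1, so the descriptor number is lost while the socket stays open.
bool listen_leaky(uint16_t port, int* listen_fd)
{
    *listen_fd = socket(PF_INET, SOCK_STREAM, 0);
    if ( *listen_fd < 0 )
        return false;

    sockaddr_in server = any_addr(port);
    if ( bind(*listen_fd, (sockaddr*) &server, sizeof(server)) < 0 )
    {
        *listen_fd = -1;
        return false; // every retry after this leaks one more descriptor
    }
    return listen(*listen_fd, 50) == 0;
}

// Fixed form: release the socket on every failure path, and restore errno so
// later checks such as errno == EADDRINUSE still see bind()'s error.
bool listen_fixed(uint16_t port, int* listen_fd)
{
    *listen_fd = socket(PF_INET, SOCK_STREAM, 0);
    if ( *listen_fd < 0 )
        return false;

    sockaddr_in server = any_addr(port);
    if ( bind(*listen_fd, (sockaddr*) &server, sizeof(server)) < 0 ||
         listen(*listen_fd, 50) < 0 )
    {
        int saved_errno = errno; // close() may overwrite errno
        close(*listen_fd);
        *listen_fd = -1;
        errno = saved_errno;
        return false;
    }
    return true;
}

// Occupy a port, retry listening on it `attempts` times, and return how many
// descriptors the retries left open (-1 if the test port could not be set up).
int fds_leaked(bool (*try_listen)(uint16_t, int*), int attempts)
{
    int holder = socket(PF_INET, SOCK_STREAM, 0);
    sockaddr_in addr = any_addr(0);
    socklen_t len = sizeof(addr);
    if ( holder < 0 || bind(holder, (sockaddr*) &addr, sizeof(addr)) < 0 ||
         getsockname(holder, (sockaddr*) &addr, &len) < 0 || listen(holder, 1) < 0 )
    {
        if ( holder >= 0 )
            close(holder);
        return -1;
    }
    uint16_t port = ntohs(addr.sin_port);

    int before = count_open_fds();
    for ( int i = 0; i < attempts; ++i )
    {
        int fd = -1;
        if ( try_listen(port, &fd) )
            close(fd); // not expected while the holder owns the port
    }
    int leaked = count_open_fds() - before;
    close(holder);
    return leaked;
}

int main()
{
    printf("leaky: %d descriptors left open after 8 retries\n", fds_leaked(listen_leaky, 8));
    printf("fixed: %d descriptors left open after 8 retries\n", fds_leaked(listen_fixed, 8));
    return 0;
}
```

With the 30-second retry shown in the ticket, the leaky form loses one descriptor per retry until the process or system limit is reached, which matches the kern.maxfiles error reported.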
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 22 Feb 2011 00:08:26 -0000
Subject: [Bro-Dev] #402: [PATCH] -fPIC is needed for FreeBSD/amd64
Message-ID: <044.b362feee6fb80f2733ffbc095b60d620@tracker.icir.org>

#402: [PATCH] -fPIC is needed for FreeBSD/amd64
----------------------+-----------------------
 Reporter:  leres     |      Owner:  kreibich
     Type:  Problem   |     Status:  new
 Priority:  Normal    |  Milestone:
Component:  Broccoli  |    Version:  git/devel
 Keywords:            |
----------------------+-----------------------
 I'm working on:

 {{{
 FreeBSD fun.ee.lbl.gov 7.2-RELEASE FreeBSD 7.2-RELEASE #9 r99: Sat Dec 4 23:25:23 PST 2010 leres at fun.ee.lbl.gov:/home/fun/u2/src/7.2-RELEASE/sys/amd64/compile/LBLSMPIPV6 amd64
 }}}

 When I try to build broccoli I see:

 {{{
 Linking C shared module _broccoli_intern.so
 /usr/bin/ld: ../../src/libbroccoli.a(bro.c.o): relocation R_X86_64_32 can not be used when making a shared object; recompile with -fPIC
 ../../src/libbroccoli.a: could not read symbols: Bad value
 }}}

 A quick google turned up this:

 http://www.cmake.org/pipermail/cmake/2006-September/011316.html

 A patch based on this that allows the build to complete without error is attached.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 21 16:36:15 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 22 Feb 2011 00:36:15 -0000
Subject: [Bro-Dev] #402: [PATCH] -fPIC is needed for FreeBSD/amd64
In-Reply-To: <044.b362feee6fb80f2733ffbc095b60d620@tracker.icir.org>
References: <044.b362feee6fb80f2733ffbc095b60d620@tracker.icir.org>
Message-ID: <059.01dd7934c39fb2baf3e6ef92bf4b8bb9@tracker.icir.org>

#402: [PATCH] -fPIC is needed for FreeBSD/amd64
-----------------------+-----------------------
  Reporter:  leres     |      Owner:  kreibich
      Type:  Problem   |     Status:  new
  Priority:  Normal    |  Milestone:
 Component:  Broccoli  |    Version:  git/devel
Resolution:            |   Keywords:
-----------------------+-----------------------
Comment (by leres):

 Actually, the patch doesn't help; the error only occurs when you build the static library. And interestingly, the shared library '''always''' seems to be built, even though ./configure --help seems to say it shouldn't when --enable-static is used.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Mon Feb 21 20:26:51 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 22 Feb 2011 04:26:51 -0000
Subject: [Bro-Dev] #402: [PATCH] -fPIC is needed for FreeBSD/amd64
In-Reply-To: <044.b362feee6fb80f2733ffbc095b60d620@tracker.icir.org>
References: <044.b362feee6fb80f2733ffbc095b60d620@tracker.icir.org>
Message-ID: <059.acc2b52296333e8029463ce3934627aa@tracker.icir.org>

#402: [PATCH] -fPIC is needed for FreeBSD/amd64
-----------------------+-----------------------
  Reporter:  leres     |      Owner:  jsiwek
      Type:  Problem   |     Status:  assigned
  Priority:  Normal    |  Milestone:
 Component:  Broccoli  |    Version:  git/devel
Resolution:            |   Keywords:
-----------------------+-----------------------
Changes (by jsiwek):

 * owner: kreibich => jsiwek
 * status: new => assigned

Comment:

 The way the ./configure --help options are explained is definitely misleading. --enable-static/shared only really apply to the libbroccoli library. I'll change the wording.

 The _broccoli_intern.so you see being linked in your error is for the python bindings and that's done by SWIG. It will always be represented in CMake terms as a MODULE. From http://www.cmake.org/cmake/help/cmake-2-8-docs.html#command:add_library:

 > MODULE libraries are plugins that are not linked into other targets but may be loaded dynamically at runtime using dlopen-like functionality

 So I think you're taking the right approach in trying to get libbroccoli.a compiled with -fPIC, but I'm not sure right now why your patch didn't work. Feel free to race me to a solution.

 Though, generally speaking, I want to say that if you are creating the python bindings module, then it may be better (i.e. more flexibly) to link it against a shared libbroccoli.so (and then this issue with -fPIC shouldn't be an issue because all shared libs on x86_64 should require PIC-enabling).

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Tue Feb 22 11:57:50 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 22 Feb 2011 19:57:50 -0000
Subject: [Bro-Dev] #402: [PATCH] -fPIC is needed for FreeBSD/amd64
In-Reply-To: <044.b362feee6fb80f2733ffbc095b60d620@tracker.icir.org>
References: <044.b362feee6fb80f2733ffbc095b60d620@tracker.icir.org>
Message-ID: <059.0f76c35f56c9828a8f2485f38e9b8cbd@tracker.icir.org>

#402: [PATCH] -fPIC is needed for FreeBSD/amd64
-----------------------+-----------------------
  Reporter:  leres     |      Owner:  jsiwek
      Type:  Problem   |     Status:  assigned
  Priority:  Normal    |  Milestone:
 Component:  Broccoli  |    Version:  git/devel
Resolution:            |   Keywords:
-----------------------+-----------------------
Comment (by slagell):

 Is there a reason for not using shared libraries? If not, mixing shared and static versions seems to be causing unnecessary pain, and I would suggest simply removing that option.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Tue Feb 22 12:34:44 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Tue, 22 Feb 2011 20:34:44 -0000
Subject: [Bro-Dev] #402: [PATCH] -fPIC is needed for FreeBSD/amd64
In-Reply-To: <044.b362feee6fb80f2733ffbc095b60d620@tracker.icir.org>
References: <044.b362feee6fb80f2733ffbc095b60d620@tracker.icir.org>
Message-ID: <059.f0ffadd41abbbc44898a0b490605060c@tracker.icir.org>

#402: [PATCH] -fPIC is needed for FreeBSD/amd64
-----------------------+-----------------------
  Reporter:  leres     |      Owner:  jsiwek
      Type:  Problem   |     Status:  assigned
  Priority:  Normal    |  Milestone:
 Component:  Broccoli  |    Version:  git/devel
Resolution:            |   Keywords:
-----------------------+-----------------------
Comment (by seth):

 There is another separate ticket that was filed a while ago: #256

 I'll go ahead and close it since this ticket has gone much more in depth, but it'll remain available for reference in its closed state.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.icir.org Tue Feb 22 12:35:32 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Tue, 22 Feb 2011 20:35:32 -0000 Subject: [Bro-Dev] #256: Broccoli python bindings build failure on amd64 FreeBSD 8.1RC1 In-Reply-To: <043.ec5b7df9255cdebdc3647d02134f206e@tracker.icir.org> References: <043.ec5b7df9255cdebdc3647d02134f206e@tracker.icir.org> Message-ID: <058.9e1ce06b71f20b3eb19d38fc91188584@tracker.icir.org> #256: Broccoli python bindings build failure on amd64 FreeBSD 8.1RC1 ------------------------+---------------------- Reporter: seth | Owner: kreibich Type: defect | Status: closed Priority: Normal | Milestone: Component: Broccoli | Version: 1.5.1 Resolution: Duplicate | Keywords: ------------------------+---------------------- Changes (by seth): * status: new => closed * resolution: => Duplicate Comment: Closed due to more extensive documentation in refiled ticket #402. -- Ticket URL: Bro Tracker Bro Issue Tracker From gregor at icir.org Tue Feb 22 13:01:49 2011 
From: gregor at icir.org (Gregor Maier) Date: Tue, 22 Feb 2011 13:01:49 -0800 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/robin/logging-internals: Enable passing events into bifs. (c0cd62a) In-Reply-To: <201102220230.p1M2UUpG006430@envoy.icir.org> References: <201102220230.p1M2UUpG006430@envoy.icir.org> Message-ID: <4D64243D.1040103@icir.org> Just wondering whether this might affect the way the C++ layer checks whether there's a handler for a particular event by testing its boolean value.... On 2/21/11 18:30 , Robin Sommer wrote: > Repository : ssh://bro at envoy.icir.org/bro > > On branch : topic/robin/logging-internals > >> --------------------------------------------------------------- > > commit c0cd62a5a5e7270db901d56a1d651df7bd87338f > Author: Robin Sommer > Date: Mon Feb 21 13:45:44 2011 -0800 > > Enable passing events into bifs. > > When an event was globally declared, previously it did not get > assigned a value initially until the first implementation body was > added. That then triggered a "not used" error when passing such an > event as argument into a bif. Now we always assign a function value > immediately, just without any body initially. > > When globally declaring an event, i > > >> --------------------------------------------------------------- > > src/Func.cc | 12 ++++++++---- > src/Var.cc | 10 ++++++++++ > 2 files changed, 18 insertions(+), 4 deletions(-) > > diff --git a/src/Func.cc b/src/Func.cc > index 5d71be2..f398425 100644 > --- a/src/Func.cc > +++ b/src/Func.cc > @@ -239,11 +239,15 @@ BroFunc::BroFunc(ID* arg_id, Stmt* arg_body, id_list* aggr_inits, > : Func(BRO_FUNC) > { > id = arg_id; > - Body b; > - b.stmts = AddInits(arg_body, aggr_inits); > - b.priority = 0; > - bodies.push_back(b); > frame_size = arg_frame_size; > + > + if ( arg_body ) > + { > + Body b; > + b.stmts = AddInits(arg_body, aggr_inits); > + b.priority = 0; > + bodies.push_back(b); > + } > } > > BroFunc::~BroFunc() 
> diff --git a/src/Var.cc b/src/Var.cc > index b107156..c9e497d 100644 > --- a/src/Var.cc > +++ b/src/Var.cc > @@ -170,6 +170,16 @@ static void make_var(ID* id, BroType* t, init_class c, Expr* init, > } > > id->UpdateValAttrs(); > + > + if ( t && t->Tag() == TYPE_FUNC && t->AsFuncType()->IsEvent() ) > + { > + // For events, add a function value (without any body) here so that > + // we can later access the ID even if no implementations have been > + // defined. > + Func* f = new BroFunc(id, 0, 0, 0); > + id->SetVal(new Val(f)); > + id->SetConst(); > + } > } > > > > _______________________________________________ > bro-commits mailing list > bro-commits at bro-ids.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits > -- Gregor Maier Int. Computer Science Institute (ICSI) 1947 Center St., Ste. 600 Berkeley, CA 94704, USA http://www.icir.org/gregor/ From robin at icir.org Tue Feb 22 13:10:50 2011 From: robin at icir.org (Robin Sommer) Date: Tue, 22 Feb 2011 13:10:50 -0800 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/robin/logging-internals: Enable passing events into bifs. (c0cd62a) In-Reply-To: <4D64243D.1040103@icir.org> References: <201102220230.p1M2UUpG006430@envoy.icir.org> <4D64243D.1040103@icir.org> Message-ID: <20110222211049.GA64742@icir.org> On Tue, Feb 22, 2011 at 13:01 -0800, you wrote: > Just wondering whether this might affect the way the C++ layer checks > whether there's a handler for a particular event by testing its boolean > value.... Yes, that's actually on my radar; guess I should have mentioned in the commit message that this might need further work one way or the other. But I first need to remind myself what's actually happening internally. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bro at tracker.icir.org Tue Feb 22 16:37:43 2011 
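Review bot: In the src/Func.cc hunk, the new `if ( arg_body )` guard makes a null body a legal constructor argument, but `aggr_inits` is silently dropped on that path and `bodies` is left empty with nothing stating that contract. Add a comment on the constructor saying that a null `arg_body` creates a function without any body, and check that code walking `bodies` (or assuming at least one entry) copes with an empty list.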
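Review bot: In the src/Var.cc hunk, `id->SetVal(new Val(f))` gives every declared event a non-null value even when no handler body exists, so any check that treats "the ID has a value" as "a handler is defined" will now succeed for unhandled events, which is the concern raised in the reply above. Such checks should test for a non-empty body list instead, the comment should say why `id->SetConst()` is needed, and `new BroFunc(id, 0, 0, 0)` would read better with the null arguments named.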
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 23 Feb 2011 00:37:43 -0000 Subject: [Bro-Dev] #403: topic/gregor/bif-tuning -- add namespaces and type declaration to BiFs Message-ID: <045.95bfb1afb7c82b9870bf576fc236880d@tracker.icir.org> #403: topic/gregor/bif-tuning -- add namespaces and type declaration to BiFs ---------------------------+------------------------ Reporter: gregor | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ {{{ #!rst CHANGES entry: * BiFs: Adding support for namespace (policy layer module names) to BiFs, adding type declarations to BiFs (to access them from C++), extending const declarations in BiFs. ---------- Text from my mail: I've revamped the Bro bif language a bit. Mainly to add support for namespaces and features that would be handy for my RPC/NFS analyzers. I've also documented what one can do with bifs. Find it at: http://bro.icir.org/devel/bif-doc/ an overview of all of it: http://bro.icir.org/devel/bif-doc/example.html The main changes (from current master version): * support for policy-layer namespaces. Either using fully qualified names (MODULE::foobar) or using the "module XYZ;" statement. * C/C++ variables, and functions have their own namespaces: + *BifConst* for consts + *BifType* for type declarations (RecordType*, EnumType*) + *BifEnum* for C-enums derived from BiFs + *BifFunc* for bif functions + *BifEvent* for (some parts) of events. I haven't moved all of the event related C++ variables into this namespace, because this would require substantial refactoring of existing code * const: + can now use any type for consts (previously: only bools) + can now only declare but not define consts. You must define the const in bro.init. The bif only creates the netvar glue code.
This will help streamline automatically generated documentation and it was necessary for supporting types other than bool * forward type declaration: you can declare but not define Bro types (records, sets, etc.) in BiF to make them available to C++. The bif only generates the netvar glue. The types must be defined in bro.init }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 22 16:40:38 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 23 Feb 2011 00:40:38 -0000 Subject: [Bro-Dev] #403: topic/gregor/bif-tuning -- add namespaces and type declaration to BiFs In-Reply-To: <045.95bfb1afb7c82b9870bf576fc236880d@tracker.icir.org> References: <045.95bfb1afb7c82b9870bf576fc236880d@tracker.icir.org> Message-ID: <060.b38b0ff1ee9e8de88ef0c9224d953ce8@tracker.icir.org> #403: topic/gregor/bif-tuning -- add namespaces and type declaration to BiFs ----------------------------+------------------------ Reporter: gregor | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by gregor): Note: this includes the pending integer-fix merge request. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 22 16:51:25 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 23 Feb 2011 00:51:25 -0000 Subject: [Bro-Dev] #326: HTTP Analyzer overflow on content-lengths > 2GB In-Reply-To: <045.82bf4b86731e1736daaef4caa8c63d05@tracker.icir.org> References: <045.82bf4b86731e1736daaef4caa8c63d05@tracker.icir.org> Message-ID: <060.82eb741aae422266730c4966a70b97a8@tracker.icir.org> #326: HTTP Analyzer overflow on content-lengths > 2GB ---------------------+----------------------------- Reporter: gregor | Owner: robin Type: Patch | Status: accepted Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: | Keywords: inttypes,sprint ---------------------+----------------------------- Comment (by gregor): Robin, are you going to commit this to git or should I just go ahead and commit it to fastpath or create a topic branch + merge request for it? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 22 17:00:32 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 23 Feb 2011 01:00:32 -0000 Subject: [Bro-Dev] #326: HTTP Analyzer overflow on content-lengths > 2GB In-Reply-To: <045.82bf4b86731e1736daaef4caa8c63d05@tracker.icir.org> References: <045.82bf4b86731e1736daaef4caa8c63d05@tracker.icir.org> Message-ID: <060.0e9543dbe8812ca27753cb7760153656@tracker.icir.org> #326: HTTP Analyzer overflow on content-lengths > 2GB ---------------------+----------------------------- Reporter: gregor | Owner: robin Type: Patch | Status: accepted Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: | Keywords: inttypes,sprint ---------------------+----------------------------- Comment (by robin): On Wed, Feb 23, 2011 at 00:51 -0000, you wrote: > Robin, are you going to commit this to git or should I just go ahead and > commit it to fastpath or create a topic branch + merge request for it? It's on my list so if there are no further changes, you can just leave it as it is and I'll merge it. Robin -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 22 17:05:20 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 23 Feb 2011 01:05:20 -0000 Subject: [Bro-Dev] #404: topic/gregor/reassmbler-hotfix -- Reassembler integer overflow issues. Data not delivered after 2GB Message-ID: <045.ef386c9fd46d422b147e000b105f2c95@tracker.icir.org> #404: topic/gregor/reassmbler-hotfix -- Reassembler integer overflow issues. Data not delivered after 2GB ---------------------------+------------------------ Reporter: gregor | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ {{{ #!rst Hotfix for #348. A more thorough fix is needed in the long run, but this patch works without breaking anything. A full fix will require significant changes to the TCP analyzer, reassembler and possibly other parts. The TCP Reassembler does not deliver any data after 2GB. This happens silently, i.e., without content_gap events or Undelivered calls. The problem is the use of 32bit (signed) integers for relative sequence numbers. As a hotfix that seems to work I disabled the seq_to_skip features. It wasn't used by any analyzer or policy script (Note, that seq_to_skip is different from skip_deliveries). CHANGES entry: * TCP Reassembler hotfix: deliver data after 2GB by disabling the unused ``seq_to_skip`` feature. ------- Note: there is an unfortunate typo in the branch name, but I don't know how to safely rename the branch locally and remotely:: topic/gregor/reassmbler-hotfix ^^ 'e' is missing }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Tue Feb 22 17:06:42 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Wed, 23 Feb 2011 01:06:42 -0000 Subject: [Bro-Dev] #348: Reassembler integer overflow issues. Data not delivered after 2GB In-Reply-To: <045.50782a98afd446d5533512f10b0a2995@tracker.icir.org> References: <045.50782a98afd446d5533512f10b0a2995@tracker.icir.org> Message-ID: <060.57e36cbe89418b13021470aec167acde@tracker.icir.org> #348: Reassembler integer overflow issues. Data not delivered after 2GB ----------------------+------------------------ Reporter: gregor | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: | Keywords: inttypes ----------------------+------------------------ Comment (by gregor): Filed a merge request for the hotfix (#404). This ticket should remain open though, since it flags that more work is needed to really fix the problem (instead of avoiding it as my hotfix does). -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 24 09:08:42 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 24 Feb 2011 17:08:42 -0000 Subject: [Bro-Dev] #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf Message-ID: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf ----------------------+------------------------ Reporter: jsiwek | Owner: jsiwek Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Broccoli | Version: git/master Keywords: | ----------------------+------------------------ Craig Leres reported: >Something else I keep running into is it would appear that "make >install" clobbers config files in many cases. For example: > > % pwd > /usr/src/local/sbin/broccoli > % make distclean > % ./configure --enable-debug --prefix=/usr/local > % make > % make install > >overwrites the /usr/local/etc/broccoli.conf that I configure before the >install. The way I would expect this to work is to always update one of: > > /usr/local/etc/broccoli.conf-sample > /usr/local/share/examples/broccoli/broccoli.conf > >and create /usr/local/etc/broccoli.conf only if it doesn't already exist. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 24 09:21:53 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 24 Feb 2011 17:21:53 -0000 Subject: [Bro-Dev] #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf In-Reply-To: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> References: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> Message-ID: <060.c91f7623fe4ef11b62fb4e00f7a518d1@tracker.icir.org> #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf -----------------------+------------------------ Reporter: jsiwek | Owner: jsiwek Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Broccoli | Version: git/master Resolution: | Keywords: -----------------------+------------------------ Comment (by jsiwek): The pitfalls I ran into before were with how to check whether to install /usr/local/etc/broccoli.conf if it doesn't exist. I could either: 1) check at `make install` time whether it doesn't exist and then copy it in place. This was kind of a hack because it "goes behind CMake's back". For one thing, the file doesn't get recorded in the install_manifest. I think there was another issue, but I can't remember it right now. 2) check at `configure` time whether it doesn't exist and then schedule it to be installed by `make install` This seems like it would do as Craig expects.
But one potential issue I can see is that one might be confused about why a `/usr/local/etc/broccoli.conf` doesn't get installed after they do something like: {{{ $ ./configure --prefix=/usr/local $ make $ make install $ make distclean $ ./configure --prefix=/usr/local $ rm /usr/local/etc/broccoli.conf $ make $ make install }}} I think failure in this case to install that file (but still installing a sample file) is more reasonable than clobbering an existing one so I'm going to do the following: * Have Broccoli's configure logic check for an existing `$PREFIX/etc/broccoli.conf` at configure time and don't schedule it for installation if it does * Always schedule a `$PREFIX/etc/broccoli.conf-sample` for installation * Modify the RPM and Mac packaging scripts to make sure to remove the whole `/opt/bro/` (the default prefix) directory so we don't accidentally create packages with a missing `$PREFIX/etc/broccoli.conf` (the way the packages get installed themselves should take care of not clobbering `$PREFIX/etc/broccoli.conf`) -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 24 09:33:40 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 24 Feb 2011 17:33:40 -0000 Subject: [Bro-Dev] #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf In-Reply-To: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> References: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> Message-ID: <060.8c66f8ea6b8ccce93f79026f06774ff3@tracker.icir.org> #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf -----------------------+------------------------ Reporter: jsiwek | Owner: jsiwek Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Broccoli | Version: git/master Resolution: | Keywords: -----------------------+------------------------ Comment (by leres): I don't like the strategy of only checking at configure time. There are a lot of scenarios this is a lose but in the simplest case I configure, build and install, customize broccoli.bro and then later make a small change to a module. When I make install again, broccoli.bro gets clobbered. I think it's fine to go "behind cmake's back" because we don't want cmake to ever clobber this file. And so it actually seems like an advantage to me if broccoli.conf isn't in the install_manifest. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 24 10:15:55 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Thu, 24 Feb 2011 18:15:55 -0000 Subject: [Bro-Dev] #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf In-Reply-To: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> References: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> Message-ID: <060.6486f6f20e0cbd1c40af30e96000de0c@tracker.icir.org> #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf -----------------------+------------------------ Reporter: jsiwek | Owner: jsiwek Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Broccoli | Version: git/master Resolution: | Keywords: -----------------------+------------------------ Comment (by jsiwek): Just an observation: I think the `--with-configfile` option is currently one way to prevent the clobbering. But I'll also see if the "check for existing `$PREFIX/etc/broccoli.conf` at `make install` time" solution really did have other issues (like I said I couldn't remember above). -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 24 20:03:13 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 25 Feb 2011 04:03:13 -0000 Subject: [Bro-Dev] #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf In-Reply-To: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> References: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> Message-ID: <060.6a7f484d24f49f3c3cb559ce1c135184@tracker.icir.org> #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf -----------------------+------------------------ Reporter: jsiwek | Owner: jsiwek Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Broccoli | Version: git/master Resolution: | Keywords: -----------------------+------------------------ Comment (by jsiwek): In [df6b313720923848daa0cc5b047b49b5405799fe/broccoli]: {{{ #!CommitTicketReference repository="broccoli" revision="df6b313720923848daa0cc5b047b49b5405799fe" Changes to the way user-modifiable config files are installed. - Duplicates of the distribution's configuration files are now always installed with a .example suffix - Added --binary-package configure option to toggle configure logic specific to the creation of binary packages. - When not in binary packaging mode, `make install` never overwrites existing configure files in case they've been modified. The previous behavior (CMake's default) would only avoid overwriting modified files if one consistently uses the same build directory and doesn't reconfigure. - Fixed an issue with Mac package's pre-install script not preserving ACLs addresses #405 }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Thu Feb 24 20:20:38 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 25 Feb 2011 04:20:38 -0000 Subject: [Bro-Dev] #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf In-Reply-To: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> References: <045.4bf2ca2c1472064fe96ebac9cd928d79@tracker.icir.org> Message-ID: <060.9f93dca959527cef0c6428c8e1d9179c@tracker.icir.org> #405: Broccoli's `make install` may clobber existing user-modified broccoli.conf -----------------------+------------------------ Reporter: jsiwek | Owner: jsiwek Type: Problem | Status: new Priority: Normal | Milestone: Bro1.6 Component: Broccoli | Version: git/master Resolution: | Keywords: -----------------------+------------------------ Comment (by jsiwek): > But I'll also see if the "check for existing $PREFIX/etc/broccoli.conf at make install time" solution really did have other issues (like I said I couldn't remember above). The other issue with this was that it is incompatible with packaging via CPack. In order for CPack to create binary packages correctly, the files to be installed need to be specified inside a typical CMake install() macro, but that's not scriptable at `make install` time. The fix is to require a configure time flag, `--binary-package`, to know when to use extra "scripted" install versus use the plain install(). `topic/jsiwek/config-file-clobber-fixes` branches now exist in the broccoli, broctl, and bro repositories with the changes listed in the previous comment. Craig, if you try out at least the broccoli one, let me know if it looks good and I'll send a request to merge them to master. -- Ticket URL: Bro Tracker Bro Issue Tracker From gregor at icir.org Fri Feb 25 08:51:38 2011 
From: gregor at icir.org (Gregor Maier) Date: Fri, 25 Feb 2011 08:51:38 -0800 Subject: [Bro-Dev] Bro byte and packet counting in devel Message-ID: <4D67DE1A.90409@icir.org> Hi, the analyzer to count bytes and packets as seen on the wire per connection (endpoint) is now in devel. If enabled, the counters are part of the connection record (actually the endpoint records) and can thus be accessed by any event that gets a connection as argument. To enable: redef use_conn_size_analyzer = T; To enable logging the sizes to conn.log: # Whether to add 4 more columns to conn.log with # orig_packet orig_ip_bytes resp_packets resp_ip_bytes # Requires use_conn_size_analyzer=T # Columns are added after history but before addl redef report_conn_size_analyzer = T; You might want to consider enabling those if you run devel.... cu Gregor -- Gregor Maier Int. Computer Science Institute (ICSI) 1947 Center St., Ste. 600 Berkeley, CA 94704, USA http://www.icir.org/gregor/ From bro at tracker.icir.org Fri Feb 25 10:06:01 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 25 Feb 2011 18:06:01 -0000 Subject: [Bro-Dev] #348: Reassembler integer overflow issues. Data not delivered after 2GB In-Reply-To: <045.50782a98afd446d5533512f10b0a2995@tracker.icir.org> References: <045.50782a98afd446d5533512f10b0a2995@tracker.icir.org> Message-ID: <060.b5ebbd7a50a22389ed0b6f3c6bf61127@tracker.icir.org> #348: Reassembler integer overflow issues. Data not delivered after 2GB ----------------------+------------------------ Reporter: gregor | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: git/master Resolution: | Keywords: inttypes ----------------------+------------------------ Changes (by robin): * milestone: Bro1.6 => Bro1.7 -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 25 10:33:34 2011
From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 25 Feb 2011 18:33:34 -0000 Subject: [Bro-Dev] #348: Reassembler integer overflow issues. Data not delivered after 2GB In-Reply-To: <045.50782a98afd446d5533512f10b0a2995@tracker.icir.org> References: <045.50782a98afd446d5533512f10b0a2995@tracker.icir.org> Message-ID: <060.339af0acc9cee8eb39c775f4d3f2a708@tracker.icir.org> #348: Reassembler integer overflow issues. Data not delivered after 2GB ----------------------+------------------------ Reporter: gregor | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro1.7 Component: Bro | Version: git/master Resolution: | Keywords: inttypes ----------------------+------------------------ Comment (by robin): Moving some notes out of the source and in here: {{{ // The Reassembler uses 32 bit ints for keeping track of sequence // numbers. This means that the seq numbers will become negative once we // exceed 2 GB of data. The Reassembler seems to mostly work despite negative // sequence numbers, since seq_delta() will handle them gracefully. However, // there are a couple of issues. E.g., seq_to_skip doesn't work (which is now // disabled with an ifdef, since it wasn't used) Also, a check in // Undelivered() had a problem with negative sequence numbers. // // There are numerous counters (e.g., number of total bytes, etc.) that are // incorrect due to overflow too. However, these seem to be for informative // purposes only, so we currently ignore them. // // There might be other problems hidden somewhere, that I haven't discovered // yet...... // // Reassem.{cc|h} and other "Reassemblers" that inherit from it (e.g., Frag) // need to be updated too. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 25 15:49:46 2011 
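The overflow described in the #404 request and in the source notes above, modelled in C as an added example (not Bro's code): a 3 GiB in-order stream is pushed through four delivery checks, showing that a wrap-aware delta survives the 2 GiB boundary between neighbouring positions but misorders against a skip marker left at 0, so everything past 2 GiB is dropped silently. The struct and function names, the 1 MiB block size and the marker-at-0 condition are assumptions made for the model.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define CHUNK (1u << 20)            /* constructed: 1 MiB per delivered block */
#define STREAM_BYTES (3ull << 30)   /* constructed: one 3 GiB connection */

/* A stream position seen two ways: the signed 32-bit relative sequence
 * number the notes describe, and the true 64-bit byte offset. */
struct pos { int32_t rel32; uint64_t off64; };

struct result { uint64_t first_rejected; uint64_t bytes_rejected; };

/* Wrap-aware difference a - b (a model of the seq_delta() idea, assumed):
 * correct only while a and b are less than 2^31 bytes apart. */
static int32_t seq_delta32(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a - (uint32_t)b);
}

static struct pos advance(struct pos p, uint32_t len)
{
    struct pos n;
    n.rel32 = (int32_t)((uint32_t)p.rel32 + len);  /* goes negative at 2 GiB */
    n.off64 = p.off64 + len;
    return n;
}

typedef int (*deliver_check)(struct pos end, struct pos last, struct pos skip);

/* Plain signed comparison of neighbouring positions. */
static int check_naive(struct pos end, struct pos last, struct pos skip)
{
    (void)skip;
    return end.rel32 > last.rel32;
}

/* Wrap-aware comparison of neighbouring positions. */
static int check_delta(struct pos end, struct pos last, struct pos skip)
{
    (void)skip;
    return seq_delta32(end.rel32, last.rel32) > 0;
}

/* Wrap-aware, plus "drop everything at or before the skip marker". */
static int check_delta_skip(struct pos end, struct pos last, struct pos skip)
{
    return check_delta(end, last, skip) &&
           seq_delta32(end.rel32, skip.rel32) > 0;
}

/* The same two conditions on 64-bit offsets. */
static int check_wide(struct pos end, struct pos last, struct pos skip)
{
    return end.off64 > last.off64 && end.off64 > skip.off64;
}

/* Feed STREAM_BYTES of in-order data through one check. The skip marker
 * stays at its initial value 0, i.e. the feature is never used. */
static struct result run_stream(deliver_check ok)
{
    struct result r = {0, 0};
    struct pos last = {0, 0}, skip = {0, 0};

    while (last.off64 < STREAM_BYTES) {
        struct pos end = advance(last, CHUNK);
        if (!ok(end, last, skip)) {
            if (r.first_rejected == 0)
                r.first_rejected = end.off64;
            r.bytes_rejected += CHUNK;
        }
        last = end;
    }
    return r;
}

int main(void)
{
    const char *names[] = {"naive", "delta", "delta+skip", "64-bit"};
    deliver_check checks[] = {check_naive, check_delta,
                              check_delta_skip, check_wide};

    for (int i = 0; i < 4; i++) {
        struct result r = run_stream(checks[i]);
        printf("%-10s first rejected at %" PRIu64 ", bytes dropped %" PRIu64 "\n",
               names[i], r.first_rejected, r.bytes_rejected);
    }
    return 0;
}
```

For a monitor the "delta+skip" row is the visibility gap: every block whose end lies at or beyond 2 GiB is discarded, while the same conditions on 64-bit offsets drop nothing.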
From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 25 Feb 2011 23:49:46 -0000 Subject: [Bro-Dev] #404: topic/gregor/reassmbler-hotfix -- Reassembler integer overflow issues. Data not delivered after 2GB In-Reply-To: <045.ef386c9fd46d422b147e000b105f2c95@tracker.icir.org> References: <045.ef386c9fd46d422b147e000b105f2c95@tracker.icir.org> Message-ID: <060.0dd66d6b9a0fca22b1e73bbcba02ab9f@tracker.icir.org> #404: topic/gregor/reassmbler-hotfix -- Reassembler integer overflow issues. Data not delivered after 2GB ----------------------------+------------------------ Reporter: gregor | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [a3e1dd52615be0791703c146d8ca2c7021d5adc7/bro]: {{{ #!CommitTicketReference repository="bro" revision="a3e1dd52615be0791703c146d8ca2c7021d5adc7" Merge remote branch 'origin/topic/gregor/reassmbler-hotfix' Closes #404. * origin/topic/gregor/reassmbler-hotfix: TCP Reassembler hotfix for conns > 2GB. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 25 15:49:46 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Fri, 25 Feb 2011 23:49:46 -0000 Subject: [Bro-Dev] #403: topic/gregor/bif-tuning -- add namespaces and type declaration to BiFs In-Reply-To: <045.95bfb1afb7c82b9870bf576fc236880d@tracker.icir.org> References: <045.95bfb1afb7c82b9870bf576fc236880d@tracker.icir.org> Message-ID: <060.e064d787c94d3a7ccf42856ee317efa0@tracker.icir.org> #403: topic/gregor/bif-tuning -- add namespaces and type declaration to BiFs ----------------------------+------------------------ Reporter: gregor | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro1.6 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [12139e9fafc4ed46846a9829a676440babbe2d2d/bro]: {{{ #!CommitTicketReference repository="bro" revision="12139e9fafc4ed46846a9829a676440babbe2d2d" Merge remote branch 'origin/topic/gregor/bif-tuning' * origin/topic/gregor/bif-tuning: Refactor: BifTypePtr --> BifType Bif const: make sure const is indeed a constant. Support any type in bif const declaration. Tweak for bifcl Fix to bifcl wrt namespaces. Enable declaration of set, vector, and table types in bifs. Moving type declarations into its own bif file Support namespaces / modules in bif. Checkpoint. Support namespaces / modules in bif. Checkpoint. Remove leftovers from removing "declare enum" from bifcl Use namespaces for NetVar type pointers. Remove unused and unnecessary "declare enum" from bifcl Bif: add record type declaration. Minor tweaks for bif language. enum type: don't allow mixing of explicit value and auto-increment. Add support for enum with explicit enumerator values. Closes #403. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 25 17:05:01 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Sat, 26 Feb 2011 01:05:01 -0000 Subject: [Bro-Dev] #400: file descriptor leak in bro remote serializer In-Reply-To: <048.6f23657e67dd387fa1e4c7ea0a1dfdf1@tracker.icir.org> References: <048.6f23657e67dd387fa1e4c7ea0a1dfdf1@tracker.icir.org> Message-ID: <063.f600142db5682ffdeab2e16141c34168@tracker.icir.org> #400: file descriptor leak in bro remote serializer ------------------------+---------------------- Reporter: scampbell | Owner: robin Type: Problem | Status: assigned Priority: High | Milestone: Component: Bro | Version: 1.5.3 Resolution: | Keywords: ------------------------+---------------------- Comment (by robin): In [ff740f153ccec5242bb8fc7e7b8acd4493dd161b/bro]: {{{ #!CommitTicketReference repository="bro" revision="ff740f153ccec5242bb8fc7e7b8acd4493dd161b" Fixing file detector leak in remote communication module. This addresses #400. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 25 17:19:55 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Sat, 26 Feb 2011 01:19:55 -0000 Subject: [Bro-Dev] #400: file descriptor leak in bro remote serializer In-Reply-To: <048.6f23657e67dd387fa1e4c7ea0a1dfdf1@tracker.icir.org> References: <048.6f23657e67dd387fa1e4c7ea0a1dfdf1@tracker.icir.org> Message-ID: <063.b0ce815d004f219a6f4ebc9c8cc9c64e@tracker.icir.org> #400: file descriptor leak in bro remote serializer -----------------------------+-------------------- Reporter: scampbell | Owner: robin Type: Problem | Status: closed Priority: High | Milestone: Component: Bro | Version: 1.5.3 Resolution: Merged/Applied | Keywords: -----------------------------+-------------------- Changes (by robin): * status: assigned => closed * resolution: => Merged/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 25 17:20:42 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Sat, 26 Feb 2011 01:20:42 -0000 Subject: [Bro-Dev] #379: Delete cluster-adds.hot.bro In-Reply-To: <044.d95341f101c38e5c3b8d1ed5197aa9b4@tracker.icir.org> References: <044.d95341f101c38e5c3b8d1ed5197aa9b4@tracker.icir.org> Message-ID: <059.ae91ff64dd0fec525d932aee83cda980@tracker.icir.org> #379: Delete cluster-adds.hot.bro -----------------------------+-------------------- Reporter: robin | Owner: Type: Patch | Status: closed Priority: Normal | Milestone: Component: Bro | Version: 1.5.3 Resolution: Merged/Applied | Keywords: -----------------------------+-------------------- Changes (by robin): * status: new => closed * resolution: => Merged/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 25 17:33:16 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Sat, 26 Feb 2011 01:33:16 -0000 Subject: [Bro-Dev] #385: Add the new code for setting the socket buffer size In-Reply-To: <044.b2b74839782e7c780d60b3c5d25feb8f@tracker.icir.org> References: <044.b2b74839782e7c780d60b3c5d25feb8f@tracker.icir.org> Message-ID: <059.ffe77b1b330b09bf756d6bc61e075985@tracker.icir.org> #385: Add the new code for setting the socket buffer size -----------------------------+-------------------- Reporter: robin | Owner: Type: Patch | Status: closed Priority: Normal | Milestone: Component: Bro | Version: 1.5.3 Resolution: Merged/Applied | Keywords: -----------------------------+-------------------- Changes (by robin): * status: new => closed * resolution: => Merged/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 25 17:33:26 2011 
From: bro at tracker.icir.org (Bro Tracker) Date: Sat, 26 Feb 2011 01:33:26 -0000 Subject: [Bro-Dev] #380: Fix links to log files in standalone mode. In-Reply-To: <044.11c5b35dc6798467f278f2eb0c70e788@tracker.icir.org> References: <044.11c5b35dc6798467f278f2eb0c70e788@tracker.icir.org> Message-ID: <059.12f3219f087de863bf6e56fbbf4b88fd@tracker.icir.org> #380: Fix links to log files in standalone mode. -----------------------------+-------------------- Reporter: robin | Owner: robin Type: Patch | Status: closed Priority: Normal | Milestone: Component: BroControl | Version: 1.5.3 Resolution: Merged/Applied | Keywords: -----------------------------+-------------------- Changes (by robin): * status: new => closed * resolution: => Merged/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.icir.org Fri Feb 25 17:33:38 2011 From: bro at tracker.icir.org (Bro Tracker) Date: Sat, 26 Feb 2011 01:33:38 -0000 Subject: [Bro-Dev] #386: Fix trace-summaries sampling In-Reply-To: <044.b70363d6050aa2f29b860931df653bf3@tracker.icir.org> References: <044.b70363d6050aa2f29b860931df653bf3@tracker.icir.org> Message-ID: <059.49d9815279db53de06529b14e2357289@tracker.icir.org> #386: Fix trace-summaries sampling -----------------------------+-------------------- Reporter: robin | Owner: robin Type: Patch | Status: closed Priority: Normal | Milestone: Component: BroControl | Version: 1.5.3 Resolution: Merged/Applied | Keywords: -----------------------------+-------------------- Changes (by robin): * status: new => closed * resolution: => Merged/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Fri Feb 25 17:36:49 2011 
From: robin at icir.org (Robin Sommer) Date: Fri, 25 Feb 2011 17:36:49 -0800 Subject: [Bro-Dev] 1.5.3? Message-ID: <20110226013649.GG4360@icir.org> I'm thinking we should do a 1.5.3 release with these: http://tracker.icir.org/bro/query?version=1.5.3 All of them are in SVN trunk now, of which #379 is the most critical. Does that make sense? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From seth at icir.org Fri Feb 25 17:41:26 2011 From: seth at icir.org (Seth Hall) Date: Fri, 25 Feb 2011 20:41:26 -0500 Subject: [Bro-Dev] 1.5.3? In-Reply-To: <20110226013649.GG4360@icir.org> References: <20110226013649.GG4360@icir.org> Message-ID: <11AF5B18-3093-4CE9-A062-1361A516CF24@icir.org> On Feb 25, 2011, at 8:36 PM, Robin Sommer wrote: > All of them are in SVN trunk now, of which #379 is the most critical. > > Does that make sense? Makes sense to me, if nothing else than to fix #379. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From leres at ee.lbl.gov Fri Feb 25 17:42:51 2011 From: leres at ee.lbl.gov (Craig Leres) Date: Fri, 25 Feb 2011 17:42:51 -0800 Subject: [Bro-Dev] 1.5.3? In-Reply-To: <20110226013649.GG4360@icir.org> References: <20110226013649.GG4360@icir.org> Message-ID: <4D685A9B.606@ee.lbl.gov> On 02/25/11 17:36, Robin Sommer wrote: > I'm thinking we should do a 1.5.3 release with these: > > http://tracker.icir.org/bro/query?version=1.5.3 > > All of them are in SVN trunk now, of which #379 is the most critical. I'd like to see this one included: http://tracker.icir.org/bro/ticket/391 topic/gregor/fix-val-64bit -- Integer type fixes Craig From robin at icir.org Fri Feb 25 17:49:52 2011 
From: robin at icir.org (Robin Sommer) Date: Fri, 25 Feb 2011 17:49:52 -0800 Subject: [Bro-Dev] 1.5.3? In-Reply-To: <4D685A9B.606@ee.lbl.gov> References: <20110226013649.GG4360@icir.org> <4D685A9B.606@ee.lbl.gov> Message-ID: <20110226014952.GH4360@icir.org> On Fri, Feb 25, 2011 at 17:42 -0800, you wrote: > topic/gregor/fix-val-64bit -- Integer type fixes This patch depends on other thigns that went into git earlier, and doesn't dirctly apply to 1.5. I'm quiet reluctant to change anything regarding integer types in 1.5 as that can easily break something somewhere. Did you run into any of those problems with 1.5? The 64-bit changes should only matter if you compile wiht --enable-in64. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From leres at ee.lbl.gov Fri Feb 25 18:04:50 2011 From: leres at ee.lbl.gov (Craig Leres) Date: Fri, 25 Feb 2011 18:04:50 -0800 Subject: [Bro-Dev] 1.5.3? In-Reply-To: <20110226014952.GH4360@icir.org> References: <20110226013649.GG4360@icir.org> <4D685A9B.606@ee.lbl.gov> <20110226014952.GH4360@icir.org> Message-ID: <4D685FC2.2010701@ee.lbl.gov> On 02/25/11 17:49, Robin Sommer wrote: > > On Fri, Feb 25, 2011 at 17:42 -0800, you wrote: > >> topic/gregor/fix-val-64bit -- Integer type fixes > > This patch depends on other thigns that went into git earlier, and > doesn't dirctly apply to 1.5. I'm quiet reluctant to change anything > regarding integer types in 1.5 as that can easily break something > somewhere. > > Did you run into any of those problems with 1.5? The 64-bit changes > should only matter if you compile wiht --enable-in64. Sorry, I was confused; it's the devel/git version that won't build on a 64-bit os, e.g. FreeBSD 7.2-RELEASE, amd64. Craig From vern at icir.org Sat Feb 26 09:47:29 2011 
From: vern at icir.org (Vern Paxson)
Date: Sat, 26 Feb 2011 09:47:29 -0800
Subject: [Bro-Dev] 1.5.3?
In-Reply-To: <20110226013649.GG4360@icir.org> (Fri, 25 Feb 2011 17:36:49 PST).
Message-ID: <20110226174729.D8EB936A416@taffy.ICSI.Berkeley.EDU>

> I'm thinking we should do a 1.5.3 release with these:

In general, fine with me. However, what's up with #385? I can't tell
from the ticket what problem it's addressing, or how.

(And if left out, then the others are all thematically about cluster
management, which if made explicit would help folks who don't run clusters
realize they don't particularly need to upgrade right now.)

Vern

From bro at tracker.icir.org Sat Feb 26 09:55:36 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Sat, 26 Feb 2011 17:55:36 -0000
Subject: [Bro-Dev] #385: Add the new code for setting the socket buffer size
In-Reply-To: <044.b2b74839782e7c780d60b3c5d25feb8f@tracker.icir.org>
References: <044.b2b74839782e7c780d60b3c5d25feb8f@tracker.icir.org>
Message-ID: <059.13617998905c8ea4229a71e67531f5fd@tracker.icir.org>

#385: Add the new code for setting the socket buffer size
-----------------------------+--------------------
  Reporter:  robin           |       Owner:
      Type:  Patch           |      Status:  closed
  Priority:  Normal          |   Milestone:
 Component:  Bro             |     Version:  1.5.3
Resolution:  Merged/Applied  |    Keywords:
-----------------------------+--------------------

Comment (by leres):

Here's a link back to the ticket that has the patch:

http://tracker.icir.org/bro/ticket/383

--
Ticket URL: Bro Tracker Bro Issue Tracker

From leres at ee.lbl.gov Sat Feb 26 09:55:53 2011
From: leres at ee.lbl.gov (Craig Leres)
Date: Sat, 26 Feb 2011 09:55:53 -0800
Subject: [Bro-Dev] 1.5.3?
In-Reply-To: <20110226174729.D8EB936A416@taffy.ICSI.Berkeley.EDU>
References: <20110226174729.D8EB936A416@taffy.ICSI.Berkeley.EDU>
Message-ID: <4D693EA9.9020007@ee.lbl.gov>

On 02/26/11 09:47, Vern Paxson wrote:
>> I'm thinking we should do a 1.5.3 release with these:
>
> In general, fine with me. However, what's up with #385? I can't tell
> from the ticket what problem it's addressing, or how.

That ticket resulted from this one:

http://tracker.icir.org/bro/ticket/383

I added a comment to 385 that points back.

Craig

From robin at icir.org Sun Feb 27 22:07:40 2011
From: robin at icir.org (Robin Sommer)
Date: Sun, 27 Feb 2011 22:07:40 -0800
Subject: [Bro-Dev] 1.5.3?
In-Reply-To: <20110226174729.D8EB936A416@taffy.ICSI.Berkeley.EDU>
References: <20110226013649.GG4360@icir.org> <20110226174729.D8EB936A416@taffy.ICSI.Berkeley.EDU>
Message-ID: <20110228060740.GA10801@icir.org>

On Sat, Feb 26, 2011 at 09:47 -0800, you wrote:

> > I'm thinking we should do a 1.5.3 release with these:
>
> In general, fine with me. However, what's up with #385?

Per Craig's note, that generally affects communication. Also, #380 and
#386 are fixes for broctl in standalone mode.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From robin at icir.org Mon Feb 28 13:57:57 2011
From: robin at icir.org (Robin Sommer)
Date: Mon, 28 Feb 2011 13:57:57 -0800
Subject: [Bro-Dev] Removing some of the bro-aux tools?
Message-ID: <20110228215757.GB41883@icir.org>

Craig noted that some of the tools currently in bro-aux are actually
maintained independently (and we're shipping old versions right now).
It seems to make sense to remove these from bro-aux. We could instead
just list them with URLs in the README and/or on the web site.

Specifically, this would mean removing:

cf (distribution at ftp://ee.lbl.gov/cf.tar.gz)
hf (distribution at ftp://ee.lbl.gov/hf.tar.gz)

Plus, Craig just created a replacement for the SSL scripts in
bro-aux/scripts/ca-*, with the new one available at
ftp://ee.lbl.gov/create-cert.tar.gz

All these also have (or will have soon) their own FreeBSD ports.

Any objections to removing?

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From bro at tracker.icir.org Mon Feb 28 15:57:02 2011
From: bro at tracker.icir.org (Bro Tracker)
Date: Mon, 28 Feb 2011 23:57:02 -0000
Subject: [Bro-Dev] #391: topic/gregor/fix-val-64bit -- Integer type fixes
In-Reply-To: <045.a5c7b255430f1848f40bdcf113c88ce1@tracker.icir.org>
References: <045.a5c7b255430f1848f40bdcf113c88ce1@tracker.icir.org>
Message-ID: <060.d898c79b0d3efa0ec9c335f4c1b95982@tracker.icir.org>

#391: topic/gregor/fix-val-64bit -- Integer type fixes
-----------------------------+--------------------
  Reporter:  gregor          |       Owner:
      Type:  Merge Request   |      Status:  closed
  Priority:  Normal          |   Milestone:
 Component:  Bro             |     Version:
Resolution:  Merged/Applied  |    Keywords:
-----------------------------+--------------------
Changes (by robin):

 * status:  new => closed
 * resolution:  => Merged/Applied

--
Ticket URL: Bro Tracker Bro Issue Tracker