From bro at tracker.bro-ids.org Wed Aug 1 08:29:23 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 01 Aug 2012 15:29:23 -0000
Subject: [Bro-Dev] #814: Fix MailAlarmsTo
In-Reply-To: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org>
References: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org>
Message-ID: <071.7ef16c3d1a34ab328721da10c625b425@tracker.bro-ids.org>

#814: Fix MailAlarmsTo
-----------------------------+--------------------------
  Reporter:  Tyler.Schoenke  |      Owner:
      Type:  Problem         |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  BroControl      |    Version:  git/master
Resolution:                  |   Keywords:  MailAlarmsTo
-----------------------------+--------------------------

Comment (by dnthayer):

Not sure what the expected behavior should be: currently, notices with
action ACTION_EMAIL are emailed and notices with action ACTION_ALARM are
not (but you can apply both actions to a single notice if you want).
During each log rotation, two summary emails are sent: one that lists all
notices with action ACTION_ALARM that occurred since the last log
rotation, and the other is the connection summary report.

So, the "MailAlarmsTo" would specify the email address for the alarm
summary email, and the "MailTo" would specify the email address for
notices with action ACTION_EMAIL (and for the connection summary report
that is sent each time log rotation occurs), right?

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From hlin33 at illinois.edu Wed Aug 1 08:50:38 2012
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Wed, 1 Aug 2012 10:50:38 -0500
Subject: [Bro-Dev] Hui Lin_Merging DNP3 analyzer
In-Reply-To: <0b8a30b5a5cd4609bdad1907d3296ebe@CITESHT1.ad.uillinois.edu>
References: <0b8a30b5a5cd4609bdad1907d3296ebe@CITESHT1.ad.uillinois.edu>
Message-ID:

Hi, Robin,

Another two questions:

1. I have some customization codes in DNP3.cc. I simply printf the error
   message in this file (such as memory allocation failed). For those error
   messages, do I have to include them in log files?

2. Where should I put several sample policy files?

Best,
Hui

On Mon, Jul 30, 2012 at 11:51 PM, Robin Sommer wrote:

> On Mon, Jul 30, 2012 at 11:46 -0500, you wrote:
>
> > I think the DNP3 analyzer is ready to be merged. The only concern now is
> > that I still left very little Debug codes. Do u want me to remove them all?
>
> Yes, generally, that should probably be removed. Take a look at the
> DBG_LOG macro though (if you aren't already using it), it's a good
> way to keep some debugging information in.
>
> > I don't have a tracker account. Can you create a ticket for me and give me
> > a basic idea how to do the merging?
>
> I'll do the merging; once you're ready just create a ticket and set it
> to merge request. I'll create you an account on the tracker tomorrow.
>
> However, as this is something for Bro 2.2, it'll take a bit until I'll
> do the merge; we're in feature freeze mode right now. :)
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

--
Hui Lin
PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign

From robin at icir.org Wed Aug 1 09:31:04 2012
From: robin at icir.org (Robin Sommer)
Date: Wed, 1 Aug 2012 09:31:04 -0700
Subject: [Bro-Dev] [Bro] Version: 2.0-907 -- Bro manager memory exhaustion
In-Reply-To:
References: <5702_1343754005_q6VH040q008906_CC3D8551.58F7%vladg@andrew.cmu.edu>
Message-ID: <20120801163104.GJ45936@icir.org>

On Wed, Aug 01, 2012 at 01:26 +0000, you wrote:

> This seems to me to just be an issue of my ElasticSearch server not
> keeping up with the load.

Good (for Bro, not for the ES server :-). Thanks for the update.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From seth at icir.org Wed Aug 1 10:04:53 2012
From: seth at icir.org (Seth Hall)
Date: Wed, 1 Aug 2012 13:04:53 -0400
Subject: [Bro-Dev] [Bro] Version: 2.0-907 -- Bro manager memory exhaustion
In-Reply-To: <20120801163104.GJ45936@icir.org>
References: <5702_1343754005_q6VH040q008906_CC3D8551.58F7%vladg@andrew.cmu.edu> <20120801163104.GJ45936@icir.org>
Message-ID:

On Aug 1, 2012, at 12:31 PM, Robin Sommer wrote:

> On Wed, Aug 01, 2012 at 01:26 +0000, you wrote:
>
>> This seems to me to just be an issue of my ElasticSearch server not
>> keeping up with the load.
>
> Good (for Bro, not for the ES server :-). Thanks for the update.

Unfortunately this is a situation we'll have to deal with eventually and
also one of the probably many reasons it's listed as testing for now. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Wed Aug 1 15:49:52 2012
From: robin at icir.org (Robin Sommer)
Date: Wed, 1 Aug 2012 15:49:52 -0700
Subject: [Bro-Dev] Hui Lin_Merging DNP3 analyzer
In-Reply-To:
References: <0b8a30b5a5cd4609bdad1907d3296ebe@CITESHT1.ad.uillinois.edu>
Message-ID: <20120801224952.GD65552@icir.org>

Hui,

what's the branch your most recent code is in?

On Wed, Aug 01, 2012 at 10:50 -0500, you wrote:

> 1. I have some customization codes in DNP3.cc. I simply printf the error
> message in this file (such as memory allocation failed). For those error
> messages, do I have to include them in log files?

Yes, you should use the reporter for errors. For memory in particular,
you don't need to check if you use "new" (because a handler for that
is installed), and there's safe_malloc etc. for the C-style functions
(see util.h)

> 2. Where should I put several sample policy files?

Put them under scripts/policy/protocols/ for now, we can later see if
that's something we want to ship.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From hlin33 at illinois.edu Wed Aug 1 17:21:08 2012
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Wed, 1 Aug 2012 19:21:08 -0500
Subject: [Bro-Dev] Hui Lin_Merging DNP3 analyzer
In-Reply-To:
References: <0b8a30b5a5cd4609bdad1907d3296ebe@CITESHT1.ad.uillinois.edu>
Message-ID:

On Wed, Aug 1, 2012 at 5:49 PM, Robin Sommer wrote:

> Hui, what's the branch your most recent code is in?

I am working on the branch topic/hui/powergrid3, but I have not pushed my
recent modifications.

> On Wed, Aug 01, 2012 at 10:50 -0500, you wrote:
>
> > 1. I have some customization codes in DNP3.cc. I simply printf the error
> > message in this file (such as memory allocation failed). For those error
> > messages, do I have to include them in log files?
>
> Yes, you should use the reporter for errors. For memory in particular,
> you don't need to check if you use "new" (because a handler for that
> is installed), and there's safe_malloc etc. for the C-style functions
> (see util.h)

Do we have any macro for reporting errors? There are some other errors in
addition to memory allocation. I may need some time to replace that old
malloc functions with the safe ones.

> > 2. Where should I put several sample policy files?
>
> Put them under scripts/policy/protocols/ for now, we can later see if
> that's something we want to ship.

OK. I also plan to add little explanations on those policies.

> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

--
Hui Lin
PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign

From tritium.cat at gmail.com Thu Aug 2 01:13:23 2012
From: tritium.cat at gmail.com (Tritium Cat)
Date: Thu, 2 Aug 2012 08:13:23 +0000
Subject: [Bro-Dev] Ticket #447 and default snaplen
Message-ID:

I noticed #447 but found a default of 8192 still being used from
"share/bro/base/init-bare.bro", line 2793.

Using a value of "0" results in an error for libpcap

==== stderr.log
fatal error: /usr/local/3rd-party/bro/bin/bro: problem with interface eth5 - pcap_compile(): snaplen of 0 rejects all packets

65535 is accepted:

==== stderr.log
listening on eth5, capture length 65535 bytes

From bro at tracker.bro-ids.org Thu Aug 2 06:29:58 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 02 Aug 2012 13:29:58 -0000
Subject: [Bro-Dev] #447: Bro snaplen
In-Reply-To: <046.4db53ae499264619cad7da2294ca2be3@tracker.bro-ids.org>
References: <046.4db53ae499264619cad7da2294ca2be3@tracker.bro-ids.org>
Message-ID: <061.59a4dfaf4559b9c7a8cbeadce6c85eaa@tracker.bro-ids.org>

#447: Bro snaplen
-----------------------------+--------------------
  Reporter:  vern            |      Owner:
      Type:  Merge Request   |     Status:  closed
  Priority:  High            |  Milestone:
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------

Comment (by seth):

Final comment to answer a question from the dev mailing list, we ended up
bumping this back down to 8192 due to performance issues with 65535. There
are a couple of things to keep in mind when considering your snap length.

1. The best solution is going to be to set it to exactly what your MTU is
   and 8192 just happens to be a good middle point between working on almost
   all networks and not too large to cause performance problems.

2. The other thing is to make sure that NIC features are disabled which
   could group multiple packets together and deliver a single enlarged packet
   above the MTU for your network. A good reference for these various
   features can be found in a blog post by Doug Burks:
   http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From seth at icir.org Thu Aug 2 06:33:29 2012
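The ticket comment above explains why the snaplen should match the MTU and why NIC offloads that coalesce packets matter: any frame longer than the snaplen is stored cut off. The following is an added example, not code from the Bro project or from the ticket, that audits an existing capture file for exactly that symptom. It parses the classic libpcap file format (global header plus per-record headers), counts records whose captured length is shorter than their on-the-wire length, and reports the largest frame seen, which is the number to compare with the link's MTU. The capture it runs on is constructed inline with all-zero payloads; `build_pcap` exists only to make that sample.

```python
"""Audit a classic pcap file: snaplen vs. what was actually on the wire."""
import struct

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond and nanosecond variants
GLOBAL_HDR = "IHHiIII"   # magic, v_major, v_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"      # ts_sec, ts_frac, caplen (incl_len), orig_len


def byte_order(magic_bytes):
    """Return the struct prefix ('<' or '>') that matches the pcap magic number."""
    for prefix in ("<", ">"):
        if struct.unpack(prefix + "I", magic_bytes)[0] in PCAP_MAGICS:
            return prefix
    raise ValueError("not a classic pcap file (bad magic)")


def audit_pcap(data):
    """Walk every packet record and return a summary dict; raise on malformed input."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    prefix = byte_order(data[:4])
    _magic, _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        prefix + GLOBAL_HDR, data[:24])
    offset, packets, truncated, max_wire = 24, 0, 0, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("short record header at offset %d" % offset)
        _sec, _frac, caplen, orig_len = struct.unpack(
            prefix + RECORD_HDR, data[offset:offset + 16])
        offset += 16
        # A record can never hold more than snaplen bytes, nor run past the file.
        if caplen > snaplen or offset + caplen > len(data):
            raise ValueError("inconsistent record at offset %d" % (offset - 16))
        packets += 1
        max_wire = max(max_wire, orig_len)
        if caplen < orig_len:       # the snaplen cut this frame short
            truncated += 1
        offset += caplen
    return {"snaplen": snaplen, "linktype": linktype, "packets": packets,
            "truncated": truncated, "max_wire_len": max_wire}


def build_pcap(snaplen, wire_lengths, prefix="<", linktype=1):
    """Construct a pcap image with zero-filled payloads for testing (not a real capture)."""
    out = struct.pack(prefix + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for i, orig_len in enumerate(wire_lengths):
        caplen = min(orig_len, snaplen)   # libpcap stores at most snaplen bytes
        out += struct.pack(prefix + RECORD_HDR, 1343800000 + i, 0, caplen, orig_len)
        out += b"\x00" * caplen
    return out


# Constructed sample: Bro's 8192 default, one ordinary 1514-byte Ethernet frame,
# one 9000-byte frame (a jumbo frame or an LRO/GRO-coalesced segment), one ARP.
SAMPLE_PCAP = build_pcap(8192, [1514, 9000, 60])

if __name__ == "__main__":
    report = audit_pcap(SAMPLE_PCAP)
    print(report)
    if report["truncated"]:
        print("%d of %d packets exceed snaplen %d (largest frame: %d bytes)" % (
            report["truncated"], report["packets"], report["snaplen"],
            report["max_wire_len"]))
```

Run against a real file, replace `SAMPLE_PCAP` with `open(path, "rb").read()`; a non-zero `truncated` count with `max_wire_len` above the link MTU is the signature of the offload problem the comment describes, and a count with `max_wire_len` at or below the MTU means the snaplen itself is simply too small.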
From: seth at icir.org (Seth Hall)
Date: Thu, 2 Aug 2012 09:33:29 -0400
Subject: [Bro-Dev] Ticket #447 and default snaplen
In-Reply-To:
References:
Message-ID: <777639F0-6963-4A62-B76D-9190DEC4FC3F@icir.org>

On Aug 2, 2012, at 4:13 AM, Tritium Cat wrote:

> I noticed #447 but found a default of 8192 still being used from
> "share/bro/base/init-bare.bro", line 2793.

We discovered that it was causing some pretty severe performance problems
and changed back to 8192 by default. Ultimately the best choice will be to
set the snaplen to the MTU for the link you are monitoring and to make sure
and turn off all NIC features. Doug Burks has a good reference for these
features here:
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html

I left a comment on the ticket so that people won't get caught by that
quick change around in the future too.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Thu Aug 2 08:47:12 2012
From: robin at icir.org (Robin Sommer)
Date: Thu, 2 Aug 2012 08:47:12 -0700
Subject: [Bro-Dev] Hui Lin_Merging DNP3 analyzer
In-Reply-To:
References: <0b8a30b5a5cd4609bdad1907d3296ebe@CITESHT1.ad.uillinois.edu>
Message-ID: <20120802154712.GC89373@icir.org>

On Wed, Aug 01, 2012 at 19:21 -0500, you wrote:

> Do we have any macro for reporting errors?

You can use the reporter, see reporter.h; in particular its Weird
methods if it's protocol weirdness.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From hlin33 at illinois.edu Thu Aug 2 08:49:34 2012
From: hlin33 at illinois.edu (Hui Lin (Hugo) )
Date: Thu, 2 Aug 2012 10:49:34 -0500
Subject: [Bro-Dev] Hui Lin_Merging DNP3 analyzer
In-Reply-To: <7fca151080f04491bb05113a7b75abce@CITESHT3.ad.uillinois.edu>
References: <0b8a30b5a5cd4609bdad1907d3296ebe@CITESHT1.ad.uillinois.edu> <7fca151080f04491bb05113a7b75abce@CITESHT3.ad.uillinois.edu>
Message-ID:

Just found out by taking a look at the FTP analyzer. :) I am using
reporter->Warnings though.

On Thu, Aug 2, 2012 at 10:47 AM, Robin Sommer wrote:

> On Wed, Aug 01, 2012 at 19:21 -0500, you wrote:
>
> > Do we have any macro for reporting errors?
>
> You can use the reporter, see reporter.h; in particular its Weird
> methods if it's protocol weirdness.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

--
Hui Lin
PhD Candidate, Research Assistant
Electrical and Computer Engineering Department
University of Illinois at Urbana-Champaign

From seth at icir.org Thu Aug 2 09:05:40 2012
From: seth at icir.org (Seth Hall)
Date: Thu, 2 Aug 2012 12:05:40 -0400
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/hui/powergrid3: ready to be merged (63c4639)
In-Reply-To: <201208021558.q72Fwxjo026266@bro-ids.icir.org>
References: <201208021558.q72Fwxjo026266@bro-ids.icir.org>
Message-ID: <431C07E8-99D6-4433-9510-99A03DA3E82E@icir.org>

On Aug 2, 2012, at 11:58 AM, Hui Lin wrote:

> On branch : topic/hui/powergrid3
> ready to be merged

Please file a merge request ticket and assign it to the 2.2 release so we
can begin discussing this there.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From bro at tracker.bro-ids.org Thu Aug 2 09:36:27 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 02 Aug 2012 16:36:27 -0000
Subject: [Bro-Dev] #861: Merging DNP3 Analyzer
Message-ID: <045.d25b5df6a13b96f4b3e3618bd9398e58@tracker.bro-ids.org>

#861: Merging DNP3 Analyzer
------------------------+---------------------------
 Reporter:  hui         |       Type:  Merge Request
   Status:  new         |   Priority:  Normal
Milestone:  Bro2.2      |  Component:  Bro
  Version:  git/master  |   Keywords:  dnp3
------------------------+---------------------------

Merging the branch topic/hui/powergrid3 into Master

The DNP3 analyzer codes in src/
  DNP3.cc
  DNP3.h
  dnp3.pac
  dnp3-protocol.pac
  dnp3-analyzer.pac
  dnp3-objects.pac

Policy scripts in policy in scripts/policy/protocols/dnp3

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Aug 2 13:19:19 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 02 Aug 2012 20:19:19 -0000
Subject: [Bro-Dev] #862: btest path length limitations
Message-ID: <048.9f323ae668fcf7c82a3565e789fec695@tracker.bro-ids.org>

#862: btest path length limitations
---------------------+------------------------
 Reporter:  jsiwek   |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro2.2
Component:  BTest    |    Version:  git/master
 Keywords:           |
---------------------+------------------------

btest looks like it fails to create a unix socket when running in paths
that are particularly long:

{{{
jenkins at ubuntu12-04:btest$ pwd
/home/jenkins/workspace/BuildAll/label/Ubuntu_12.04_x86_64/bro/testing/btest
jenkins at ubuntu12-04:btest$ ../../aux/btest/btest core/
Process TestManager-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib/python2.7/multiprocessing/managers.py", line 550, in _run_server
    server = cls._Server(registry, address, authkey, serializer)
  File "/usr/lib/python2.7/multiprocessing/managers.py", line 162, in __init__
    self.listener = Listener(address=address, backlog=16)
  File "/usr/lib/python2.7/multiprocessing/connection.py", line 132, in __init__
    self._listener = SocketListener(address, family, backlog)
  File "/usr/lib/python2.7/multiprocessing/connection.py", line 254, in __init__
    self._socket.bind(address)
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: AF_UNIX path too long
Traceback (most recent call last):
  File "../../aux/btest/btest", line 1162, in
    (succeeded, failed, skipped) = TestManager().run(copy.deepcopy(tests), output_handler)
  File "../../aux/btest/btest", line 136, in run
    self.start()
  File "/usr/lib/python2.7/multiprocessing/managers.py", line 528, in start
    self._address = reader.recv()
EOFError
}}}
Doing this change fixes it: {{{ iff --git a/btest b/btest index fedaa63..dee3247 100755 --- a/btest +++ b/btest @@ -129,8 +129,8 @@ ConfigParser.ConfigParser._interpolate = cpExpandBackticks # Main class distributing the work across threads. class TestManager(multiprocessing.managers.SyncManager): - def __init__(self): - super(TestManager, self).__init__() + def __init__(self, *args, **kwargs): + super(TestManager, self).__init__(*args, **kwargs) def run(self, tests, output_handler): self.start() @@ -1158,7 +1158,7 @@ mkdir(BaselineDir) mkdir(TmpDir) try: - (succeeded, failed, skipped) = TestManager().run(copy.deepcopy(tests), output_handler) + (succeeded, failed, skipped) = TestManager(address="/tmp/blah").run(copy.deepcopy(tests), output_handler) total = succeeded + failed + skipped except KeyboardInterrupt: print >>sys.stderr, "Aborted." }}} But obviously the path of the socket should be determined more dynamically. I didn't know if it always makes sense to try to use something short in /tmp or should it only be changed through a command line switch? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Aug 2 14:02:06 2012 
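Review bot: the first hunk widens `TestManager.__init__` to forward `*args, **kwargs` to `SyncManager.__init__`, but nothing documents which keywords are meant to pass through; add a short note (at the class comment, "Main class distributing the work across threads.") that `address` is the intended one and that `authkey` should be set explicitly if the listener ever lives somewhere other than a private directory, otherwise a later reader of `TestManager()` has no way to tell why the pass-through exists.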
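Review bot: in the second hunk, `TestManager(address="/tmp/blah")` is a fixed, predictable name in a world-writable directory: two btest runs on the same host collide on the socket, and any other local user can create that name (or a symlink to it) before btest binds it. Pick the path per run instead, e.g. `tempfile.mkdtemp()` (created mode 0700) joined with a short socket name, and remove the directory when the run ends; that also keeps the address well inside the `sun_path` limit that produced `error: AF_UNIX path too long` in the traceback, which is what the hunk is trying to avoid.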
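To show the "more dynamic" socket path the ticket asks for, here is an added example; it is not btest's code and the function names are my own. Instead of a fixed `address="/tmp/blah"`, it creates a fresh temporary directory per run (`tempfile.mkdtemp` creates it with mode 0700, so no other local user can pre-create or replace the socket name), builds the socket path inside it, and checks the result against the platform's `sun_path` limit before the path is handed to `multiprocessing` as the manager `address`, which is where the `AF_UNIX path too long` error in the traceback originated. The platform limits (108 bytes on Linux, 104 on the BSDs and macOS, one byte reserved for the terminator) are assumptions taken from the respective `<sys/un.h>`.

```python
"""Choose a Unix-domain socket path that fits sun_path and is private to this run."""
import os
import shutil
import socket
import sys
import tempfile


def sun_path_limit():
    """Usable bytes in sockaddr_un.sun_path: 108 on Linux, 104 on BSD/macOS,
    minus one for the terminating NUL (assumed values from <sys/un.h>)."""
    if sys.platform == "darwin" or "bsd" in sys.platform:
        return 103
    return 107


def path_fits(path):
    """True if the path can be bound as an AF_UNIX address on this platform."""
    return len(os.fsencode(path)) <= sun_path_limit()


def make_socket_path(name="btest.sock", base_dir=None):
    """Create a private 0700 directory and return an absolute socket path in it.

    base_dir defaults to tempfile's choice (TMPDIR, else /tmp), which is normally
    short; the directory is removed again if the resulting path would not fit.
    """
    sock_dir = tempfile.mkdtemp(prefix="btest-", dir=base_dir)
    path = os.path.join(sock_dir, name)
    if not path_fits(path):
        os.rmdir(sock_dir)
        raise ValueError("socket path too long (%d bytes): %s" % (len(path), path))
    return path


def directory_is_private(path):
    """True if the socket's directory exists and is accessible only to its owner."""
    sock_dir = os.path.dirname(path)
    return os.path.isdir(sock_dir) and (os.stat(sock_dir).st_mode & 0o777) == 0o700


def cleanup_socket_path(path):
    """Remove the socket file and its private directory after the run."""
    shutil.rmtree(os.path.dirname(path), ignore_errors=True)


def bind_listener(path):
    """Bind and listen on the Unix socket; the same path would be passed as
    address= to the multiprocessing manager in the ticket's patch."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(16)
    return srv


if __name__ == "__main__":
    p = make_socket_path()
    listener = bind_listener(p)
    print("listening on %s (%d bytes, private dir: %s)" % (
        p, len(p), directory_is_private(p)))
    listener.close()
    cleanup_socket_path(p)
```

Whether the path is chosen automatically or via a command line switch, as the ticket wonders, the check in `path_fits` is the part worth keeping either way: it turns the late, opaque `EOFError` from the manager's `start()` into an immediate error naming the offending path.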
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 02 Aug 2012 21:02:06 -0000
Subject: [Bro-Dev] #814: Fix MailAlarmsTo
In-Reply-To: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org>
References: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org>
Message-ID: <071.c448993ed29da0e7cedd7fbb9b5bd60c@tracker.bro-ids.org>

#814: Fix MailAlarmsTo
-----------------------------+--------------------------
  Reporter:  Tyler.Schoenke  |      Owner:
      Type:  Problem         |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  BroControl      |    Version:  git/master
Resolution:                  |   Keywords:  MailAlarmsTo
-----------------------------+--------------------------

Comment (by dnthayer):

In [a30cbd3affad8ab561b1ed49bf58b8368152bb82/broctl]:
{{{
#!CommitTicketReference repository="broctl" revision="a30cbd3affad8ab561b1ed49bf58b8368152bb82"
Fix MailAlarmsTo broctl config option

This change writes the value of the broctl config option MailAlarmsTo
to the appropriate bro script variable, so that alarm summary emails
are sent to the address specified with this config option (previously,
this config option was not used anywhere). As before, if the user
does not specify a value for this option, then the value of the MailTo
config option is used by default.

Addresses #814.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Aug 2 14:05:27 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 02 Aug 2012 21:05:27 -0000
Subject: [Bro-Dev] #814: Fix MailAlarmsTo
In-Reply-To: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org>
References: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org>
Message-ID: <071.6304dec309dd65aecb0162dfb91c1f43@tracker.bro-ids.org>

#814: Fix MailAlarmsTo
-----------------------------+--------------------------
  Reporter:  Tyler.Schoenke  |      Owner:
      Type:  Merge Request   |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  BroControl      |    Version:  git/master
Resolution:                  |   Keywords:  MailAlarmsTo
-----------------------------+--------------------------

Changes (by dnthayer):

 * type:  Problem => Merge Request

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu Aug 2 14:49:26 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 02 Aug 2012 21:49:26 -0000
Subject: [Bro-Dev] #814: Fix MailAlarmsTo
In-Reply-To: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org>
References: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org>
Message-ID: <071.ccc71ecec177fd97ba0bb0f074c5d6ac@tracker.bro-ids.org>

#814: Fix MailAlarmsTo
-----------------------------+--------------------------
  Reporter:  Tyler.Schoenke  |      Owner:
      Type:  Merge Request   |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  BroControl      |    Version:  git/master
Resolution:                  |   Keywords:  MailAlarmsTo
-----------------------------+--------------------------

Comment (by Tyler.Schoenke):

Replying to [comment:3 dnthayer]:

> So, the "MailAlarmsTo" would specify the email address for the alarm summary email, and
> the "MailTo" would specify the email address for notices with action ACTION_EMAIL (and for
> the connection summary report that is sent each time log rotation occurs), right?

Yes, I wanted to send Alarm Summary to MailAlarmsTo, and have ACTION_ALARM
emails go to the MailTo. We have email alerts going into a tracking system
to quarantine infected systems. We don't need the Alarm Summary emails
being sent into our tracker. Thanks for making the change!

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Fri Aug 3 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 3 Aug 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208030700.q73702SF029733@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component  | Id      | Reporter       | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
BroControl | 814 [1] | Tyler.Schoenke |       | Normal | Fix MailAlarmsTo

[1] #814: http://tracker.bro-ids.org/bro/ticket/814

From noreply at bro-ids.org Sat Aug 4 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 4 Aug 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208040700.q74702LZ022528@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component  | Id      | Reporter       | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
BroControl | 814 [1] | Tyler.Schoenke |       | Normal | Fix MailAlarmsTo

[1] #814: http://tracker.bro-ids.org/bro/ticket/814

From noreply at bro-ids.org Sun Aug 5 00:00:04 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sun, 5 Aug 2012 00:00:04 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208050700.q757049K024412@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component  | Id      | Reporter       | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
BroControl | 814 [1] | Tyler.Schoenke |       | Normal | Fix MailAlarmsTo

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer      | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | a2b5028  | Bernhard Amann | 2012-08-04 | fix little sneaky bug in input framework with an edge case. [2]
bro       | 18550ab  | Bernhard Amann | 2012-08-04 | small bug in test script. Still worked, because the internal type checking let this through... [3]

[1] #814: http://tracker.bro-ids.org/bro/ticket/814
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/a2b5028b58dee3dfd2759235a65a7c829ca40555/bro
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/18550ab009852059ecacc98b8035fc370a5e8fee/bro

From noreply at bro-ids.org Mon Aug 6 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Mon, 6 Aug 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208060700.q76702QE031029@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component  | Id      | Reporter       | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
BroControl | 814 [1] | Tyler.Schoenke |       | Normal | Fix MailAlarmsTo

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer      | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | a2b5028  | Bernhard Amann | 2012-08-04 | fix little sneaky bug in input framework with an edge case. [2]
bro       | 18550ab  | Bernhard Amann | 2012-08-04 | small bug in test script. Still worked, because the internal type checking let this through... [3]

[1] #814: http://tracker.bro-ids.org/bro/ticket/814
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/a2b5028b58dee3dfd2759235a65a7c829ca40555/bro
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/18550ab009852059ecacc98b8035fc370a5e8fee/bro

From noreply at bro-ids.org Tue Aug 7 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 7 Aug 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208070700.q77702XA009933@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component  | Id      | Reporter       | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
BroControl | 814 [1] | Tyler.Schoenke |       | Normal | Fix MailAlarmsTo

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer      | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | a2b5028  | Bernhard Amann | 2012-08-04 | fix little sneaky bug in input framework with an edge case. [2]
bro       | 18550ab  | Bernhard Amann | 2012-08-04 | small bug in test script. Still worked, because the internal type checking let this through... [3]

[1] #814: http://tracker.bro-ids.org/bro/ticket/814
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/a2b5028b58dee3dfd2759235a65a7c829ca40555/bro
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/18550ab009852059ecacc98b8035fc370a5e8fee/bro

From noreply at bro-ids.org Wed Aug 8 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 8 Aug 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208080700.q78702cM031759@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component  | Id      | Reporter       | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
BroControl | 814 [1] | Tyler.Schoenke |       | Normal | Fix MailAlarmsTo

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer      | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | a2b5028  | Bernhard Amann | 2012-08-04 | fix little sneaky bug in input framework with an edge case. [2]
bro       | 18550ab  | Bernhard Amann | 2012-08-04 | small bug in test script. Still worked, because the internal type checking let this through... [3]

[1] #814: http://tracker.bro-ids.org/bro/ticket/814
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/a2b5028b58dee3dfd2759235a65a7c829ca40555/bro
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/18550ab009852059ecacc98b8035fc370a5e8fee/bro

From bro at tracker.bro-ids.org Wed Aug 8 13:01:16 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 08 Aug 2012 20:01:16 -0000
Subject: [Bro-Dev] #863: topic/dnthayer/more-bif-tests
Message-ID: <050.ba3aa1e2557b85b57bc44528611c0ebb@tracker.bro-ids.org>

#863: topic/dnthayer/more-bif-tests
---------------------------+------------------------
 Reporter:  dnthayer       |      Owner:
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.1
Component:  Bro            |    Version:  git/master
 Keywords:                 |
---------------------------+------------------------

This branch adds tests for more BIFs that were previously untested.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Thu Aug 9 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 9 Aug 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208090700.q79703Ze009097@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component  | Id      | Reporter       | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro        | 863 [1] | dnthayer       |       | Normal | topic/dnthayer/more-bif-tests [2]
BroControl | 814 [3] | Tyler.Schoenke |       | Normal | Fix MailAlarmsTo

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer      | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | a2b5028  | Bernhard Amann | 2012-08-04 | fix little sneaky bug in input framework with an edge case. [4]
bro       | 18550ab  | Bernhard Amann | 2012-08-04 | small bug in test script. Still worked, because the internal type checking let this through... [5]

[1] #863: http://tracker.bro-ids.org/bro/ticket/863
[2] more-bif-tests: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/dnthayer/more-bif-tests
[3] #814: http://tracker.bro-ids.org/bro/ticket/814
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/a2b5028b58dee3dfd2759235a65a7c829ca40555/bro
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/18550ab009852059ecacc98b8035fc370a5e8fee/bro

From bro at tracker.bro-ids.org Thu Aug 9 20:10:29 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 10 Aug 2012 03:10:29 -0000
Subject: [Bro-Dev] #836: Make reporter.log errors go to stderr when run from command-line
In-Reply-To: <048.f55ab9255b4a29b56b8218bba951e661@tracker.bro-ids.org>
References: <048.f55ab9255b4a29b56b8218bba951e661@tracker.bro-ids.org>
Message-ID: <063.ade15e6b7913555f3cd3b5ce56d0faa5@tracker.bro-ids.org>

#836: Make reporter.log errors go to stderr when run from command-line
----------------------------+------------------------
  Reporter:  amannb         |      Owner:  robin
      Type:  Merge Request  |     Status:  assigned
  Priority:  Normal         |  Milestone:  Bro2.1
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Changes (by seth):

 * owner:  seth => robin
 * type:  Feature Request => Merge Request

Comment:

Ready for merging in topic/seth/reporter-to-stderr.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Fri Aug 10 00:00:04 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 10 Aug 2012 00:00:04 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208100700.q7A704JZ007175@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component  | Id      | Reporter       | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro        | 836 [1] | amannb         | robin | Normal | Make reporter.log errors go to stderr when run from command-line
Bro        | 863 [2] | dnthayer       |       | Normal | topic/dnthayer/more-bif-tests [3]
BroControl | 814 [4] | Tyler.Schoenke |       | Normal | Fix MailAlarmsTo

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer      | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | a2b5028  | Bernhard Amann | 2012-08-04 | fix little sneaky bug in input framework with an edge case. [5]
bro       | 18550ab  | Bernhard Amann | 2012-08-04 | small bug in test script. Still worked, because the internal type checking let this through... [6]

[1] #836: http://tracker.bro-ids.org/bro/ticket/836
[2] #863: http://tracker.bro-ids.org/bro/ticket/863
[3] more-bif-tests: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/dnthayer/more-bif-tests
[4] #814: http://tracker.bro-ids.org/bro/ticket/814
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/a2b5028b58dee3dfd2759235a65a7c829ca40555/bro
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/18550ab009852059ecacc98b8035fc370a5e8fee/bro

From bro at tracker.bro-ids.org Fri Aug 10 13:32:49 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 10 Aug 2012 20:32:49 -0000
Subject: [Bro-Dev] #863: topic/dnthayer/more-bif-tests
In-Reply-To: <050.ba3aa1e2557b85b57bc44528611c0ebb@tracker.bro-ids.org>
References: <050.ba3aa1e2557b85b57bc44528611c0ebb@tracker.bro-ids.org>
Message-ID: <065.3ba4f10e8ea96502892a82dfcd074c21@tracker.bro-ids.org>

#863: topic/dnthayer/more-bif-tests
----------------------------+------------------------
  Reporter:  dnthayer       |      Owner:  robin
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.1
 Component:  Bro            |    Version:  git/master
Resolution:  fixed          |   Keywords:
----------------------------+------------------------
Changes (by robin):

 * owner:   => robin
 * status:  new => closed
 * resolution:   => fixed

Comment:

 In [2e936c7570c61c77b982e4a406aa0c78d58cce94/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="2e936c7570c61c77b982e4a406aa0c78d58cce94"
 Merge remote-tracking branch 'origin/topic/dnthayer/more-bif-tests'

 * origin/topic/dnthayer/more-bif-tests:
   Add more BIF tests
   Add tests for untested BIFs

 Closes #863,
 }}}

--
Ticket URL:

From bro at tracker.bro-ids.org Fri Aug 10 13:32:49 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 10 Aug 2012 20:32:49 -0000
Subject: [Bro-Dev] #836: Make reporter.log errors go to stderr when run from command-line
In-Reply-To: <048.f55ab9255b4a29b56b8218bba951e661@tracker.bro-ids.org>
References: <048.f55ab9255b4a29b56b8218bba951e661@tracker.bro-ids.org>
Message-ID: <063.45b2f0e36f26512a7ae44966c7ec85ca@tracker.bro-ids.org>

#836: Make reporter.log errors go to stderr when run from command-line
----------------------------+------------------------
  Reporter:  amannb         |      Owner:  robin
      Type:  Merge Request  |     Status:  closed
  Priority:  Normal         |  Milestone:  Bro2.1
 Component:  Bro            |    Version:  git/master
Resolution:  fixed          |   Keywords:
----------------------------+------------------------
Changes (by robin):

 * status:  assigned => closed
 * resolution:   => fixed

Comment:

 In [9cea1d3b27799c5e68aed07b618a2593b58581c7/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="9cea1d3b27799c5e68aed07b618a2593b58581c7"
 Merge remote-tracking branch 'origin/topic/seth/reporter-to-stderr'

 * origin/topic/seth/reporter-to-stderr:
   A couple of tests for printing reporter messages to STDERR.
   Small improvements for printing reporter messages to STDERR.
   Reporter warnings and error now print to stderr by default.

 Closes #836.
 }}}

--
Ticket URL:

From bro at tracker.bro-ids.org Fri Aug 10 13:33:09 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 10 Aug 2012 20:33:09 -0000
Subject: [Bro-Dev] #814: Fix MailAlarmsTo
In-Reply-To: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org>
References: <056.ad48e96857834b2e13a1d5fcdd547a93@tracker.bro-ids.org>
Message-ID: <071.618d776f71e3ab9b1da9ab61a5705cbf@tracker.bro-ids.org>

#814: Fix MailAlarmsTo
-----------------------------+--------------------------
  Reporter:  Tyler.Schoenke  |      Owner:  robin
      Type:  Merge Request   |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  BroControl      |    Version:  git/master
Resolution:  fixed           |   Keywords:  MailAlarmsTo
-----------------------------+--------------------------
Changes (by robin):

 * owner:   => robin
 * status:  new => closed
 * resolution:   => fixed

Comment:

 In [7b22d9bb4beede95dde77873ceba2a49c6d19917/broctl]:
 {{{
 #!CommitTicketReference repository="broctl" revision="7b22d9bb4beede95dde77873ceba2a49c6d19917"
 Merge remote-tracking branch 'origin/topic/dnthayer/bug814'

 * origin/topic/dnthayer/bug814:
   Fix MailAlarmsTo broctl config option

 Closes #814.
 }}}

--
Ticket URL:

From bro at tracker.bro-ids.org Sun Aug 12 11:30:59 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 12 Aug 2012 18:30:59 -0000
Subject: [Bro-Dev] #864: tweaks/updates for http://www.bro-ids.org/research/index.html
Message-ID: <046.ea5729a6a6d7eb0773191228ef641df5@tracker.bro-ids.org>

#864: tweaks/updates for http://www.bro-ids.org/research/index.html
---------------------+------------------------
 Reporter:  vern     |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Low      |  Milestone:
Component:  Website  |    Version:  git/master
 Keywords:           |
---------------------+------------------------
 The Chimera paper is now accessible via
 https://www.usenix.org/conference/usenixsecurity12/chimera-declarative-language-streaming-network-traffic-analysis .

 There's also a glitch in that most of the papers listed have "Proc. Proc."
 in the proceedings names.

--
Ticket URL:

From bro at tracker.bro-ids.org Tue Aug 14 14:36:05 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 14 Aug 2012 21:36:05 -0000
Subject: [Bro-Dev] #865: http://www.bro-ids.org/development/projects/ is inaccessible
Message-ID: <046.298887693aa25b8a7f787ba34e6dba6f@tracker.bro-ids.org>

#865: http://www.bro-ids.org/development/projects/ is inaccessible
---------------------+------------------------
 Reporter:  vern     |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:
Component:  Website  |    Version:  git/master
 Keywords:           |
---------------------+------------------------
 This part of the web site, even though it's linked to by other pages (such
 as the upper right of http://www.bro-ids.org/development/projects/cban.html ),
 returns a 403 Forbidden when visited.

--
Ticket URL:

From bro at tracker.bro-ids.org Tue Aug 14 14:51:34 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 14 Aug 2012 21:51:34 -0000
Subject: [Bro-Dev] #865: http://www.bro-ids.org/development/projects/ is inaccessible
In-Reply-To: <046.298887693aa25b8a7f787ba34e6dba6f@tracker.bro-ids.org>
References: <046.298887693aa25b8a7f787ba34e6dba6f@tracker.bro-ids.org>
Message-ID: <061.34e4a24d76bc7c6644db1ce01a32514f@tracker.bro-ids.org>

#865: http://www.bro-ids.org/development/projects/ is inaccessible
----------------------+------------------------
  Reporter:  vern     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  Website  |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Comment (by robin):

 On Tue, Aug 14, 2012 at 21:36 -0000, you wrote:

 > This part of the web site, even though it's linked to by other pages (such
 > as the upper right of http://www.bro-ids.org/development/projects/cban.html ),
 > returns a 403 Forbidden when visited.

 That directory doesn't have an index.html. The reason you see the link in
 the upper right corner is that that's automatically generated from the
 current path, without checking whether it actually works.

 Do you see a link to development/projects/ somewhere else than that?

 Robin

--
Ticket URL:

From bro at tracker.bro-ids.org Tue Aug 14 14:55:01 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 14 Aug 2012 21:55:01 -0000
Subject: [Bro-Dev] #865: http://www.bro-ids.org/development/projects/ is inaccessible
In-Reply-To: <046.298887693aa25b8a7f787ba34e6dba6f@tracker.bro-ids.org>
References: <046.298887693aa25b8a7f787ba34e6dba6f@tracker.bro-ids.org>
Message-ID: <061.353339aea72c4ee8ef3d4ba172a93024@tracker.bro-ids.org>

#865: http://www.bro-ids.org/development/projects/ is inaccessible
----------------------+------------------------
  Reporter:  vern     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  Website  |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Comment (by vern):

 I didn't see another link, but I think it's natural for someone who sees
 something in development/projects/XXX.html to wonder what other projects
 are around. Why doesn't projects/ have an index.html that just says the
 various projects going on?

 - Vern

--
Ticket URL:

From bro at tracker.bro-ids.org Tue Aug 14 15:19:07 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 14 Aug 2012 22:19:07 -0000
Subject: [Bro-Dev] #865: http://www.bro-ids.org/development/projects/ is inaccessible
In-Reply-To: <046.298887693aa25b8a7f787ba34e6dba6f@tracker.bro-ids.org>
References: <046.298887693aa25b8a7f787ba34e6dba6f@tracker.bro-ids.org>
Message-ID: <061.78f498055145f5e9c954050066b221a4@tracker.bro-ids.org>

#865: http://www.bro-ids.org/development/projects/ is inaccessible
----------------------+------------------------
  Reporter:  vern     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  Website  |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Comment (by robin):

 On Tue, Aug 14, 2012 at 21:55 -0000, you wrote:

 > I didn't see another link, but I think it's natural for someone who sees
 > something in development/projects/XXX.html to wonder what other projects
 > are around. Why doesn't projects/ have an index.html that just says the
 > various projects going on?

 No particular reason, that's just how it evolved. It certainly makes sense
 to add one.

 Robin

--
Ticket URL:

From bro at tracker.bro-ids.org Tue Aug 14 19:15:35 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 15 Aug 2012 02:15:35 -0000
Subject: [Bro-Dev] #866: Problem with set initializers
Message-ID: <046.979bb585920072a482373f58f7afe6e9@tracker.bro-ids.org>

#866: Problem with set initializers
----------------------+------------------------
 Reporter:  seth      |      Owner:
     Type:  Problem   |     Status:  new
 Priority:  Normal    |  Milestone:  Bro2.2
Component:  Bro       |    Version:  git/master
 Keywords:  language  |
----------------------+------------------------
 This code doesn't work:

 {{{
 const blah: set[string] = set("test1") &redef;
 redef blah += { "test2", "test3", };
 }}}

 But this does:

 {{{
 const blah: set[string] = { "test1" } &redef;
 redef blah += { "test2", "test3", };
 }}}

 There is definitely still some trouble with the two different set
 initializers.

--
Ticket URL:

From noreply at bro-ids.org Wed Aug 15 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 15 Aug 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208150700.q7F703xq007100@bro-ids.icir.org>

Unmerged Fastpath Commits
=========================

Component  | Revision  | Committer  | Date        | Summary
-----------+-----------+------------+-------------+------------------------------------------------------
bro        | 205ad78   | Seth Hall  | 2012-08-14  | Fix some problems in logs-to-elasticsearch.bro [1]

[1] fastpath:  http://tracker.bro-ids.org/bro/changeset/205ad78369701a5e67260b421411a52b28c45440/bro

From seth at icir.org Wed Aug 15 13:55:20 2012
From: seth at icir.org (Seth Hall)
Date: Wed, 15 Aug 2012 16:55:20 -0400
Subject: [Bro-Dev] the optimizer?
Message-ID:

Does the optimizer in Bro work at all? I'm just wondering because I realized that it could slightly impact how I create tunable options for Bro scripts.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Wed Aug 15 14:08:51 2012
From: robin at icir.org (Robin Sommer)
Date: Wed, 15 Aug 2012 14:08:51 -0700
Subject: [Bro-Dev] the optimizer?
In-Reply-To:
References:
Message-ID: <20120815210850.GL27665@icir.org>

On Wed, Aug 15, 2012 at 16:55 -0400, you wrote:

> Does the optimizer in Bro work at all? I'm just wondering because I realized that it could slightly impact how I create tunable options for Bro scripts.

I have no idea ...

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From vern at icir.org Wed Aug 15 17:04:20 2012
From: vern at icir.org (Vern Paxson)
Date: Wed, 15 Aug 2012 17:04:20 -0700
Subject: [Bro-Dev] the optimizer?
In-Reply-To: (Wed, 15 Aug 2012 16:55:20 EDT).
Message-ID: <20120816000420.5194B2C4002@rock.ICSI.Berkeley.EDU>

> Does the optimizer in Bro work at all? I'm just wondering because I
> realized that it could slightly impact how I create tunable options for
> Bro scripts.

AFAIK, it hasn't been touched since I first added it an eon ago. If I
recall right, it does some minor optimization (like constant folding), and
that's about it; not sure whether anyone has ever measured if it actually
makes a noticeable difference.

Vern

From noreply at bro-ids.org Thu Aug 16 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 16 Aug 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208160700.q7G703ZK021578@bro-ids.icir.org>

Unmerged Fastpath Commits
=========================

Component  | Revision  | Committer  | Date        | Summary
-----------+-----------+------------+-------------+------------------------------------------------------
bro        | 205ad78   | Seth Hall  | 2012-08-14  | Fix some problems in logs-to-elasticsearch.bro [1]

[1] fastpath:  http://tracker.bro-ids.org/bro/changeset/205ad78369701a5e67260b421411a52b28c45440/bro

From bro at tracker.bro-ids.org Thu Aug 16 10:33:59 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 16 Aug 2012 17:33:59 -0000
Subject: [Bro-Dev] #867: GRE support
Message-ID: <047.f0422edb4dada63b9f4ab954e0b2fe75@tracker.bro-ids.org>

#867: GRE support
-----------------------------+------------------------
 Reporter:  robin            |      Owner:
     Type:  Feature Request  |     Status:  new
 Priority:  Normal           |  Milestone:  Bro2.2
Component:  Bro              |    Version:  git/master
 Keywords:                   |
-----------------------------+------------------------
 Should be rather easy to add support for GRE tunnels now.

--
Ticket URL:

From bro at tracker.bro-ids.org Thu Aug 16 11:23:38 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 16 Aug 2012 18:23:38 -0000
Subject: [Bro-Dev] #864: tweaks/updates for http://www.bro-ids.org/research/index.html
In-Reply-To: <046.ea5729a6a6d7eb0773191228ef641df5@tracker.bro-ids.org>
References: <046.ea5729a6a6d7eb0773191228ef641df5@tracker.bro-ids.org>
Message-ID: <061.7715c31d3995cacb519fafa380c283dd@tracker.bro-ids.org>

#864: tweaks/updates for http://www.bro-ids.org/research/index.html
----------------------+------------------------
  Reporter:  vern     |      Owner:
      Type:  Problem  |     Status:  closed
  Priority:  Low      |  Milestone:
 Component:  Website  |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by robin):

 * status:  new => closed

Comment:

 On Sun, Aug 12, 2012 at 18:30 -0000, you wrote:

 > The Chimera paper is now accessible via
 > https://www.usenix.org/conference/usenixsecurity12/chimera-declarative-language-streaming-network-traffic-analysis .

 Link added.

 > There's also a glitch in that most of the papers listed have "Proc. Proc."
 > in the proceedings names.

 Fixed.

--
Ticket URL:

From noreply at bro-ids.org Fri Aug 17 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 17 Aug 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208170700.q7H703MK020997@bro-ids.icir.org>

Unmerged Fastpath Commits
=========================

Component  | Revision  | Committer  | Date        | Summary
-----------+-----------+------------+-------------+------------------------------------------------------------------------
bro        | 508ac1c   | Jon Siwek  | 2012-08-16  | Unit test tweaks/fixes. [1]
bro        | a6f7fd9   | Jon Siwek  | 2012-08-16  | Fix memory leak of serialized IDs when compiled with --enable-debug. [2]

[1] fastpath:  http://tracker.bro-ids.org/bro/changeset/508ac1c7ba1b9fbddc128a109b51bd6376ba4bd9/bro
[2] fastpath:  http://tracker.bro-ids.org/bro/changeset/a6f7fd9c874ffdab31c3c79c9956857617b723d5/bro

From noreply at bro-ids.org Sat Aug 18 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 18 Aug 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208180700.q7I702Fq015915@bro-ids.icir.org>

Unmerged Fastpath Commits
=========================

Component  | Revision  | Committer  | Date        | Summary
-----------+-----------+------------+-------------+------------------------------------------------------------------------
bro        | f201a9f   | Jon Siwek  | 2012-08-17  | Fix portability of printing to files returned by open("/dev/stderr"). [1]
bro        | 907c92e   | Jon Siwek  | 2012-08-17  | Fix mime type diff canonifier to also skip mime_desc columns [2]
bro        | 508ac1c   | Jon Siwek  | 2012-08-16  | Unit test tweaks/fixes. [3]
bro        | a6f7fd9   | Jon Siwek  | 2012-08-16  | Fix memory leak of serialized IDs when compiled with --enable-debug. [4]

[1] fastpath:  http://tracker.bro-ids.org/bro/changeset/f201a9f1a7f52329f1c8db35ab46dbfa50f0bda4/bro
[2] fastpath:  http://tracker.bro-ids.org/bro/changeset/907c92e1ccd692023ea305fa9e1acba5f4819aa9/bro
[3] fastpath:  http://tracker.bro-ids.org/bro/changeset/508ac1c7ba1b9fbddc128a109b51bd6376ba4bd9/bro
[4] fastpath:  http://tracker.bro-ids.org/bro/changeset/a6f7fd9c874ffdab31c3c79c9956857617b723d5/bro

From noreply at bro-ids.org Sun Aug 19 00:00:07 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sun, 19 Aug 2012 00:00:07 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208190700.q7J707fJ010043@bro-ids.icir.org>

Unmerged Fastpath Commits
=========================

Component  | Revision  | Committer  | Date        | Summary
-----------+-----------+------------+-------------+------------------------------------------------------------------------
bro        | f201a9f   | Jon Siwek  | 2012-08-17  | Fix portability of printing to files returned by open("/dev/stderr"). [1]
bro        | 907c92e   | Jon Siwek  | 2012-08-17  | Fix mime type diff canonifier to also skip mime_desc columns [2]
bro        | 508ac1c   | Jon Siwek  | 2012-08-16  | Unit test tweaks/fixes. [3]
bro        | a6f7fd9   | Jon Siwek  | 2012-08-16  | Fix memory leak of serialized IDs when compiled with --enable-debug. [4]

[1] fastpath:  http://tracker.bro-ids.org/bro/changeset/f201a9f1a7f52329f1c8db35ab46dbfa50f0bda4/bro
[2] fastpath:  http://tracker.bro-ids.org/bro/changeset/907c92e1ccd692023ea305fa9e1acba5f4819aa9/bro
[3] fastpath:  http://tracker.bro-ids.org/bro/changeset/508ac1c7ba1b9fbddc128a109b51bd6376ba4bd9/bro
[4] fastpath:  http://tracker.bro-ids.org/bro/changeset/a6f7fd9c874ffdab31c3c79c9956857617b723d5/bro

From noreply at bro-ids.org Mon Aug 20 00:00:05 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Mon, 20 Aug 2012 00:00:05 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208200700.q7K705fM017819@bro-ids.icir.org>

Unmerged Fastpath Commits
=========================

Component  | Revision  | Committer  | Date        | Summary
-----------+-----------+------------+-------------+------------------------------------------------------------------------
bro        | f201a9f   | Jon Siwek  | 2012-08-17  | Fix portability of printing to files returned by open("/dev/stderr"). [1]
bro        | 907c92e   | Jon Siwek  | 2012-08-17  | Fix mime type diff canonifier to also skip mime_desc columns [2]
bro        | 508ac1c   | Jon Siwek  | 2012-08-16  | Unit test tweaks/fixes. [3]
bro        | a6f7fd9   | Jon Siwek  | 2012-08-16  | Fix memory leak of serialized IDs when compiled with --enable-debug. [4]

[1] fastpath:  http://tracker.bro-ids.org/bro/changeset/f201a9f1a7f52329f1c8db35ab46dbfa50f0bda4/bro
[2] fastpath:  http://tracker.bro-ids.org/bro/changeset/907c92e1ccd692023ea305fa9e1acba5f4819aa9/bro
[3] fastpath:  http://tracker.bro-ids.org/bro/changeset/508ac1c7ba1b9fbddc128a109b51bd6376ba4bd9/bro
[4] fastpath:  http://tracker.bro-ids.org/bro/changeset/a6f7fd9c874ffdab31c3c79c9956857617b723d5/bro

From slagell at illinois.edu Mon Aug 20 10:06:37 2012
From: slagell at illinois.edu (Slagell, Adam J)
Date: Mon, 20 Aug 2012 17:06:37 +0000
Subject: [Bro-Dev] A consistent order of precedence for broctl options
Message-ID: <558D23D33781EF45A69229CDAC6BF151109C3EC6@CITESMBX6.ad.uillinois.edu>

Ticket [837] came up in discussion today. It does not appear that this issue was ever resolved. However, I think it is just a specific instance of a more general problem. We don't have any well-defined order of precedence for broctl options, and that leads to ambiguity and frustration (If I am wrong, someone please clarify it in documentation and we can answer this ticket in a consistent way).

I hope we can at least agree on two points. First, there should be a well-defined precedence that is documented and followed as uniformly as possible. If you're on board with that, do you agree with my second assertion that broctl should get the last word and override all others?

Maybe as a first step we could list all the places and ways such settings could be made, and then work to order that list?

:Adam Slagell

[837] http://tracker.bro-ids.org/bro/ticket/837

------
Adam J. Slagell, CISO, CISSP
Chief Information Security Officer
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info
217.244.8965

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

From dnthayer at illinois.edu Mon Aug 20 11:48:24 2012
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Mon, 20 Aug 2012 13:48:24 -0500
Subject: [Bro-Dev] A consistent order of precedence for broctl options
In-Reply-To: <558D23D33781EF45A69229CDAC6BF151109C3EC6@CITESMBX6.ad.uillinois.edu>
References: <558D23D33781EF45A69229CDAC6BF151109C3EC6@CITESMBX6.ad.uillinois.edu>
Message-ID: <50328678.6020505@illinois.edu>

On 08/20/2012 12:06 PM, Slagell, Adam J wrote:
> Ticket [837] came up in discussion today. It does not appear that this issue was ever resolved. However, I think it is just a specific instance of a more general problem. We don't have any well-defined order of precedence for broctl options, and that leads to ambiguity and frustration (If I am wrong, someone please clarify it in documentation and we can answer this ticket in a consistent way).
>
> I hope we can at least agree on two points. First, there should be a well-defined precedence that is documented and followed as uniformly as possible. If you're on board with that, do you agree with my second assertion that broctl should get the last word and override all others?
>
> Maybe as a first step we could list all the places and ways such settings could be made, and then work to order that list?
>
> :Adam Slagell
>
> [837] http://tracker.bro-ids.org/bro/ticket/837
> ------

Out of the 60+ broctl options that currently exist, there are 8 or so of them
that could clash with values defined in a bro script (confusingly, the bro
script variable name is usually different from the name of the corresponding
broctl option). Currently, in such a case the broctl option value will be
used instead of the corresponding bro script variable. The only exception is
if the "aux_scripts" option is defined in etc/node.cfg, and then only if such
an aux. script contains a variable that overrides a broctl option.
I have already improved the broctl README document (although this is not
currently visible on the bro web site due to an issue with updates not
appearing) to better explain the load order (in the "Site-specific
Customization" section), but it might also be useful to add a note in the
"Option Reference" section for each broctl option that can be set via a bro
script variable (for example, "this option overrides the bro script variable
'default_rotation_interval'"). We may also want to switch the load order so
that broctl options will override the aux_scripts (if any).

From seth at icir.org Mon Aug 20 12:07:25 2012
From: seth at icir.org (Seth Hall)
Date: Mon, 20 Aug 2012 15:07:25 -0400
Subject: [Bro-Dev] ReLog
Message-ID:

I just pushed out a quick script that can use Bro to reimport existing Bro logs back into Bro and then log them to an alternate log writer. The primary use is for taking ASCII logs and writing them to the ElasticSearch writer. The script is actually set up to do this by default (take from ASCII and write to ElasticSearch).

It's definitely not a script you will want to run in production. It's only intended when running Bro manually at a command line. If you try to run it when reading traffic it will actually complain and terminate Bro.

I included some documentation on how to configure it in the README.

https://github.com/sethhall/relog

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From seth at icir.org Mon Aug 20 12:22:19 2012
From: seth at icir.org (Seth Hall)
Date: Mon, 20 Aug 2012 15:22:19 -0400
Subject: [Bro-Dev] ReLog
In-Reply-To:
References:
Message-ID: <0F21801A-1742-4562-912D-701B4D6AF308@icir.org>

On Aug 20, 2012, at 3:07 PM, Seth Hall wrote:

> I just pushed out a quick script that can use Bro to reimport existing Bro logs back into Bro and then log them to an alternate log writer.

I forgot to mention too that this script requires a small change I just committed into fastpath today. It will work on master and 2.1 once that patch is merged into master.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From robin at icir.org Mon Aug 20 20:14:27 2012
From: robin at icir.org (Robin Sommer)
Date: Mon, 20 Aug 2012 20:14:27 -0700
Subject: [Bro-Dev] Beta state?
Message-ID: <20120821031427.GE71598@icir.org>

Do we have any remaining issues pending for the 2.1 release? I'm
thinking to push the release out early next week. Sounds good?

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From robin at icir.org Mon Aug 20 20:15:22 2012
From: robin at icir.org (Robin Sommer)
Date: Mon, 20 Aug 2012 20:15:22 -0700
Subject: [Bro-Dev] [Bro-Commits] [git/bro-testing] master: Adding a test with an IPv6 trace. (74de534)
In-Reply-To: <201208162005.q7GK5e7Z024286@bro-ids.icir.org>
References: <201208162005.q7GK5e7Z024286@bro-ids.icir.org>
Message-ID: <20120821031522.GF71598@icir.org>

On Thu, Aug 16, 2012 at 13:05 -0700, I wrote:

> Adding a test with an IPv6 trace.
>
> Output isn't further verified yet.

If anybody were up for spot-checking the new IPv6 baseline, that would
be very much appreciated ...

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From seth at icir.org Mon Aug 20 20:43:36 2012
From: seth at icir.org (Seth Hall)
Date: Mon, 20 Aug 2012 23:43:36 -0400
Subject: [Bro-Dev] Beta state?
In-Reply-To: <20120821031427.GE71598@icir.org>
References: <20120821031427.GE71598@icir.org>
Message-ID: <51E4D018-C90E-486B-9242-B19221443A8C@icir.org>

On Aug 20, 2012, at 11:14 PM, Robin Sommer wrote:

> Do we have any remaining issues pending for the 2.1 release? I'm
> thinking to push the release out early next week. Sounds good?

Yep, I wanted to add one more elasticsearch thing, but it can wait. There will be more major changes in the next release anyway.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From jsiwek at illinois.edu Tue Aug 21 07:57:25 2012
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Tue, 21 Aug 2012 14:57:25 +0000
Subject: [Bro-Dev] Beta state?
In-Reply-To: <20120821031427.GE71598@icir.org>
References: <20120821031427.GE71598@icir.org>
Message-ID:

> Do we have any remaining issues pending for the 2.1 release? I'm
> thinking to push the release out early next week. Sounds good?

I'm seeing the core/leaks/dataseries-rotate.bro unit test fail on RHEL 6.3 x86_64 (dataseries/lintel git master or their last stable release in May, and libxml2 2.8.0). Looking at it yesterday, it didn't look like the Bro code was leaking, but either dataseries' use of libxml2 or the xml parser itself. Maybe good to figure out if anything can be done about it.

Jon

From robin at icir.org Tue Aug 21 08:15:35 2012
From: robin at icir.org (Robin Sommer)
Date: Tue, 21 Aug 2012 08:15:35 -0700
Subject: [Bro-Dev] Beta state?
In-Reply-To:
References: <20120821031427.GE71598@icir.org>
Message-ID: <20120821151535.GB88032@icir.org>

On Tue, Aug 21, 2012 at 14:57 +0000, you wrote:

> I'm seeing the core/leaks/dataseries-rotate.bro unit test fail on RHEL
> 6.3 x86_64 (dataseries/lintel git master or their last stable release
> in May, and libxml2 2.8.0). Looking at it yesterday, it didn't look
> like the Bro code was leaking, but either dataseries' use of libxml2
> or the xml parser itself. Maybe good to figure out if anything can be
> done about it.

If it's really the XML code, ignoring the leaks should be fine; as far
as I understand that part only specifies the schema but isn't something
that gets exercised regularly at runtime.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From robin at icir.org Tue Aug 21 08:23:28 2012
From: robin at icir.org (Robin Sommer)
Date: Tue, 21 Aug 2012 08:23:28 -0700
Subject: [Bro-Dev] A consistent order of precedence for broctl options
In-Reply-To: <558D23D33781EF45A69229CDAC6BF151109C3EC6@CITESMBX6.ad.uillinois.edu>
References: <558D23D33781EF45A69229CDAC6BF151109C3EC6@CITESMBX6.ad.uillinois.edu> <50328678.6020505@illinois.edu> <558D23D33781EF45A69229CDAC6BF151109C3EC6@CITESMBX6.ad.uillinois.edu>
Message-ID: <20120821152328.GC88032@icir.org>

On Mon, Aug 20, 2012 at 17:06 +0000, Adam wrote:

> I hope we can at least agree on two points. First, there should be a
> well-defined precedence that is documented and followed as uniformly
> as possible.

Agreed.

> If you're on board with that, do you agree with my second assertion
> that broctl should get the last word and override all others?

Yeah, agreed as well, though somewhat reluctantly. :) What I wrote in
http://tracker.bro-ids.org/bro/ticket/837#comment:7 would work as well
I think[1], but it doesn't really look worth the effort.

[1] Could be done by printing out the values and compare with what
BroControl would expect.

On Mon, Aug 20, 2012 at 13:48 -0500, Daniel wrote:

> "Site-specific Customization" section), but it might also be
> useful to add a note in the "Option Reference" section for each
> broctl option that can be set via a bro script variable (for example,
> "this option overrides the bro script variable
> 'default_rotation_interval'").

We should then also do that the other way: add a note to the script doc
saying that if using BroControl, it will override the value with its
option. And yeah, renaming the options to be consistent would be good
too then.

So, I'm on board. :)

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From bro at tracker.bro-ids.org Wed Aug 22 07:53:35 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 22 Aug 2012 14:53:35 -0000
Subject: [Bro-Dev] #868: Merge request for topic/bernhard/input-allow_invalid_types
Message-ID: <048.aa663f004177363157e5f23772e56ff6@tracker.bro-ids.org>

#868: Merge request for topic/bernhard/input-allow_invalid_types
---------------------------+------------------------
 Reporter:  amannb         |      Owner:
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.1
Component:  Bro            |    Version:  git/master
 Keywords:                 |
---------------------------+------------------------
 topic/bernhard/input-allow_invalid_types contains a change for the input
 framework, which allows using records which contain optional file or
 function elements.

 By default the input framework still behaves exactly as before - it fails
 when a user wants to read into a record containing a file/function.

 When setting Input::accept_unsupported_types to true, it changes to accept
 these types - but only if they are optional, used for the values of a table
 or for events that are not unrolled. When these cases are encountered, a
 warning is logged and the fields are set to uninitialized.

 This allows reading all kinds of logfiles that have previously been written
 to disk - e.g. to re-write them using some other logging output format.

--
Ticket URL:

From bro at tracker.bro-ids.org Wed Aug 22 08:14:04 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 22 Aug 2012 15:14:04 -0000
Subject: [Bro-Dev] #868: Merge request for topic/bernhard/input-allow_invalid_types
In-Reply-To: <048.aa663f004177363157e5f23772e56ff6@tracker.bro-ids.org>
References: <048.aa663f004177363157e5f23772e56ff6@tracker.bro-ids.org>
Message-ID: <063.338fb399d9280120bf7d4dda0d9fb27e@tracker.bro-ids.org>

#868: Merge request for topic/bernhard/input-allow_invalid_types
----------------------------+------------------------
  Reporter:  amannb         |      Owner:
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.1
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------
Comment (by robin):

 On Wed, Aug 22, 2012 at 14:53 -0000, you wrote:

 > #868: Merge request for topic/bernhard/input-allow_invalid_types

 Is this a pressing issue? I'd prefer to not further touch 2.1 beyond
 obvious bugfixes at this point.

 Robin

--
Ticket URL:

From bro at tracker.bro-ids.org Wed Aug 22 08:25:11 2012
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 22 Aug 2012 15:25:11 -0000 Subject: [Bro-Dev] #868: Merge request for topic/bernhard/input-allow_invalid_types In-Reply-To: <048.aa663f004177363157e5f23772e56ff6@tracker.bro-ids.org> References: <048.aa663f004177363157e5f23772e56ff6@tracker.bro-ids.org> Message-ID: <063.af5f20f108950f9c0920ae9ffa2358ae@tracker.bro-ids.org> #868: Merge request for topic/bernhard/input-allow_invalid_types ----------------------------+------------------------ Reporter: amannb | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by amannb): Probably not that pressing. Seth requested it to be able to read old logfiles - which is not possible at the moment for files containing the file type (which apparently are quite a lot). So - more nice-to-have. On the other hand it is not really a huge change. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Aug 22 09:18:55 2012 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 22 Aug 2012 16:18:55 -0000 Subject: [Bro-Dev] #868: Merge request for topic/bernhard/input-allow_invalid_types In-Reply-To: <048.aa663f004177363157e5f23772e56ff6@tracker.bro-ids.org> References: <048.aa663f004177363157e5f23772e56ff6@tracker.bro-ids.org> Message-ID: <063.5582f4da7ad72df3451631f6a5b58af5@tracker.bro-ids.org> #868: Merge request for topic/bernhard/input-allow_invalid_types ----------------------------+------------------------ Reporter: amannb | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by seth): > Probably not that pressing. Seth requested it to be able to read old > logfiles - which is not possible at the moment for files containing the > file type (which apparently are quite a lot). It would be very nice! Bernhard was even kind enough to make it all contained in an option which is left at the current behavior by default. :) As things stand now this is a limiter to one of the main points of the input framework to be able to reread its own logs. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Aug 22 16:44:24 2012 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 22 Aug 2012 23:44:24 -0000 Subject: [Bro-Dev] #868: Merge request for topic/bernhard/input-allow_invalid_types In-Reply-To: <048.aa663f004177363157e5f23772e56ff6@tracker.bro-ids.org> References: <048.aa663f004177363157e5f23772e56ff6@tracker.bro-ids.org> Message-ID: <063.1d13369b8d0c9c167ae40ba64b4fd70d@tracker.bro-ids.org> #868: Merge request for topic/bernhard/input-allow_invalid_types -----------------------------+------------------------ Reporter: amannb | Owner: Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.1 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Changes (by robin): * status: new => closed * resolution: => Solved/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Thu Aug 23 12:32:02 2012 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 23 Aug 2012 19:32:02 -0000 Subject: [Bro-Dev] #869: Mechanism for discovering current script name Message-ID: <046.6f152fe29c743915c6533821812d8ff5@tracker.bro-ids.org> #869: Mechanism for discovering current script name -----------------------------+------------------------ Reporter: seth | Owner: Type: Feature Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: language | -----------------------------+------------------------ It would help to make scripts more modular if we could discover the current directory for the script on disk. This came from when I was trying to package a script into a module directory and I wanted to have a shell script along with it but I couldn't find the shell script reliably because I didn't know where the script was sitting on disk. The only major problem I can see with it is if it's possible to make the data available within events or if it should only be something for code outside of events. Either way would work fine and in my opinion the simpler option should win. The current hack around this is to use the bro_script_loaded event to find some "unique" file name and discover the path from there. -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Sat Aug 25 00:00:06 2012 From: noreply at bro-ids.org (Merge Tracker) Date: Sat, 25 Aug 2012 00:00:06 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201208250700.q7P7062C014596@bro-ids.icir.org> > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ broctl | 725f802 | Daniel Thayer | 2012-08-24 | Update broctl documentation [1] [1] fastpath: http://tracker.bro-ids.org/bro/changeset/725f802df1c616a44befe97d298e8546dc7ef069/broctl From noreply at bro-ids.org Sun Aug 26 00:00:03 2012 
From: noreply at bro-ids.org (Merge Tracker) Date: Sun, 26 Aug 2012 00:00:03 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201208260700.q7Q7038a006645@bro-ids.icir.org> > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ broctl | 725f802 | Daniel Thayer | 2012-08-24 | Update broctl documentation [1] [1] fastpath: http://tracker.bro-ids.org/bro/changeset/725f802df1c616a44befe97d298e8546dc7ef069/broctl From noreply at bro-ids.org Mon Aug 27 00:00:07 2012 
From: noreply at bro-ids.org (Merge Tracker) Date: Mon, 27 Aug 2012 00:00:07 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201208270700.q7R707Ud014172@bro-ids.icir.org> > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | 7e46936 | Bernhard Amann | 2012-08-26 | Ok, this one is not really necessary for 2.1 and more of a nice-to-have [1] bro | fbe464f | Bernhard Amann | 2012-08-26 | another small bug found while searching for something else... [2] bro | a9e6d9a | Bernhard Amann | 2012-08-26 | Fix two little bugs: [3] bro | 6bf733c | Bernhard Amann | 2012-08-26 | sorry. the patch for the set_separator. [4] bro | 977c1d7 | Bernhard Amann | 2012-08-26 | make set_separators different from , work for input framework. [5] bro | 124c985 | Bernhard Amann | 2012-08-26 | Bug found bei Keith & Seth: input framework was not handling counts and ints out of 32-bit-range correctly. [6] broctl | 725f802 | Daniel Thayer | 2012-08-24 | Update broctl documentation [7] [1] fastpath: http://tracker.bro-ids.org/bro/changeset/7e46936728f08b1214a6610e194793eb145a1f37/bro [2] fastpath: http://tracker.bro-ids.org/bro/changeset/fbe464ffa348c59b980584ad321e206d9a794ac2/bro [3] fastpath: http://tracker.bro-ids.org/bro/changeset/a9e6d9ae8154eecb415f86ca9f786f21886fff94/bro [4] fastpath: http://tracker.bro-ids.org/bro/changeset/6bf733ce513a39804ba73b1e281adba5322f2de6/bro [5] fastpath: http://tracker.bro-ids.org/bro/changeset/977c1d7c5adbf1b3bb2be55a99c4bd018e78a524/bro [6] fastpath: http://tracker.bro-ids.org/bro/changeset/124c985d7af91a98eb8a7aff8f66b0300849e854/bro [7] fastpath: http://tracker.bro-ids.org/bro/changeset/725f802df1c616a44befe97d298e8546dc7ef069/broctl From robin at icir.org Mon Aug 27 09:25:36 2012 
From: robin at icir.org (Robin Sommer) Date: Mon, 27 Aug 2012 09:25:36 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: sorry. the patch for the set_separator. (6bf733c) In-Reply-To: <201208270053.q7R0rlwp031303@bro-ids.icir.org> References: <201208270053.q7R0rlwp031303@bro-ids.icir.org> Message-ID: <20120827162536.GN88672@icir.org> On Sun, Aug 26, 2012 at 17:53 -0700, Bernhard Amann wrote: > + if ( s[i] == set_separator[0] ) length++; Looks like it doesn't support multiple-character set separators. Does the code check if the user specifies one with length > 0? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Mon Aug 27 09:26:18 2012 From: robin at icir.org (Robin Sommer) Date: Mon, 27 Aug 2012 09:26:18 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Fix two little bugs: (a9e6d9a) In-Reply-To: <201208270326.q7R3QsBQ009559@bro-ids.icir.org> References: <201208270326.q7R3QsBQ009559@bro-ids.icir.org> Message-ID: <20120827162618.GO88672@icir.org> On Sun, Aug 26, 2012 at 20:26 -0700, Bernhard Amann wrote: > + if ( *s.rbegin() == set_separator[0] ) Could s be empty here? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Mon Aug 27 09:28:33 2012 
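Review bot: `if ( s[i] == set_separator[0] ) length++;` only ever looks at the first character of the separator, so a multi-character `set_separator` would be silently reduced to its first character by this loop; the option check that rejects separators longer than one character (which the later reply says exists and throws an error) should be referenced in a comment next to this loop, or asserted here, so that the two cannot drift apart.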
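Review bot: `if ( *s.rbegin() == set_separator[0] )` dereferences `rbegin()` without checking that `s` is non-empty; on an empty string `rbegin() == rend()` and the dereference is undefined behaviour (a read past the buffer). Guard it, e.g. `if ( ! s.empty() && *s.rbegin() == set_separator[0] )`, or return early for an empty field before this point.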
From: robin at icir.org (Robin Sommer) Date: Mon, 27 Aug 2012 09:28:33 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/input-warn-on-invalid-numbers: ok, this one might really be a bit too big for 2.1 (f133e88) In-Reply-To: <201208270501.q7R51bpb017958@bro-ids.icir.org> References: <201208270501.q7R51bpb017958@bro-ids.icir.org> Message-ID: <20120827162833.GP88672@icir.org> On Sun, Aug 26, 2012 at 22:01 -0700, Bernhard Amann wrote: > ok, this one might really be a bit too big for 2.1 > > Give all kinds of errors when encountering invalid numbers (like > out-of-range-warnings, etc). So what does the code do without this patch when facing invalid numbers? Is it just skipping the warnings but otherwise proceeds without further trouble? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bernhard at ICSI.Berkeley.EDU Mon Aug 27 09:36:42 2012 From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Mon, 27 Aug 2012 09:36:42 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/input-warn-on-invalid-numbers: ok, this one might really be a bit too big for 2.1 (f133e88) In-Reply-To: <20120827162833.GP88672@icir.org> References: <201208270501.q7R51bpb017958@bro-ids.icir.org> <20120827162833.GP88672@icir.org> Message-ID: On Aug 27, 2012, at 9:28 AM, Robin Sommer wrote: > > On Sun, Aug 26, 2012 at 22:01 -0700, Bernhard Amann wrote: > >> ok, this one might really be a bit too big for 2.1 >> >> Give all kinds of errors when encountering invalid numbers (like >> out-of-range-warnings, etc). > > So what does the code do without this patch when facing invalid > numbers? Is it just skipping the warnings but otherwise proceeds > without further trouble? Yes. Bernhard From bernhard at ICSI.Berkeley.EDU Mon Aug 27 09:40:50 2012 
From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Mon, 27 Aug 2012 09:40:50 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: sorry. the patch for the set_separator. (6bf733c) In-Reply-To: <20120827162536.GN88672@icir.org> References: <201208270053.q7R0rlwp031303@bro-ids.icir.org> <20120827162536.GN88672@icir.org> Message-ID: On Aug 27, 2012, at 9:25 AM, Robin Sommer wrote: > > On Sun, Aug 26, 2012 at 17:53 -0700, Bernhard Amann wrote: > >> + if ( s[i] == set_separator[0] ) length++; > > Looks like it doesn't support multiple-character set separators. Does > the code check if the user specifies one with length > 0? Not really? It is mentioned in the documentation / in input/readers/ascii.bro for each of the separators. Bernhard From robin at icir.org Mon Aug 27 09:41:24 2012 From: robin at icir.org (Robin Sommer) Date: Mon, 27 Aug 2012 09:41:24 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/input-warn-on-invalid-numbers: ok, this one might really be a bit too big for 2.1 (f133e88) In-Reply-To: <20120827162833.GP88672@icir.org> References: <201208270501.q7R51bpb017958@bro-ids.icir.org> <20120827162833.GP88672@icir.org> Message-ID: <20120827164124.GA8302@icir.org> On Mon, Aug 27, 2012 at 09:28 -0700, I wrote: > So what does the code do without this patch when facing invalid > numbers? I'm merging this in, seems it can't break too much ... Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Mon Aug 27 09:53:37 2012 
From: robin at icir.org (Robin Sommer) Date: Mon, 27 Aug 2012 09:53:37 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: sorry. the patch for the set_separator. (6bf733c) In-Reply-To: References: <201208270053.q7R0rlwp031303@bro-ids.icir.org> <20120827162536.GN88672@icir.org> Message-ID: <20120827165337.GA7941@icir.org> On Mon, Aug 27, 2012 at 09:40 -0700, you wrote: > Not really? It is mentioned in the documentation / in input/readers/ascii.bro > for each of the separators. Can you add that check? Seems like an easy mistake to make, and it sounds like it's silently doing the wrong thing in that case at the moment. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bernhard at ICSI.Berkeley.EDU Mon Aug 27 10:47:39 2012 From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Mon, 27 Aug 2012 10:47:39 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: sorry. the patch for the set_separator. (6bf733c) In-Reply-To: <20120827165337.GA7941@icir.org> References: <201208270053.q7R0rlwp031303@bro-ids.icir.org> <20120827162536.GN88672@icir.org> <20120827165337.GA7941@icir.org> Message-ID: <679867EF-B8AC-4382-9A66-D4B9A78E115F@ICSI.Berkeley.EDU> On Aug 27, 2012, at 9:53 AM, Robin Sommer wrote: > > On Mon, Aug 27, 2012 at 09:40 -0700, you wrote: > >> Not really? It is mentioned in the documentation / in input/readers/ascii.bro >> for each of the separators. > > Can you add that check? Seems like an easy mistake to make, and it > sounds like it's silently doing the wrong thing in that case at the > moment. Actually I was mistaken. It does check and it is throwing an Error. I really should not trust my memory - I keep forgetting which features I already support... Bernhard From bro at tracker.bro-ids.org Mon Aug 27 20:54:36 2012 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 28 Aug 2012 03:54:36 -0000 Subject: [Bro-Dev] #861: Merging DNP3 Analyzer In-Reply-To: <045.d25b5df6a13b96f4b3e3618bd9398e58@tracker.bro-ids.org> References: <045.d25b5df6a13b96f4b3e3618bd9398e58@tracker.bro-ids.org> Message-ID: <060.69d49e8bba551d60d7e8ca80e9cd9782@tracker.bro-ids.org> #861: Merging DNP3 Analyzer ----------------------------+------------------------ Reporter: hui | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: dnp3 ----------------------------+------------------------ Comment (by robin): There are also these files: {{{ A DNP3-debug.cc A DNP3-debug.h A DNP3-debug2.cc A DNP3-debug2.h A dnp3-analyzer-debug.pac A dnp3-objects-debug.pac A dnp3-protocol-debug.pac }}} Can I ignore them? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Mon Aug 27 20:56:34 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Tue, 28 Aug 2012 03:56:34 -0000 Subject: [Bro-Dev] #870: Merge Modbus analyzer Message-ID: <047.8a1df8bdf67712135b5746491e183bd3@tracker.bro-ids.org> #870: Merge Modbus analyzer ---------------------------+------------------------ Reporter: robin | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ In Dina's branch {{{topic/dina/modbus}}}. -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Tue Aug 28 13:26:11 2012 
From: robin at icir.org (Robin Sommer) Date: Tue, 28 Aug 2012 13:26:11 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: on 32-bit machines only unsigned long longs are 64-bits long. Not just unsigned longs... (26f5aee) In-Reply-To: <201208280750.q7S7okPp011827@bro-ids.icir.org> References: <201208280750.q7S7okPp011827@bro-ids.icir.org> Message-ID: <20120828202611.GB47135@icir.org> On Tue, Aug 28, 2012 at 00:50 -0700, Bernhard Amann wrote: > on 32-bit machines only unsigned long longs are 64-bits long. Not just unsigned longs... > - unsigned long uvalue = (value < 0) ? -value : value; > + unsigned long long uvalue = (value < 0) ? -value : value; Should this use uint64_t instead of ull? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From robin at icir.org Tue Aug 28 13:30:44 2012 From: robin at icir.org (Robin Sommer) Date: Tue, 28 Aug 2012 13:30:44 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: parse 64-bit consts correctly. (03f5795) In-Reply-To: <201208281433.q7SEXYg5025991@bro-ids.icir.org> References: <201208281433.q7SEXYg5025991@bro-ids.icir.org> Message-ID: <20120828203044.GC47135@icir.org> I lost track; is this all we need, or are there more cases to fix? Robin On Tue, Aug 28, 2012 at 07:33 -0700, Bernhard Amann wrote: > parse 64-bit consts correctly. > --- a/src/scan.l > +++ b/src/scan.l > @@ -439,7 +439,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) > {D} { > // TODO: check if we can use strtoull instead of atol, > // and similarly for {HEX}. > - RET_CONST(new Val(static_cast(atol(yytext)), > + RET_CONST(new Val(static_cast(strtoll(yytext, (char**) NULL, 10)), > TYPE_COUNT)) > } > {FLOAT} RET_CONST(new Val(atof(yytext), TYPE_DOUBLE)) 
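Review bot: in `+ unsigned long long uvalue = (value < 0) ? -value : value;` the negation is still evaluated in the signed type before the result is converted, so for the most negative 64-bit `value` the expression `-value` overflows (undefined behaviour) before it ever reaches the unsigned variable. Compute the magnitude in unsigned arithmetic instead, e.g. `uint64_t uvalue = (value < 0) ? 0 - (uint64_t) value : (uint64_t) value;`; that also settles the uint64_t question, since it states the intended width explicitly instead of relying on `unsigned long long` happening to be 64 bits.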
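Review bot: `strtoll(yytext, (char**) NULL, 10)` still cannot represent a count above 2^63-1: for such a literal it returns LLONG_MAX with errno set to ERANGE, and the `static_cast` then turns that into a silently wrong TYPE_COUNT value. The rule should call `strtoull(yytext, (char**) NULL, 10)` and report an error when `errno == ERANGE` afterwards; the `// TODO: check if we can use strtoull instead of atol` comment above it should go once that is done, since it no longer applies.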
> @@ -483,7 +483,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) > > ({D}"."){3}{D} RET_CONST(new AddrVal(yytext)) > > -"0x"{HEX}+ RET_CONST(new Val(static_cast(strtol(yytext, 0, 16)), TYPE_COUNT)) > +"0x"{HEX}+ RET_CONST(new Val(static_cast(strtoull(yytext, 0, 16)), TYPE_COUNT)) > > {H}("."{H})+ RET_CONST(dns_mgr->LookupHost(yytext)) -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bernhard at ICSI.Berkeley.EDU Tue Aug 28 13:34:57 2012 From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Tue, 28 Aug 2012 13:34:57 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: on 32-bit machines only unsigned long longs are 64-bits long. Not just unsigned longs... (26f5aee) In-Reply-To: <20120828202611.GB47135@icir.org> References: <201208280750.q7S7okPp011827@bro-ids.icir.org> <20120828202611.GB47135@icir.org> Message-ID: <7C95EEBD-4E15-4821-9CB7-6624055087C4@icsi.berkeley.edu> On Aug 28, 2012, at 1:26 PM, Robin Sommer wrote: > > On Tue, Aug 28, 2012 at 00:50 -0700, Bernhard Amann wrote: > >> on 32-bit machines only unsigned long longs are 64-bits long. Not just unsigned longs... > >> - unsigned long uvalue = (value < 0) ? -value : value; >> + unsigned long long uvalue = (value < 0) ? -value : value; > > Should this use uint64_t instead of ull? From my understanding, it does not really matter; at least at the moment that is equivalent. But it probably also should not hurt defining it as a uint64_t? and makes it better understandable. Bernhard From bernhard at ICSI.Berkeley.EDU Tue Aug 28 13:35:22 2012 
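Review bot: the hex rule now uses `strtoull(yytext, 0, 16)`, which is the right function, but as in the decimal rule the out-of-range case is not handled: a literal with more than 16 significant hex digits makes `strtoull` return ULLONG_MAX with errno set to ERANGE, and the constant is silently clamped rather than rejected. Check `errno` after the call (it must be cleared to 0 before it) and raise a scanner error for an over-long constant.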
From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Tue, 28 Aug 2012 13:35:22 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: parse 64-bit consts correctly. (03f5795) In-Reply-To: <20120828203044.GC47135@icir.org> References: <201208281433.q7SEXYg5025991@bro-ids.icir.org> <20120828203044.GC47135@icir.org> Message-ID: Should be all. Bernhard On Aug 28, 2012, at 1:30 PM, Robin Sommer wrote: > I lost track; is this all we need, or are there more cases to fix? > > Robin > > On Tue, Aug 28, 2012 at 07:33 -0700, Bernhard Amann wrote: > >> parse 64-bit consts correctly. > >> --- a/src/scan.l >> +++ b/src/scan.l >> @@ -439,7 +439,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) >> {D} { >> // TODO: check if we can use strtoull instead of atol, >> // and similarly for {HEX}. >> - RET_CONST(new Val(static_cast(atol(yytext)), >> + RET_CONST(new Val(static_cast(strtoll(yytext, (char**) NULL, 10)), >> TYPE_COUNT)) >> } >> {FLOAT} RET_CONST(new Val(atof(yytext), TYPE_DOUBLE)) >> @@ -483,7 +483,7 @@ F RET_CONST(new Val(false, TYPE_BOOL)) >> >> ({D}"."){3}{D} RET_CONST(new AddrVal(yytext)) >> >> -"0x"{HEX}+ RET_CONST(new Val(static_cast(strtol(yytext, 0, 16)), TYPE_COUNT)) >> +"0x"{HEX}+ RET_CONST(new Val(static_cast(strtoull(yytext, 0, 16)), TYPE_COUNT)) >> >> {H}("."{H})+ RET_CONST(dns_mgr->LookupHost(yytext)) > > > -- > Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org > ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org > _______________________________________________ > bro-commits mailing list > bro-commits at bro-ids.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits From seth at icir.org Tue Aug 28 18:19:55 2012 
From: seth at icir.org (Seth Hall) Date: Tue, 28 Aug 2012 21:19:55 -0400 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: parse 64-bit consts correctly. (03f5795) In-Reply-To: <201208281433.q7SEXYg5025991@bro-ids.icir.org> References: <201208281433.q7SEXYg5025991@bro-ids.icir.org> Message-ID: <342DE8EB-4901-4FFF-8F26-93BC2A93437F@icir.org> On Aug 28, 2012, at 10:33 AM, Bernhard Amann wrote: > // TODO: check if we can use strtoull instead of atol, > // and similarly for {HEX}. > - RET_CONST(new Val(static_cast(atol(yytext)), > + RET_CONST(new Val(static_cast(strtoll(yytext, (char**) NULL, 10)), > TYPE_COUNT)) I still don't think this is right since we can't type in a full 64bit uint with this, right? Also, we should probably remove that comment now that it won't apply anymore. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro-ids.org/ From bernhard at ICSI.Berkeley.EDU Tue Aug 28 20:28:03 2012 
From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Tue, 28 Aug 2012 20:28:03 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: parse 64-bit consts correctly. (03f5795) In-Reply-To: <342DE8EB-4901-4FFF-8F26-93BC2A93437F@icir.org> References: <201208281433.q7SEXYg5025991@bro-ids.icir.org> <342DE8EB-4901-4FFF-8F26-93BC2A93437F@icir.org> Message-ID: <901781DF-F0F5-4107-A7E9-C52CA66B5E2D@icsi.berkeley.edu> Argh. Yes, I am stupid, it was supposed to be strtoull, not strtoll. Bad me. On Aug 28, 2012, at 6:19 PM, Seth Hall wrote: > > On Aug 28, 2012, at 10:33 AM, Bernhard Amann wrote: > >> // TODO: check if we can use strtoull instead of atol, >> // and similarly for {HEX}. >> - RET_CONST(new Val(static_cast(atol(yytext)), >> + RET_CONST(new Val(static_cast(strtoll(yytext, (char**) NULL, 10)), >> TYPE_COUNT)) > > I still don't think this is right since we can't type in a full 64bit uint with this, right? > > Also, we should probably remove that comment now that it won't apply anymore. > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro-ids.org/ > > > _______________________________________________ > bro-dev mailing list > bro-dev at bro-ids.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev From robin at icir.org Tue Aug 28 20:31:23 2012 
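An added example in plain C, not Bro's code and not Bernhard's patch, showing the two integer pitfalls this thread settles: why the scanner needs strtoull rather than strtoll to accept a full 64-bit TYPE_COUNT literal (decimal and hex, with the ERANGE case rejected instead of clamped), and why the magnitude in the 26f5aee change is safer computed in unsigned arithmetic. The function names are mine.

```c
/* Added example, not Bro's code: the integer pitfalls discussed in this thread. */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What the committed scan.l line does: parse as signed, then cast to the
 * unsigned count type. For a literal above 2^63-1, strtoll saturates at
 * LLONG_MAX (and sets errno to ERANGE), so the cast yields a wrong count. */
uint64_t parse_count_signed(const char *text)
{
    return (uint64_t) strtoll(text, NULL, 10);
}

/* The intended fix: parse with strtoull and reject out-of-range or malformed
 * input instead of silently clamping it. base is 10 for the {D} rule and 16
 * for the "0x"{HEX}+ rule (strtoull accepts the 0x prefix itself in base 16).
 * Returns 0 on success and -1 on error; *out is untouched on error. */
int parse_count_unsigned(const char *text, int base, uint64_t *out)
{
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(text, &end, base);
    if (errno == ERANGE)                /* more than 64 bits: would be clamped */
        return -1;
    if (end == text || *end != '\0')    /* nothing parsed, or trailing junk */
        return -1;
    *out = (uint64_t) v;
    return 0;
}

/* The other change in the thread: "uvalue = (value < 0) ? -value : value".
 * Negating INT64_MIN in signed arithmetic overflows (undefined behaviour);
 * converting first and negating in unsigned arithmetic is well defined and
 * states the 64-bit width explicitly instead of relying on unsigned long long. */
uint64_t magnitude(int64_t value)
{
    return value < 0 ? 0u - (uint64_t) value : (uint64_t) value;
}

int main(void)
{
    uint64_t v = 0;
    const char *big = "18446744073709551615";   /* 2^64 - 1, a valid count */

    printf("strtoll path:  %" PRIu64 "\n", parse_count_signed(big));
    if (parse_count_unsigned(big, 10, &v) == 0)
        printf("strtoull path: %" PRIu64 "\n", v);
    if (parse_count_unsigned("0xffffffffffffffff", 16, &v) == 0)
        printf("hex path:      %" PRIu64 "\n", v);
    printf("2^64 rejected: %s\n",
           parse_count_unsigned("18446744073709551616", 10, &v) ? "yes" : "no");
    printf("magnitude(INT64_MIN) = %" PRIu64 "\n", magnitude(INT64_MIN));
    /* On the 32-bit hosts the 26f5aee commit message refers to this prints 4,
     * which is why plain "unsigned long" was not wide enough there. */
    printf("sizeof(unsigned long) = %zu\n", sizeof(unsigned long));
    return 0;
}
```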
From: robin at icir.org (Robin Sommer) Date: Tue, 28 Aug 2012 20:31:23 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: parse 64-bit consts correctly. (03f5795) In-Reply-To: <901781DF-F0F5-4107-A7E9-C52CA66B5E2D@icsi.berkeley.edu> References: <201208281433.q7SEXYg5025991@bro-ids.icir.org> <342DE8EB-4901-4FFF-8F26-93BC2A93437F@icir.org> <901781DF-F0F5-4107-A7E9-C52CA66B5E2D@icsi.berkeley.edu> Message-ID: <20120829033123.GB4324@icir.org> On Tue, Aug 28, 2012 at 20:28 -0700, you wrote: > Argh. Yes, I am stupid, it was supposed to be strtoull, not strtoll. Bad me. ... and I didn't look closely enough. :( I'll make that change tomorrow. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bro at tracker.bro-ids.org Wed Aug 29 10:12:55 2012 From: bro at tracker.bro-ids.org (Bro Tracker) Date: Wed, 29 Aug 2012 17:12:55 -0000 Subject: [Bro-Dev] #871: Email is silently suppressed when reading tracefiles Message-ID: <046.ca512015d68d9d15ad49dafbe1871501@tracker.bro-ids.org> #871: Email is silently suppressed when reading tracefiles ---------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ If someone tries to send an email with the notice framework and they are reading tracefiles, the notice will be silently suppressed (beginning of Notice::email_notice_to function). We should output a reporter warning to at least let them know that sending email while reading tracefiles is unsupported. -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Wed Aug 29 16:26:11 2012 
From: robin at icir.org (Robin Sommer) Date: Wed, 29 Aug 2012 16:26:11 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/dnthayer/language-tests: Update language tests (44c6ed5) In-Reply-To: <201208292256.q7TMueO7022435@bro-ids.icir.org> References: <201208292256.q7TMueO7022435@bro-ids.icir.org> Message-ID: <20120829232611.GB31398@icir.org> Hah, Daniel, your tests would have caught it! :-) Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bro at tracker.bro-ids.org Wed Aug 29 17:44:39 2012 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 30 Aug 2012 00:44:39 -0000 Subject: [Bro-Dev] #861: Merging DNP3 Analyzer In-Reply-To: <045.d25b5df6a13b96f4b3e3618bd9398e58@tracker.bro-ids.org> References: <045.d25b5df6a13b96f4b3e3618bd9398e58@tracker.bro-ids.org> Message-ID: <060.49bf988b65ef50eab1a6e333cb0462dc@tracker.bro-ids.org> #861: Merging DNP3 Analyzer ----------------------------+------------------------ Reporter: hui | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: dnp3 ----------------------------+------------------------ Comment (by robin): In [d71f48b1bc92ecbd612f079da2412571ba6c1c2e/bro]: {{{ #!CommitTicketReference repository="bro" revision="d71f48b1bc92ecbd612f079da2412571ba6c1c2e" Merge remote-tracking branch 'origin/topic/hui/powergrid3' * origin/topic/hui/powergrid3: merge master into my branch ready to be merged correct several memory leak threating codes; adding few codes for corner cases Little changes back original DNP3.cc and DNP3.h and remove debug code backup original binpac codes; remove debug in binpac codes; resolve a conflict in src/CMakelist.txt; ready to remove debug code on my DNP3 analyzer little changes on DNP3.cc new branch due to libbroccoli issue I did a cleanup pass over the code, and inserted a number of TODO-Huis. Please take a look. Will add more notes/tasks to the tracker ticket. I also merged the DNP3 traces from the ics repo into testing/btest/Traces/dnp3.trace, and added a test script that simply prints out all events raised with their arguments. The trace currently triggers 11 of the 51 DNP3 events. Addresses #861. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Aug 29 17:48:40 2012 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 30 Aug 2012 00:48:40 -0000 Subject: [Bro-Dev] #861: Merging DNP3 Analyzer In-Reply-To: <045.d25b5df6a13b96f4b3e3618bd9398e58@tracker.bro-ids.org> References: <045.d25b5df6a13b96f4b3e3618bd9398e58@tracker.bro-ids.org> Message-ID: <060.082494fc9258657438c8d72fc328cf9b@tracker.bro-ids.org> #861: Merging DNP3 Analyzer ----------------------------+------------------------ Reporter: hui | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: dnp3 ----------------------------+------------------------ Comment (by robin): I've merged this with master into the temporary branch {{{topic/topic/robin/dnp3-merge}}}. Hui, a number of points/questions: - I've added a set of {{{TODO-Hui}}} throughout the new code. Please take a look and address (just grep for it). - I moved the global variables in {{{DNP3.cc}}} into the analyzer class. I'm actually surprised that this has ever worked: it looks like you kept state across flows with a single variable; am I missing something? - Please take a look at the new test {{{scripts.base.protocols.dnp3.events}}} and check the output if it matches with what you would expect. - Which of the many events did you have data for to test with? I've added the DNP3 traces from Dina, they trigger 11 of the 51 events. Do we have more we can add to the test suite? - Please document the events in {{{src/events.bif}}}, similar to how other events are documented. - Does DNP3 have cases similar to Modbus where it would make sense to pass arrays of integers (or other elements)? If so, that would be good to do (but I don't know the protocol enough to say more). -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Aug 29 18:03:18 2012 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 30 Aug 2012 01:03:18 -0000 Subject: [Bro-Dev] #870: Merge Modbus analyzer In-Reply-To: <047.8a1df8bdf67712135b5746491e183bd3@tracker.bro-ids.org> References: <047.8a1df8bdf67712135b5746491e183bd3@tracker.bro-ids.org> Message-ID: <062.0fed121dc1583c999a0811c67e96b73e@tracker.bro-ids.org> #870: Merge Modbus analyzer ----------------------------+------------------------ Reporter: robin | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by robin): I've merged this with master into the temporary branch {{{topic/robin/modbus-merge}}}. Dina: - Please take a look at the new test {{{scripts.base.protocols.modbus.events}}} and check the output if it matches with what you would expect. - Please document the events in {{{src/events.bif}}}, similar to how other events are documented. - I've added the Modbus traces from the ics repo, they trigger 20 of the 34 events. Are there more events you were able to test with other traces you have? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro-ids.org Wed Aug 29 18:03:35 2012 
From: bro at tracker.bro-ids.org (Bro Tracker) Date: Thu, 30 Aug 2012 01:03:35 -0000 Subject: [Bro-Dev] #870: Merge Modbus analyzer In-Reply-To: <047.8a1df8bdf67712135b5746491e183bd3@tracker.bro-ids.org> References: <047.8a1df8bdf67712135b5746491e183bd3@tracker.bro-ids.org> Message-ID: <062.174a436a98ff81d269c5be179f054929@tracker.bro-ids.org> #870: Merge Modbus analyzer ----------------------------+------------------------ Reporter: robin | Owner: Type: Merge Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Comment (by robin): In [cbb31cedc374fcf741344f021ff8349d4ec11238/bro]: {{{ #!CommitTicketReference repository="bro" revision="cbb31cedc374fcf741344f021ff8349d4ec11238" Merge remote-tracking branch 'origin/topic/dina/modbus' into topic/robin /modbus-merge * origin/topic/dina/modbus: put some make-up on Modbus analyser Modbus analyser, added support: FC=20,21 Modbus analyzer,added support: FC=1,2,15,24 Modbus analyzer, current support: FC=3,4,5,6,7,16,22,23 I cleaned up the code a bit, mainly layout style. I did not include the *.bro scripts for now, but a test script ../testing/btest/scripts/base/protocols/modbus/events.bro that prints out the value for each event. Merged the Modbus traces from the ics repository into a single trace as input for the test. They currently trigger 20 of the 34 events. Addresses #870. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From vladg at cmu.edu Wed Aug 29 18:30:32 2012 
From: vladg at cmu.edu (Vlad Grigorescu)
Date: Thu, 30 Aug 2012 01:30:32 +0000
Subject: [Bro-Dev] DNS TXT Queries and the Cache File
Message-ID: <1202BE242E080642B0CD0AD0A03E855234C4F1@PGH-MSGMB-03.andrew.ad.cmu.edu>

Hello,

I'm working on wrapping up some code for adding DNS TXT query support to Bro. I have code that works, I'm just doing a final review to make sure the support has been added in everywhere it needs to be.

The other DNS query types (host and address) support saving the cached queries/responses to and from a DNS cache file. While I would like to see this added for completeness, it would mean making larger-scale changes, as a couple classes would need to be tweaked as well.

Is this something that people think is necessary? Should I throw up the code I have for now, and hopefully it'll get added down the road - either by myself, or the next poor soul to dive into the DNS code :-).

Thanks,

--Vlad

From noreply at bro-ids.org Thu Aug 30 00:00:05 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 30 Aug 2012 00:00:05 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208300700.q7U705pC002183@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
----------+---------+----------+-------+--------+----------------------
Bro       | 861 [1] | hui      |       | Normal | Merging DNP3 Analyzer
Bro       | 870 [2] | robin    |       | Normal | Merge Modbus analyzer

[1] #861: http://tracker.bro-ids.org/bro/ticket/861
[2] #870: http://tracker.bro-ids.org/bro/ticket/870

From jsiwek at illinois.edu Thu Aug 30 03:04:34 2012
From: jsiwek at illinois.edu (Siwek, Jon)
Date: Thu, 30 Aug 2012 05:04:34 -0500
Subject: [Bro-Dev] DNS TXT Queries and the Cache File
In-Reply-To: <1202BE242E080642B0CD0AD0A03E855234C4F1@PGH-MSGMB-03.andrew.ad.cmu.edu>
References: <1202BE242E080642B0CD0AD0A03E855234C4F1@PGH-MSGMB-03.andrew.ad.cmu.edu>
Message-ID: <503F3AB2.4040900@illinois.edu>

On 8/29/2012 8:30 PM, Vlad Grigorescu wrote:

> Is this something that people think is necessary? Should I throw up the code I have for now, and hopefully it'll get added down the road - either by myself, or the next poor soul to dive into the DNS code :-).

As the previous poor soul to touch that code, I wouldn't mind looking at what you've got so far and then attempting to add the caching support.

Jon

From robin at icir.org Thu Aug 30 08:38:51 2012
From: robin at icir.org (Robin Sommer)
Date: Thu, 30 Aug 2012 08:38:51 -0700
Subject: [Bro-Dev] DNS TXT Queries and the Cache File
In-Reply-To: <503F3AB2.4040900@illinois.edu>
References: <1202BE242E080642B0CD0AD0A03E855234C4F1@PGH-MSGMB-03.andrew.ad.cmu.edu> <503F3AB2.4040900@illinois.edu>
Message-ID: <20120830153851.GA89651@icir.org>

Cool, thanks for working on this, Vlad.

On Thu, Aug 30, 2012 at 05:04 -0500, you wrote:

> As the previous poor soul to touch that code, I wouldn't mind looking at
> what you've got so far and then attempting to add the caching support.

If the caching is tricky to get in (or makes the code even worse ...), we can indeed skip it.

The main reason for having the caching at all is DNS names embedded in scripts (e.g., code of the form "set[addr] = { foo.bar }"). Bro looks these up once at startup and that can potentially take a while if there are a lot or responses are coming in slowly. So what one can do is "prime" the cache first, so that the next time Bro starts up, it doesn't need to do the lookups. That was more important in the Old Days though when people restarted Bro once a day to flush state and that had to be fast.

This is all not relevant to TXT records. And, in fact, I've already been wondering if we can get rid of the cache altogether to simplify the DNS code.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From noreply at bro-ids.org Fri Aug 31 00:00:05 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 31 Aug 2012 00:00:05 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201208310700.q7V7055Z014117@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
----------+---------+----------+-------+--------+----------------------
Bro       | 861 [1] | hui      |       | Normal | Merging DNP3 Analyzer
Bro       | 870 [2] | robin    |       | Normal | Merge Modbus analyzer

[1] #861: http://tracker.bro-ids.org/bro/ticket/861
[2] #870: http://tracker.bro-ids.org/bro/ticket/870