From noreply at bro-ids.org Tue May 1 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 1 May 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205010700.q41703Sh026167@bro-ids.icir.org>

> Unmerged Fastpath Commits
> =========================

Component     | Revision | Committer      | Date       | Summary
--------------+----------+----------------+------------+----------------------------------------------------------------------------------------
bro           | bff3cba  | Bernhard Amann | 2012-04-27 | Add two more TLS extension values that we see in live traffic. [1]
bro           | 8f91ece  | Seth Hall      | 2012-04-27 | Fixed IPv6 link local unicast CIDR and added IPv6 loopback to private address space. [2]
bro           | c561a44  | Seth Hall      | 2012-04-26 | Fixed a problem where cluster workers were still processing notices in some cases. [3]
bro           | 8c14b5a  | Seth Hall      | 2012-04-25 | Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space" [4]
broctl        | e8eb857  | Daniel Thayer  | 2012-04-25 | Fix typos [5]
trace-summary | dcf4b00  | Daniel Thayer  | 2012-04-25 | Fix typos [6]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/bff3cba129720f208a8931d59861b9e2ba841e83/bro
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/8f91ecee7197329ba7ddc0dbf4cf01831b86e17a/bro
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/c561a44326f696826011f5212501ca09251856fc/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/8c14b5a911edff7b1ad8dfe1b33fd2c6766aec6d/bro
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/e8eb8579f1065b5759264e3fe04b8110f8f63b3a/broctl
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/dcf4b005af85530bbb688e91e3dc383b57bb6bf0/trace-summary

From slagell at illinois.edu Tue May 1 12:31:17 2012
From: slagell at illinois.edu (Slagell, Adam J)
Date: Tue, 1 May 2012 19:31:17 +0000
Subject: [Bro-Dev] Decapsulating "payload" tunnels
In-Reply-To: <0328875F-A062-472F-8688-A7F26798223C@icir.org>
References: <0328875F-A062-472F-8688-A7F26798223C@icir.org>
Message-ID: <91CC5240-7D48-47C9-9820-0BB2F5F86D03@illinois.edu>

I can't say that I like this idea of conflating tunneling and proxies, which IMO are two very different things. Sometimes abstracting and refactoring makes sense, especially when it can get us two things for less work. I don't think that is the case here, though. It seems to confuse things further and force us to make uncomfortable hacks.

Also, I'm not seeing how this would work in the default case of someone tapping at their border, between the proxy and the target http server. I don't think there is enough information there without access to the internal state of the proxy server. If you were tapping both internal and WAN traffic in different spots as we do, you would have the information maybe. However, I would rather do something in scriptland on the cluster that would correlate connections between internal hosts and the proxy and connections from the proxy to external web servers.

If tunnels and proxies were more semantically similar, I think I would be more onboard. But right now I think we should separate them and just work on handling AYIYA, 6to4 and Teredo tunnels well. In any case, I don't want to make 2.1 depend on solving these problems for proxies. They are a lower priority in my mind, and I think we want to avoid rushing on how we handle proxies.

:Adam

On Apr 25, 2012, at 8:54 AM, Seth Hall wrote:

> Jon and I have been working on the 2.1 tunnel decapsulation recently and we encountered some major architectural questions.
> We seem to have the groundwork laid for doing IP encapsulation tunnels (AYIYA, Teredo, 6to4), but I want to support tunnels like SOCKS and HTTP CONNECT which are essentially session payload tunnels since they are tunneling reassembled TCP streams.
>
> This brings up a problem if we want to create logs that are useful forensically because right now any connection to a SOCKS proxy looks like the client is sending all the traffic to the proxy. The HTTP logs will show the client doing HTTP requests to the proxy even though the proxy is really sending them onward to other hosts. In environments with pervasive proxying, this makes the logs much less useful.
>
> Robin, Jon, and I discussed this for a while yesterday and we came up with a proposal where we would extract the payload from the proxy connection and mock up IP headers for the Sessions::DoNextPacket method which looks like the client connecting to the host it's requesting to actually talk to. We would need to extend the DoNextPacket method to provide a short circuit for skipping the TCP reassembly and analysis since it would be reassembled payload bytes immediately after the fake IP header. This would result in two connections showing up in conn.log when there was *really*
>
> There is one other niggle in this. It seems that most proxy protocols (SOCKS and HTTP at least) support requesting a proxy connection by name instead of IP address. I fully expect to be beat up over this, but I think it would be great to be able to support doing a lookup to create the fake ip header.
>
> I'm sure we'll end up sticking configuration options all over the place to turn things off and we'll definitely figure out a good set of things to turn on by default.
>
> Does anyone have reservations with this design?
> It definitely seems nasty on some levels and Robin pointed out yesterday that it would probably be much better to pass data around with abstracted metadata instead of packets, but packets are what we deal with internally for now so that's what we would have to fake without doing a major redesign.
>
> Robin, Jon: please follow up if there are any points that I didn't make clear enough. :)
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>

------
Adam J. Slagell, CISO, CISSP
Chief Information Security Officer
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info
217.244.8965

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

From bro at tracker.bro-ids.org Tue May 1 13:36:00 2012
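As an added illustration of the "payload tunnel" problem discussed in the thread above (this is example code written for this archive page, not Bro's analyzer code and not anything posted by the participants), the parser below takes the first bytes a client sends to a proxy and recovers the destination the client actually asked the proxy to reach, for SOCKS4, SOCKS4a, SOCKS5 and HTTP CONNECT. That destination is what a forensic conn.log entry would need to be attributed to, and the `by_name` field marks the case Seth raises where the proxy, not the client, resolves the name. The function and type names (`ProxyTarget`, `proxy_target`) are illustrative; the SOCKS5 path assumes the "no authentication" method, so the CONNECT request directly follows the greeting in the reassembled client stream. All sample requests used with it are constructed by hand.

```python
"""Recover the real destination from the client side of a proxy session.

Added example for the SOCKS / HTTP CONNECT discussion; not Bro's code and it
uses no Bro internals.  Given the first bytes a client sends to a proxy, it
returns the endpoint the client asked the proxy to connect to.
"""
import ipaddress
import re
import struct
from typing import NamedTuple, Optional


class ProxyTarget(NamedTuple):
    proto: str      # "socks4", "socks4a", "socks5" or "http-connect"
    host: str       # IP literal or hostname exactly as the client sent it
    port: int
    by_name: bool   # True when the proxy, not the client, resolves the name


def parse_socks4(data: bytes) -> Optional[ProxyTarget]:
    # VN=4, CD=1 (CONNECT), DSTPORT, DSTIP, USERID NUL [HOSTNAME NUL]
    if len(data) < 9 or data[0] != 4 or data[1] != 1:
        return None
    port, raw_ip = struct.unpack("!H4s", data[2:8])
    userid_end = data.find(b"\x00", 8)
    if userid_end < 0:
        return None
    # SOCKS4a asks the proxy to resolve the name by sending DSTIP = 0.0.0.x, x != 0
    if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
        name_end = data.find(b"\x00", userid_end + 1)
        if name_end < 0:
            return None
        host = data[userid_end + 1:name_end].decode("ascii", "replace")
        return ProxyTarget("socks4a", host, port, True)
    return ProxyTarget("socks4", str(ipaddress.IPv4Address(raw_ip)), port, False)


def parse_socks5(data: bytes) -> Optional[ProxyTarget]:
    # Greeting: VER=5, NMETHODS, METHODS...  Request: VER=5, CMD, RSV, ATYP, DST.ADDR, DST.PORT
    # Assumes the "no authentication" method, i.e. the request follows the greeting directly.
    if len(data) < 2 or data[0] != 5:
        return None
    req = data[2 + data[1]:]
    if len(req) < 4 or req[0] != 5 or req[1] != 1:   # CMD 1 = CONNECT
        return None
    atyp = req[3]
    if atyp == 1 and len(req) >= 10:                 # IPv4 address
        host, port_raw, by_name = str(ipaddress.IPv4Address(req[4:8])), req[8:10], False
    elif atyp == 4 and len(req) >= 22:               # IPv6 address
        host, port_raw, by_name = str(ipaddress.IPv6Address(req[4:20])), req[20:22], False
    elif atyp == 3 and len(req) >= 5 and len(req) >= 7 + req[4]:   # length-prefixed name
        n = req[4]
        host, port_raw, by_name = req[5:5 + n].decode("ascii", "replace"), req[5 + n:7 + n], True
    else:
        return None
    return ProxyTarget("socks5", host, struct.unpack("!H", port_raw)[0], by_name)


# "CONNECT host:port HTTP/1.x"; the host may be a bracketed IPv6 literal.
_CONNECT_LINE = re.compile(
    rb"^CONNECT[ \t]+(\[[0-9A-Fa-f:.]+\]|[^\s:\[\]]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r?\n")


def parse_http_connect(data: bytes) -> Optional[ProxyTarget]:
    m = _CONNECT_LINE.match(data)
    if not m:
        return None
    host = m.group(1).decode("ascii", "replace").strip("[]")
    try:
        ipaddress.ip_address(host)
        by_name = False
    except ValueError:
        by_name = True                               # proxy will resolve the name
    return ProxyTarget("http-connect", host, int(m.group(2)), by_name)


def proxy_target(client_bytes: bytes) -> Optional[ProxyTarget]:
    """Try each proxy dialect in turn, the way a DPD signature would pick an analyzer."""
    for parser in (parse_socks4, parse_socks5, parse_http_connect):
        target = parser(client_bytes)
        if target is not None:
            return target
    return None
```

A real implementation would run `proxy_target()` only on the client-to-proxy direction of a connection whose responder has been identified as a proxy, and would emit the returned host and port as the synthetic "inner" connection instead of (or alongside) the client-to-proxy one; when `by_name` is set the inner endpoint is only a name until something resolves it, which is exactly the lookup question raised in the thread.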
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 01 May 2012 20:36:00 -0000
Subject: [Bro-Dev] #813: Problem with libmagic in file analyzer
In-Reply-To: <046.9db067578007089bb913064fae522ddc@tracker.bro-ids.org>
References: <046.9db067578007089bb913064fae522ddc@tracker.bro-ids.org>
Message-ID: <061.5f55e7d7bdf1798be20b24648fb2d5dc@tracker.bro-ids.org>

#813: Problem with libmagic in file analyzer
-----------------------+------------------------
  Reporter:  seth      |      Owner:
      Type:  Problem   |     Status:  closed
  Priority:  Normal    |  Milestone:  Bro2.1
 Component:  Bro       |    Version:  git/master
Resolution:  Rejected  |   Keywords:
-----------------------+------------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Rejected

Comment:

 This was a problem with google perftools on mac os x.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 13:42:50 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 01 May 2012 20:42:50 -0000
Subject: [Bro-Dev] #741: Remove HTTP verbs from HTTP analyzer
In-Reply-To: <046.33191738c5e4da46b75e4c33d1e6e42a@tracker.bro-ids.org>
References: <046.33191738c5e4da46b75e4c33d1e6e42a@tracker.bro-ids.org>
Message-ID: <061.ecd65295b886bea28d95181c2e4befb0@tracker.bro-ids.org>

#741: Remove HTTP verbs from HTTP analyzer
----------------------+--------------------
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  High     |  Milestone:  Bro2.1
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+--------------------
Changes (by seth):

 * priority:  Normal => High

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 18:07:45 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 01:07:45 -0000
Subject: [Bro-Dev] #310: Higher time resolution?
In-Reply-To: <047.6919428e8f72f2b70e570f46050fe61f@tracker.bro-ids.org>
References: <047.6919428e8f72f2b70e570f46050fe61f@tracker.bro-ids.org>
Message-ID: <062.069dfd80ef1a7442982b3df0b19ae86e@tracker.bro-ids.org>

#310: Higher time resolution?
------------------------------+------------------------
  Reporter:  robin            |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:
------------------------------+------------------------
Changes (by seth):

 * version:   => git/master
 * milestone:  Bro2.1 => Bro2.2

Comment:

 Skip it for 2.1 and bump it again.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 18:11:37 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 01:11:37 -0000
Subject: [Bro-Dev] #364: login.bro should raise Notices when being confused
In-Reply-To: <047.ea749bad321e14efd7466bee5fc315ad@tracker.bro-ids.org>
References: <047.ea749bad321e14efd7466bee5fc315ad@tracker.bro-ids.org>
Message-ID: <062.6b1d19045508edb2cf61c22c56265382@tracker.bro-ids.org>

#364: login.bro should raise Notices when being confused
-----------------------+------------------------
  Reporter:  robin     |      Owner:
      Type:  Problem   |     Status:  closed
  Priority:  Normal    |  Milestone:  Bro2.1
 Component:  Bro       |    Version:  git/master
Resolution:  Rejected  |   Keywords:
-----------------------+------------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Rejected

Comment:

 I'm going to close this ticket. It's not terribly relevant anymore since we will likely have to handle this differently with the authentication framework later.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 18:12:49 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 01:12:49 -0000
Subject: [Bro-Dev] #334: Portmapper.bro documentation and script interaction
In-Reply-To: <048.dbd999fcc379921b003073dcd16b3781@tracker.bro-ids.org>
References: <048.dbd999fcc379921b003073dcd16b3781@tracker.bro-ids.org>
Message-ID: <063.bf45fe73aaa4566ac0f1245bab4873cf@tracker.bro-ids.org>

#334: Portmapper.bro documentation and script interaction
----------------------+------------------------
  Reporter:  gregor   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by seth):

 * milestone:  Bro2.1 => Bro2.2

Comment:

 Portmapper/nfs/rpc is coming back yet.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 18:16:23 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 01:16:23 -0000
Subject: [Bro-Dev] #327: Binding attributes to values/variables
In-Reply-To: <047.09785405b05ea472690e9a544c78a166@tracker.bro-ids.org>
References: <047.09785405b05ea472690e9a544c78a166@tracker.bro-ids.org>
Message-ID: <062.cb6c7630f749534688b17397be5a40cb@tracker.bro-ids.org>

#327: Binding attributes to values/variables
----------------------+------------------------
  Reporter:  robin    |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by seth):

 * milestone:  Bro2.1 => Bro2.2

Comment:

 Eventually we'll have to try and figure out where we were going with this conversation. Bumping it for now.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 18:20:05 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 01:20:05 -0000
Subject: [Bro-Dev] #348: Reassembler integer overflow issues. Data not delivered after 2GB
In-Reply-To: <048.e61375ac2d702203a810377b29931bd9@tracker.bro-ids.org>
References: <048.e61375ac2d702203a810377b29931bd9@tracker.bro-ids.org>
Message-ID: <063.7a9544dd0d60ba7d40b9181060215107@tracker.bro-ids.org>

#348: Reassembler integer overflow issues. Data not delivered after 2GB
----------------------+------------------------
  Reporter:  gregor   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  inttypes
----------------------+------------------------

Comment (by seth):

 Is this something that we should address for 2.1?

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 18:29:40 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 01:29:40 -0000
Subject: [Bro-Dev] #351: Incorrect bounds checking with truncated TCP options
In-Reply-To: <048.13f9524c095200c055a4d9dc5ef882b7@tracker.bro-ids.org>
References: <048.13f9524c095200c055a4d9dc5ef882b7@tracker.bro-ids.org>
Message-ID: <063.8db7cef0ca55bb641449c2f6c6087c41@tracker.bro-ids.org>

#351: Incorrect bounds checking with truncated TCP options
----------------------+------------------------
  Reporter:  gregor   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by seth):

 * milestone:  Bro2.1 => Bro2.2

Comment:

 I think this ticket may bring up much larger issues than it initially seems to. If we focus on analyzing tcp with truncated headers, we should probably put a lot more focus on handling connections with only one flow or handling content gaps in the analyzers. Pushing it back for now.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 18:31:15 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 01:31:15 -0000
Subject: [Bro-Dev] #422: Array-style index accessor for strings
In-Reply-To: <046.c7d0943c73a69d7fafd3a3bfa1945d22@tracker.bro-ids.org>
References: <046.c7d0943c73a69d7fafd3a3bfa1945d22@tracker.bro-ids.org>
Message-ID: <061.5ae3179dbe093e684ce7e180e26ce53c@tracker.bro-ids.org>

#422: Array-style index accessor for strings
------------------------------+----------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  language
------------------------------+----------------------
Changes (by seth):

 * milestone:  Bro2.1 => Bro2.2

Comment:

 Meh, not that important. Bump it!

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 18:32:57 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 01:32:57 -0000
Subject: [Bro-Dev] #524: Bro fuzz testing
In-Reply-To: <048.a8b2fd1e8661b692c679d3046e408dc7@tracker.bro-ids.org>
References: <048.a8b2fd1e8661b692c679d3046e408dc7@tracker.bro-ids.org>
Message-ID: <063.02db3d06e911ce653a3c8fbfc57a89c2@tracker.bro-ids.org>

#524: Bro fuzz testing
---------------------+------------------------
  Reporter:  gregor  |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:
 Component:  Bro     |    Version:  git/master
Resolution:          |   Keywords:
---------------------+------------------------
Changes (by seth):

 * milestone:  Bro2.1 =>

Comment:

 I'm going to remove this ticket from all milestones. It's too amorphous right now.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 19:12:41 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 02:12:41 -0000
Subject: [Bro-Dev] #542: SHA-1 and SHA-256
In-Reply-To: <046.6edfaf522dfff4dedd615707b9c858f1@tracker.bro-ids.org>
References: <046.6edfaf522dfff4dedd615707b9c858f1@tracker.bro-ids.org>
Message-ID: <061.c5a163a5336ecd34b01bf96aeadee758@tracker.bro-ids.org>

#542: SHA-1 and SHA-256
------------------------------+----------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  High             |  Milestone:  Bro2.1
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  language
------------------------------+----------------------
Changes (by seth):

 * priority:  Normal => High

Comment:

 All that needs to happen for this is a SHA implementation and BiFs that use it by copying the functionality of the existing MD5 BiFs.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 19:13:37 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 02:13:37 -0000
Subject: [Bro-Dev] #553: Script variable to set pcap's buffer size
In-Reply-To: <048.fdc2e81d1331136042f212703cab1b0c@tracker.bro-ids.org>
References: <048.fdc2e81d1331136042f212703cab1b0c@tracker.bro-ids.org>
Message-ID: <063.32fcb5f25b999f1e9b1006bd91e2adff@tracker.bro-ids.org>

#553: Script variable to set pcap's buffer size
------------------------------+------------------------
  Reporter:  gregor           |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:
------------------------------+------------------------
Changes (by seth):

 * milestone:  Bro2.1 => Bro2.2

Comment:

 Pushing this back since it seems like it might be part of a larger reorganization later.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 19:14:26 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 02:14:26 -0000
Subject: [Bro-Dev] #578: Add ICMPv6 support to Bro
In-Reply-To: <048.1e6e618d9d8a166299c6c8582e9c8511@tracker.bro-ids.org>
References: <048.1e6e618d9d8a166299c6c8582e9c8511@tracker.bro-ids.org>
Message-ID: <063.106cad8534100e9129f9adda971c8d48@tracker.bro-ids.org>

#578: Add ICMPv6 support to Bro
----------------------+------------------------
  Reporter:  gregor   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  IPv6
----------------------+------------------------

Comment (by seth):

 Is this done?

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 19:20:05 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 02:20:05 -0000
Subject: [Bro-Dev] #640: BiFs to enable or disable events.
In-Reply-To: <046.1f1e3ac9563bd29d452598383f9647bd@tracker.bro-ids.org>
References: <046.1f1e3ac9563bd29d452598383f9647bd@tracker.bro-ids.org>
Message-ID: <061.603a7a839dfbdb75460ee8a93f43f74f@tracker.bro-ids.org>

#640: BiFs to enable or disable events.
------------------------------+----------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  High             |  Milestone:  Bro2.1
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  language
------------------------------+----------------------
Changes (by seth):

 * priority:  Normal => High

Comment:

 Would this be more relevant if we just implemented simple BiFs for now to disable events? We could implement the larger framework on top of those I think.

 {{{
 disable_events(/http_.*/);
 enable_events(/http_.*/);
 }}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 19:20:57 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 02:20:57 -0000
Subject: [Bro-Dev] #746: Check the ssl/tls dpd signatures
In-Reply-To: <046.eb25556d32a680febd26b39278dc9697@tracker.bro-ids.org>
References: <046.eb25556d32a680febd26b39278dc9697@tracker.bro-ids.org>
Message-ID: <061.145f83f31f7f91a23021ca6a98979a09@tracker.bro-ids.org>

#746: Check the ssl/tls dpd signatures
---------------------------+--------------------
  Reporter:  seth          |      Owner:
      Type:  Problem       |     Status:  closed
  Priority:  Normal        |  Milestone:  Bro2.1
 Component:  Bro           |    Version:
Resolution:  Works for Me  |   Keywords:
---------------------------+--------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Works for Me

Comment:

 I think these work.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 20:26:50 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 03:26:50 -0000
Subject: [Bro-Dev] #542: SHA-1 and SHA-256
In-Reply-To: <046.6edfaf522dfff4dedd615707b9c858f1@tracker.bro-ids.org>
References: <046.6edfaf522dfff4dedd615707b9c858f1@tracker.bro-ids.org>
Message-ID: <061.e69a1be13a6b0970926b5330dec9af73@tracker.bro-ids.org>

#542: SHA-1 and SHA-256
------------------------------+----------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  High             |  Milestone:  Bro2.1
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  language
------------------------------+----------------------

Comment (by robin):

 > All that needs to happen for this is a SHA implementation and BiFs that
 > use it by copying the functionality of the existing MD5 BiFs.

 Note that now that OpenSSL is a required dependency, we could just use that for implementing SHA-1 (and perhaps also MD5).

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 1 20:49:45 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 03:49:45 -0000
Subject: [Bro-Dev] #578: Add ICMPv6 support to Bro
In-Reply-To: <048.1e6e618d9d8a166299c6c8582e9c8511@tracker.bro-ids.org>
References: <048.1e6e618d9d8a166299c6c8582e9c8511@tracker.bro-ids.org>
Message-ID: <063.b9c7a509992e3b8596705f31172a684b@tracker.bro-ids.org>

#578: Add ICMPv6 support to Bro
----------------------+------------------------
  Reporter:  gregor   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  IPv6
----------------------+------------------------

Comment (by dnthayer):

 Replying to [comment:2 seth]:
 > Is this done?

 Yes, the branch topic/icmp6 has been merged into master.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Wed May 2 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 2 May 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205020700.q42702Nt007311@bro-ids.icir.org>

> Unmerged Fastpath Commits
> =========================

Component     | Revision | Committer      | Date       | Summary
--------------+----------+----------------+------------+----------------------------------------------------------------------------------------
bro           | bff3cba  | Bernhard Amann | 2012-04-27 | Add two more TLS extension values that we see in live traffic. [1]
bro           | 8f91ece  | Seth Hall      | 2012-04-27 | Fixed IPv6 link local unicast CIDR and added IPv6 loopback to private address space. [2]
bro           | c561a44  | Seth Hall      | 2012-04-26 | Fixed a problem where cluster workers were still processing notices in some cases. [3]
bro           | 8c14b5a  | Seth Hall      | 2012-04-25 | Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space" [4]
broctl        | dcaf8d7  | Daniel Thayer  | 2012-05-01 | Fix minor build issue with broctl [5]
broctl        | e8eb857  | Daniel Thayer  | 2012-04-25 | Fix typos [6]
trace-summary | dcf4b00  | Daniel Thayer  | 2012-04-25 | Fix typos [7]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/bff3cba129720f208a8931d59861b9e2ba841e83/bro
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/8f91ecee7197329ba7ddc0dbf4cf01831b86e17a/bro
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/c561a44326f696826011f5212501ca09251856fc/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/8c14b5a911edff7b1ad8dfe1b33fd2c6766aec6d/bro
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/dcaf8d714b2e76805c48c711801dd5998b635f83/broctl
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/e8eb8579f1065b5759264e3fe04b8110f8f63b3a/broctl
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/dcf4b005af85530bbb688e91e3dc383b57bb6bf0/trace-summary

From bro at tracker.bro-ids.org Wed May 2 07:25:32 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 14:25:32 -0000
Subject: [Bro-Dev] #578: Add ICMPv6 support to Bro
In-Reply-To: <048.1e6e618d9d8a166299c6c8582e9c8511@tracker.bro-ids.org>
References: <048.1e6e618d9d8a166299c6c8582e9c8511@tracker.bro-ids.org>
Message-ID: <063.37757c4eee53eabd72772feb54e11166@tracker.bro-ids.org>

#578: Add ICMPv6 support to Bro
----------------------+------------------------
  Reporter:  gregor   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  IPv6
----------------------+------------------------

Comment (by robin):

 But we don't have any script-level logic yet.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Wed May 2 10:08:44 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 17:08:44 -0000
Subject: [Bro-Dev] #815: IPv6 atomic fragment optimizations
Message-ID: <048.7d1dd8cbb3f44d874a5682dab9bee42f@tracker.bro-ids.org>

#815: IPv6 atomic fragment optimizations
---------------------+------------------------
 Reporter:  jsiwek   |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro2.2
Component:  Bro      |    Version:  git/master
 Keywords:  ipv6     |
---------------------+------------------------
 The draft at http://tools.ietf.org/html/draft-ietf-6man-ipv6-atomic-fragments-00 should be revisited if it gets published. According to section 3, atomic fragment headers can just be ignored and "reassembly" skipped.

 That also should improve the case where a packet has multiple atomic fragment headers (see attached pcap), because currently Bro doesn't recursively reassemble the inner atomic fragments, it just stops processing the packet and gives the "unknown_protocol_44" weird to indicate there was packet with multiple fragment headers.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Wed May 2 12:11:46 2012
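The behaviour ticket #815 asks for, as an added example (written for this page, not Bro's packet-processing code): walk the IPv6 extension-header chain, treat a Fragment header with offset 0 and M=0 as atomic and step over it the way any other extension header is stepped over, keep going when several atomic fragment headers are stacked, and stop only at a genuine fragment that really needs the reassembler. The names `walk_ipv6_chain`, `ChainResult` and `build_ipv6` are illustrative, and the packets built for the test are constructed by hand rather than taken from the ticket's pcap.

```python
"""Walk an IPv6 extension-header chain and step over atomic fragment headers.

Added example for ticket #815; this is not Bro's code.  A Fragment header
with offset 0 and M=0 is "atomic": the packet already carries the whole
datagram, so nothing has to be reassembled and the header can be skipped
(draft-ietf-6man-ipv6-atomic-fragments, section 3).  Several atomic fragment
headers in a row are handled the same way instead of aborting the packet.
"""
import struct
from typing import NamedTuple, Optional

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 0, 43, 44, 60
IPPROTO_TCP, IPPROTO_UDP = 6, 17
# Extension headers that share the "next header, hdr ext len (8-octet units)" layout.
GENERIC_EXT = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}


class ChainResult(NamedTuple):
    upper_proto: Optional[int]  # protocol of the upper-layer header; None for a real fragment
    payload_offset: int         # byte offset of that header within the packet
    atomic_fragments: int       # number of atomic fragment headers stepped over
    needs_reassembly: bool      # True when a non-atomic fragment header was found


def walk_ipv6_chain(pkt: bytes) -> ChainResult:
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off, atomic = pkt[6], 40, 0
    while True:
        if next_hdr == IPPROTO_FRAGMENT:
            if len(pkt) < off + 8:
                raise ValueError("truncated fragment header")
            nxt, _reserved, off_and_flags, _ident = struct.unpack("!BBHI", pkt[off:off + 8])
            frag_offset, more = off_and_flags >> 3, off_and_flags & 1
            if frag_offset != 0 or more:
                # A genuine fragment: stop here and hand the packet to the reassembler.
                return ChainResult(None, off, atomic, True)
            atomic += 1                       # atomic fragment: nothing to reassemble, skip it
            next_hdr, off = nxt, off + 8
        elif next_hdr in GENERIC_EXT:
            if len(pkt) < off + 2:
                raise ValueError("truncated extension header")
            nxt, ext_len = pkt[off], pkt[off + 1]
            next_hdr, off = nxt, off + (ext_len + 1) * 8   # length excludes the first 8 octets
        else:
            return ChainResult(next_hdr, off, atomic, False)


def fragment_header(next_hdr: int, offset: int, more: bool, ident: int) -> bytes:
    """Build an RFC 2460 Fragment header (offset in 8-octet units)."""
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | int(more), ident)


def build_ipv6(next_hdr: int, ext_headers: bytes, payload: bytes) -> bytes:
    """Fixed header (version 6, unspecified addresses) followed by the chain and payload.

    Test helper for constructed packets; not a real capture.
    """
    body = ext_headers + payload
    return struct.pack("!IHBB", 6 << 28, len(body), next_hdr, 64) + bytes(32) + body
```

`walk_ipv6_chain()` returns where the upper-layer header starts and how many atomic fragment headers it skipped, so a caller can pass the packet straight to the transport analyzer instead of emitting a weird for a second fragment header; the reassembler is only involved when `needs_reassembly` is set.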
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 19:11:46 -0000
Subject: [Bro-Dev] #811: Redefining Notice::policy in local.bro not removing default notice action
In-Reply-To: <046.697ad84ed40fde86da0e018602a995df@tracker.bro-ids.org>
References: <046.697ad84ed40fde86da0e018602a995df@tracker.bro-ids.org>
Message-ID: <061.61c0bfdc4ab68eed325e94c884ab63f9@tracker.bro-ids.org>

#811: Redefining Notice::policy in local.bro not removing default notice action
-------------------------+-------------------------------------------------
  Reporter:  will        |      Owner:
      Type:  Problem     |     Status:  new
  Priority:  Normal      |  Milestone:  Bro2.1
 Component:  Bro         |    Version:  2.0
Resolution:              |   Keywords:  Notice, action, redef,
                         |              PacketFilter::Dropped_Packets
-------------------------+-------------------------------------------------

Comment (by seth):

 I'm still unable to reproduce this problem with ignore_notices. The behavior described in the ticket is how the notice framework works. I'm going to close this ticket soon unless I hear more reports of problems or a functional (non-functional?) example of the problem.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Wed May 2 12:12:51 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 19:12:51 -0000
Subject: [Bro-Dev] #748: Allow creation of blank patterns
In-Reply-To: <046.78bb5da8aeba6aaac7ac81eb139c5da7@tracker.bro-ids.org>
References: <046.78bb5da8aeba6aaac7ac81eb139c5da7@tracker.bro-ids.org>
Message-ID: <061.82526c097ed717631391bc70c166daac@tracker.bro-ids.org>

#748: Allow creation of blank patterns
------------------------------+--------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:
------------------------------+--------------------
Changes (by seth):

 * milestone:  Bro2.1 => Bro2.2

Comment:

 Doesn't matter for 2.1

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Wed May 2 12:13:29 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 19:13:29 -0000
Subject: [Bro-Dev] #754: Complete implementation of switch statement
In-Reply-To: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
References: <046.7621c0239b949326b069b865a7c4ac91@tracker.bro-ids.org>
Message-ID: <061.5028c8f2adf8ba210261738c05a75c2c@tracker.bro-ids.org>

#754: Complete implementation of switch statement
---------------------+------------------------
  Reporter:  seth    |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:  Bro2.2
 Component:  Bro     |    Version:  git/master
Resolution:          |   Keywords:  language
---------------------+------------------------
Changes (by seth):

 * milestone:  Bro2.1 => Bro2.2

Comment:

 Bumping this back.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Wed May 2 12:15:18 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 02 May 2012 19:15:18 -0000
Subject: [Bro-Dev] #773: DCE_RPC IPv6 support
In-Reply-To: <048.4dd4f1bdcaff64eb4d2323749ab5b206@tracker.bro-ids.org>
References: <048.4dd4f1bdcaff64eb4d2323749ab5b206@tracker.bro-ids.org>
Message-ID: <063.6d6dc739acec0baea1ee58eda78b5275@tracker.bro-ids.org>

#773: DCE_RPC IPv6 support
----------------------+------------------------
  Reporter:  jsiwek   |      Owner:
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:  Invalid  |   Keywords:  ipv6
----------------------+------------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Invalid

Comment:

 I'm going to close this ticket. It's likely that the DCE_RPC analyzer will see heavier rewrites in the future and there is already a comment in the source pondering if the protocol supports IPv6.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Wed May 2 20:32:17 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 03 May 2012 03:32:17 -0000
Subject: [Bro-Dev] #816: Reworked PacketFilter framework
Message-ID: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>

#816: Reworked PacketFilter framework
---------------------------+------------------------
 Reporter:  seth           |      Owner:
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.1
Component:  Bro            |    Version:  git/master
 Keywords:                 |
---------------------------+------------------------
 This is in the topic/seth/scripts-for-2.1 branch, apologies for the poor naming. One test is failing for me (coverage.test-all-policy) but I'm not sure what to do to fix it.

 This branch reworks the packet filter framework to make it easier to accomplish common actions.

 - Removes the PacketFilter::all_packets variable and instead makes "ip or not ip" the default capture filter.
 - Adds some convenience methods for restricting the traffic that is monitored and shunting traffic away with BPF.
 - Adds the beginning of load balancing support that is necessary to tie in with some load balancing methods through broctl.
 - Change the queue manager to flush the event queue before initializing analyzers through DPD.
 - New protocols framework that adds some convenience support for defining the analyzer->DPD linkage.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Thu May 3 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 3 May 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205030700.q43703qu002509@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
----------+---------+----------+-------+--------+--------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework

> Unmerged Fastpath Commits
> =========================

Component     | Revision | Committer      | Date       | Summary
--------------+----------+----------------+------------+----------------------------------------------------------------------------------------
bro           | bff3cba  | Bernhard Amann | 2012-04-27 | Add two more TLS extension values that we see in live traffic. [2]
bro           | 8f91ece  | Seth Hall      | 2012-04-27 | Fixed IPv6 link local unicast CIDR and added IPv6 loopback to private address space. [3]
bro           | c561a44  | Seth Hall      | 2012-04-26 | Fixed a problem where cluster workers were still processing notices in some cases. [4]
bro           | 8c14b5a  | Seth Hall      | 2012-04-25 | Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space" [5]
broccoli      | b51c2e1  | Daniel Thayer  | 2012-05-02 | Fix typos and a few reST formatting problems [6]
broctl        | dcaf8d7  | Daniel Thayer  | 2012-05-01 | Fix minor build issue with broctl [7]
broctl        | e8eb857  | Daniel Thayer  | 2012-04-25 | Fix typos [8]
trace-summary | dcf4b00  | Daniel Thayer  | 2012-04-25 | Fix typos [9]

[1] #816: http://tracker.bro-ids.org/bro/ticket/816
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/bff3cba129720f208a8931d59861b9e2ba841e83/bro
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/8f91ecee7197329ba7ddc0dbf4cf01831b86e17a/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/c561a44326f696826011f5212501ca09251856fc/bro
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/8c14b5a911edff7b1ad8dfe1b33fd2c6766aec6d/bro
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/b51c2e1d2feb1f108e99c15800220f5968a36001/broccoli
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/dcaf8d714b2e76805c48c711801dd5998b635f83/broctl
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/e8eb8579f1065b5759264e3fe04b8110f8f63b3a/broctl
[9] fastpath: http://tracker.bro-ids.org/bro/changeset/dcf4b005af85530bbb688e91e3dc383b57bb6bf0/trace-summary

From bro at tracker.bro-ids.org Thu May 3 07:53:28 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 03 May 2012 14:53:28 -0000
Subject: [Bro-Dev] #817: topic/seth/ssl-fixes
Message-ID: <046.2ccd81d884f6564a1984efc759ddfb6b@tracker.bro-ids.org>

#817: topic/seth/ssl-fixes
---------------------------+------------------------
 Reporter:  seth           |      Owner:  robin
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.1
Component:  Bro            |    Version:  git/master
 Keywords:                 |
---------------------------+------------------------
 SSL analyzer fixes and touch ups.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu May 3 11:37:55 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 03 May 2012 18:37:55 -0000
Subject: [Bro-Dev] #780: file extraction truncation.
In-Reply-To: <048.841e7736f715e5a45f63422aac975ed4@tracker.bro-ids.org>
References: <048.841e7736f715e5a45f63422aac975ed4@tracker.bro-ids.org>
Message-ID: <063.e2d533d9a1a1bc2c64bbcbc16ebf8a1f@tracker.bro-ids.org>

#780: file extraction truncation.
----------------------+---------------------------------------
 Reporter:  justin    |      Owner:
     Type:  Problem   |     Status:  new
 Priority:  High      |  Milestone:  Bro2.1
Component:  Bro       |    Version:  git/master
Resolution:           |   Keywords:  file extraction truncated
----------------------+---------------------------------------

Comment (by jsiwek):

In [bbac44a6a4b234405a5335dfe8c8ea2beef3f8d6/bro]:
{{{
#!CommitTicketReference repository="bro" revision="bbac44a6a4b234405a5335dfe8c8ea2beef3f8d6"
Changes to open-file caching limits and uncached file unserialization.

- Unserializing files that were previously kicked out of the open-file
  cache would cause them to be fopen'd with the original access
  permissions which is usually 'w' and causes truncation. They
  are now opened in 'a' mode. (addresses #780)

- Add 'max_files_in_cache' script option to manually set the maximum
  amount of opened files to keep cached. Mainly this just helped to
  create a simple test case for the above change.

- Remove unused NO_HAVE_SETRLIMIT preprocessor switch.

- On systems that don't enforce a limit on number of files opened for
  the process, raise default max size of open-file cache from 32 to 512.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu May 3 11:42:00 2012
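The truncation mechanism described in the commit above, as an added example that is not Bro's code: a minimal least-recently-used open-file cache in C whose reopen mode after eviction is either "w", reproducing the #780 behaviour, or "a", the fix. The cache structure, the one-slot capacity and the paths under /tmp are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_FILES   8   /* files the example can track */
#define CACHE_SLOTS 1   /* one open slot, so touching a second file evicts the first */

struct cached_file {
    char path[256];
    FILE *fp;                /* NULL while evicted from the cache */
    unsigned long last_used; /* 0 until first opened */
};

struct file_cache {
    struct cached_file files[MAX_FILES];
    int n;
    int open_count;
    unsigned long tick;
    const char *reopen_mode; /* "w" reproduces the #780 bug, "a" is the fix */
};

static void cache_init(struct file_cache *c, const char *reopen_mode)
{
    memset(c, 0, sizeof *c);
    c->reopen_mode = reopen_mode;
}

/* Close the least recently used open file to free a slot. */
static void evict_one(struct file_cache *c)
{
    int victim = -1;
    for (int i = 0; i < c->n; i++) {
        if (c->files[i].fp == NULL)
            continue;
        if (victim < 0 || c->files[i].last_used < c->files[victim].last_used)
            victim = i;
    }
    if (victim >= 0) {
        fclose(c->files[victim].fp); /* flushes what was written so far */
        c->files[victim].fp = NULL;
        c->open_count--;
    }
}

/* Return an open FILE* for path, opening or reopening it as needed. */
static FILE *cache_get(struct file_cache *c, const char *path)
{
    int idx = -1;
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->files[i].path, path) == 0) { idx = i; break; }
    if (idx < 0) {
        if (c->n >= MAX_FILES)
            return NULL;
        idx = c->n++;
        snprintf(c->files[idx].path, sizeof c->files[idx].path, "%s", path);
    }
    if (c->files[idx].fp == NULL) {
        if (c->open_count >= CACHE_SLOTS)
            evict_one(c);
        /* The first open creates the file; a reopen after eviction must not
         * truncate it, which is exactly what reusing the cached "w" mode did. */
        const char *mode = c->files[idx].last_used == 0 ? "w" : c->reopen_mode;
        c->files[idx].fp = fopen(c->files[idx].path, mode);
        if (c->files[idx].fp == NULL)
            return NULL;
        c->open_count++;
    }
    c->files[idx].last_used = ++c->tick;
    return c->files[idx].fp;
}

static void cache_close_all(struct file_cache *c)
{
    for (int i = 0; i < c->n; i++)
        if (c->files[i].fp) { fclose(c->files[i].fp); c->files[i].fp = NULL; }
    c->open_count = 0;
}

/* Write two chunks to file A with a write to file B in between (evicting A),
 * then report how many bytes of A survive on disk: 6 with "w", 12 with "a". */
static long bytes_kept_after_eviction(const char *reopen_mode)
{
    char a[64], b[64];
    snprintf(a, sizeof a, "/tmp/bro780_example_%s_a.bin", reopen_mode);
    snprintf(b, sizeof b, "/tmp/bro780_example_%s_b.bin", reopen_mode);
    remove(a); remove(b);                    /* start from a clean slate */

    struct file_cache c;
    cache_init(&c, reopen_mode);
    FILE *fa = cache_get(&c, a); if (!fa) return -1;
    fputs("chunk1", fa);                     /* 6 bytes */
    FILE *fb = cache_get(&c, b); if (!fb) return -1;
    fputs("x", fb);                          /* evicts A from the cache */
    fa = cache_get(&c, a); if (!fa) return -1;
    fputs("chunk2", fa);                     /* reopened: truncates or appends */
    cache_close_all(&c);

    struct stat st;
    long size = stat(a, &st) == 0 ? (long)st.st_size : -1;
    remove(a); remove(b);
    return size;
}

int main(void)
{
    printf("reopen with \"w\": %ld bytes kept\n", bytes_kept_after_eviction("w"));
    printf("reopen with \"a\": %ld bytes kept\n", bytes_kept_after_eviction("a"));
    return 0;
}
```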
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 03 May 2012 18:42:00 -0000
Subject: [Bro-Dev] #780: file extraction truncation.
In-Reply-To: <048.841e7736f715e5a45f63422aac975ed4@tracker.bro-ids.org>
References: <048.841e7736f715e5a45f63422aac975ed4@tracker.bro-ids.org>
Message-ID: <063.94c6b0b78a0bfef0f87fed9fb4b394cd@tracker.bro-ids.org>

#780: file extraction truncation.
----------------------------+---------------------------------------
 Reporter:  justin          |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  High            |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:  file extraction truncated
----------------------------+---------------------------------------

Changes (by jsiwek):

 * type:  Problem => Merge Request

Comment:

Patch for this is in `topic/jsiwek/file-caching-serialization`.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu May 3 13:41:12 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 03 May 2012 20:41:12 -0000
Subject: [Bro-Dev] #780: file extraction truncation.
In-Reply-To: <048.841e7736f715e5a45f63422aac975ed4@tracker.bro-ids.org>
References: <048.841e7736f715e5a45f63422aac975ed4@tracker.bro-ids.org>
Message-ID: <063.9493df701fa9e20f5cfa2ad556705741@tracker.bro-ids.org>

#780: file extraction truncation.
----------------------------+---------------------------------------
 Reporter:  justin          |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  High            |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:  file extraction truncated
----------------------------+---------------------------------------

Comment (by robin):

Replying to [comment:3 jsiwek]:
> - Unserializing files that were previously kicked out of the open-file
>   cache would cause them to be fopen'd with the original access
>   permissions which is usually 'w' and causes truncation. They
>   are now opened in 'a' mode. (addresses #780)

Sounds like this changes the behavior for unserializing files that already
exist before Bro start up; which matters with remote prints (i.e., they now
append). I don't think it's very important now that we have the new logging
and remote prints are hardly used anymore so I'm going to merge it. But for
the record, we could remember which files we have already opened once (by
their path), and only open them in append mode.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu May 3 13:42:52 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 03 May 2012 20:42:52 -0000
Subject: [Bro-Dev] #780: file extraction truncation.
In-Reply-To: <048.841e7736f715e5a45f63422aac975ed4@tracker.bro-ids.org>
References: <048.841e7736f715e5a45f63422aac975ed4@tracker.bro-ids.org>
Message-ID: <063.539366495bbaa6142e52785bba894a57@tracker.bro-ids.org>

#780: file extraction truncation.
----------------------------+---------------------------------------
 Reporter:  justin          |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  High            |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:  file extraction truncated
----------------------------+---------------------------------------

Comment (by robin):

Nice test file-caching-serialization!

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu May 3 13:51:04 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 03 May 2012 20:51:04 -0000
Subject: [Bro-Dev] #816: Reworked PacketFilter framework
In-Reply-To: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
References: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
Message-ID: <061.bbcbc1c994227e9cba81f72a489986b7@tracker.bro-ids.org>

#816: Reworked PacketFilter framework
----------------------------+------------------------
 Reporter:  seth            |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  Normal          |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Comment (by robin):

This sets ``const stats_collection_interval = 5min``. That sounds quite
long an interval to report drops?

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu May 3 14:10:52 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 03 May 2012 21:10:52 -0000
Subject: [Bro-Dev] #816: Reworked PacketFilter framework
In-Reply-To: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
References: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
Message-ID: <061.fafcb048f2becba27ba0e319f334d4f6@tracker.bro-ids.org>

#816: Reworked PacketFilter framework
----------------------------+------------------------
 Reporter:  seth            |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  Normal          |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Comment (by seth):

> This sets ``const stats_collection_interval = 5min``. That sounds quite
> long an interval to report drops?

It's completely normal on deployed clusters to have small amounts of packet
loss, at least that has been my experience. Increasing the delay was to
reduce the volume of these notices. Large clusters were creating multiple
notices per worker per minute which just looks kind of sloppy when you
search through notices.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Fri May 4 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 4 May 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205040700.q447028S030066@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
----------+---------+----------+-------+--------+---------------------------------
Bro       | 780 [1] | justin   |       | High   | file extraction truncation.
Bro       | 816 [2] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 817 [3] | seth     | robin | Normal | topic/seth/ssl-fixes [4]

> Unmerged Fastpath Commits
> =========================

Component     | Revision | Committer      | Date       | Summary
--------------+----------+----------------+------------+-------------------------------------------------------------------------------------------
bro           | bff3cba  | Bernhard Amann | 2012-04-27 | Add two more TLS extension values that we see in live traffic. [5]
bro           | 8f91ece  | Seth Hall      | 2012-04-27 | Fixed IPv6 link local unicast CIDR and added IPv6 loopback to private address space. [6]
bro           | c561a44  | Seth Hall      | 2012-04-26 | Fixed a problem where cluster workers were still processing notices in some cases. [7]
bro           | 8c14b5a  | Seth Hall      | 2012-04-25 | Added Carrier Grade NAT CIDR and link local IPv6 to "private_address_space" [8]
broccoli      | b51c2e1  | Daniel Thayer  | 2012-05-02 | Fix typos and a few reST formatting problems [9]
broctl        | dcaf8d7  | Daniel Thayer  | 2012-05-01 | Fix minor build issue with broctl [10]
broctl        | e8eb857  | Daniel Thayer  | 2012-04-25 | Fix typos [11]
trace-summary | dcf4b00  | Daniel Thayer  | 2012-04-25 | Fix typos [12]

[1]  #780:      http://tracker.bro-ids.org/bro/ticket/780
[2]  #816:      http://tracker.bro-ids.org/bro/ticket/816
[3]  #817:      http://tracker.bro-ids.org/bro/ticket/817
[4]  ssl-fixes: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/ssl-fixes
[5]  fastpath:  http://tracker.bro-ids.org/bro/changeset/bff3cba129720f208a8931d59861b9e2ba841e83/bro
[6]  fastpath:  http://tracker.bro-ids.org/bro/changeset/8f91ecee7197329ba7ddc0dbf4cf01831b86e17a/bro
[7]  fastpath:  http://tracker.bro-ids.org/bro/changeset/c561a44326f696826011f5212501ca09251856fc/bro
[8]  fastpath:  http://tracker.bro-ids.org/bro/changeset/8c14b5a911edff7b1ad8dfe1b33fd2c6766aec6d/bro
[9]  fastpath:  http://tracker.bro-ids.org/bro/changeset/b51c2e1d2feb1f108e99c15800220f5968a36001/broccoli
[10] fastpath:  http://tracker.bro-ids.org/bro/changeset/dcaf8d714b2e76805c48c711801dd5998b635f83/broctl
[11] fastpath:  http://tracker.bro-ids.org/bro/changeset/e8eb8579f1065b5759264e3fe04b8110f8f63b3a/broctl
[12] fastpath:  http://tracker.bro-ids.org/bro/changeset/dcf4b005af85530bbb688e91e3dc383b57bb6bf0/trace-summary

From bro at tracker.bro-ids.org Fri May 4 09:42:29 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 04 May 2012 16:42:29 -0000
Subject: [Bro-Dev] #818: topic/jsiwek/ipv6-output-format
Message-ID: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>

#818: topic/jsiwek/ipv6-output-format
---------------------------+------------------------
 Reporter:  jsiwek         |      Owner:
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.1
Component:  Bro            |    Version:  git/master
 Keywords:  ipv6           |
---------------------------+------------------------

This branch is in `bro` and `bro-testing` repos and updates the
presentation format of IPv6 addresses/prefixes in output/logs to always be
bracketed. This avoids the need to remember to add them when writing
address:port combinations and also makes the format consistent with what is
required for IPv6 user input in scripts.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri May 4 09:44:51 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 04 May 2012 16:44:51 -0000
Subject: [Bro-Dev] #713: IPv6 session extraction failure
In-Reply-To: <046.cada0c993d930ef613daa5ace3fb9d8c@tracker.bro-ids.org>
References: <046.cada0c993d930ef613daa5ace3fb9d8c@tracker.bro-ids.org>
Message-ID: <061.ce4b25bdcad78dec67f3e069e78db483@tracker.bro-ids.org>

#713: IPv6 session extraction failure
-----------------------------+--------------------
 Reporter:  seth             |      Owner:
     Type:  Problem          |     Status:  closed
 Priority:  Normal           |  Milestone:  Bro2.1
Component:  Bro              |    Version:
Resolution:  Solved/Applied  |   Keywords:  ipv6
-----------------------------+--------------------

Changes (by jsiwek):

 * status:  new => closed
 * resolution:  => Solved/Applied

Comment:

There's a test case for IPv6 content extraction in #818, and it also
changes the output presentation of IPv6 to be in square brackets.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri May 4 10:11:09 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 04 May 2012 17:11:09 -0000
Subject: [Bro-Dev] #575: PySubnetTree does not support IPv6 prefixes
In-Reply-To: <048.85047f5d342118b53753a8939f6f2ee0@tracker.bro-ids.org>
References: <048.85047f5d342118b53753a8939f6f2ee0@tracker.bro-ids.org>
Message-ID: <063.6f0d876a1335f605ee85fe50d9bc70c0@tracker.bro-ids.org>

#575: PySubnetTree does not support IPv6 prefixes
------------------------------+--------------------
 Reporter:  gregor            |      Owner:  robin
     Type:  Feature Request   |     Status:  closed
 Priority:  Normal            |  Milestone:  Bro2.1
Component:  pysubnettree      |    Version:
Resolution:  Duplicate        |   Keywords:  ipv6
------------------------------+--------------------

Changes (by jsiwek):

 * status:  new => closed
 * resolution:  => Duplicate

Comment:

Looks the same as #750, which is fixed now.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri May 4 14:13:16 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 04 May 2012 21:13:16 -0000
Subject: [Bro-Dev] #542: SHA-1 and SHA-256
In-Reply-To: <046.6edfaf522dfff4dedd615707b9c858f1@tracker.bro-ids.org>
References: <046.6edfaf522dfff4dedd615707b9c858f1@tracker.bro-ids.org>
Message-ID: <061.42d9cce53d21ee0c26a1cafc792e2d68@tracker.bro-ids.org>

#542: SHA-1 and SHA-256
------------------------------+----------------------
 Reporter:  seth              |      Owner:
     Type:  Feature Request   |     Status:  new
 Priority:  High              |  Milestone:  Bro2.1
Component:  Bro               |    Version:
Resolution:                   |   Keywords:  language
------------------------------+----------------------

Comment (by jsiwek):

In [79afc834ce4218ac986c16dffa5f835fa3b7b6a2/bro]:
{{{
#!CommitTicketReference repository="bro" revision="79afc834ce4218ac986c16dffa5f835fa3b7b6a2"
Add SHA1 and SHA256 hashing BIFs. (addresses #542)

Also refactor all internal MD5 stuff to use OpenSSL's.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri May 4 14:15:35 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 04 May 2012 21:15:35 -0000
Subject: [Bro-Dev] #542: SHA-1 and SHA-256
In-Reply-To: <046.6edfaf522dfff4dedd615707b9c858f1@tracker.bro-ids.org>
References: <046.6edfaf522dfff4dedd615707b9c858f1@tracker.bro-ids.org>
Message-ID: <061.c298eef5c4af0deb681190257112bb06@tracker.bro-ids.org>

#542: SHA-1 and SHA-256
----------------------------+----------------------
 Reporter:  seth            |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  High            |  Milestone:  Bro2.1
Component:  Bro             |    Version:
Resolution:                 |   Keywords:  language
----------------------------+----------------------

Changes (by jsiwek):

 * type:  Feature Request => Merge Request

Comment:

Added in `topic/jsiwek/digests`

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri May 4 20:58:11 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 05 May 2012 03:58:11 -0000
Subject: [Bro-Dev] #816: Reworked PacketFilter framework
In-Reply-To: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
References: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
Message-ID: <061.cb3821725056cc1e907598b4daea6aba@tracker.bro-ids.org>

#816: Reworked PacketFilter framework
----------------------------+------------------------
 Reporter:  seth            |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  Normal          |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Comment (by robin):

This has problems, I see plenty of differences with bro-testing-private and
also one with bro-testing. It looks like the direction of connections isn't
figured out correctly in some cases, I'm guessing because something's wrong
with the well-known port heuristic after the DPD changes.

As a test case look at connection s2CEbUBeqfi in 009-M57-day11-18.trace.gz.
Direction changes after applying this.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri May 4 21:27:20 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 05 May 2012 04:27:20 -0000
Subject: [Bro-Dev] #818: topic/jsiwek/ipv6-output-format
In-Reply-To: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
References: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
Message-ID: <063.078daa5bdff79cc7c631748bd81a84c8@tracker.bro-ids.org>

#818: topic/jsiwek/ipv6-output-format
----------------------------+------------------------
 Reporter:  jsiwek          |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  Normal          |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:  ipv6
----------------------------+------------------------

Comment (by robin):

I'm reconsidering this one. I don't really like the bracketing in the
*.log files, that seems to hurt more (for inspection & postprocessing) than
it helps. I tried to adapt just the ASCII writer to not bracket, but it
then still prints addresses with brackets which the script-layer already
converts to string (I believe); and now it's getting inconsistent.

Opinions?

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri May 4 21:34:46 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 05 May 2012 04:34:46 -0000
Subject: [Bro-Dev] #780: file extraction truncation.
In-Reply-To: <048.841e7736f715e5a45f63422aac975ed4@tracker.bro-ids.org>
References: <048.841e7736f715e5a45f63422aac975ed4@tracker.bro-ids.org>
Message-ID: <063.0750082d743a0baeced4ca6bd520b06d@tracker.bro-ids.org>

#780: file extraction truncation.
----------------------------+---------------------------------------
 Reporter:  justin          |      Owner:  robin
     Type:  Merge Request   |     Status:  closed
 Priority:  High            |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:  fixed          |   Keywords:  file extraction truncated
----------------------------+---------------------------------------

Changes (by robin):

 * owner:  => robin
 * status:  new => closed
 * resolution:  => fixed

Comment:

In [87ac88cfd207423f7caefe1383a5c94c9ce5fb17/bro]:
{{{
#!CommitTicketReference repository="bro" revision="87ac88cfd207423f7caefe1383a5c94c9ce5fb17"
Merge remote-tracking branch 'origin/topic/jsiwek/file-caching-serialization'

* origin/topic/jsiwek/file-caching-serialization:
  Changes to open-file caching limits and uncached file unserialization.

Closes #780.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri May 4 21:34:46 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 05 May 2012 04:34:46 -0000
Subject: [Bro-Dev] #817: topic/seth/ssl-fixes
In-Reply-To: <046.2ccd81d884f6564a1984efc759ddfb6b@tracker.bro-ids.org>
References: <046.2ccd81d884f6564a1984efc759ddfb6b@tracker.bro-ids.org>
Message-ID: <061.066ef8cbcb812dfd64b8868992771084@tracker.bro-ids.org>

#817: topic/seth/ssl-fixes
----------------------------+------------------------
 Reporter:  seth            |      Owner:  robin
     Type:  Merge Request   |     Status:  closed
 Priority:  Normal          |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:  fixed          |   Keywords:
----------------------------+------------------------

Changes (by robin):

 * status:  new => closed
 * resolution:  => fixed

Comment:

In [c327a0613a0c9185a607c7707cd403860d447034/bro]:
{{{
#!CommitTicketReference repository="bro" revision="c327a0613a0c9185a607c7707cd403860d447034"
Merge remote-tracking branch 'origin/topic/seth/ssl-fixes'

* origin/topic/seth/ssl-fixes:
  More bugfixes, cleanup, and test for SSL analyzer
  Fixed parsing of TLS server extensions.

Closes #817.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri May 4 21:34:46 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 05 May 2012 04:34:46 -0000
Subject: [Bro-Dev] #542: SHA-1 and SHA-256
In-Reply-To: <046.6edfaf522dfff4dedd615707b9c858f1@tracker.bro-ids.org>
References: <046.6edfaf522dfff4dedd615707b9c858f1@tracker.bro-ids.org>
Message-ID: <061.61c123c445cd42ba9384e676ecf61e5f@tracker.bro-ids.org>

#542: SHA-1 and SHA-256
----------------------------+----------------------
 Reporter:  seth            |      Owner:  robin
     Type:  Merge Request   |     Status:  closed
 Priority:  High            |  Milestone:  Bro2.1
Component:  Bro             |    Version:
Resolution:  fixed          |   Keywords:  language
----------------------------+----------------------

Changes (by robin):

 * owner:  => robin
 * status:  new => closed
 * resolution:  => fixed

Comment:

In [ed9801db988ed488620154d82aa87743d5e714a2/bro]:
{{{
#!CommitTicketReference repository="bro" revision="ed9801db988ed488620154d82aa87743d5e714a2"
Merge remote-tracking branch 'origin/topic/jsiwek/digests'

* origin/topic/jsiwek/digests:
  Add SHA1 and SHA256 hashing BIFs. (addresses #542)

Closes #542.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Sat May 5 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 5 May 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205050700.q45702I4024264@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
----------+---------+----------+-------+--------+-------------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 818 [2] | jsiwek   |       | Normal | topic/jsiwek/ipv6-output-format [3]

[1] #816:               http://tracker.bro-ids.org/bro/ticket/816
[2] #818:               http://tracker.bro-ids.org/bro/ticket/818
[3] ipv6-output-format: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-output-format

From bro at tracker.bro-ids.org Sat May 5 14:45:24 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 05 May 2012 21:45:24 -0000
Subject: [Bro-Dev] #816: Reworked PacketFilter framework
In-Reply-To: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
References: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
Message-ID: <061.6f25f0f101ede29cdb75126315123272@tracker.bro-ids.org>

#816: Reworked PacketFilter framework
----------------------------+------------------------
 Reporter:  seth            |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  Normal          |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Comment (by robin):

Replying to [comment:1 seth]:
> It's completely normal on deployed clusters to have small amounts of
> packet loss, at least that has been my experience. Increasing the delay
> was to reduce the volume of these notices. Large clusters were creating
> multiple notices per worker per minute which just looks kind of sloppy
> when you search through notices.

My concern is that with a large interval, it will take a while until drops
are reported the *first* time. If I just start Bro up on the command line,
I won't notice for 5 min whether I'm putting too much load on.

I suggest we either leave the default small and increase it in local.bro
instead, or we at least use something smaller than 5min; perhaps 30s or 1m.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Sat May 5 17:19:26 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 06 May 2012 00:19:26 -0000
Subject: [Bro-Dev] #818: topic/jsiwek/ipv6-output-format
In-Reply-To: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
References: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
Message-ID: <063.e41909da45ab3f62bd5267b7da5aa1dc@tracker.bro-ids.org>

#818: topic/jsiwek/ipv6-output-format
----------------------------+------------------------
 Reporter:  jsiwek          |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  Normal          |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:  ipv6
----------------------------+------------------------

Comment (by seth):

> I'm reconsidering this one. I don't really like the bracketing in the
> *.log files, that seems to hurt more (for inspection & postprocessing) than
> it helps.

That was my first thought too. Jon pointed out that we should use brackets
for consistency and that ipv6 addresses aren't exactly readable anyway. I
agree with Jon's points but I'm conflicted (and yet I still like the idea
of leaving out the brackets).

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Sun May 6 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sun, 6 May 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205060700.q46703wu030784@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
----------+---------+----------+-------+--------+-------------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 818 [2] | jsiwek   |       | Normal | topic/jsiwek/ipv6-output-format [3]

[1] #816:               http://tracker.bro-ids.org/bro/ticket/816
[2] #818:               http://tracker.bro-ids.org/bro/ticket/818
[3] ipv6-output-format: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-output-format

From bro at tracker.bro-ids.org Sun May 6 05:09:36 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sun, 06 May 2012 12:09:36 -0000
Subject: [Bro-Dev] #816: Reworked PacketFilter framework
In-Reply-To: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
References: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
Message-ID: <061.1b80a20b7c2aa9d5a6bde5e6ff589ac9@tracker.bro-ids.org>

#816: Reworked PacketFilter framework
----------------------------+------------------------
 Reporter:  seth            |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  Normal          |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:
----------------------------+------------------------

Comment (by seth):

> It looks like the direction of connections
> isn't figured out correctly in some cases, I'm guessing because
> something's wrong with the well-known port heuristic after the DPD
> changes.

Oh, good point. I don't think I handled that yet. I'll fix it on Monday.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Mon May 7 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Mon, 7 May 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205070700.q47702vZ003411@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
----------+---------+----------+-------+--------+-------------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 818 [2] | jsiwek   |       | Normal | topic/jsiwek/ipv6-output-format [3]

[1] #816:               http://tracker.bro-ids.org/bro/ticket/816
[2] #818:               http://tracker.bro-ids.org/bro/ticket/818
[3] ipv6-output-format: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-output-format

From bro at tracker.bro-ids.org Mon May 7 06:30:13 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 May 2012 13:30:13 -0000
Subject: [Bro-Dev] #329: Optimizing detect-protocols-http.bro
In-Reply-To: <046.fc3e396e80d9cd99cc21e00aef84ff98@tracker.bro-ids.org>
References: <046.fc3e396e80d9cd99cc21e00aef84ff98@tracker.bro-ids.org>
Message-ID: <061.d23752fd6865382e87b1fe7f19808fa1@tracker.bro-ids.org>

#329: Optimizing detect-protocols-http.bro
---------------------+----------------------
 Reporter:  seth     |      Owner:
     Type:  Task     |     Status:  assigned
 Priority:  Normal   |  Milestone:  Bro2.2
Component:  Bro      |    Version:
Resolution:          |   Keywords:  sprint
---------------------+----------------------

Changes (by seth):

 * milestone:  Bro2.1 => Bro2.2

Comment:

Still not crucial.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 7 06:31:43 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 May 2012 13:31:43 -0000
Subject: [Bro-Dev] #544: scan.bro and hot.conn.bro need updating
In-Reply-To: <047.737dcb7555d7c558c1757654428e87e0@tracker.bro-ids.org>
References: <047.737dcb7555d7c558c1757654428e87e0@tracker.bro-ids.org>
Message-ID: <062.593962206ef01c776f814b08310cac24@tracker.bro-ids.org>

#544: scan.bro and hot.conn.bro need updating
-----------------------+------------------------
 Reporter:  robin      |      Owner:  seth
     Type:  Problem    |     Status:  closed
 Priority:  Normal     |  Milestone:  Bro2.1
Component:  Bro        |    Version:  git/master
Resolution:  Rejected  |   Keywords:  beta
-----------------------+------------------------

Changes (by seth):

 * status:  assigned => closed
 * resolution:  => Rejected

Comment:

These are coming back eventually, but I don't think we need a ticket to
track the old implementations.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 7 09:36:51 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 May 2012 16:36:51 -0000
Subject: [Bro-Dev] #818: topic/jsiwek/ipv6-output-format
In-Reply-To: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
References: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
Message-ID: <063.a4f0f20207c3c0297da7dced5fda36ef@tracker.bro-ids.org>

#818: topic/jsiwek/ipv6-output-format
----------------------------+------------------------
 Reporter:  jsiwek          |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  Normal          |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
Resolution:                 |   Keywords:  ipv6
----------------------------+------------------------

Comment (by jsiwek):

Replying to [comment:1 seth]:
> > I'm reconsidering this one. I don't really like the bracketing in the
> > *.log files, that seems to hurt more (for inspection & postprocessing) than
> > it helps.
>
> That was my first thought too. Jon pointed out that we should use brackets
> for consistency and that ipv6 addresses aren't exactly readable anyway. I
> agree with Jon's points but I'm conflicted (and yet I still like the idea
> of leaving out the brackets).

I think I'll switch it back to not adding brackets anywhere internally,
adding them automatically only for conversion to string, but not when
logging seems like it's just too confusing. And since there's few cases
where it's actually necessary, adding an `addr_to_uri` script-level
function might be enough.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 7 09:40:14 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 May 2012 16:40:14 -0000
Subject: [Bro-Dev] #818: topic/jsiwek/ipv6-output-format
In-Reply-To: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
References: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
Message-ID: <063.cc2eab295269336e3648ca816f266dac@tracker.bro-ids.org>

#818: topic/jsiwek/ipv6-output-format
----------------------------+------------------------
  Reporter:  jsiwek          |      Owner:
      Type:  Merge Request   |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:                  |   Keywords:  ipv6
----------------------------+------------------------

Comment (by robin):

On Mon, May 07, 2012 at 16:36 -0000, you wrote:

> logging seems like it's just too confusing. And since there's few cases
> where it's actually necessary, adding an `addr_to_uri` script-level
> function might be enough.

What are those cases again where it's necessary?

Robin

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 7 10:06:21 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 May 2012 17:06:21 -0000
Subject: [Bro-Dev] #818: topic/jsiwek/ipv6-output-format
In-Reply-To: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
References: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
Message-ID: <063.b6a483cc20506f09cd7b647cecb715e1@tracker.bro-ids.org>

#818: topic/jsiwek/ipv6-output-format
----------------------------+------------------------
  Reporter:  jsiwek          |      Owner:
      Type:  Merge Request   |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:                  |   Keywords:  ipv6
----------------------------+------------------------

Comment (by jsiwek):

Replying to [comment:3 robin]:
> On Mon, May 07, 2012 at 16:36 -0000, you wrote:
>
> > logging seems like it's just too confusing. And since there's few cases
> > where it's actually necessary, adding an `addr_to_uri` script-level
> > function might be enough.
>
> What are those cases again where it's necessary?

Generally whenever they could be put in a URI (two places in http and ftp scripts are the only places I found right now that do this) or specifically whenever a ":" is appended to the address string (extracted files use that format by default).

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 7 11:08:00 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 May 2012 18:08:00 -0000
Subject: [Bro-Dev] #818: topic/jsiwek/ipv6-output-format
In-Reply-To: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
References: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
Message-ID: <063.46ec05e1793d0011b45866e634ab62a6@tracker.bro-ids.org>

#818: topic/jsiwek/ipv6-output-format
----------------------------+------------------------
  Reporter:  jsiwek          |      Owner:
      Type:  Merge Request   |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:                  |   Keywords:  ipv6
----------------------------+------------------------

Comment (by jsiwek):

Those changes are now pushed to the branch in `bro`; no changes are now necessary in `bro-testing`, so I deleted the branch there.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 7 11:10:09 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 May 2012 18:10:09 -0000
Subject: [Bro-Dev] #818: topic/jsiwek/ipv6-output-format
In-Reply-To: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
References: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
Message-ID: <063.732230f7fdac846e357aa50f696ca95c@tracker.bro-ids.org>

#818: topic/jsiwek/ipv6-output-format
----------------------------+------------------------
  Reporter:  jsiwek          |      Owner:
      Type:  Merge Request   |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:                  |   Keywords:  ipv6
----------------------------+------------------------

Comment (by robin):

On Mon, May 07, 2012 at 17:06 -0000, you wrote:

> Generally whenever they could be put in a URI (two places in http and ftp
> scripts are the only places I found right now that do this) or
> specifically whenever a ":" is appended to the address string
> (extracted files use that format by default).

yeah, then the function sounds good.

Robin

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 7 11:37:32 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 07 May 2012 18:37:32 -0000
Subject: [Bro-Dev] #818: topic/jsiwek/ipv6-output-format
In-Reply-To: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
References: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
Message-ID: <063.8e3e6546bfa0ad0c90596597797a5c94@tracker.bro-ids.org>

#818: topic/jsiwek/ipv6-output-format
----------------------------+------------------------
  Reporter:  jsiwek          |      Owner:
      Type:  Merge Request   |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:                  |   Keywords:  ipv6
----------------------------+------------------------

Comment (by seth):

>> Generally whenever they could be put in a URI (two places in http and ftp
>> scripts are the only places I found right now that do this) or
>> specifically whenever a ":" is appended to the address string
>> (extracted files use that format by default).
>
> yeah, then the function sounds good.

Conveniently there already is a function

    HTTP::build_url(rec: HTTP::Info): string

It just needs to be slightly extended to deal with IPv6 addresses correctly. The complications with creating URL representations were why I created that function.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From vern at icir.org Mon May 7 12:06:04 2012
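The rule the #818 thread settles on, as an added example that is not part of the original thread or of Bro's code: bracket an IPv6 literal only where it lands in a URI or gets a ":port" appended, and leave it bare elsewhere. The helper names (`addr_to_uri`, `format_host_port`, `build_http_url`) and the port-80 default are my assumptions; the refusal of zone IDs follows RFC 6874, which requires the "%" of a zone ID to be escaped inside a URI.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: a textual address is an IPv6 literal iff it has a colon. */
int addr_is_ipv6(const char *addr)
{
    return strchr(addr, ':') != NULL;
}

/* Render an address for URI or "host:port" contexts. IPv6 literals get square
 * brackets (RFC 3986 IP-literal) so their own colons cannot be mistaken for the
 * port separator; IPv4 is copied unchanged. A zone ID ("fe80::1%eth0") is
 * refused: RFC 6874 requires its '%' to be written as "%25" inside a URI, and
 * emitting it raw would produce a malformed literal. Returns the length written,
 * or -1 if the input is unusable or buf is too small. */
int addr_to_uri(const char *addr, char *buf, size_t buflen)
{
    int n;
    if (addr == NULL || addr[0] == '\0' || strchr(addr, '%') != NULL)
        return -1;
    if (addr_is_ipv6(addr))
        n = snprintf(buf, buflen, "[%s]", addr);
    else
        n = snprintf(buf, buflen, "%s", addr);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* "host:port", the form the thread mentions for extracted-file names. */
int format_host_port(const char *addr, unsigned port, char *buf, size_t buflen)
{
    char host[64];
    int n;
    if (addr_to_uri(addr, host, sizeof host) < 0)
        return -1;
    n = snprintf(buf, buflen, "%s:%u", host, port);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* "http://host[:port]path"; the port is omitted when it is the default 80
 * (an assumption about how a URL builder in the spirit of HTTP::build_url
 * would behave, not a description of that function). */
int build_http_url(const char *addr, unsigned port, const char *path,
                   char *buf, size_t buflen)
{
    char host[64];
    int n;
    if (path == NULL || addr_to_uri(addr, host, sizeof host) < 0)
        return -1;
    if (port == 80)
        n = snprintf(buf, buflen, "http://%s%s", host, path);
    else
        n = snprintf(buf, buflen, "http://%s:%u%s", host, port, path);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    /* Constructed inputs: an IPv4 address, a global IPv6 address, a link-local
     * IPv6 address with a zone ID. */
    const char *addrs[] = { "192.0.2.10", "2001:db8::1", "fe80::1%eth0" };
    char out[128];
    for (size_t i = 0; i < 3; i++) {
        if (format_host_port(addrs[i], 8080, out, sizeof out) < 0)
            printf("%-14s -> rejected (zone ID must be escaped in a URI)\n", addrs[i]);
        else
            printf("%-14s -> %s\n", addrs[i], out);
        if (build_http_url(addrs[i], 80, "/index.html", out, sizeof out) >= 0)
            printf("%-14s -> %s\n", addrs[i], out);
    }
    return 0;
}
```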
From: vern at icir.org (Vern Paxson)
Date: Mon, 07 May 2012 12:06:04 -0700
Subject: [Bro-Dev] feedback from a would-be user - bite-sized Bro explanations needed
Message-ID: <20120507190604.9CFB62C4002@rock.ICSI.Berkeley.EDU>

This is someone who's a skilled hacker-type who on a recent thread on a private list heard about Bro as a potential solution for his home network monitoring. Note that he offers at the end to review stuff (though I kept this anonymous for now, since that's the strong culture of that list due to its private nature).

Vern

> I have a bit of feedback - really, a suggestion. I hope you take this
> in the spirit it's intended. I'm not armchair quarterbacking, I really
> would like to read this stuff.
>
> After perusing both Bro-ids.org and Wikipedia, I couldn't find any
> document that explains what Bro _really is_ (not just the features
> listed on the front page), what the architecture is, what the intended
> use cases are and how you expect it to be used.
>
> I find a lot of open source projects miss this, but especially for
> Bro, it'd be really helpful if you had something that could cover
> that. I looked at the installation guide, quick start guide, and even
> some of the configuration stuff.
>
> It looks like Bro is light years beyond what I've used before - but
> without downloading it and playing with it, I can't know. And frankly,
> I'm so pressed for time (and don't have an environment in which I'm
> comfortable inserting software just to play with it), I'm never going
> to prioritize it unless I know what I'm going to get out of it.
>
> Often times, when projects' web sites come up short on basic info, I
> check Wikipedia which furnishes more. Check out Bro's page:
>
> http://en.wikipedia.org/wiki/Bro_%28software%29
>
> Ouch, no help there. The link from Wikipedia's IDS page points to this
> page, not bro-ids.org. Furthermore, that link is undifferentiated from
> the others. I figure since snort's the best-known of the bunch, most
> people are likely to click through to snort without ever considering
> bro.
>
> http://en.wikipedia.org/wiki/Intrusion_Detection_System
>
> I'm sure you don't need a marketing lecture from me, and I'm sure
> you're probably too busy to do this stuff, but even if you can't do
> anything about this yourself, perhaps there's someone on the project
> you could forward this e-mail to. Let me know if there's anything I
> can do to help (I can review, etc).

From noreply at bro-ids.org Tue May 8 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 8 May 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205080700.q48703eD015988@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 818 [2] | jsiwek   |       | Normal | topic/jsiwek/ipv6-output-format [3]

> Unmerged Fastpath Commits
> =========================

Component    | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
broctl       | b12a9f0  | Daniel Thayer | 2012-05-07 | Fix typo in broctl docs [4]
pysubnettree | 8048fd2  | Daniel Thayer | 2012-04-25 | Fix typos [5]

[1] #816: http://tracker.bro-ids.org/bro/ticket/816
[2] #818: http://tracker.bro-ids.org/bro/ticket/818
[3] ipv6-output-format: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-output-format
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/b12a9f03326b5a6a6f7849e0b1c08d7d46fed1f7/broctl
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/8048fd28ba1cc37d302596d0eab5d204273295d4/pysubnettree

From noreply at bro-ids.org Wed May 9 00:00:05 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 9 May 2012 00:00:05 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205090700.q49705LL010233@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 818 [2] | jsiwek   |       | Normal | topic/jsiwek/ipv6-output-format [3]

> Unmerged Fastpath Commits
> =========================

Component    | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
broctl       | b12a9f0  | Daniel Thayer | 2012-05-07 | Fix typo in broctl docs [4]
pysubnettree | 8048fd2  | Daniel Thayer | 2012-04-25 | Fix typos [5]

[1] #816: http://tracker.bro-ids.org/bro/ticket/816
[2] #818: http://tracker.bro-ids.org/bro/ticket/818
[3] ipv6-output-format: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-output-format
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/b12a9f03326b5a6a6f7849e0b1c08d7d46fed1f7/broctl
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/8048fd28ba1cc37d302596d0eab5d204273295d4/pysubnettree

From noreply at bro-ids.org Thu May 10 00:00:05 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 10 May 2012 00:00:05 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205100700.q4A705uf001158@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 818 [2] | jsiwek   |       | Normal | topic/jsiwek/ipv6-output-format [3]

> Unmerged Fastpath Commits
> =========================

Component    | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
broctl       | b12a9f0  | Daniel Thayer | 2012-05-07 | Fix typo in broctl docs [4]
pysubnettree | 8048fd2  | Daniel Thayer | 2012-04-25 | Fix typos [5]

[1] #816: http://tracker.bro-ids.org/bro/ticket/816
[2] #818: http://tracker.bro-ids.org/bro/ticket/818
[3] ipv6-output-format: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-output-format
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/b12a9f03326b5a6a6f7849e0b1c08d7d46fed1f7/broctl
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/8048fd28ba1cc37d302596d0eab5d204273295d4/pysubnettree

From noreply at bro-ids.org Fri May 11 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 11 May 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205110700.q4B703qq025680@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 818 [2] | jsiwek   |       | Normal | topic/jsiwek/ipv6-output-format [3]

> Unmerged Fastpath Commits
> =========================

Component    | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
broctl       | b12a9f0  | Daniel Thayer | 2012-05-07 | Fix typo in broctl docs [4]
pysubnettree | 8048fd2  | Daniel Thayer | 2012-04-25 | Fix typos [5]

[1] #816: http://tracker.bro-ids.org/bro/ticket/816
[2] #818: http://tracker.bro-ids.org/bro/ticket/818
[3] ipv6-output-format: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-output-format
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/b12a9f03326b5a6a6f7849e0b1c08d7d46fed1f7/broctl
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/8048fd28ba1cc37d302596d0eab5d204273295d4/pysubnettree

From bro at tracker.bro-ids.org Fri May 11 11:37:08 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 11 May 2012 18:37:08 -0000
Subject: [Bro-Dev] #819: topic/dnthayer/icmp-error-message
Message-ID: <050.d51b4a0f93ab6a8f0dff3f936e8dae15@tracker.bro-ids.org>

#819: topic/dnthayer/icmp-error-message
---------------------------+------------------------
 Reporter:  dnthayer        |      Owner:
     Type:  Merge Request   |     Status:  new
 Priority:  Normal          |  Milestone:  Bro2.1
Component:  Bro             |    Version:  git/master
 Keywords:  ipv6            |
---------------------------+------------------------

This branch uses the (previously unused) icmp_error_message event for ICMPv6 error messages that don't have a dedicated event. Previously, icmp_sent was being generated, but icmp_error_message contains more info (icmp_sent is still being used as a fallback for other icmp messages that don't have a dedicated event).

Also improved documentation comments for all icmp-related events.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Fri May 11 15:26:17 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 11 May 2012 22:26:17 -0000
Subject: [Bro-Dev] #805: Make the various "weird" events stop printing to stderr
In-Reply-To: <046.21500fb1bde0b9f1dd898fd92880d54b@tracker.bro-ids.org>
References: <046.21500fb1bde0b9f1dd898fd92880d54b@tracker.bro-ids.org>
Message-ID: <061.b8871343dd3d6054f49da7fb9fd5fa51@tracker.bro-ids.org>

#805: Make the various "weird" events stop printing to stderr
----------------------------+------------------------
  Reporter:  seth            |      Owner:  dnthayer
      Type:  Merge Request   |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:  fixed           |   Keywords:
----------------------------+------------------------
Changes (by dnthayer):

 * type:  Problem => Merge Request

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Sat May 12 00:00:05 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 12 May 2012 00:00:05 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205120700.q4C705lg031184@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 818 [2] | jsiwek   |       | Normal | topic/jsiwek/ipv6-output-format [3]
Bro       | 819 [4] | dnthayer |       | Normal | topic/dnthayer/icmp-error-message [5]

> Unmerged Fastpath Commits
> =========================

Component    | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
broctl       | b12a9f0  | Daniel Thayer | 2012-05-07 | Fix typo in broctl docs [6]
pysubnettree | 8048fd2  | Daniel Thayer | 2012-04-25 | Fix typos [7]

[1] #816: http://tracker.bro-ids.org/bro/ticket/816
[2] #818: http://tracker.bro-ids.org/bro/ticket/818
[3] ipv6-output-format: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-output-format
[4] #819: http://tracker.bro-ids.org/bro/ticket/819
[5] icmp-error-message: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/dnthayer/icmp-error-message
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/b12a9f03326b5a6a6f7849e0b1c08d7d46fed1f7/broctl
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/8048fd28ba1cc37d302596d0eab5d204273295d4/pysubnettree

From noreply at bro-ids.org Sun May 13 00:00:05 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sun, 13 May 2012 00:00:05 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205130700.q4D705iP022278@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 818 [2] | jsiwek   |       | Normal | topic/jsiwek/ipv6-output-format [3]
Bro       | 819 [4] | dnthayer |       | Normal | topic/dnthayer/icmp-error-message [5]

> Unmerged Fastpath Commits
> =========================

Component    | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
broctl       | b12a9f0  | Daniel Thayer | 2012-05-07 | Fix typo in broctl docs [6]
pysubnettree | 8048fd2  | Daniel Thayer | 2012-04-25 | Fix typos [7]

[1] #816: http://tracker.bro-ids.org/bro/ticket/816
[2] #818: http://tracker.bro-ids.org/bro/ticket/818
[3] ipv6-output-format: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-output-format
[4] #819: http://tracker.bro-ids.org/bro/ticket/819
[5] icmp-error-message: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/dnthayer/icmp-error-message
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/b12a9f03326b5a6a6f7849e0b1c08d7d46fed1f7/broctl
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/8048fd28ba1cc37d302596d0eab5d204273295d4/pysubnettree

From noreply at bro-ids.org Mon May 14 00:00:09 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Mon, 14 May 2012 00:00:09 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205140700.q4E709H3032609@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 816 [1] | seth     |       | Normal | Reworked PacketFilter framework
Bro       | 818 [2] | jsiwek   |       | Normal | topic/jsiwek/ipv6-output-format [3]
Bro       | 819 [4] | dnthayer |       | Normal | topic/dnthayer/icmp-error-message [5]

> Unmerged Fastpath Commits
> =========================

Component    | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
broctl       | b12a9f0  | Daniel Thayer | 2012-05-07 | Fix typo in broctl docs [6]
pysubnettree | 8048fd2  | Daniel Thayer | 2012-04-25 | Fix typos [7]

[1] #816: http://tracker.bro-ids.org/bro/ticket/816
[2] #818: http://tracker.bro-ids.org/bro/ticket/818
[3] ipv6-output-format: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-output-format
[4] #819: http://tracker.bro-ids.org/bro/ticket/819
[5] icmp-error-message: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/dnthayer/icmp-error-message
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/b12a9f03326b5a6a6f7849e0b1c08d7d46fed1f7/broctl
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/8048fd28ba1cc37d302596d0eab5d204273295d4/pysubnettree

From bro at tracker.bro-ids.org Mon May 14 09:55:33 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 14 May 2012 16:55:33 -0000
Subject: [Bro-Dev] #805: Make the various "weird" events stop printing to stderr
In-Reply-To: <046.21500fb1bde0b9f1dd898fd92880d54b@tracker.bro-ids.org>
References: <046.21500fb1bde0b9f1dd898fd92880d54b@tracker.bro-ids.org>
Message-ID: <061.2a62a39fea86381de8ea6ab94d968a80@tracker.bro-ids.org>

#805: Make the various "weird" events stop printing to stderr
----------------------------+------------------------
  Reporter:  seth            |      Owner:  dnthayer
      Type:  Merge Request   |     Status:  reopened
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:                  |   Keywords:
----------------------------+------------------------
Changes (by dnthayer):

 * status:  closed => reopened
 * resolution:  fixed =>

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 14 16:43:21 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Mon, 14 May 2012 23:43:21 -0000
Subject: [Bro-Dev] #816: Reworked PacketFilter framework
In-Reply-To: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
References: <046.1cbe2b89832a98cbd82f94acb45002cf@tracker.bro-ids.org>
Message-ID: <061.eebb6cc9e6571bf1f170efb29edbfdee@tracker.bro-ids.org>

#816: Reworked PacketFilter framework
---------------------+------------------------
  Reporter:  seth    |      Owner:  seth
      Type:  Task    |     Status:  assigned
  Priority:  Normal  |  Milestone:  Bro2.1
 Component:  Bro     |    Version:  git/master
Resolution:          |   Keywords:
---------------------+------------------------
Changes (by robin):

 * owner:  => seth
 * status:  new => assigned
 * type:  Merge Request => Task

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 14 17:11:56 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 15 May 2012 00:11:56 -0000
Subject: [Bro-Dev] #819: topic/dnthayer/icmp-error-message
In-Reply-To: <050.d51b4a0f93ab6a8f0dff3f936e8dae15@tracker.bro-ids.org>
References: <050.d51b4a0f93ab6a8f0dff3f936e8dae15@tracker.bro-ids.org>
Message-ID: <065.a2e92887c6efdeba298b82f5a83dafce@tracker.bro-ids.org>

#819: topic/dnthayer/icmp-error-message
----------------------------+------------------------
  Reporter:  dnthayer        |      Owner:
      Type:  Merge Request   |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:                  |   Keywords:  ipv6
----------------------------+------------------------

Comment (by robin):

Merged, but for my education, what's this testing for:

{{{
if ( icmpp->icmp_type < 128 )
}}}

I.e., where's the magic 128 coming from?

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 14 18:18:40 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 15 May 2012 01:18:40 -0000
Subject: [Bro-Dev] #818: topic/jsiwek/ipv6-output-format
In-Reply-To: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
References: <048.6890638d137cb72b6fae83a7476d5fc4@tracker.bro-ids.org>
Message-ID: <063.6ebd6b58c1b9330768fbb1219e889963@tracker.bro-ids.org>

#818: topic/jsiwek/ipv6-output-format
----------------------------+------------------------
  Reporter:  jsiwek          |      Owner:  robin
      Type:  Merge Request   |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:  fixed           |   Keywords:  ipv6
----------------------------+------------------------
Changes (by robin):

 * owner:  => robin
 * status:  new => closed
 * resolution:  => fixed

Comment:

In [cb1e9a7c6f3e85ee9a86f7189109ed88b36253aa/bro]:
{{{
#!CommitTicketReference repository="bro" revision="cb1e9a7c6f3e85ee9a86f7189109ed88b36253aa"
Merge remote-tracking branch 'origin/topic/jsiwek/ipv6-output-format'

* origin/topic/jsiwek/ipv6-output-format:
  Change IPv6 output format to no longer automatically be bracketed.
  Change IPv6 address/prefix output format to be bracketed.

Closes #818.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 14 18:18:40 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 15 May 2012 01:18:40 -0000
Subject: [Bro-Dev] #819: topic/dnthayer/icmp-error-message
In-Reply-To: <050.d51b4a0f93ab6a8f0dff3f936e8dae15@tracker.bro-ids.org>
References: <050.d51b4a0f93ab6a8f0dff3f936e8dae15@tracker.bro-ids.org>
Message-ID: <065.55cc2a944e7330689052e8c80bc4d8b4@tracker.bro-ids.org>

#819: topic/dnthayer/icmp-error-message
----------------------------+------------------------
  Reporter:  dnthayer        |      Owner:  robin
      Type:  Merge Request   |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:  fixed           |   Keywords:  ipv6
----------------------------+------------------------
Changes (by robin):

 * owner:  => robin
 * status:  new => closed
 * resolution:  => fixed

Comment:

In [8cd3404c80ac67401f7e0f5dc8ab62b8b0ab00ce/bro]:
{{{
#!CommitTicketReference repository="bro" revision="8cd3404c80ac67401f7e0f5dc8ab62b8b0ab00ce"
Merge remote-tracking branch 'origin/topic/dnthayer/icmp-error-message'

* origin/topic/dnthayer/icmp-error-message:
  Generate icmp_error_message event for ICMPv6 error msgs

Closes #819.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Mon May 14 18:18:40 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 15 May 2012 01:18:40 -0000
Subject: [Bro-Dev] #805: Make the various "weird" events stop printing to stderr
In-Reply-To: <046.21500fb1bde0b9f1dd898fd92880d54b@tracker.bro-ids.org>
References: <046.21500fb1bde0b9f1dd898fd92880d54b@tracker.bro-ids.org>
Message-ID: <061.4f12e74188b3e68ce79a65040db5720d@tracker.bro-ids.org>

#805: Make the various "weird" events stop printing to stderr
----------------------------+------------------------
  Reporter:  seth            |      Owner:  dnthayer
      Type:  Merge Request   |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:  fixed           |   Keywords:
----------------------------+------------------------
Changes (by robin):

 * status:  reopened => closed
 * resolution:  => fixed

Comment:

In [87c68e8ce7aaae56cceede6b822b0d0770d86eb7/bro]:
{{{
#!CommitTicketReference repository="bro" revision="87c68e8ce7aaae56cceede6b822b0d0770d86eb7"
Merge remote-tracking branch 'origin/topic/dnthayer/bug805'

* origin/topic/dnthayer/bug805:
  Update tests (use weird.log instead of stderr)
  Don't print the various "weird" events to stderr

Closes #805.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Tue May 15 00:00:07 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 15 May 2012 00:00:07 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205150700.q4F707Jb013948@bro-ids.icir.org>

> Unmerged Fastpath Commits
> =========================

Component    | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
pysubnettree | 8048fd2  | Daniel Thayer | 2012-04-25 | Fix typos [1]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/8048fd28ba1cc37d302596d0eab5d204273295d4/pysubnettree

From bro at tracker.bro-ids.org Tue May 15 07:28:10 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 15 May 2012 14:28:10 -0000
Subject: [Bro-Dev] #819: topic/dnthayer/icmp-error-message
In-Reply-To: <050.d51b4a0f93ab6a8f0dff3f936e8dae15@tracker.bro-ids.org>
References: <050.d51b4a0f93ab6a8f0dff3f936e8dae15@tracker.bro-ids.org>
Message-ID: <065.676047364decba12f0deeaea9159aa02@tracker.bro-ids.org>

#819: topic/dnthayer/icmp-error-message
----------------------------+------------------------
  Reporter:  dnthayer        |      Owner:  robin
      Type:  Merge Request   |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:  fixed           |   Keywords:  ipv6
----------------------------+------------------------

Comment (by jsiwek):

Replying to [comment:1 robin]:
> Merged, but for my education, what's this testing for:
>
> {{{
> if ( icmpp->icmp_type < 128 )
> }}}
>
> I.e., where's the magic 128 coming from?

http://tools.ietf.org/html/rfc4443#section-2.1:

{{{
ICMPv6 messages are grouped into two classes: error messages and
informational messages.  Error messages are identified as such by a
zero in the high-order bit of their message Type field values.  Thus,
error messages have message types from 0 to 127; informational
messages have message types from 128 to 255.
}}}

Also relevant is http://tools.ietf.org/html/rfc4443#section-2.4:

{{{
(c) Every ICMPv6 error message (type < 128) MUST include as much of
    the IPv6 offending (invoking) packet (the packet that caused the
    error) as possible without making the error message packet exceed
    the minimum IPv6 MTU
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Tue May 15 08:24:31 2012
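The two RFC 4443 rules quoted above, applied in code as an added example (mine, not Bro's): the type's high-order bit decides error versus informational, which is exactly what `icmp_type < 128` tests, and for an error message the body after the 8-byte header is the invoking packet, whose IPv6 header lets a monitor attribute the error to the original flow. Structure and function names are my own, and the sample messages are constructed inline with placeholder checksums.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMPv6 header fields plus, for error messages, the attribution data
 * recovered from the invoking packet (RFC 4443, sections 2.1 and 2.4). */
typedef struct {
    uint8_t  type;
    uint8_t  code;
    uint16_t checksum;        /* as carried on the wire; not verified here */
    int      is_error;        /* 1 when type < 128 (high-order bit clear) */
    int      has_invoking;    /* 1 when a full invoking IPv6 header was present */
    uint8_t  inv_next_header; /* transport protocol of the packet that caused the error */
    uint8_t  inv_src[16];
    uint8_t  inv_dst[16];
} icmp6_info;

/* RFC 4443 2.1: error messages have a zero high-order bit in the Type field,
 * i.e. types 0..127; informational messages are 128..255. Same test as
 * `icmpp->icmp_type < 128` in the merged branch, written on the bit. */
int icmp6_is_error(uint8_t type)
{
    return (type & 0x80) == 0;
}

const char *icmp6_class_name(uint8_t type)
{
    return icmp6_is_error(type) ? "error" : "informational";
}

/* Parse an ICMPv6 message starting at its own header (outer IPv6 header already
 * stripped). Returns 0 on success, -1 if the buffer is too short for a header.
 * For error messages, RFC 4443 2.4(c) says the body carries as much of the
 * invoking packet as fits, starting with its 40-byte IPv6 header; that header
 * is extracted only when fully present, otherwise has_invoking stays 0. */
int icmp6_parse(const uint8_t *buf, size_t len, icmp6_info *out)
{
    if (buf == NULL || out == NULL || len < 8)  /* type, code, checksum, 4 type-specific bytes */
        return -1;
    memset(out, 0, sizeof *out);
    out->type     = buf[0];
    out->code     = buf[1];
    out->checksum = (uint16_t)((buf[2] << 8) | buf[3]);
    out->is_error = icmp6_is_error(out->type);
    if (!out->is_error)
        return 0;                  /* informational: carries no invoking packet */

    const uint8_t *inv = buf + 8;
    size_t inv_len = len - 8;
    if (inv_len < 40)              /* truncated quote: refuse to attribute */
        return 0;
    if ((inv[0] >> 4) != 6)        /* not an IPv6 header: leave unattributed */
        return 0;
    out->has_invoking    = 1;
    out->inv_next_header = inv[6];
    memcpy(out->inv_src, inv + 8, 16);
    memcpy(out->inv_dst, inv + 24, 16);
    return 0;
}

/* Constructed sample: Destination Unreachable (type 1, code 4, port unreachable)
 * quoting an IPv6/UDP packet from 2001:db8::1 to 2001:db8::2, port 50000 -> 53. */
static const uint8_t SAMPLE_DEST_UNREACH[] = {
    1, 4, 0x00, 0x00,                    /* type, code, checksum (placeholder) */
    0x00, 0x00, 0x00, 0x00,              /* unused */
    0x60, 0x00, 0x00, 0x00,              /* invoking IPv6: version 6, tc 0, flow 0 */
    0x00, 0x08, 17, 64,                  /* payload len 8, next header 17 (UDP), hop limit 64 */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1,  /* src 2001:db8::1 */
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2,  /* dst 2001:db8::2 */
    0xc3, 0x50, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 /* first 8 bytes of the invoking UDP header */
};

/* Constructed sample: Echo Request (type 128), an informational message. */
static const uint8_t SAMPLE_ECHO_REQUEST[] = { 128, 0, 0x00, 0x00, 0x12, 0x34, 0x00, 0x01 };

/* Constructed sample: Time Exceeded (type 3) whose quoted packet was cut after 4 bytes. */
static const uint8_t SAMPLE_TRUNCATED_ERROR[] = { 3, 0, 0x00, 0x00, 0, 0, 0, 0, 0x60, 0, 0, 0 };

static void print_addr(const uint8_t a[16])
{
    for (int i = 0; i < 16; i += 2)
        printf("%s%02x%02x", i ? ":" : "", a[i], a[i + 1]);
}

int main(void)
{
    const uint8_t *samples[] = { SAMPLE_DEST_UNREACH, SAMPLE_ECHO_REQUEST, SAMPLE_TRUNCATED_ERROR };
    const size_t sizes[] = { sizeof SAMPLE_DEST_UNREACH, sizeof SAMPLE_ECHO_REQUEST,
                             sizeof SAMPLE_TRUNCATED_ERROR };
    for (size_t i = 0; i < 3; i++) {
        icmp6_info info;
        if (icmp6_parse(samples[i], sizes[i], &info) != 0) {
            printf("sample %zu: too short for an ICMPv6 header\n", i);
            continue;
        }
        printf("type %u code %u: %s", info.type, info.code, icmp6_class_name(info.type));
        if (info.has_invoking) {
            printf(", invoking proto %u ", info.inv_next_header);
            print_addr(info.inv_src); printf(" -> "); print_addr(info.inv_dst);
        } else if (info.is_error) {
            printf(", invoking packet absent or truncated");
        }
        printf("\n");
    }
    return 0;
}
```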
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 15 May 2012 15:24:31 -0000
Subject: [Bro-Dev] #819: topic/dnthayer/icmp-error-message
In-Reply-To: <050.d51b4a0f93ab6a8f0dff3f936e8dae15@tracker.bro-ids.org>
References: <050.d51b4a0f93ab6a8f0dff3f936e8dae15@tracker.bro-ids.org>
Message-ID: <065.e3952963e91ad6d230ea7ecb7713589f@tracker.bro-ids.org>

#819: topic/dnthayer/icmp-error-message
----------------------------+------------------------
  Reporter:  dnthayer        |      Owner:  robin
      Type:  Merge Request   |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:  fixed           |   Keywords:  ipv6
----------------------------+------------------------

Comment (by dnthayer):

Replying to [comment:1 robin]:
> Merged, but for my education, what's this testing for:
>
> {{{
> if ( icmpp->icmp_type < 128 )
> }}}
>
> I.e., where's the magic 128 coming from?
>

Sorry, I should have added a comment in the code explaining that. This is now done in fastpath (I basically just copied the comment that is 35 lines above, and added a note about the 128).

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Wed May 16 00:00:07 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 16 May 2012 00:00:07 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205160700.q4G707AB001609@bro-ids.icir.org>

> Unmerged Fastpath Commits
> =========================

Component    | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro          | d6fdc10  | Daniel Thayer | 2012-05-15 | Add a comment to explain the ICMPv6 error message types [1]
pysubnettree | 8048fd2  | Daniel Thayer | 2012-04-25 | Fix typos [2]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/d6fdc10242a409bc58829830dd48b0b6b5503f7b/bro
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/8048fd28ba1cc37d302596d0eab5d204273295d4/pysubnettree

From noreply at bro-ids.org Thu May 17 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 17 May 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205170700.q4H7039x026010@bro-ids.icir.org>

> Unmerged Fastpath Commits
> =========================

Component    | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro          | d6fdc10  | Daniel Thayer | 2012-05-15 | Add a comment to explain the ICMPv6 error message types [1]
pysubnettree | 8048fd2  | Daniel Thayer | 2012-04-25 | Fix typos [2]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/d6fdc10242a409bc58829830dd48b0b6b5503f7b/bro
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/8048fd28ba1cc37d302596d0eab5d204273295d4/pysubnettree

From bro at tracker.bro-ids.org Thu May 17 14:01:49 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 17 May 2012 21:01:49 -0000
Subject: [Bro-Dev] #820: topic/jsiwek/ipv6-comm
Message-ID: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>

#820: topic/jsiwek/ipv6-comm
---------------------------+------------------------
 Reporter:  jsiwek         |      Owner:
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.1
Component:  Bro            |    Version:  git/master
 Keywords:  ipv6           |
---------------------------+------------------------

 This branch is in `bro`, `broccoli`, and `broctl` repos and adds support
 for Bro/Broccoli to talk to Bro peers over IPv6 (including non-global
 scopes like link-local that can require zone identifiers for
 disambiguation, see RFC 4007) and for BroControl to manage cluster nodes
 with IPv6 addresses.

 I also added some util functions to BroControl to help with consistent
 formatting of IP addresses depending on context (i.e. when to add a
 zone_id to an IPv6 address, when to encase them in square brackets, etc.).
 Included in that is that networks.cfg doesn't need the bracketed syntax
 for IPv6 prefixes; they get added when they have to be embedded in the
 auto-generated Bro script (takes care of #269).

From robin at icir.org Thu May 17 14:16:14 2012
From: robin at icir.org (Robin Sommer)
Date: Thu, 17 May 2012 14:16:14 -0700
Subject: [Bro-Dev] DataSeries support
Message-ID: <20120517211614.GD12564@icir.org>

Current git now has experimental support for binary output via HP
Lab's DataSeries library. Feel free to give it a try. It generally
seems to work, but it hasn't seen much larger-scale testing yet. More
information here:

    http://git.bro-ids.org/bro.git/blob_plain/HEAD:/doc/logging-dataseries.rst

(and soon also rendered on www.bro-ids.org once I've figured out why
it's not auto-updating ....)

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From noreply at bro-ids.org Fri May 18 00:00:11 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 18 May 2012 00:00:11 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205180700.q4I70B9S028841@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 820 [1] | jsiwek   |       | Normal | topic/jsiwek/ipv6-comm [2]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | be65ddc  | Daniel Thayer | 2012-05-17 | Correct various errors in the BIF documentation [3]
btest     | faa2b4c  | Daniel Thayer | 2012-05-17 | Correct typos in documentation [4]

[1] #820: http://tracker.bro-ids.org/bro/ticket/820
[2] ipv6-comm: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-comm
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/be65ddca375e906bd6d409d50fbe894c759bb32d/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/faa2b4cc452fb826ec347639386297c292bb3e57/btest

From adave at cyberpointllc.com Fri May 18 09:35:19 2012
From: adave at cyberpointllc.com (Dave, Anil)
Date: Fri, 18 May 2012 16:35:19 +0000
Subject: [Bro-Dev] BinPAC++ dev release
Message-ID: <8212326D69ABF544A5B87C9FD12E453A01DDC414@bltmmd1-exch1.cyberpointllc.com>

Is the BinPAC++ release available from the git? I need to implement lots
of semantic constructs into the protocol grammar language. If not
available, are there work-arounds you can share?

From noreply at bro-ids.org Sat May 19 00:00:07 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 19 May 2012 00:00:07 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205190700.q4J7076r013633@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 820 [1] | jsiwek   |       | Normal | topic/jsiwek/ipv6-comm [2]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 5ab765b  | Daniel Thayer | 2012-05-18 | Replace ip6_hdr_chain with ip6_ext_hdr in comments [3]
bro       | be65ddc  | Daniel Thayer | 2012-05-17 | Correct various errors in the BIF documentation [4]
btest     | faa2b4c  | Daniel Thayer | 2012-05-17 | Correct typos in documentation [5]

[1] #820: http://tracker.bro-ids.org/bro/ticket/820
[2] ipv6-comm: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-comm
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/5ab765b4b6643fa872889ef03f56604ba7748a2a/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/be65ddca375e906bd6d409d50fbe894c759bb32d/bro
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/faa2b4cc452fb826ec347639386297c292bb3e57/btest

From seth at icir.org Sat May 19 05:51:28 2012
From: seth at icir.org (Seth Hall)
Date: Sat, 19 May 2012 08:51:28 -0400
Subject: [Bro-Dev] DataSeries support
In-Reply-To: <20120517211614.GD12564@icir.org>
References: <20120517211614.GD12564@icir.org>
Message-ID: <46914798-9E45-4A01-BFE3-29970609ADFE@icir.org>

On May 17, 2012, at 5:16 PM, Robin Sommer wrote:

> Current git now has experimental support for binary output via HP
> Lab's DataSeries library. Feel free to give it a try. It generally
> seems to work, but it hasn't seen much larger-scale testing yet. More
> information here:
>
>     http://git.bro-ids.org/bro.git/blob_plain/HEAD:/doc/logging-dataseries.rst

In addition, for people running RedHat-like systems:

    yum install libxml2-devel boost-devel

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From noreply at bro-ids.org Sun May 20 00:00:03 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Sun, 20 May 2012 00:00:03 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205200700.q4K703t2005040@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 820 [1] | jsiwek   |       | Normal | topic/jsiwek/ipv6-comm [2]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 5ab765b  | Daniel Thayer | 2012-05-18 | Replace ip6_hdr_chain with ip6_ext_hdr in comments [3]
bro       | be65ddc  | Daniel Thayer | 2012-05-17 | Correct various errors in the BIF documentation [4]
btest     | faa2b4c  | Daniel Thayer | 2012-05-17 | Correct typos in documentation [5]

[1] #820: http://tracker.bro-ids.org/bro/ticket/820
[2] ipv6-comm: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-comm
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/5ab765b4b6643fa872889ef03f56604ba7748a2a/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/be65ddca375e906bd6d409d50fbe894c759bb32d/bro
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/faa2b4cc452fb826ec347639386297c292bb3e57/btest

From noreply at bro-ids.org Mon May 21 00:00:04 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Mon, 21 May 2012 00:00:04 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205210700.q4L704BJ031341@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 820 [1] | jsiwek   |       | Normal | topic/jsiwek/ipv6-comm [2]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 5ab765b  | Daniel Thayer | 2012-05-18 | Replace ip6_hdr_chain with ip6_ext_hdr in comments [3]
bro       | be65ddc  | Daniel Thayer | 2012-05-17 | Correct various errors in the BIF documentation [4]
btest     | faa2b4c  | Daniel Thayer | 2012-05-17 | Correct typos in documentation [5]

[1] #820: http://tracker.bro-ids.org/bro/ticket/820
[2] ipv6-comm: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-comm
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/5ab765b4b6643fa872889ef03f56604ba7748a2a/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/be65ddca375e906bd6d409d50fbe894c759bb32d/bro
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/faa2b4cc452fb826ec347639386297c292bb3e57/btest

From noreply at bro-ids.org Tue May 22 00:00:05 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Tue, 22 May 2012 00:00:05 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205220700.q4M705pP007750@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 820 [1] | jsiwek   |       | Normal | topic/jsiwek/ipv6-comm [2]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 5ab765b  | Daniel Thayer | 2012-05-18 | Replace ip6_hdr_chain with ip6_ext_hdr in comments [3]
bro       | be65ddc  | Daniel Thayer | 2012-05-17 | Correct various errors in the BIF documentation [4]
btest     | faa2b4c  | Daniel Thayer | 2012-05-17 | Correct typos in documentation [5]

[1] #820: http://tracker.bro-ids.org/bro/ticket/820
[2] ipv6-comm: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-comm
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/5ab765b4b6643fa872889ef03f56604ba7748a2a/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/be65ddca375e906bd6d409d50fbe894c759bb32d/bro
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/faa2b4cc452fb826ec347639386297c292bb3e57/btest

From bro at tracker.bro-ids.org Tue May 22 14:03:27 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 22 May 2012 21:03:27 -0000
Subject: [Bro-Dev] #821: topic/jsiwek/ipv6-flow-label
Message-ID: <048.c7fe64c60012f55cdcdb3f657821b364@tracker.bro-ids.org>

#821: topic/jsiwek/ipv6-flow-label
---------------------------+------------------------
 Reporter:  jsiwek         |      Owner:
     Type:  Merge Request  |     Status:  new
 Priority:  Normal         |  Milestone:  Bro2.1
Component:  Bro            |    Version:  git/master
 Keywords:                 |
---------------------------+------------------------

 This branch makes IPv6 flow label information more available on a
 per-connection basis rather than just a per-packet basis. See
 [5312b21d7bd4e19f7fbd8dffa6e0f6277014fb01/bro] for more.

 I didn't add this information to any of the default logs as it's not yet
 clear how useful it would be. See http://tools.ietf.org/html/rfc6294 for
 proposed use cases of flow labels, and http://tools.ietf.org/html/rfc3697
 for the flow label specification.

From noreply at bro-ids.org Wed May 23 00:00:02 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 23 May 2012 00:00:02 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205230700.q4N7023w032133@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 820 [1] | jsiwek   |       | Normal | topic/jsiwek/ipv6-comm [2]
Bro       | 821 [3] | jsiwek   |       | Normal | topic/jsiwek/ipv6-flow-label [4]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 5ab765b  | Daniel Thayer | 2012-05-18 | Replace ip6_hdr_chain with ip6_ext_hdr in comments [5]
bro       | be65ddc  | Daniel Thayer | 2012-05-17 | Correct various errors in the BIF documentation [6]
btest     | faa2b4c  | Daniel Thayer | 2012-05-17 | Correct typos in documentation [7]

[1] #820: http://tracker.bro-ids.org/bro/ticket/820
[2] ipv6-comm: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-comm
[3] #821: http://tracker.bro-ids.org/bro/ticket/821
[4] ipv6-flow-label: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-flow-label
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/5ab765b4b6643fa872889ef03f56604ba7748a2a/bro
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/be65ddca375e906bd6d409d50fbe894c759bb32d/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/faa2b4cc452fb826ec347639386297c292bb3e57/btest

From noreply at bro-ids.org Thu May 24 00:00:13 2012
From: noreply at bro-ids.org (Merge Tracker)
Date: Thu, 24 May 2012 00:00:13 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205240700.q4O70Dmw023476@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id      | Reporter | Owner | Prio   | Summary
------------------------------------------------------------------------------------------------------------------
Bro       | 820 [1] | jsiwek   |       | Normal | topic/jsiwek/ipv6-comm [2]
Bro       | 821 [3] | jsiwek   |       | Normal | topic/jsiwek/ipv6-flow-label [4]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer     | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 074a0a9  | Jon Siwek     | 2012-05-23 | Documentation fixes. [5]
bro       | 5ab765b  | Daniel Thayer | 2012-05-18 | Replace ip6_hdr_chain with ip6_ext_hdr in comments [6]
bro       | be65ddc  | Daniel Thayer | 2012-05-17 | Correct various errors in the BIF documentation [7]
btest     | faa2b4c  | Daniel Thayer | 2012-05-17 | Correct typos in documentation [8]

[1] #820: http://tracker.bro-ids.org/bro/ticket/820
[2] ipv6-comm: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-comm
[3] #821: http://tracker.bro-ids.org/bro/ticket/821
[4] ipv6-flow-label: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/ipv6-flow-label
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/074a0a9dce5dca4219e213c83264e16ef4450733/bro
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/5ab765b4b6643fa872889ef03f56604ba7748a2a/bro
[7] fastpath: http://tracker.bro-ids.org/bro/changeset/be65ddca375e906bd6d409d50fbe894c759bb32d/bro
[8] fastpath: http://tracker.bro-ids.org/bro/changeset/faa2b4cc452fb826ec347639386297c292bb3e57/btest

From bro at tracker.bro-ids.org Thu May 24 18:28:04 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 25 May 2012 01:28:04 -0000
Subject: [Bro-Dev] #820: topic/jsiwek/ipv6-comm
In-Reply-To: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>
References: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>
Message-ID: <063.d4e30a1123c18da1ff13a064d525ca63@tracker.bro-ids.org>

#820: topic/jsiwek/ipv6-comm
----------------------------+------------------------
  Reporter:  jsiwek          |      Owner:  robin
      Type:  Merge Request   |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:  fixed           |   Keywords:  ipv6
----------------------------+------------------------
Changes (by robin):

 * owner:   => robin
 * status:  new => closed
 * resolution:   => fixed

Comment:

 In [f7261a78513dd9e57739995fae494a9a779a0e86/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="f7261a78513dd9e57739995fae494a9a779a0e86"
 Merge remote-tracking branch 'origin/topic/jsiwek/ipv6-comm'

 * origin/topic/jsiwek/ipv6-comm:
   Enable Bro to communicate with peers over non-global IPv6 addresses.
   Add unit tests for Broccoli SSL and Broccoli IPv6 connectivity.
   Remove AI_ADDRCONFIG getaddrinfo hints flag for listening sockets.
   Undo communication protocol version bump.
   Add support to Bro for connecting with peers over IPv6.

 Closes #820.

 Conflicts:
 	src/bro.bif
 }}}

From bro at tracker.bro-ids.org Thu May 24 18:28:05 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 25 May 2012 01:28:05 -0000
Subject: [Bro-Dev] #821: topic/jsiwek/ipv6-flow-label
In-Reply-To: <048.c7fe64c60012f55cdcdb3f657821b364@tracker.bro-ids.org>
References: <048.c7fe64c60012f55cdcdb3f657821b364@tracker.bro-ids.org>
Message-ID: <063.93d0268ddec13a580ce134c65b1f1dbc@tracker.bro-ids.org>

#821: topic/jsiwek/ipv6-flow-label
----------------------------+------------------------
  Reporter:  jsiwek          |      Owner:  robin
      Type:  Merge Request   |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:  fixed           |   Keywords:
----------------------------+------------------------
Changes (by robin):

 * owner:   => robin
 * status:  new => closed
 * resolution:   => fixed

Comment:

 In [7e961606cd680504c5378b795fef2a6a4dfa4c5c/bro]:
 {{{
 #!CommitTicketReference repository="bro" revision="7e961606cd680504c5378b795fef2a6a4dfa4c5c"
 Merge remote-tracking branch 'origin/topic/jsiwek/ipv6-flow-label'

 * origin/topic/jsiwek/ipv6-flow-label:
   Improve availability of IPv6 flow label in connection records.

 Closes #821.
 }}}

From bro at tracker.bro-ids.org Thu May 24 18:28:52 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 25 May 2012 01:28:52 -0000
Subject: [Bro-Dev] #820: topic/jsiwek/ipv6-comm
In-Reply-To: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>
References: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>
Message-ID: <063.5f46ea0a8abc381ff9847bc4580221f2@tracker.bro-ids.org>

#820: topic/jsiwek/ipv6-comm
----------------------------+------------------------
  Reporter:  jsiwek          |      Owner:  robin
      Type:  Merge Request   |     Status:  reopened
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:                  |   Keywords:  ipv6
----------------------------+------------------------
Changes (by robin):

 * status:  closed => reopened
 * resolution:  fixed =>

Comment:

 I've merged these, but 3 tests fail for me on Linux:

 {{{
 istate.bro-ipv6-socket ... failed
 istate.broccoli-ipv6-socket ... failed
 istate.broccoli-ssl ... failed
 istate.bro-ipv6-socket ... failed
 }}}

 Detailed output below. I'm pushing the merge as these tests seem to be
 non-crucial for most (non v6) deployments. Can you see if it works for you?

 {{{
 % 'btest-diff recv/.stdout' failed unexpectedly (exit code 1)
 % cat .diag
 == File ===============================
 handshake done with peer: ::1
 handshake done with peer: ::1
 == Diff ===============================
 --- /tmp/test-diff.8321.recv..stdout.baseline.tmp  2012-05-25 01:20:08.529539077 +0000
 +++ /tmp/test-diff.8321.recv..stdout.tmp           2012-05-25 01:20:08.540539501 +0000
 @@ -1 +1,2 @@
  handshake done with peer: ::1
 +handshake done with peer: ::1
 =======================================

 % cat .stderr
 <<< [8002] bro -b ../recv.bro
 received termination signal
 >>>
 <<< [8147] bro -b ../send.bro
 received termination signal
 >>>

 istate.broccoli-ipv6-socket ... failed
 % 'btest-diff bro/.stdout' failed unexpectedly (exit code 1)
 % cat .diag
 == File ===============================
 == Diff ===============================
 --- /tmp/test-diff.9649.bro..stdout.baseline.tmp  2012-05-25 01:20:29.605352052 +0000
 +++ /tmp/test-diff.9649.bro..stdout.tmp           2012-05-25 01:20:29.606352091 +0000
 @@ -1,9 +0,0 @@
 -handshake done with peer
 -bro_addr(1.2.3.4)
 -bro_subnet(10.0.0.0/16)
 -bro_addr(2607:f8b0:4009:802::1014)
 -bro_subnet(2607:f8b0::/32)
 -broccoli_addr(1.2.3.4)
 -broccoli_subnet(10.0.0.0/16)
 -broccoli_addr(2607:f8b0:4009:802::1014)
 -broccoli_subnet(2607:f8b0::/32)
 =======================================

 % cat .stderr
 <<< [8046] bro /da/home/robin/bro/master/testing/btest/../../aux/broccoli/test/broccoli-v6addrs.bro Communication::listen_ipv6=T
 >>>
 <<< [8150] /da/home/robin/bro/master/testing/btest/../../build/aux/broccoli/test/broccoli-v6addrs -6 ::1
 >>>

 istate.broccoli-ssl ... failed
 % 'btest-bg-wait -k 20' failed unexpectedly (exit code 1)
 % cat .stderr
 <<< [8141] bro /da/home/robin/bro/master/testing/btest/../../aux/broccoli/test/broccoli-v6addrs.bro Communication::listen_ssl=T ssl_ca_certificate=../ca_cert.pem ssl_priv
 >>>
 <<< [8292] BROCCOLI_CONFIG_FILE=../broccoli.conf /da/home/robin/bro/master/testing/btest/../../build/aux/broccoli/test/broccoli-v6addrs
 failed to connect to localhost:47757
 >>>
 >>> process 8292 failed with exitcode 1: BROCCOLI_CONFIG_FILE=../broccoli.conf /da/home/robin/bro/master/testing/btest/../../build/aux/broccoli/test/broccoli-v6addrs
 }}}

From bro at tracker.bro-ids.org Thu May 24 18:29:09 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 25 May 2012 01:29:09 -0000
Subject: [Bro-Dev] #820: topic/jsiwek/ipv6-comm
In-Reply-To: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>
References: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>
Message-ID: <063.205d6b6f50b024e2a0a08f8e5c0fff42@tracker.bro-ids.org>

#820: topic/jsiwek/ipv6-comm
----------------------+------------------------
 Reporter:  jsiwek    |      Owner:  jsiwek
     Type:  Problem   |     Status:  assigned
 Priority:  Normal    |  Milestone:  Bro2.1
Component:  Bro       |    Version:  git/master
Resolution:           |   Keywords:  ipv6
----------------------+------------------------
Changes (by robin):

 * owner:  robin => jsiwek
 * status:  reopened => assigned
 * type:  Merge Request => Problem

From bro at tracker.bro-ids.org Fri May 25 11:05:30 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 25 May 2012 18:05:30 -0000
Subject: [Bro-Dev] #269: broctl doesn't support v6 networks in networks.cfg
In-Reply-To: <047.3e65f08bb843eaf3b0c1f0b12556d57d@tracker.bro-ids.org>
References: <047.3e65f08bb843eaf3b0c1f0b12556d57d@tracker.bro-ids.org>
Message-ID: <062.fb8f8391fa8e1c32f8633d086c711902@tracker.bro-ids.org>

#269: broctl doesn't support v6 networks in networks.cfg
-----------------------------+--------------------
  Reporter:  robin            |      Owner:  robin
      Type:  Problem          |     Status:  closed
  Priority:  Normal           |  Milestone:  Bro2.1
 Component:  BroControl       |    Version:  1.5.2
Resolution:  Solved/Applied   |   Keywords:  ipv6
-----------------------------+--------------------
Changes (by jsiwek):

 * status:  new => closed
 * resolution:   => Solved/Applied

Comment:

 Works now and as of [892b60edb967bb456872638f22ba994e84530137/broctl], IPv6
 prefixes in networks.cfg shouldn't need square bracketing.

From vallentin at icir.org Fri May 25 11:53:53 2012
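An added example, not BroControl's own util functions, of the context-dependent address formatting #820 describes and of the bare IPv6 prefixes in networks.cfg that close #269: the zone id is kept where a socket needs it, square brackets are added only where a host:port string or a generated Bro script literal needs them. The three context names, the bracket/zone rules, and the `redef Site::local_nets` line are assumptions about what the generated script looks like, not BroControl's verbatim output.

```python
import ipaddress

# Assumed context rules (not BroControl's actual implementation):
#   "socket":   what gets handed to a resolver/connect(); zone id kept,
#               no brackets (fe80::1%eth0), since RFC 4007 zone ids are
#               the only way to disambiguate link-local peers
#   "hostport": address plus port in one string; IPv6 bracketed so the
#               port separator is unambiguous ([fe80::1%eth0]:47757)
#   "bro":      literal embedded in a generated Bro script; bracketed,
#               zone id dropped because the script has no use for it


def split_zone(addr):
    """Split 'fe80::1%eth0' into ('fe80::1', 'eth0'); zone is None when absent."""
    host, sep, zone = addr.partition("%")
    return host, (zone if sep else None)


def is_ipv6(addr):
    host, _ = split_zone(addr)
    return ipaddress.ip_address(host).version == 6   # raises on garbage


def format_addr(addr, context):
    host, zone = split_zone(addr)
    if not is_ipv6(addr):
        return host                      # IPv4 needs no special casing
    with_zone = host + ("%" + zone if zone else "")
    if context == "socket":
        return with_zone
    if context == "hostport":
        return "[" + with_zone + "]"
    if context == "bro":
        return "[" + host + "]"
    raise ValueError("unknown context: %r" % context)


def format_host_port(addr, port):
    return "%s:%d" % (format_addr(addr, "hostport"), port)


def parse_prefix(text):
    """Accept '10.0.0.0/16', '2607:f8b0::/32' or the bracketed '[2607:f8b0::]/32'."""
    net, sep, plen = text.rpartition("/")
    if not sep:
        raise ValueError("prefix length missing in %r" % text)
    return ipaddress.ip_network("%s/%s" % (net.strip("[]"), plen), strict=False)


def bro_prefix_literal(network):
    """Bro script syntax for a subnet: IPv6 prefixes take brackets, IPv4 does not."""
    addr = str(network.network_address)
    if network.version == 6:
        addr = "[" + addr + "]"
    return "%s/%d" % (addr, network.prefixlen)


def networks_cfg_to_bro(cfg_text):
    """Turn networks.cfg lines ('prefix  description') into one redef line.

    Brackets are added here, at script-generation time, so the config file
    itself may use bare IPv6 prefixes.  The redef form is an assumption.
    """
    literals = []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        prefix = line.split(None, 1)[0]          # description follows the prefix
        literals.append(bro_prefix_literal(parse_prefix(prefix)))
    return "redef Site::local_nets += { %s };" % ", ".join(literals)


# Constructed sample networks.cfg with IPv6 prefixes in both spellings.
SAMPLE_NETWORKS_CFG = """\
# campus networks (constructed sample)
10.0.0.0/16        Campus v4
2607:f8b0::/32     Campus v6, bare prefix
[fe80::]/10        Link local, legacy bracketed form
"""

if __name__ == "__main__":
    for ctx in ("socket", "hostport", "bro"):
        print(ctx, format_addr("fe80::1%eth0", ctx))
    print(format_host_port("::1", 47757))
    print(networks_cfg_to_bro(SAMPLE_NETWORKS_CFG))
```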
From: vallentin at icir.org (Matthias Vallentin)
Date: Fri, 25 May 2012 18:53:53 +0000
Subject: [Bro-Dev] [Bro-Commits] [git/bro] master: Switching default DS compression to gzip. (da34266)
In-Reply-To: <201205251545.q4PFjRAn017583@bro-ids.icir.org>
References: <201205251545.q4PFjRAn017583@bro-ids.icir.org>
Message-ID:

>     Switching default DS compression to gzip.

Would you mind elaborating why? I thought lzo is faster than gzip.

    Matthias

From robin at icir.org Fri May 25 15:52:39 2012
From: robin at icir.org (Robin Sommer)
Date: Fri, 25 May 2012 15:52:39 -0700
Subject: [Bro-Dev] [Bro-Commits] [git/bro] master: Switching default DS compression to gzip. (da34266)
In-Reply-To:
References: <201205251545.q4PFjRAn017583@bro-ids.icir.org>
Message-ID: <20120525225239.GF35701@icir.org>

On Fri, May 25, 2012 at 18:53 +0000, you wrote:

> >     Switching default DS compression to gzip.
>
> Would you mind elaborating why? I thought lzo is faster than gzip.

That's right, but gzip compresses better. Compression runs in a
separate thread, so CPU load shouldn't matter that much (I hope).

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From seth at icir.org Fri May 25 17:46:44 2012
From: seth at icir.org (Seth Hall)
Date: Fri, 25 May 2012 20:46:44 -0400
Subject: [Bro-Dev] logging types in types.bif?
Message-ID:

This is mostly a question for Robin, but I thought it made sense to ask
publicly. Is there a particular reason that Log::Writer and Log::ID types
are defined in types.bif instead of logging.bif? It seems like it makes
things more complicated than necessary by splitting them from their
brethren BiFs in logging.bif.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From bro at tracker.bro-ids.org Sat May 26 04:50:36 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 26 May 2012 11:50:36 -0000
Subject: [Bro-Dev] #822: Segmentation fault ICMP Analizer
Message-ID: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>

#822: Segmentation fault ICMP Analizer
----------------------------+---------------------
 Reporter:  Tyler.Schoenke  |       Type:  Problem
   Status:  new             |   Priority:  Normal
Milestone:                  |  Component:  Bro
  Version:  git/master      |   Keywords:
----------------------------+---------------------

 {{{
 # bro -v
 bro version 2.0-372-debug

 # bro -r ../pcap/bro-icmp.pcap local
 WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.
 bro: /root/src/bro/src/ICMP.cc:52: virtual void ICMP_Analyzer::DeliverPacket(int, const u_char*, bool, int, const IP_Hdr*, int): Assertion `caplen >= len' failed.
 Aborted (core dumped)
 }}}

From bro at tracker.bro-ids.org Sat May 26 05:28:37 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Sat, 26 May 2012 12:28:37 -0000
Subject: [Bro-Dev] #822: Segmentation fault ICMP Analizer
In-Reply-To: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>
References: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>
Message-ID: <071.8d6b7774ced6ff301007a23e5ece5220@tracker.bro-ids.org>

#822: Segmentation fault ICMP Analizer
-----------------------------+------------------------
  Reporter:  Tyler.Schoenke   |      Owner:
      Type:  Problem          |     Status:  new
  Priority:  Normal           |  Milestone:
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:
-----------------------------+------------------------

Comment (by Tyler.Schoenke):

 This is crashing four workers on one server. I'm using the cFlow to load
 balance, but sending the traffic to a single NIC on this server and using
 BPF filters to mask the MAC addresses so each worker sees their own. Why
 does the ICMP crash all four workers? Is BPF filtering happening after
 the protocol analysis or is it coincidence that four of the 12 src/dst
 tuples with the problem all happen to be on the same server?

From vallentin at icir.org Sat May 26 06:25:46 2012
From: vallentin at icir.org (Matthias Vallentin)
Date: Sat, 26 May 2012 13:25:46 +0000
Subject: [Bro-Dev] [Bro-Commits] [git/bro] master: Switching default DS compression to gzip. (da34266)
In-Reply-To: <20120525225239.GF35701@icir.org>
References: <201205251545.q4PFjRAn017583@bro-ids.icir.org> <20120525225239.GF35701@icir.org>
Message-ID:

> That's right, but gzip compresses better. Compression runs in a
> separate thread, so CPU load shouldn't matter that much (I hope).

That makes sense, theoretically. I could see it working if the cores are
not too oversubscribed. As I lost track of how many threads Bro currently
spawns with logging and input framework, I have no clue what this looks
like in practice; crossing my fingers...

    Matthias

From bro at tracker.bro-ids.org Tue May 29 09:04:04 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 29 May 2012 16:04:04 -0000
Subject: [Bro-Dev] #822: Segmentation fault ICMP Analizer
In-Reply-To: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>
References: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>
Message-ID: <071.960bcdae923d2038e9c85f483c51fbc7@tracker.bro-ids.org>

#822: Segmentation fault ICMP Analizer
-----------------------------+------------------------
  Reporter:  Tyler.Schoenke   |      Owner:
      Type:  Problem          |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.1
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:
-----------------------------+------------------------
Changes (by robin):

 * milestone:   => Bro2.1

Comment:

 Test trace came by mail, ask Robin.

From bro at tracker.bro-ids.org Tue May 29 09:10:36 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 29 May 2012 16:10:36 -0000
Subject: [Bro-Dev] #822: Segmentation fault ICMP Analizer
In-Reply-To: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>
References: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>
Message-ID: <071.3c29b063c9419468e36edc4bf000b89f@tracker.bro-ids.org>

#822: Segmentation fault ICMP Analizer
-----------------------------+------------------------
  Reporter:  Tyler.Schoenke   |      Owner:
      Type:  Problem          |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.1
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:
-----------------------------+------------------------

Comment (by robin):

 On Sat, May 26, 2012 at 12:28 -0000, you wrote:

 > does the ICMP crash all four workers? Is BPF filtering happening after
 > the protocol analysis or is it coincidence that four of the 12 src/dst
 > tuples with the problem all happen to be on the same server?

 We'll look into the crash. Regarding the workers, BPF filtering happens
 before everything else so if the filters are set up as you describe, each
 packet should indeed only arrive at a single worker. So it may either be
 coincidence, or there's something else particular to that server that
 triggers it.

 Robin

From robin at icir.org Tue May 29 09:14:21 2012
From: robin at icir.org (Robin Sommer)
Date: Tue, 29 May 2012 09:14:21 -0700
Subject: [Bro-Dev] logging types in types.bif?
In-Reply-To:
References:
Message-ID: <20120529161421.GC82541@icir.org>

On Fri, May 25, 2012 at 20:46 -0400, you wrote:

> ask publicly. Is there a particular reason that Log::Writer and
> Log::ID types are defined in types.bif instead of logging.bif?

Yeah, putting them into logging.bif should work just as well and looks
indeed like the right thing to do. As far as I recall, the only reason
for having them in types.bif is that other enums are defined there.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From robin at icir.org Tue May 29 09:19:57 2012
From: robin at icir.org (Robin Sommer)
Date: Tue, 29 May 2012 09:19:57 -0700
Subject: [Bro-Dev] BinPAC++ dev release
In-Reply-To: <8212326D69ABF544A5B87C9FD12E453A01DDC414@bltmmd1-exch1.cyberpointllc.com>
References: <8212326D69ABF544A5B87C9FD12E453A01DDC414@bltmmd1-exch1.cyberpointllc.com>
Message-ID: <20120529161957.GE82541@icir.org>

(This hadn't seen a reply yet, sorry about that.)

On Fri, May 18, 2012 at 16:35 +0000, you wrote:

> Is the BinPAC++ release available from the git?

BinPAC++ exists only in early prototype stage at this time, nothing
that could be meaningfully used yet. For now, the only way to add
semantic constructs is to use corresponding C++ code with the current
BinPAC.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

From bro at tracker.bro-ids.org Tue May 29 15:30:21 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 29 May 2012 22:30:21 -0000
Subject: [Bro-Dev] #822: Segmentation fault ICMP Analizer
In-Reply-To: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>
References: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>
Message-ID: <071.dd4d08cec902c17fe8b30a6a275d7061@tracker.bro-ids.org>

#822: Segmentation fault ICMP Analizer
-----------------------------+------------------------
  Reporter:  Tyler.Schoenke  |      Owner:
      Type:  Problem         |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:                  |   Keywords:
-----------------------------+------------------------

Comment (by jsiwek):

In [0aecca979e830d0ee8f6524c4dee3fe83cfc3c4c/bro]:
{{{
#!CommitTicketReference repository="bro" revision="0aecca979e830d0ee8f6524c4dee3fe83cfc3c4c"
Remove unnecessary assert in ICMP analyzer (addresses #822).

The ICMP/ICMPv6 analyzers function correctly when full packets have not been captured, but everything up to and including the ICMP header is there (e.g. the functions that inspect ICMP error message context correctly check the caplen to see if more info can be extracted). The "Should have been caught earlier already." comment may have referred to NetSessions::CheckHeaderTrunc, which works as intended to catch cases where the ICMP header is not there in full, but then the assert was still not correctly formulated for that...

Also changed the ICMP checksum calculation to not occur when the full packet has not been captured, which seems consistent with what the UDP analysis does.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From noreply at bro-ids.org Wed May 30 00:01:58 2012
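The commit message above describes the rule an analyzer has to follow when the capture holds fewer bytes than the packet carried on the wire (libpcap's caplen versus the length the IP header claims): parse what is there, reject rather than assert when even the ICMP header is incomplete, look at an error message's quoted IP header only when all of it was captured, and skip the checksum entirely unless the whole message is present, because a mismatch over a cut packet says nothing about the wire. The C program below is an added illustration of that rule written for this page; it is not Bro's code, does not reproduce its analyzer or NetSessions::CheckHeaderTrunc, and the names (icmp_parse, icmp_info, build_echo_request, build_dest_unreachable, scenario_echo, scenario_error_context) and the 8-byte minimum header are my choices. Both sample messages are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not Bro's code: an ICMPv4 parser that never reads past
 * the captured bytes. caplen = bytes the capture holds (the snaplen may have
 * cut the packet); len = message length according to the IP header. */
#define ICMP_MIN_HDR 8   /* type, code, checksum, 4 bytes "rest of header" */
#define IPV4_MIN_HDR 20
enum { ICMP_OK = 0, ICMP_HDR_TRUNCATED = -1 };   /* parse status: reject, never assert */

struct icmp_info {
    uint8_t  type;
    int      checksum_checked, checksum_ok;  /* checked only if the whole message was captured */
    int      has_context;        /* 1 if an error message's quoted IP header was captured whole */
    uint8_t  ctx_proto;          /* protocol of the quoted datagram */
    uint32_t ctx_dst;            /* its destination address, host order */
};

/* RFC 1071 Internet checksum; 0 over a message whose checksum field is correct. */
static uint16_t inet_checksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) sum += ((uint32_t)data[i] << 8) | data[i + 1];
    if (i < len) sum += (uint32_t)data[i] << 8;          /* odd trailing byte, zero padded */
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Unreachable, source quench, redirect, time exceeded, parameter problem. */
static int is_error_type(uint8_t t) { return t == 3 || t == 4 || t == 5 || t == 11 || t == 12; }

int icmp_parse(const uint8_t *pkt, size_t caplen, size_t len, struct icmp_info *out) {
    memset(out, 0, sizeof *out);
    if (caplen > len) caplen = len;                       /* never trust more than IP claims */
    if (caplen < ICMP_MIN_HDR) return ICMP_HDR_TRUNCATED; /* header cut: bail out, do not assert */
    out->type = pkt[0];
    /* Checksum only when every byte it covers is in hand; on a cut packet a
     * mismatch says nothing about what was on the wire. */
    if (caplen == len) {
        out->checksum_checked = 1;
        out->checksum_ok = (inet_checksum(pkt, len) == 0);
    }
    /* Error messages quote the offending IP header at offset 8; read it only
     * when the capture covers all of it. */
    if (is_error_type(out->type) && caplen >= ICMP_MIN_HDR + IPV4_MIN_HDR) {
        const uint8_t *ip = pkt + ICMP_MIN_HDR;
        if ((ip[0] >> 4) == 4) {
            out->has_context = 1;
            out->ctx_proto = ip[9];
            out->ctx_dst = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16)
                         | ((uint32_t)ip[18] << 8) | ip[19];
        }
    }
    return ICMP_OK;
}

/* Copies a constructed message into buf, fills in its checksum, returns its length. */
static size_t finalize(uint8_t *buf, const uint8_t *msg, size_t n) {
    uint16_t c;
    memcpy(buf, msg, n);
    c = inet_checksum(buf, n);                            /* checksum field is zero here */
    buf[2] = (uint8_t)(c >> 8); buf[3] = (uint8_t)c;
    return n;
}

/* Constructed sample: echo request, id 0x1234, seq 1, 8-byte payload (16 bytes). */
size_t build_echo_request(uint8_t *buf) {
    static const uint8_t msg[16] = { 8, 0, 0, 0, 0x12, 0x34, 0x00, 0x01,
                                     'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
    return finalize(buf, msg, sizeof msg);
}

/* Constructed sample: port unreachable quoting UDP 10.0.0.1 -> 192.0.2.7:53 (36 bytes). */
size_t build_dest_unreachable(uint8_t *buf) {
    static const uint8_t msg[36] = {
        3, 3, 0, 0,  0, 0, 0, 0,                             /* type 3, code 3, checksum 0 */
        0x45, 0x00, 0x00, 0x1c,  0x00, 0x00, 0x00, 0x00,     /* quoted IPv4 header ... */
        0x40, 0x11, 0x00, 0x00,  10, 0, 0, 1,  192, 0, 2, 7, /* ttl 64, proto 17, src, dst */
        0x04, 0x00, 0x00, 0x35,  0x00, 0x08, 0x00, 0x00      /* quoted UDP header, dport 53 */
    };
    return finalize(buf, msg, sizeof msg);
}

/* Echo request captured with `caplen` bytes (0 = all of it), optionally with one payload
 * bit flipped. -1: header truncated; 0: parsed, checksum skipped; 1: good; 2: bad. */
int scenario_echo(size_t caplen, int corrupt) {
    uint8_t buf[64]; struct icmp_info info;
    size_t n = build_echo_request(buf);
    if (corrupt) buf[10] ^= 0x01;
    if (caplen == 0) caplen = n;
    if (icmp_parse(buf, caplen, n, &info) != ICMP_OK) return -1;
    if (!info.checksum_checked) return 0;
    return info.checksum_ok ? 1 : 2;
}

/* Same for the error message: -1 header truncated, else whether the quoted header was used. */
int scenario_error_context(size_t caplen) {
    uint8_t buf[64]; struct icmp_info info;
    size_t n = build_dest_unreachable(buf);
    if (caplen == 0) caplen = n;
    if (icmp_parse(buf, caplen, n, &info) != ICMP_OK) return -1;
    return info.has_context && info.ctx_proto == 17 && info.ctx_dst == 0xC0000207u;
}
```

The split between checksum_checked and checksum_ok is the point the commit makes about UDP and ICMP alike: with a 12-byte capture of a 16-byte echo request the parser still reports the type but refuses to judge the checksum, and with a 20-byte capture of a 36-byte unreachable it reports the error without pretending to know the quoted destination. A detector that raised "bad ICMP checksum" on truncated captures would generate false positives in proportion to the sensor's snaplen setting, which is why the length check has to come before the arithmetic rather than be an assertion after it.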
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 30 May 2012 00:01:58 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201205300701.q4U71wjc025203@bro-ids.icir.org>

> Open Merge Requests for Bro2.1
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
(no ticket data: the tracker answered the lookup with an error page, "The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, info at bro-ids.org and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.")

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date       | Summary
------------------------------------------------------------------------------------------------------------------
bro       | 0aecca9  | Jon Siwek | 2012-05-29 | Remove unnecessary assert in ICMP analyzer (addresses #822). [1]
bro       | 0c5afc5  | Jon Siwek | 2012-05-29 | Improve script debugger backtrace and print commands. [2]

[1] fastpath: http://tracker.bro-ids.org/bro/changeset/0aecca979e830d0ee8f6524c4dee3fe83cfc3c4c/bro
[2] fastpath: http://tracker.bro-ids.org/bro/changeset/0c5afc59f79099fa1874cbe96e3bb74b7df693ad/bro

From bro at tracker.bro-ids.org Wed May 30 17:48:51 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 31 May 2012 00:48:51 -0000
Subject: [Bro-Dev] #822: Segmentation fault ICMP Analizer
In-Reply-To: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>
References: <056.c05bcf7b45c705fd44326f7779a83361@tracker.bro-ids.org>
Message-ID: <071.d7574dcbed6904dcf1c39d903126362a@tracker.bro-ids.org>

#822: Segmentation fault ICMP Analizer
-----------------------------+------------------------
  Reporter:  Tyler.Schoenke  |      Owner:
      Type:  Problem         |     Status:  new
  Priority:  Normal          |  Milestone:  Bro2.1
 Component:  Bro             |    Version:  git/master
Resolution:                  |   Keywords:
-----------------------------+------------------------

Comment (by robin):

In [e9354284eb573356edc1b194631bada29aaacc47/bro]:
{{{
#!CommitTicketReference repository="bro" revision="e9354284eb573356edc1b194631bada29aaacc47"
Merge remote-tracking branch 'origin/fastpath'

* origin/fastpath:
  Remove unnecessary assert in ICMP analyzer (addresses #822).
  Improve script debugger backtrace and print commands.
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Wed May 30 19:28:37 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 31 May 2012 02:28:37 -0000
Subject: [Bro-Dev] #823: Remaining input framework todos
Message-ID: <047.5e447178368a3a40b99fd343d1c743c6@tracker.bro-ids.org>

#823: Remaining input framework todos
---------------------+------------------------
 Reporter:  robin    |      Owner:  bernhard
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro2.1
Component:  Bro      |    Version:  git/master
 Keywords:           |
---------------------+------------------------
The input framework is merged into git master. A few little things remain to do:

- core.check-unused-event-handlers fails with this

{{{
== Diff =============================== --- /tmp/test-diff.16838..stderr.baseline.tmp 2012-05-31 02:05:06.318172610 +0000 +++ /tmp/test-diff.16838..stderr.tmp 2012-05-31 02:05:06.328172991 +0000 @@ -1 +1,2 @@ +warning in , line 1: event handler never invoked: Input::update_finished warning in , line 1: event handler never invoked: this_is_never_used =======================================
}}}

I.e., the event will never be raised. I didn't see this before the merge into master, not sure why it now has started appearing?

- Track down memory leaks.

- Document ReaderMode in src/input/ReaderBackend.h:

- Please address this one

{{{
ReaderFrontend.cc:
// FIXME: cleanup of disabled inputreaders is missing. we need this, because
// stuff can e.g. fail in init and might never be removed afterwards.
}}}

- Extend doc/input.rst with more examples.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu May 31 10:13:05 2012
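Review bot: the added line in the stderr hunk above reports the unused handler with an empty script location (`warning in , line 1`), so the output never says which file declares Input::update_finished, which makes this failure harder to attribute than it needs to be. The baseline side of the hunk accepts only the this_is_never_used warning, so the test stays red until either the input framework references the event in a way the unused-handler check counts as a raise, or the baseline is updated; if the event is meant to fire at all, the former is the fix to make, not the latter.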
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 31 May 2012 17:13:05 -0000
Subject: [Bro-Dev] #820: topic/jsiwek/ipv6-comm
In-Reply-To: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>
References: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>
Message-ID: <063.7137826077c79e0f086f661cf52fcb3f@tracker.bro-ids.org>

#820: topic/jsiwek/ipv6-comm
----------------------+------------------------
  Reporter:  jsiwek   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  ipv6
----------------------+------------------------

Comment (by jsiwek):

Replying to [comment:2 robin]:
> I've merged these, but 3 tests fail for me on Linux:
>
> {{{
> istate.bro-ipv6-socket ... failed
> istate.broccoli-ipv6-socket ... failed
> istate.broccoli-ssl ... failed
> istate.bro-ipv6-socket ... failed
> }}}
>
> Detailed output below. I'm pushing the merge as these tests seem to be
> non-crucial for most (non v6) deployments. Can you see if it works for you?

It looked like you did a fix for these tests that was causing them to run in parallel, was that the problem or do they still fail for you? If they fail, can you let me know what distro you were using? I did just make some fastpath commits for `bro` and `broccoli-python` to fix issues on 32-bit systems, but if that was your problem there should have been more failing tests.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu May 31 12:38:16 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 31 May 2012 19:38:16 -0000
Subject: [Bro-Dev] #820: topic/jsiwek/ipv6-comm
In-Reply-To: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>
References: <048.667577c76723471f4b11bc4aa15ed255@tracker.bro-ids.org>
Message-ID: <063.c18ab5f9be7a7032f6637bedda77bcfe@tracker.bro-ids.org>

#820: topic/jsiwek/ipv6-comm
----------------------+------------------------
  Reporter:  jsiwek   |      Owner:  jsiwek
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  ipv6
----------------------+------------------------
Changes (by robin):

 * status:  assigned => closed

Comment:

On Thu, May 31, 2012 at 17:13 -0000, you wrote:
> It looked like you did a fix for these tests that was causing them to run
> in parallel, was that the problem or do they still fail for you?

Indeed, that fixed it. I realized that only yesterday, forgot to close the ticket.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu May 31 12:56:15 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 31 May 2012 19:56:15 -0000
Subject: [Bro-Dev] #824: Default the connection and alarm summaries to once per day
Message-ID: <056.dadb50a21009b083c39e1a280f60c9e9@tracker.bro-ids.org>

#824: Default the connection and alarm summaries to once per day
----------------------------+-----------------------------
 Reporter:  Tyler.Schoenke  |       Type:  Feature Request
   Status:  new             |   Priority:  Normal
Milestone:                  |  Component:  Bro
  Version:  git/master      |   Keywords:
----------------------------+-----------------------------
This was mentioned on the mailing list, and I brought it up with Seth separately when I moved to 2.0. It would be nice to default both the Connection and Alarm summaries to a once-per-day email. It might be handy to have configurable values to change the frequency for each separately. It is fine for logs to continue to compress on an hourly basis.

--
Ticket URL:
Bro Tracker
Bro Issue Tracker

From bro at tracker.bro-ids.org Thu May 31 13:38:16 2012
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Thu, 31 May 2012 20:38:16 -0000
Subject: [Bro-Dev] #823: Remaining input framework todos
In-Reply-To: <047.5e447178368a3a40b99fd343d1c743c6@tracker.bro-ids.org>
References: <047.5e447178368a3a40b99fd343d1c743c6@tracker.bro-ids.org>
Message-ID: <062.e7231992a6470dd105857589944f5935@tracker.bro-ids.org>

#823: Remaining input framework todos
----------------------+------------------------
  Reporter:  robin    |      Owner:  bernhard
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by jsiwek):

In [eeb1609768063478f85064c9be55b1f46ede7bf7/bro]:
{{{
#!CommitTicketReference repository="bro" revision="eeb1609768063478f85064c9be55b1f46ede7bf7"
Change Input::update_finished lookup to happen at init time.

Also going through the internal_handler() function will set the event as "used" (i.e. it's marked as being raised somewhere) and fixes the core.check-unused-event-handlers test failure (addresses #823).
}}}

--
Ticket URL:
Bro Tracker
Bro Issue Tracker