From noreply at bro-ids.org Fri Mar 1 00:00:04 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Fri, 1 Mar 2013 00:00:04 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201303010800.r21804qt019747@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 934 [1] | liamrandall | | Normal | GPRS Tunneling Protocol (GTP) Analyzer
Bro | 946 [2] | seth | | Medium | Async scriptland functions stack explosion

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date | Summary
------------------------------------------------------------------------------------------------------------------
bro | 2481f9f | Jon Siwek | 2013-02-27 | Fix possible null pointer dereference in identify_data BIF. [3]
bro | dd9f361 | Jon Siwek | 2013-02-22 | Fix build on OpenBSD 5.2.
[4]

[1] #934: http://tracker.bro-ids.org/bro/ticket/934
[2] #946: http://tracker.bro-ids.org/bro/ticket/946
[3] fastpath: http://tracker.bro-ids.org/bro/changeset/2481f9f83772a4e934f72c1bf9ac35fd0ea7c096/bro
[4] fastpath: http://tracker.bro-ids.org/bro/changeset/dd9f361bc739f5aa4bc11f70569499e9115d0d50/bro

From bro at tracker.bro-ids.org Fri Mar 1 09:51:26 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 01 Mar 2013 17:51:26 -0000
Subject: [Bro-Dev] #12: Capture from multiple interfaces
In-Reply-To: <047.64011cc28bcfc8034dfa19cd40719ef4@tracker.bro-ids.org>
References: <047.64011cc28bcfc8034dfa19cd40719ef4@tracker.bro-ids.org>
Message-ID: <062.430459dcb23d2b6cce7fc5516ad66863@tracker.bro-ids.org>

#12: Capture from multiple interfaces
------------------------------+----------------------
Reporter: robin | Owner: robin
Type: Feature Request | Status: accepted
Priority: Low | Milestone:
Component: BroControl | Version: 1.5.2
Resolution: | Keywords:
------------------------------+----------------------

Comment (by james.lay):

Was this ever implemented for a standalone with multiple interfaces?
--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Mar 1 10:28:46 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 01 Mar 2013 18:28:46 -0000
Subject: [Bro-Dev] #949: High CPU from polling loop on low traffic links
In-Reply-To: <053.0bdaeaf204bc1a075b5e23a5d9c4cc09@tracker.bro-ids.org>
References: <053.0bdaeaf204bc1a075b5e23a5d9c4cc09@tracker.bro-ids.org>
Message-ID: <068.9b1fb299e4e169fe676245da0dcdc632@tracker.bro-ids.org>

#949: High CPU from polling loop on low traffic links
--------------------------+------------------------
Reporter: liamrandall | Owner:
Type: Problem | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords:
--------------------------+------------------------

Comment (by james.lay):

Hi Seth,

This machine is already running an IDS...Bro would be complementing this.
That said, I can't have Bro taking up 50% CPU with no traffic running. My
perception (expectation?) is that high traffic = high cpu, low traffic =
low cpu...though that may not be accurate or reasonable. Thanks for all
your work on this Seth.

James

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Mar 1 10:38:14 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 01 Mar 2013 18:38:14 -0000
Subject: [Bro-Dev] #12: Capture from multiple interfaces
In-Reply-To: <047.64011cc28bcfc8034dfa19cd40719ef4@tracker.bro-ids.org>
References: <047.64011cc28bcfc8034dfa19cd40719ef4@tracker.bro-ids.org>
Message-ID: <062.80c0eba222a1421734210a3caf0f0b5f@tracker.bro-ids.org>

#12: Capture from multiple interfaces
------------------------------+----------------------
Reporter: robin | Owner: robin
Type: Feature Request | Status: accepted
Priority: Low | Milestone:
Component: BroControl | Version: 1.5.2
Resolution: | Keywords:
------------------------------+----------------------

Comment (by seth):

> Was this ever implemented for a standalone with multiple interfaces?
Not yet. :)

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Mar 1 10:40:31 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 01 Mar 2013 18:40:31 -0000
Subject: [Bro-Dev] #949: High CPU from polling loop on low traffic links
In-Reply-To: <053.0bdaeaf204bc1a075b5e23a5d9c4cc09@tracker.bro-ids.org>
References: <053.0bdaeaf204bc1a075b5e23a5d9c4cc09@tracker.bro-ids.org>
Message-ID: <068.e5d3129a7885ea8845c2e74e272fc00f@tracker.bro-ids.org>

#949: High CPU from polling loop on low traffic links
--------------------------+------------------------
Reporter: liamrandall | Owner:
Type: Problem | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords:
--------------------------+------------------------

Comment (by seth):

> This machine is already running an IDS...Bro would be complementing this.
> That said, I can't have Bro taking up 50% CPU with no traffic running. My
> perception (expectation?) is that high traffic = high cpu, low traffic =
> low cpu...though that may not be accurate or reasonable. Thanks for all
> your work on this Seth.

Once traffic starts flowing through the box, Bro's CPU load will start to
drop (oddly enough) until eventually it starts to go back up again if the
traffic load is high enough. Bro needs to take care of a lot of
housekeeping tasks and we keep a fairly tight loop to make sure that
everything is taken care of with low latency.

We are drawing up plans for some rework to our communication code (which
contributes to the tight loop) and it may take care of some of the load
problem.
--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Fri Mar 1 14:49:37 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Fri, 01 Mar 2013 22:49:37 -0000
Subject: [Bro-Dev] #952: topic/jsiwek/local-container-init
Message-ID: <048.d75783484bb1250a93b800b1a520fcec@tracker.bro-ids.org>

#952: topic/jsiwek/local-container-init
---------------------------+------------------------
Reporter: jsiwek | Owner:
Type: Merge Request | Status: new
Priority: Medium | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
---------------------------+------------------------

Local sets and vector couldn't be initialized via the {} constructor.

See [c88babf6ef169cb2007188ffecfeccea5aed6882/bro]

--
Ticket URL: Bro Tracker Bro Issue Tracker

From noreply at bro-ids.org Sat Mar 2 00:00:03 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Sat, 2 Mar 2013 00:00:03 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201303020800.r22803Al018789@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 934 [1] | liamrandall | | Normal | GPRS Tunneling Protocol (GTP) Analyzer
Bro | 946 [2] | seth | | Medium | Async scriptland functions stack explosion
Bro | 952 [3] | jsiwek | | Medium | topic/jsiwek/local-container-init [4]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date | Summary
------------------------------------------------------------------------------------------------------------------
bro | 2481f9f | Jon Siwek | 2013-02-27 | Fix possible null pointer dereference in identify_data BIF. [5]
bro | dd9f361 | Jon Siwek | 2013-02-22 | Fix build on OpenBSD 5.2.
[6] [1] #934: http://tracker.bro-ids.org/bro/ticket/934 [2] #946: http://tracker.bro-ids.org/bro/ticket/946 [3] #952: http://tracker.bro-ids.org/bro/ticket/952 [4] local-container-init: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/local-container-init [5] fastpath: http://tracker.bro-ids.org/bro/changeset/2481f9f83772a4e934f72c1bf9ac35fd0ea7c096/bro [6] fastpath: http://tracker.bro-ids.org/bro/changeset/dd9f361bc739f5aa4bc11f70569499e9115d0d50/bro From noreply at bro-ids.org Sun Mar 3 00:00:02 2013 From: noreply at bro-ids.org (Merge Tracker) Date: Sun, 3 Mar 2013 00:00:02 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303030800.r23802QA008882@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 934 [1] | liamrandall | | Normal | GPRS Tunneling Protocol (GTP) Analyzer Bro | 946 [2] | seth | | Medium | Async scriptland functions stack explosion Bro | 952 [3] | jsiwek | | Medium | topic/jsiwek/local-container-init [4] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | 2481f9f | Jon Siwek | 2013-02-27 | Fix possible null pointer dereference in identify_data BIF. [5] bro | dd9f361 | Jon Siwek | 2013-02-22 | Fix build on OpenBSD 5.2. 
[6] [1] #934: http://tracker.bro-ids.org/bro/ticket/934 [2] #946: http://tracker.bro-ids.org/bro/ticket/946 [3] #952: http://tracker.bro-ids.org/bro/ticket/952 [4] local-container-init: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/local-container-init [5] fastpath: http://tracker.bro-ids.org/bro/changeset/2481f9f83772a4e934f72c1bf9ac35fd0ea7c096/bro [6] fastpath: http://tracker.bro-ids.org/bro/changeset/dd9f361bc739f5aa4bc11f70569499e9115d0d50/bro From noreply at bro-ids.org Mon Mar 4 00:00:04 2013 From: noreply at bro-ids.org (Merge Tracker) Date: Mon, 4 Mar 2013 00:00:04 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303040800.r24804wn024818@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 934 [1] | liamrandall | | Normal | GPRS Tunneling Protocol (GTP) Analyzer Bro | 946 [2] | seth | | Medium | Async scriptland functions stack explosion Bro | 952 [3] | jsiwek | | Medium | topic/jsiwek/local-container-init [4] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | 2481f9f | Jon Siwek | 2013-02-27 | Fix possible null pointer dereference in identify_data BIF. [5] bro | dd9f361 | Jon Siwek | 2013-02-22 | Fix build on OpenBSD 5.2. 
[6] [1] #934: http://tracker.bro-ids.org/bro/ticket/934 [2] #946: http://tracker.bro-ids.org/bro/ticket/946 [3] #952: http://tracker.bro-ids.org/bro/ticket/952 [4] local-container-init: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/local-container-init [5] fastpath: http://tracker.bro-ids.org/bro/changeset/2481f9f83772a4e934f72c1bf9ac35fd0ea7c096/bro [6] fastpath: http://tracker.bro-ids.org/bro/changeset/dd9f361bc739f5aa4bc11f70569499e9115d0d50/bro From noreply at bro-ids.org Tue Mar 5 00:00:05 2013 From: noreply at bro-ids.org (Merge Tracker) Date: Tue, 5 Mar 2013 00:00:05 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303050800.r258058O019943@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 934 [1] | liamrandall | | Normal | GPRS Tunneling Protocol (GTP) Analyzer Bro | 946 [2] | seth | | Medium | Async scriptland functions stack explosion Bro | 952 [3] | jsiwek | | Medium | topic/jsiwek/local-container-init [4] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | 2481f9f | Jon Siwek | 2013-02-27 | Fix possible null pointer dereference in identify_data BIF. [5] bro | dd9f361 | Jon Siwek | 2013-02-22 | Fix build on OpenBSD 5.2. 
[6]

[1] #934: http://tracker.bro-ids.org/bro/ticket/934
[2] #946: http://tracker.bro-ids.org/bro/ticket/946
[3] #952: http://tracker.bro-ids.org/bro/ticket/952
[4] local-container-init: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/local-container-init
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/2481f9f83772a4e934f72c1bf9ac35fd0ea7c096/bro
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/dd9f361bc739f5aa4bc11f70569499e9115d0d50/bro

From bro at tracker.bro-ids.org Tue Mar 5 10:47:04 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Tue, 05 Mar 2013 18:47:04 -0000
Subject: [Bro-Dev] #953: SSL Analyzer: return the root CA used to validate a cert
Message-ID: <053.5789ace0aebcbfe9033863f48f910640@tracker.bro-ids.org>

#953: SSL Analyzer: return the root CA used to validate a cert
-------------------------+------------------------------------
Reporter: liamrandall | Type: Feature Request
Status: new | Priority: Low
Milestone: Bro2.2 | Component: Bro
Version: git/master | Keywords: SSL Analyzer, Root, CA
-------------------------+------------------------------------

Since Bro will validate certs can we add a variable that says who the
root CA was; would be useful for CA pinning, white listing or black
listing.
--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Tue Mar 5 16:24:30 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 06 Mar 2013 00:24:30 -0000
Subject: [Bro-Dev] #953: SSL Analyzer: return the root CA used to validate a cert
In-Reply-To: <053.5789ace0aebcbfe9033863f48f910640@tracker.bro-ids.org>
References: <053.5789ace0aebcbfe9033863f48f910640@tracker.bro-ids.org>
Message-ID: <068.a02115fbbc1067941164837f15ce1a03@tracker.bro-ids.org>

#953: SSL Analyzer: return the root CA used to validate a cert
------------------------------+------------------------------------
Reporter: liamrandall | Owner: amannb
Type: Feature Request | Status: assigned
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords: SSL Analyzer, Root, CA
------------------------------+------------------------------------

Changes (by amannb):

 * owner: => amannb
 * status: new => assigned

--
Ticket URL: Bro Tracker Bro Issue Tracker

From noreply at bro-ids.org Wed Mar 6 00:00:10 2013
From: noreply at bro-ids.org (Merge Tracker)
Date: Wed, 6 Mar 2013 00:00:10 -0800
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201303060800.r2680A2n026553@bro-ids.icir.org>

> Open Merge Requests for Bro2.2
> ==============================

Component | Id | Reporter | Owner | Prio | Summary
------------------------------------------------------------------------------------------------------------------
Bro | 934 [1] | liamrandall | | Normal | GPRS Tunneling Protocol (GTP) Analyzer
Bro | 946 [2] | seth | | Medium | Async scriptland functions stack explosion
Bro | 952 [3] | jsiwek | | Medium | topic/jsiwek/local-container-init [4]

> Unmerged Fastpath Commits
> =========================

Component | Revision | Committer | Date | Summary
------------------------------------------------------------------------------------------------------------------
bro | 2481f9f | Jon Siwek | 2013-02-27 | Fix possible null pointer dereference in identify_data BIF. [5]
bro | dd9f361 | Jon Siwek | 2013-02-22 | Fix build on OpenBSD 5.2. [6]

[1] #934: http://tracker.bro-ids.org/bro/ticket/934
[2] #946: http://tracker.bro-ids.org/bro/ticket/946
[3] #952: http://tracker.bro-ids.org/bro/ticket/952
[4] local-container-init: http://tracker.bro-ids.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/jsiwek/local-container-init
[5] fastpath: http://tracker.bro-ids.org/bro/changeset/2481f9f83772a4e934f72c1bf9ac35fd0ea7c096/bro
[6] fastpath: http://tracker.bro-ids.org/bro/changeset/dd9f361bc739f5aa4bc11f70569499e9115d0d50/bro

From bro at tracker.bro-ids.org Wed Mar 6 07:09:13 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 06 Mar 2013 15:09:13 -0000
Subject: [Bro-Dev] #954: topic/seth/notice-framework-updates
Message-ID: <046.73a7515562a0303b9510d763588341f3@tracker.bro-ids.org>

#954: topic/seth/notice-framework-updates
---------------------+------------------------
Reporter: seth | Owner: robin
Type: Problem | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------

This branch updates the notice framework to use the new hook mechanism and
removes the old set based notice policy mechanism. It breaks existing code,
but we have generally considered it acceptable because very few people have
finely configured notice policy settings and this new branch clarifies
notice policy handling quite a bit.

All tests pass for me (internal test repository has its own
topic/seth/notice-framework-updates branch) and documentation has been
updated.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From vallentin at icir.org Wed Mar 6 09:23:50 2013
From: vallentin at icir.org (Matthias Vallentin)
Date: Wed, 6 Mar 2013 09:23:50 -0800
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/notice-framework-updates: Update notice framework documentation to represent the new reality.
 (e56a33b)
In-Reply-To: <201303061506.r26F62Fs032141@bro-ids.icir.org>
References: <201303061506.r26F62Fs032141@bro-ids.icir.org>
Message-ID:

> +Hooks can also abort later hook bodies with the ``break`` keyword. This
> +is primarily useful if one wants to completely preempt processing by
> +lower priority :bro:see:`Notice::policy` hooks.

Is this replacing the $halt functionality? So would I just use a
high-prioritized Notice::policy hook and break if I wanted to skip a
certain notice?

Matthias

From bro at tracker.bro-ids.org Wed Mar 6 09:38:33 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 06 Mar 2013 17:38:33 -0000
Subject: [Bro-Dev] #954: topic/seth/notice-framework-updates
In-Reply-To: <046.73a7515562a0303b9510d763588341f3@tracker.bro-ids.org>
References: <046.73a7515562a0303b9510d763588341f3@tracker.bro-ids.org>
Message-ID: <061.bbc9dae187fd3a1e17021eec504a8bfd@tracker.bro-ids.org>

#954: topic/seth/notice-framework-updates
----------------------------+------------------------
Reporter: seth | Owner: robin
Type: Merge Request | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords:
----------------------------+------------------------

Changes (by seth):

 * type: Problem => Merge Request

--
Ticket URL: Bro Tracker Bro Issue Tracker

From seth at icir.org Wed Mar 6 09:41:30 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 6 Mar 2013 12:41:30 -0500
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/notice-framework-updates: Update notice framework documentation to represent the new reality. (e56a33b)
In-Reply-To:
References: <201303061506.r26F62Fs032141@bro-ids.icir.org>
Message-ID:

On Mar 6, 2013, at 12:23 PM, Matthias Vallentin wrote:

>> +Hooks can also abort later hook bodies with the ``break`` keyword. This
>> +is primarily useful if one wants to completely preempt processing by
>> +lower priority :bro:see:`Notice::policy` hooks.
>
> Is this replacing the $halt functionality? So would I just use a
> high-prioritized Notice::policy hook and break if I wanted to skip a
> certain notice?

Correct.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From vallentin at icir.org Wed Mar 6 09:45:32 2013
From: vallentin at icir.org (Matthias Vallentin)
Date: Wed, 6 Mar 2013 09:45:32 -0800
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/notice-framework-updates: Update notice framework documentation to represent the new reality. (e56a33b)
In-Reply-To:
References: <201303061506.r26F62Fs032141@bro-ids.icir.org>
Message-ID:

> Correct.

Cool. Looking forward to Robin merging this :-).

Matthias

From bro at tracker.bro-ids.org Wed Mar 6 13:21:16 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 06 Mar 2013 21:21:16 -0000
Subject: [Bro-Dev] #953: SSL Analyzer: return the root CA used to validate a cert
In-Reply-To: <053.5789ace0aebcbfe9033863f48f910640@tracker.bro-ids.org>
References: <053.5789ace0aebcbfe9033863f48f910640@tracker.bro-ids.org>
Message-ID: <068.a328824399ac066e9d31a6221f15c102@tracker.bro-ids.org>

#953: SSL Analyzer: return the root CA used to validate a cert
------------------------------+------------------------------------
Reporter: liamrandall | Owner: amannb
Type: Feature Request | Status: assigned
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords: SSL Analyzer, Root, CA
------------------------------+------------------------------------

Comment (by amannb):

In [changeset:a97d62600f00ed324f45a6e0d04575a2d7807150/bro]:
{{{
#!CommitTicketReference repository="bro" revision="a97d62600f00ed324f45a6e0d04575a2d7807150"
change the x509 verify bif to return a record that includes the
success/error code and the full used chain of certificates.
Addresses #953
}}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Wed Mar 6 13:25:33 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 06 Mar 2013 21:25:33 -0000
Subject: [Bro-Dev] #953: SSL Analyzer: return the root CA used to validate a cert
In-Reply-To: <053.5789ace0aebcbfe9033863f48f910640@tracker.bro-ids.org>
References: <053.5789ace0aebcbfe9033863f48f910640@tracker.bro-ids.org>
Message-ID: <068.a1166607d7ca95098cafcf62b40e4821@tracker.bro-ids.org>

#953: SSL Analyzer: return the root CA used to validate a cert
------------------------------+------------------------------------
Reporter: liamrandall | Owner: amannb
Type: Feature Request | Status: assigned
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords: SSL Analyzer, Root, CA
------------------------------+------------------------------------

Comment (by amannb):

The branch topic/bernhard/ticket-953 changes the x509_verify bif. Instead
of just returning the error code, it now returns a record containing

 * the openssl error code
 * ascii description of the code
 * the full used chain, in case chain resolution was successful, as a
   vector of string.

At the moment, the individual certificates returned in the vector are not
parsed -- for blacklist lookups that is not really necessary (and at the
moment there also is no way to feed the certificates back into the bro
x509 parsing code, which is in the ssl analyzer).
--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Wed Mar 6 13:49:24 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 06 Mar 2013 21:49:24 -0000
Subject: [Bro-Dev] #955: Merge topic/bernhard/remove-length
Message-ID: <048.2c98300b3298cc7d8ff4023a3c72f9cd@tracker.bro-ids.org>

#955: Merge topic/bernhard/remove-length
---------------------------+------------------------
Reporter: amannb | Owner:
Type: Merge Request | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
---------------------------+------------------------

the topic/bernhard/remove-length removes both the byte_len and length bifs
and adapts all scripts that used them.

Those are no longer necessary because bro supports getting the length
using ||. I think removing them is a good idea to keep people (like me)
from stumbling into them and using them instead of language features.

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro-ids.org Wed Mar 6 14:12:19 2013
From: bro at tracker.bro-ids.org (Bro Tracker)
Date: Wed, 06 Mar 2013 22:12:19 -0000
Subject: [Bro-Dev] #956: Merge topic/bernhard/vector-assignment
Message-ID: <048.69f377bf803196c15b42780e93c76a48@tracker.bro-ids.org>

#956: Merge topic/bernhard/vector-assignment
---------------------------+------------------------
Reporter: amannb | Owner:
Type: Merge Request | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
---------------------------+------------------------

topic/bernhard/vector-assignment changes the Assign operator for
VectorVals and removes the expr-argument.

expr was/is not used in the assignment function and it confuses me each
time when I use VectorVal, forget that it is not used, and look it up
again :)

As an added bonus, now Record, Table and Vector Assignments have the same
syntax (I think).
--
Ticket URL: Bro Tracker Bro Issue Tracker

From robin at icir.org Wed Mar 6 14:15:42 2013
From: robin at icir.org (Robin Sommer)
Date: Wed, 6 Mar 2013 14:15:42 -0800
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/remove-length: remove the byte_len and length bifs (986b346)
In-Reply-To: <201303062147.r26LlC1E017274@bro-ids.icir.org>
References: <201303062147.r26LlC1E017274@bro-ids.icir.org>
Message-ID: <20130306221542.GC76013@icir.org>

I'm all for this but it may break people's code. Any objections?

Robin

On Wed, Mar 06, 2013 at 13:47 -0800, Bernhard Amann wrote:

> Repository : ssh://git at bro-ids.icir.org/bro
>
> On branch : topic/bernhard/remove-length
> Link : http://tracker.bro-ids.org/bro/changeset/986b346e3f3d58a4052815bc1ee9c9dc7a19638f/bro
>
> >---------------------------------------------------------------
>
> commit 986b346e3f3d58a4052815bc1ee9c9dc7a19638f
> Author: Bernhard Amann
> Date: Wed Mar 6 13:45:42 2013 -0800
>
> remove the byte_len and length bifs
>
>
> >---------------------------------------------------------------

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org

From seth at icir.org Wed Mar 6 17:28:51 2013
From: seth at icir.org (Seth Hall)
Date: Wed, 6 Mar 2013 20:28:51 -0500
Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/remove-length: remove the byte_len and length bifs (986b346)
In-Reply-To: <20130306221542.GC76013@icir.org>
References: <201303062147.r26LlC1E017274@bro-ids.icir.org> <20130306221542.GC76013@icir.org>
Message-ID: <621ED2A3-4389-4DD3-A74B-9DBC960C1B8F@icir.org>

On Mar 6, 2013, at 5:15 PM, Robin Sommer wrote:

> I'm all for this but it may break people's code. Any objections?

I've been meaning to remove those for a long time. We're still in a
fortunate situation where there is so little third party code that these
changes can be absorbed relatively easily.
.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

From bro at tracker.bro.org Wed Mar 6 17:35:39 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 07 Mar 2013 01:35:39 -0000
Subject: [Bro-Dev] #954: topic/seth/notice-framework-updates
In-Reply-To: <042.3de065cfa6f5a1cfaaae46cd9cc0f313@tracker.bro.org>
References: <042.3de065cfa6f5a1cfaaae46cd9cc0f313@tracker.bro.org>
Message-ID: <057.3241157424b3eb48019eb60d35f33d4c@tracker.bro.org>

#954: topic/seth/notice-framework-updates
----------------------------+------------------------
Reporter: seth | Owner: robin
Type: Merge Request | Status: new
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: | Keywords:
----------------------------+------------------------

Comment (by robin):

| All tests pass for me (internal test repository has its own
| topic/seth/notice-framework-updates branch) and documentation has been
| updated.

external/bro-testing fails for me but I don't see a branch there. Don't
you see those failures?
--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro.org Wed Mar 6 18:33:52 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 07 Mar 2013 02:33:52 -0000
Subject: [Bro-Dev] #946: Async scriptland functions stack explosion
In-Reply-To: <042.f001e605e283dc0f4db60ff8122a5147@tracker.bro.org>
References: <042.f001e605e283dc0f4db60ff8122a5147@tracker.bro.org>
Message-ID: <057.7ca2fe011991dee4342a9c0ccf82d0b4@tracker.bro.org>

#946: Async scriptland functions stack explosion
----------------------------+------------------------
Reporter: seth | Owner: robin
Type: Merge Request | Status: closed
Priority: Medium | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: fixed | Keywords:
----------------------------+------------------------

Changes (by robin):

 * owner: => robin
 * status: new => closed
 * resolution: => fixed

Comment:

In [changeset:d93107902189eec812ecfb6d0acdf44cce7d1621/bro]:
{{{
#!CommitTicketReference repository="bro" revision="d93107902189eec812ecfb6d0acdf44cce7d1621"
Merge remote-tracking branch 'origin/topic/jsiwek/ticket946'

Closes #946.

* origin/topic/jsiwek/ticket946:
  Fix memory leaks resulting from 'when' and 'return when' statements.
  Fix three bugs with 'when' and 'return when' statements.
Addresses #946
}}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro.org Wed Mar 6 18:33:52 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 07 Mar 2013 02:33:52 -0000
Subject: [Bro-Dev] #952: topic/jsiwek/local-container-init
In-Reply-To: <044.efbf3049dd968b23579ab37eefd12e58@tracker.bro.org>
References: <044.efbf3049dd968b23579ab37eefd12e58@tracker.bro.org>
Message-ID: <059.334122b50c78dd5f0267880e5a3f055e@tracker.bro.org>

#952: topic/jsiwek/local-container-init
----------------------------+------------------------
Reporter: jsiwek | Owner: robin
Type: Merge Request | Status: closed
Priority: Medium | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: fixed | Keywords:
----------------------------+------------------------

Changes (by robin):

 * owner: => robin
 * status: new => closed
 * resolution: => fixed

Comment:

In [changeset:9f99a4a94276852d103b862e4bd4b55ce43999fc/bro]:
{{{
#!CommitTicketReference repository="bro" revision="9f99a4a94276852d103b862e4bd4b55ce43999fc"
Merge remote-tracking branch 'origin/topic/jsiwek/local-container-init'

Closes #952.

* origin/topic/jsiwek/local-container-init:
  Fix init of local sets/vectors via curly brace initializer lists.
}}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro.org Wed Mar 6 18:33:52 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 07 Mar 2013 02:33:52 -0000
Subject: [Bro-Dev] #954: topic/seth/notice-framework-updates
In-Reply-To: <042.3de065cfa6f5a1cfaaae46cd9cc0f313@tracker.bro.org>
References: <042.3de065cfa6f5a1cfaaae46cd9cc0f313@tracker.bro.org>
Message-ID: <057.3263fa1ea017fd42dd917e19957cb34e@tracker.bro.org>

#954: topic/seth/notice-framework-updates
----------------------------+------------------------
Reporter: seth | Owner: robin
Type: Merge Request | Status: closed
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: fixed | Keywords:
----------------------------+------------------------

Changes (by robin):

 * status: new => closed
 * resolution: => fixed

Comment:

In [changeset:1bd2f26df33137a41f404e0255b4abca4f659ad4/bro]:
{{{
#!CommitTicketReference repository="bro" revision="1bd2f26df33137a41f404e0255b4abca4f659ad4"
Merge remote-tracking branch 'origin/topic/seth/notice-framework-updates'

So much nicer!

Closes #954.

* origin/topic/seth/notice-framework-updates:
  Update notice framework documentation to represent the new reality.
  Complete removal of the old table based notice policy mechanism.
  Updates for the notices framework.
}}}

--
Ticket URL: Bro Tracker Bro Issue Tracker

From bro at tracker.bro.org Wed Mar 6 18:33:52 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 07 Mar 2013 02:33:52 -0000
Subject: [Bro-Dev] #955: Merge topic/bernhard/remove-length
In-Reply-To: <044.6003c5a4f096d135cc846ff2cf2a3580@tracker.bro.org>
References: <044.6003c5a4f096d135cc846ff2cf2a3580@tracker.bro.org>
Message-ID: <059.e34ac734ab08de68fcde8e1d51c7b068@tracker.bro.org>

#955: Merge topic/bernhard/remove-length
----------------------------+------------------------
Reporter: amannb | Owner: robin
Type: Merge Request | Status: closed
Priority: Low | Milestone: Bro2.2
Component: Bro | Version: git/master
Resolution: fixed | Keywords:
----------------------------+------------------------

Changes (by robin):

 * owner: => robin
 * status: new => closed
 * resolution: => fixed

Comment:

In [changeset:8a6d68e00f069756db49bef02a069bdd364bfa0f/bro]:
{{{
#!CommitTicketReference repository="bro" revision="8a6d68e00f069756db49bef02a069bdd364bfa0f"
Merge remote-tracking branch 'origin/topic/bernhard/remove-length'

Closes #955.
* origin/topic/bernhard/remove-length: forgot to remove the baselines for the now unnecessary bifs remove the byte_len and length bifs }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Wed Mar 6 18:33:52 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 07 Mar 2013 02:33:52 -0000 Subject: [Bro-Dev] #956: Merge topic/bernhard/vector-assignment In-Reply-To: <044.9cf84a2b8beec52cad2eb58fc6960b41@tracker.bro.org> References: <044.9cf84a2b8beec52cad2eb58fc6960b41@tracker.bro.org> Message-ID: <059.a917ea80a4760e09cfa5389800ef49e1@tracker.bro.org> #956: Merge topic/bernhard/vector-assignment ----------------------------+------------------------ Reporter: amannb | Owner: robin Type: Merge Request | Status: closed Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [changeset:a4e40bb402578c354ebbc249786cfcef3ca2c657/bro]: {{{ #!CommitTicketReference repository="bro" revision="a4e40bb402578c354ebbc249786cfcef3ca2c657" Merge remote-tracking branch 'origin/topic/bernhard/vector-assignment' Closes #956. 
* origin/topic/bernhard/vector-assignment: change vector assignment operator and remove unnecessary argument (expr) }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Wed Mar 6 18:39:35 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 07 Mar 2013 02:39:35 -0000 Subject: [Bro-Dev] #934: GPRS Tunneling Protocol (GTP) Analyzer In-Reply-To: <049.1635000582f288d8b4fe141e36aa37ab@tracker.bro.org> References: <049.1635000582f288d8b4fe141e36aa37ab@tracker.bro.org> Message-ID: <064.629895b2bc59392579797b0b04dd71ce@tracker.bro.org> #934: GPRS Tunneling Protocol (GTP) Analyzer -----------------------------+----------------------------------------- Reporter: liamrandall | Owner: Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: GTP GPRS Tunneling Protocol -----------------------------+----------------------------------------- Changes (by robin): * status: new => closed * resolution: => Solved/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro-ids.org Thu Mar 7 00:00:02 2013 From: noreply at bro-ids.org (Merge Tracker) Date: Thu, 7 Mar 2013 00:00:02 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303070800.r27802jb021064@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ > Open Merge Requests for Bro2.1 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ From bro at tracker.bro.org Thu Mar 7 07:51:25 2013
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 07 Mar 2013 15:51:25 -0000 Subject: [Bro-Dev] #957: Argument names must match when passing a function by value Message-ID: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> #957: Argument names must match when passing a function by value ------------------------+--------------------- Reporter: srunnels | Type: Problem Status: new | Priority: Low Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: ------------------------+---------------------

It appears you have to match the name of arguments passed to functions in order to pass those functions by value. If the arguments in the prototypes don't match a type clash occurs.

Example script:

    function double_string(s: string): string
        {
        return string_cat(s, " ", s);
        }

    function triple_string(str: string): string
        {
        return string_cat(str, " ", str, " ", str);
        }

    type sample_function: record {
        s: string;
        f: function(str: string): string;
    };

    event bro_init()
        {
        local test_sf: sample_function;
        test_sf$s = "Brogrammers, like bowties, are cool.";

        # Works as expected
        test_sf$f = triple_string;
        print test_sf$f(test_sf$s);

        # Fails with: error in , line 22: type clash in assignment (test_sf$f = double_string)
        test_sf$f = double_string;
        print test_sf$f(test_sf$s);

        # Works as expected
        test_sf$f = function(str: string): string
            {
            return to_upper(str);
            };
        print test_sf$f(test_sf$s);

        # Fails with: error in , lines 38-39: type clash in assignment (test_sf$f = anonymous-function{ return (to_upper(s))})
        test_sf$f = function(s: string): string
            {
            return to_upper(s);
            };
        print test_sf$f(test_sf$s);
        }

-- Ticket URL: Bro Tracker Bro Issue Tracker
From robin at icir.org Thu Mar 7 08:40:33 2013
From: robin at icir.org (Robin Sommer) Date: Thu, 7 Mar 2013 08:40:33 -0800 Subject: [Bro-Dev] #957: Argument names must match when passing a function by value In-Reply-To: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> References: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> Message-ID: <20130307164033.GC93666@icir.org> I'd love to see this fixed, I believe there are other situations as well that trigger a similar error unnecessarily. When type-checking functions, parameter names should be ignored. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bro at tracker.bro.org Thu Mar 7 08:41:34 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 07 Mar 2013 16:41:34 -0000 Subject: [Bro-Dev] #957: Argument names must match when passing a function by value In-Reply-To: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> References: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> Message-ID: <061.4772a9ebd1f89be7d52679f3d6bff025@tracker.bro.org> #957: Argument names must match when passing a function by value -----------------------+------------------------ Reporter: srunnels | Owner: Type: Problem | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: -----------------------+------------------------ Comment (by robin): I'd love to see this fixed, I believe there are other situations as well that trigger a similar error unnecessarily. When type-checking functions, parameter names should be ignored. Robin -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 7 11:09:16 2013
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 07 Mar 2013 19:09:16 -0000 Subject: [Bro-Dev] #957: Argument names must match when passing a function by value In-Reply-To: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> References: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> Message-ID: <061.96669f0c6029683718b824b7e120bbae@tracker.bro.org> #957: Argument names must match when passing a function by value -----------------------+------------------------ Reporter: srunnels | Owner: Type: Problem | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: -----------------------+------------------------ Comment (by jsiwek): In [changeset:2293443ea0ceec8fca018556f41646fdb8da45d0/bro]: {{{ #!CommitTicketReference repository="bro" revision="2293443ea0ceec8fca018556f41646fdb8da45d0" Fix function type-equivalence requiring same param names, addresses #957 }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 7 11:12:49 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 07 Mar 2013 19:12:49 -0000 Subject: [Bro-Dev] #957: Argument names must match when passing a function by value In-Reply-To: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> References: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> Message-ID: <061.7ce51940052be2a72a4ba000e75294f9@tracker.bro.org> #957: Argument names must match when passing a function by value ----------------------------+------------------------ Reporter: srunnels | Owner: Type: Merge Request | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Changes (by jsiwek): * type: Problem => Merge Request Comment: Fix in `topic/jsiwek/ticket-957`. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 7 11:25:00 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 07 Mar 2013 19:25:00 -0000 Subject: [Bro-Dev] #958: Mismatched New [] / Delete in RE.cc Message-ID: <045.50d049209b8a94782acd58bfb5a3f4c0@tracker.bro.org> #958: Mismatched New [] / Delete in RE.cc ------------------------+------------------- Reporter: jbaines | Type: Patch Status: new | Priority: Low Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: ------------------------+------------------- There is a mismatched new[] and delete in RE.cc. RE.cc:495 allocates a char array using [] notation, but on 499 the allocation is deleted without [] notation. Attached is a patch that simply inserts the [] appropriately. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 7 12:46:23 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 07 Mar 2013 20:46:23 -0000 Subject: [Bro-Dev] #958: Mismatched New [] / Delete in RE.cc In-Reply-To: <045.50d049209b8a94782acd58bfb5a3f4c0@tracker.bro.org> References: <045.50d049209b8a94782acd58bfb5a3f4c0@tracker.bro.org> Message-ID: <060.a746ce1e2fb3f98af0bd287e2a5c01db@tracker.bro.org> #958: Mismatched New [] / Delete in RE.cc ----------------------+------------------------ Reporter: jbaines | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by jsiwek): In [changeset:7e4963b22ca3b6ebd8c23e36f5f15d9cacbd974f/bro]: {{{ #!CommitTicketReference repository="bro" revision="7e4963b22ca3b6ebd8c23e36f5f15d9cacbd974f" Fix new[]/delete mismatch in RE.cc reported by jbaines, addresses #958. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 7 16:03:21 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Fri, 08 Mar 2013 00:03:21 -0000 Subject: [Bro-Dev] #957: Argument names must match when passing a function by value In-Reply-To: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> References: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> Message-ID: <061.dd3d601a863e8abe471cdd3dfe963575@tracker.bro.org> #957: Argument names must match when passing a function by value ----------------------------+------------------------ Reporter: srunnels | Owner: robin Type: Merge Request | Status: closed Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [changeset:d3bf552a63f199876de41b49e919afcf98c5f055/bro]: {{{ #!CommitTicketReference repository="bro" revision="d3bf552a63f199876de41b49e919afcf98c5f055" Merge remote-tracking branch 'origin/topic/jsiwek/ticket-957' * origin/topic/jsiwek/ticket-957: Fix function type-equivalence requiring same param names, addresses #957 Closes #957. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 7 16:03:21 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Fri, 08 Mar 2013 00:03:21 -0000 Subject: [Bro-Dev] #958: Mismatched New [] / Delete in RE.cc In-Reply-To: <045.50d049209b8a94782acd58bfb5a3f4c0@tracker.bro.org> References: <045.50d049209b8a94782acd58bfb5a3f4c0@tracker.bro.org> Message-ID: <060.6a80ba2fd3d7f394563fd67dc6b1f005@tracker.bro.org> #958: Mismatched New [] / Delete in RE.cc ----------------------+------------------------ Reporter: jbaines | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by robin): In [changeset:3cd3e26154a0a6a3f7fb94a12c7a4ea79b2f0bff/bro]: {{{ #!CommitTicketReference repository="bro" revision="3cd3e26154a0a6a3f7fb94a12c7a4ea79b2f0bff" Merge remote-tracking branch 'origin/fastpath' * origin/fastpath: Fix new[]/delete mismatch in RE.cc reported by jbaines, addresses #958. Fix compiler warnings. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 7 16:27:09 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Fri, 08 Mar 2013 00:27:09 -0000 Subject: [Bro-Dev] #958: Mismatched New [] / Delete in RE.cc In-Reply-To: <045.50d049209b8a94782acd58bfb5a3f4c0@tracker.bro.org> References: <045.50d049209b8a94782acd58bfb5a3f4c0@tracker.bro.org> Message-ID: <060.2c6ebe86f38819f761879af39b646100@tracker.bro.org> #958: Mismatched New [] / Delete in RE.cc -----------------------------+------------------------ Reporter: jbaines | Owner: Type: Patch | Status: closed Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Changes (by robin): * status: new => closed * resolution: => Solved/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Thu Mar 7 17:07:56 2013 
From: robin at icir.org (Robin Sommer) Date: Thu, 7 Mar 2013 17:07:56 -0800 Subject: [Bro-Dev] UnitTests - Build # 904 - Failure! In-Reply-To: <1489645427.5.1362704556244.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> References: <1489645427.5.1362704556244.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> Message-ID: <20130308010756.GC12708@icir.org> On Thu, Mar 07, 2013 at 19:02 -0600, jenkins at brotestbed.ncsa.illinois.edu wrote: > scripts.base.frameworks.input.tableevent ... failed This one keeps failing frequently (but not always) for me too. Anybody up for seeing if it can be fixed? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bernhard at ICSI.Berkeley.EDU Thu Mar 7 20:09:40 2013 From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Thu, 7 Mar 2013 20:09:40 -0800 Subject: [Bro-Dev] UnitTests - Build # 904 - Failure! In-Reply-To: <20130308010756.GC12708@icir.org> References: <1489645427.5.1362704556244.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20130308010756.GC12708@icir.org> Message-ID: <69DB9AFD-80E0-49EC-9A34-6563F89543CF@icsi.berkeley.edu> On Mar 7, 2013, at 5:07 PM, Robin Sommer wrote: > > > On Thu, Mar 07, 2013 at 19:02 -0600, jenkins at brotestbed.ncsa.illinois.edu wrote: > >> scripts.base.frameworks.input.tableevent ... failed > > This one keeps failing frequently (but not always) for me too. Anybody > up for seeing if it can be fixed? I will take a look at it... From bernhard at ICSI.Berkeley.EDU Thu Mar 7 20:25:03 2013 
From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Thu, 7 Mar 2013 20:25:03 -0800 Subject: [Bro-Dev] UnitTests - Build # 904 - Failure! In-Reply-To: <69DB9AFD-80E0-49EC-9A34-6563F89543CF@icsi.berkeley.edu> References: <1489645427.5.1362704556244.JavaMail.jenkins@brotestbed.ncsa.illinois.edu> <20130308010756.GC12708@icir.org> <69DB9AFD-80E0-49EC-9A34-6563F89543CF@icsi.berkeley.edu> Message-ID: Ok, I think I got it. That is a fun race condition that I did not think of while writing the test. At the moment, the test depends on the fact that the event that prints the output will not be called before all lines have been handled by the input-manager. However, while this apparently is true in most cases - it does not always have to be true. Sometimes, the first queued events are handled by the bro scripting layer before the input manager got all lines from the reader. Hence, the table output differs. Will commit a fixed version in a minute :) On Mar 7, 2013, at 8:09 PM, Bernhard Amann wrote: > > On Mar 7, 2013, at 5:07 PM, Robin Sommer wrote: > >> >> >> On Thu, Mar 07, 2013 at 19:02 -0600, jenkins at brotestbed.ncsa.illinois.edu wrote: >> >>> scripts.base.frameworks.input.tableevent ... failed >> >> This one keeps failing frequently (but not always) for me too. Anybody >> up for seeing if it can be fixed? > > I will take a look at it... > > > _______________________________________________ > bro-dev mailing list > bro-dev at bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev From bro at tracker.bro.org Fri Mar 8 00:34:22 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Fri, 08 Mar 2013 08:34:22 -0000 Subject: [Bro-Dev] #959: Issue with HTTP POST file extraction Message-ID: <053.73b1f09c914ba29a5a03087f31031eae@tracker.bro.org> #959: Issue with HTTP POST file extraction -----------------------------+--------------------- Reporter: gregoire.moreau | Type: Problem Status: new | Priority: Low Milestone: Bro2.2 | Component: Bro Version: 2.1 | Keywords: -----------------------------+--------------------- I've had a problem with the extraction of HTTP POST file content with bro2.1 stable, there's no problem with incoming content. I use a modified http/file-extract.bro script. My tests were mainly done with PDF content. The problem is whenever a 0x0d is found in the content, it is replaced with 0x0d0a. I've found a little workaround, but I'm not sure about all the borders effects it could have. Also, it may not be the good way to correct the problem... The workaround is as follows in HTTP.cc: *************** HTTP_Analyzer::HTTP_Analyzer(Connection* *** 808,813 **** --- 808,814 ---- reply_reason_phrase = 0; content_line_orig = new ContentLine_Analyzer(conn, true); + content_line_orig->SetCRLFAsEOL(CR_as_EOL & LF_as_EOL); AddSupportAnalyzer(content_line_orig); With the workaround it still adds one CRLF at the end of some PDF files. As I wish to keep the hashes of the files it does matter :) -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro.org Fri Mar 8 00:00:03 2013
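Review bot: The argument on the added line, CR_as_EOL & LF_as_EOL, is a bitwise AND of two flag constants, so if they are distinct single-bit flags it evaluates to 0; if the intent is "treat neither a bare CR nor a bare LF as end of line", pass that value explicitly or add a comment saying so, because the expression reads as if it were meant to combine the flags (which would be |). Only content_line_orig is changed in this hunk, so any matching reply-side content-line analyzer keeps its default and the two directions would then split lines differently. The ticket text also says a trailing CRLF is still appended to some extracted files, so the change does not yet give byte-exact extraction, which is what the file hashes depend on; a test with a POST body containing lone 0x0d bytes and a known hash would show whether the fix is complete.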
From: noreply at bro.org (Merge Tracker) Date: Fri, 8 Mar 2013 00:00:03 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303080800.r28803jM026388@bro-ids.icir.org> > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | 1fb05da | Bernhard Amann | 2013-03-07 | Fix race-condition in table-event test. [1] pysubnettree | da9a8cf | Jon Siwek | 2013-03-07 | Fix warning: comparison of unsigned expression < 0 is always false. [2] [1] fastpath: http://tracker.bro.org/bro/changeset/1fb05da9cd7df317fb758ba24c3b4edb47e5651f/bro [2] fastpath: http://tracker.bro.org/bro/changeset/da9a8cf4d2e7d3e8ba61ff75336dceb74e95740e/pysubnettree From bro at tracker.bro.org Fri Mar 8 14:12:04 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Fri, 08 Mar 2013 22:12:04 -0000 Subject: [Bro-Dev] #960: topic/dnthayer/cleanup Message-ID: <046.863b76dbfffce94f920d191492d36a13@tracker.bro.org> #960: topic/dnthayer/cleanup ---------------------------+------------------------ Reporter: dnthayer | Owner: Type: Merge Request | Status: new Priority: Low | Milestone: Bro2.2 Component: BroControl | Version: git/master Keywords: | ---------------------------+------------------------ This branch fixes various issues with broctl. Most of the fixes are related to the broctl plugin API. Here are the one-line summaries of all commits in this branch: Check for plugins with same prefix Prevent capstats from being run with invalid args Fix plugin inconsistency for certain broctl commands Document the broctl user option KeepLogs Add a note in documentation about editing crontab Fix broctl plugin option names to be case-insensitive Remove reserved word "cluster" from node args Fix documentation of broctl commands Add calls to plugin cmd_restart_pre/post methods Fix instructions for adding plugin directories Fix the broctl check command to report results Fix handling of cmd_diag_pre for diag command Changed return value of plugin API "execute" method Add return value to some cmd__pre methods Add a check for state variables in broctl.cfg Changed "hosts" method to return list of hosts Call "done" method from plugin API Call hostStatusChanged with correct arg type Fix the parseNodes method in plugin API Fix the "error" method in broctl plugin API Fixed tab-completion of commands with node args Fix broctl plugin API documentation errors Fix typos in TestPlugin output messages Add cron "--no-watch" option to broctl "help" output Fix the "execute" method of the Plugin class Fix various bugs and remove some unused code -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Fri Mar 8 14:58:49 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Fri, 08 Mar 2013 22:58:49 -0000 Subject: [Bro-Dev] #959: Issue with HTTP POST file extraction In-Reply-To: <053.73b1f09c914ba29a5a03087f31031eae@tracker.bro.org> References: <053.73b1f09c914ba29a5a03087f31031eae@tracker.bro.org> Message-ID: <068.1b3afdcc7bb4e6ac775e76ebd5cdb5f5@tracker.bro.org> #959: Issue with HTTP POST file extraction ------------------------------+-------------------- Reporter: gregoire.moreau | Owner: Type: Problem | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: 2.1 Resolution: | Keywords: ------------------------------+-------------------- Comment (by jsiwek): Are you able to provide a pcap file that triggers this? -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro.org Sat Mar 9 00:00:03 2013 From: noreply at bro.org (Merge Tracker) Date: Sat, 9 Mar 2013 00:00:03 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303090800.r29803rR005845@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ BroControl | 960 [1] | dnthayer | | Low | topic/dnthayer/cleanup [2] [1] #960: http://tracker.bro.org/bro/ticket/960 [2] cleanup: http://tracker.bro.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/cleanup From noreply at bro.org Sun Mar 10 00:00:03 2013 
From: noreply at bro.org (Merge Tracker) Date: Sun, 10 Mar 2013 00:00:03 -0800 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303100800.r2A803Pc017814@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ BroControl | 960 [1] | dnthayer | | Low | topic/dnthayer/cleanup [2] [1] #960: http://tracker.bro.org/bro/ticket/960 [2] cleanup: http://tracker.bro.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/cleanup From bro at tracker.bro.org Sun Mar 10 12:24:12 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Sun, 10 Mar 2013 19:24:12 -0000 Subject: [Bro-Dev] #961: Large Memory Allocation Message-ID: <045.0bd9017d66493b6fcbeda3d7ff367577@tracker.bro.org> #961: Large Memory Allocation ------------------------+--------------------- Reporter: jbaines | Type: Problem Status: new | Priority: Medium Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: ------------------------+---------------------

'''Version''': Master (0075973249906ce1374948b567d261395f99220e)

'''Description''': A wireshark fuzz capture causes a near max uint allocation resulting in an out of memory error.

'''File''': https://www.wireshark.org/download/automated/captures/fuzz-2007-12-18-26236.pcap

'''Output'''

''Command line''
{{{
./bro -C -r fuzz-2007-12-18-26236.pcap
out of memory in new.
1075754676.257579 fatal error: out of memory in new.
}}}

''Valgrind''
{{{
==32162== Warning: silly arg (-9) to __builtin_vec_new()
**32162** new/new[] failed and should throw an exception, but Valgrind
**32162** cannot throw exceptions and so is aborting instead. Sorry.
==32162==    at 0x402A02C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==32162==    by 0x402B2A9: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==32162==    by 0x83964D7: DataBlock::DataBlock(unsigned char const*, int, int, DataBlock*, DataBlock*) (Reassem.cc:23)
==32162==    by 0x8396721: Reassembler::NewBlock(double, int, int, unsigned char const*) (Reassem.cc:85)
==32162==    by 0x831EA53: FragReassembler::AddFragment(double, IP_Hdr const*, unsigned char const*) (Frag.cc:148)
==32162==    by 0x831E6AF: FragReassembler::FragReassembler(NetSessions*, IP_Hdr const*, unsigned char const*, HashKey*, double) (Frag.cc:63)
==32162==    by 0x83C77A5: NetSessions::NextFragment(double, IP_Hdr const*, unsigned char const*) (Sessions.cc:844)
==32162==    by 0x83C6089: NetSessions::DoNextPacket(double, pcap_pkthdr const*, IP_Hdr const*, unsigned char const*, int, EncapsulationStack const*) (Sessions.cc:417)
==32162==    by 0x83C57AD: NetSessions::NextPacket(double, pcap_pkthdr const*, unsigned char const*, int, PacketSortElement*) (Sessions.cc:238)
==32162==    by 0x83C55AC: NetSessions::DispatchPacket(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) (Sessions.cc:186)
==32162==    by 0x8374B67: net_packet_dispatch(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*, PacketSortElement*) (Net.cc:353)
==32162==    by 0x8374DA1: net_packet_arrival(double, pcap_pkthdr const*, unsigned char const*, int, PktSrc*) (Net.cc:416)
}}}

'''The Problem''' The problem is quite simply the subtraction at Frag.cc:148. The subtraction can cause a rollover when hdr_len > len which eventually causes a very large allocation attempt.

'''The Fix''' Attached is a simple fix that checks if hdr_len > len and returns.

-- Ticket URL: Bro Tracker Bro Issue Tracker
From bro at tracker.bro.org Sun Mar 10 12:57:14 2013
From: bro at tracker.bro.org (Bro Tracker) Date: Sun, 10 Mar 2013 19:57:14 -0000 Subject: [Bro-Dev] #962: Internal Error: IPv6_HdrChain Message-ID: <045.aeac58108d1ded52b83d832304e7a1a1@tracker.bro.org> #962: Internal Error: IPv6_HdrChain ------------------------+------------------- Reporter: jbaines | Type: Patch Status: new | Priority: Low Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: ------------------------+-------------------

'''Version''': Master (0075973249906ce1374948b567d261395f99220e)

'''Description''': A wireshark fuzz capture causes an internal error ''IPv6_HdrChain::Init with truncated IP header''

'''File''': https://www.wireshark.org/download/automated/captures/fuzz-2007-03-23-3696.pcap

'''Output'''

''Command line''
{{{
./bro -C -r fuzz-2007-03-23-3696.pcap
1174679695.036000 internal error: IPv6_HdrChain::Init with truncated IP header
Aborted (core dumped)
}}}

''gdb''
{{{
1174679695.036000 internal error: IPv6_HdrChain::Init with truncated IP header

Program received signal SIGABRT, Aborted.
0xb7fdd424 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fdd424 in __kernel_vsyscall ()
#1 0xb7a201df in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2 0xb7a23825 in __GI_abort () at abort.c:91
#3 0x08364eb8 in Reporter::InternalError (this=0x859d2c8, fmt=0x84880d4 "IPv6_HdrChain::Init with truncated IP header") at /projects/bro/src/Reporter.cc:137
#4 0x083583da in IPv6_Hdr_Chain::Init (this=0x8fa8370, ip6=0x8f7fc2e, total_len=-13, set_next=false, next=0) at /projects/bro/src/IP.cc:436
#5 0x0831f091 in IPv6_Hdr_Chain::IPv6_Hdr_Chain (this=0x8fa8370, ip6=0x8f7fc2e, len=-13) at /projects/bro/src/IP.h:149
#6 0x0831f34d in IP_Hdr::IP_Hdr (this=0xbfffed4c, arg_ip6=0x8f7fc2e, arg_del=false, len=-13, c=0x0) at /projects/bro/src/IP.h:359
#7 0x083c5831 in NetSessions::NextPacket (this=0x8f8fc28, t=1174679695.036, hdr=0x8f7f5a8, pkt=0x8f7fc20 "\377MT\r\nETag: \"5eb1cb30fc6fc41:146a\"\r\nContent- Le\aA\324\005", hdr_size=14, pkt_elem=0x0) at /projects/bro/src/Sessions.cc:249
#8 0x083c55ad in NetSessions::DispatchPacket (this=0x8f8fc28, t=1174679695.036, hdr=0x8f7f5a8, pkt=0x8f7fc20 "\377MT\r\nETag: \"5eb1cb30fc6fc41:146a\"\r\nContent- Le\aA\324\005", hdr_size=14, src_ps=0x8f7f570, pkt_elem=0x0) at /projects/bro/src/Sessions.cc:186
#9 0x08374b68 in net_packet_dispatch (t=1174679695.036, hdr=0x8f7f5a8, pkt=0x8f7fc20 "\377MT\r\nETag: \"5eb1cb30fc6fc41:146a\"\r\nContent- Le\aA\324\005", hdr_size=14, src_ps=0x8f7f570, pkt_elem=0x0) at /projects/bro/src/Net.cc:353
#10 0x08374da2 in net_packet_arrival (t=1174679695.036, hdr=0x8f7f5a8, pkt=0x8f7fc20 "\377MT\r\nETag: \"5eb1cb30fc6fc41:146a\"\r\nContent- Le\aA\324\005", hdr_size=14, src_ps=0x8f7f570) at /projects/bro/src/Net.cc:416
#11 0x083893dd in PktSrc::Process (this=0x8f7f570) at /projects/bro/src/PktSrc.cc:303
#12 0x08374ed8 in net_run () at /projects/bro/src/Net.cc:447
#13 0x08289236 in main (argc=4, argv=0xbffff2c4) at /projects/bro/src/main.cc:1077
}}}

'''The Problem''' The problem is a roll over at Sessions.cc:226 when hdr_size > hdr->caplen. The next line doesn't catch the roll over since caplen is unsigned.

'''The Fix''' Add an additional check to make sure that hdr_line < hdr->cap_len

-- Ticket URL: Bro Tracker Bro Issue Tracker
From bro at tracker.bro.org Sun Mar 10 22:16:29 2013
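The length underflow reported in tickets #961 and #962 above, as an added C++ example that is not Bro's source and not the attached patches. The function names and input values are constructed for illustration, chosen so the results line up with the -9 in the Valgrind warning and with hdr_size=14 / len=-13 in the gdb backtrace.

```cpp
// Added illustration of the length-underflow pattern in tickets #961/#962.
// All names and inputs are hypothetical; this is not Bro source code.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// #961 pattern: the payload length is a signed subtraction whose result is
// later used as an allocation size. With hdr_len > len the int is negative
// and the conversion to size_t yields a value just below SIZE_MAX.
std::size_t payload_alloc_size_unchecked(int len, int hdr_len)
{
    int payload = len - hdr_len;
    return static_cast<std::size_t>(payload);
}

// Hardened form: validate before subtracting and report malformed input
// to the caller instead of producing a size.
bool payload_alloc_size_checked(int len, int hdr_len, std::size_t* out)
{
    if (len < 0 || hdr_len < 0 || hdr_len > len)
        return false;
    *out = static_cast<std::size_t>(len - hdr_len);
    return true;
}

// #962 pattern: an unsigned capture length minus the link-layer header
// size. With hdr_size > caplen the result wraps modulo 2^32.
std::uint32_t remaining_unchecked(std::uint32_t caplen, int hdr_size)
{
    return caplen - static_cast<std::uint32_t>(hdr_size);
}

// A "is there room for a network-layer header?" test applied to the wrapped
// value passes, because the wrapped value is huge rather than negative.
bool long_enough_unchecked(std::uint32_t caplen, int hdr_size,
                           std::uint32_t min_l3_hdr)
{
    return remaining_unchecked(caplen, hdr_size) >= min_l3_hdr;
}

// Hardened form: compare first, subtract only when it cannot wrap.
bool long_enough_checked(std::uint32_t caplen, int hdr_size,
                         std::uint32_t min_l3_hdr)
{
    if (hdr_size < 0 || static_cast<std::uint32_t>(hdr_size) > caplen)
        return false;
    return caplen - static_cast<std::uint32_t>(hdr_size) >= min_l3_hdr;
}

int main()
{
    // Constructed fragment: 11 bytes available, header claims 20 (11-20 = -9).
    std::printf("unchecked alloc size: %zu\n",
                payload_alloc_size_unchecked(11, 20));
    std::size_t n = 0;
    std::printf("checked accepts it:   %d\n",
                payload_alloc_size_checked(11, 20, &n));

    // Constructed capture: 1 byte captured, 14-byte link header (1-14 = -13).
    std::printf("unchecked remaining:  %u\n",
                static_cast<unsigned>(remaining_unchecked(1, 14)));
    std::printf("unchecked passes:     %d\n", long_enough_unchecked(1, 14, 20));
    std::printf("checked passes:       %d\n", long_enough_checked(1, 14, 20));
    return 0;
}
```

The checked variants reject the packet before any arithmetic, which is the shape of the fix both tickets propose.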
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 11 Mar 2013 05:16:29 -0000 Subject: [Bro-Dev] #946: Async scriptland functions stack explosion In-Reply-To: <042.f001e605e283dc0f4db60ff8122a5147@tracker.bro.org> References: <042.f001e605e283dc0f4db60ff8122a5147@tracker.bro.org> Message-ID: <057.3db27d623f05895ec25910a870c858f6@tracker.bro.org> #946: Async scriptland functions stack explosion ----------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: closed Priority: Medium | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Comment (by amannb): In [changeset:df96e2703dc123df0542f401521afefc92bbcff6/bro]: {{{ #!CommitTicketReference repository="bro" revision="df96e2703dc123df0542f401521afefc92bbcff6" Fix three bugs with 'when' and 'return when' statements. Addresses #946 - 'when' statements were problematic when used in a function/event/hook that had local variables with an assigned function value. This was because 'when' blocks operate on a clone of the frame and the cloning process serializes locals and the serialization of functions had an infinite cycle in it (ID -> BroFunc -> ID -> BroFunc ...). The ID was only used for the function name and type information, so refactoring Func and subclasses to depend on those two things instead fixes the issue. - 'return when' blocks, specifically, didn't work whenever execution of the containing function's body does another function call before reaching the 'return when' block, because of an assertion. This was due to logic in CallExpr::Eval always clearing the CallExpr associated with the Frame after doing the call, instead of restoring any previous CallExpr, which the code in Trigger::Eval expected to have available. - An assert could be reached when the condition of a 'when' statement depended on checking the value of global state variables. 
The assert in Trigger::QueueTrigger that checks that the Trigger isn't disabled would get hit because Trigger::Eval/Timeout disable themselves after running, but don't unregister themselves from the NotifierRegistry, which keeps calling QueueTrigger for every state access of the global. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Sun Mar 10 22:16:29 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 11 Mar 2013 05:16:29 -0000 Subject: [Bro-Dev] #946: Async scriptland functions stack explosion In-Reply-To: <042.f001e605e283dc0f4db60ff8122a5147@tracker.bro.org> References: <042.f001e605e283dc0f4db60ff8122a5147@tracker.bro.org> Message-ID: <057.928f4f71ccb0b9658cbd52119b5f1fdc@tracker.bro.org> #946: Async scriptland functions stack explosion ----------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: closed Priority: Medium | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Comment (by amannb): In [changeset:2e26b586d3e189040cd49e3fab3b3cadd9b7a7de/bro]: {{{ #!CommitTicketReference repository="bro" revision="2e26b586d3e189040cd49e3fab3b3cadd9b7a7de" Fix memory leaks resulting from 'when' and 'return when' statements. Addresses #946. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Sun Mar 10 22:16:29 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 11 Mar 2013 05:16:29 -0000 Subject: [Bro-Dev] #958: Mismatched New [] / Delete in RE.cc In-Reply-To: <045.50d049209b8a94782acd58bfb5a3f4c0@tracker.bro.org> References: <045.50d049209b8a94782acd58bfb5a3f4c0@tracker.bro.org> Message-ID: <060.7a05487f61d04c318bb553e50b008124@tracker.bro.org> #958: Mismatched New [] / Delete in RE.cc -----------------------------+------------------------ Reporter: jbaines | Owner: Type: Patch | Status: closed Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Comment (by amannb): In [changeset:f0ddb48e0f5a32125787cc41e3305157537f65d6/bro]: {{{ #!CommitTicketReference repository="bro" revision="f0ddb48e0f5a32125787cc41e3305157537f65d6" Fix new[]/delete mismatch in RE.cc reported by jbaines, addresses #958. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Sun Mar 10 22:16:30 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 11 Mar 2013 05:16:30 -0000 Subject: [Bro-Dev] #957: Argument names must match when passing a function by value In-Reply-To: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> References: <046.5e53576e521ba2d2046f479dc2175b0c@tracker.bro.org> Message-ID: <061.ecff007df35c14bb126e65dd6990af09@tracker.bro.org> #957: Argument names must match when passing a function by value ----------------------------+------------------------ Reporter: srunnels | Owner: robin Type: Merge Request | Status: closed Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Comment (by amannb): In [changeset:af58e3e51bf03c965e6c80bd28fa4d1c225920bc/bro]: {{{ #!CommitTicketReference repository="bro" revision="af58e3e51bf03c965e6c80bd28fa4d1c225920bc" Fix function type-equivalence requiring same param names, addresses #957 }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Sun Mar 10 22:16:29 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 11 Mar 2013 05:16:29 -0000 Subject: [Bro-Dev] #934: GPRS Tunneling Protocol (GTP) Analyzer In-Reply-To: <049.1635000582f288d8b4fe141e36aa37ab@tracker.bro.org> References: <049.1635000582f288d8b4fe141e36aa37ab@tracker.bro.org> Message-ID: <064.060866cdbeb01d11a2c70d299379c527@tracker.bro.org> #934: GPRS Tunneling Protocol (GTP) Analyzer -----------------------------+----------------------------------------- Reporter: liamrandall | Owner: Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: GTP GPRS Tunneling Protocol -----------------------------+----------------------------------------- Comment (by amannb): In [changeset:d6609e8c859af3ab8cd1bdb2dd97b96214a56b7d/bro]: {{{ #!CommitTicketReference repository="bro" revision="d6609e8c859af3ab8cd1bdb2dd97b96214a56b7d" Add parsing for GTPv1 extension headers and control messages. Added a generic gtpv1_message event generated for any GTP message type. Added specific events for the create/update/delete PDP context request/response messages. Addresses #934. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro.org Mon Mar 11 00:00:03 2013 From: noreply at bro.org (Merge Tracker) Date: Mon, 11 Mar 2013 00:00:03 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303110700.r2B703X7006017@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ BroControl | 960 [1] | dnthayer | | Low | topic/dnthayer/cleanup [2] [1] #960: http://tracker.bro.org/bro/ticket/960 [2] cleanup: http://tracker.bro.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/cleanup From bro at tracker.bro.org Mon Mar 11 09:00:13 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 11 Mar 2013 16:00:13 -0000 Subject: [Bro-Dev] #961: Large Memory Allocation In-Reply-To: <045.0bd9017d66493b6fcbeda3d7ff367577@tracker.bro.org> References: <045.0bd9017d66493b6fcbeda3d7ff367577@tracker.bro.org> Message-ID: <060.828b93720c9103c5755c565f6bb280e1@tracker.bro.org> #961: Large Memory Allocation ----------------------+------------------------ Reporter: jbaines | Owner: Type: Problem | Status: new Priority: Medium | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by jsiwek): In [changeset:8d5434ef2dd8f9f5e5538a171d73434632fa012d/bro]: {{{ #!CommitTicketReference repository="bro" revision="8d5434ef2dd8f9f5e5538a171d73434632fa012d" Fix large memory allocation in IP fragment reassembly. Addresses #961. Patch by jbaines modified slightly to return earlier so that the problem packet can't cause any state change in the FragReassembler. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 11 10:04:58 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 11 Mar 2013 17:04:58 -0000 Subject: [Bro-Dev] #962: Internal Error: IPv6_HdrChain In-Reply-To: <045.aeac58108d1ded52b83d832304e7a1a1@tracker.bro.org> References: <045.aeac58108d1ded52b83d832304e7a1a1@tracker.bro.org> Message-ID: <060.a635727139d200c4febf64395b812e71@tracker.bro.org> #962: Internal Error: IPv6_HdrChain ----------------------+------------------------ Reporter: jbaines | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by jsiwek): In [changeset:90ca2b87c4b21611a0c7ef37c0e1c465c36f270f/bro]: {{{ #!CommitTicketReference repository="bro" revision="90ca2b87c4b21611a0c7ef37c0e1c465c36f270f" Add check for truncated link frames. Addresses #962. Patch provided by jbaines, modified with a more descriptive Weird name. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 11 18:21:29 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 12 Mar 2013 01:21:29 -0000 Subject: [Bro-Dev] #963: bro-cut fails with gawk < 3.1.6 Message-ID: <045.2276b74f99f6226f06eb7e2b2dc02174@tracker.bro.org> #963: bro-cut fails with gawk < 3.1.6 ------------------------+--------------------- Reporter: ckanich | Type: Patch Status: new | Priority: Low Milestone: | Component: bro-aux Version: git/master | Keywords: ------------------------+--------------------- Was working on a trace machine with a very old awk and bro-cut would error out because of the call to strftime(). Here's a patch, tested with ancient gawk and recent gawk. -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro.org Tue Mar 12 00:00:02 2013 
From: noreply at bro.org (Merge Tracker) Date: Tue, 12 Mar 2013 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303120700.r2C7025j019859@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ BroControl | 960 [1] | dnthayer | | Low | topic/dnthayer/cleanup [2] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | 90ca2b8 | Jon Siwek | 2013-03-11 | Add check for truncated link frames. Addresses #962. [3] bro | 8d5434e | Jon Siwek | 2013-03-11 | Fix large memory allocation in IP fragment reassembly. Addresses #961. [4] [1] #960: http://tracker.bro.org/bro/ticket/960 [2] cleanup: http://tracker.bro.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/cleanup [3] fastpath: http://tracker.bro.org/bro/changeset/90ca2b87c4b21611a0c7ef37c0e1c465c36f270f/bro [4] fastpath: http://tracker.bro.org/bro/changeset/8d5434ef2dd8f9f5e5538a171d73434632fa012d/bro From bro at tracker.bro.org Tue Mar 12 09:28:13 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 12 Mar 2013 16:28:13 -0000 Subject: [Bro-Dev] #964: Memory issues resulting from missing DNS resolution Message-ID: <042.569c7a66425ffe022880ac216a4cfea6@tracker.bro.org> #964: Memory issues resulting from missing DNS resolution ---------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------+------------------------ If a box running Bro doesn't have correctly configured DNS it causes a backup of DNS resolution requests. It looks like the requests aren't timing out quickly enough. We probably need to deal with this one way or another since a failing DNS server should not result in Bro crashing. Maybe we could move more control of Bro's DNS resolution into scriptland? If we had a boolean value that we could flip on or off to enable/disable DNS resolution? Right now we only have the environment variable which is not flexible enough to deal with situations like this. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 12 09:38:01 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 12 Mar 2013 16:38:01 -0000 Subject: [Bro-Dev] #158: Compiling issue on FreeBSD In-Reply-To: <042.0e4f30d210bf2c81f30f39f5e6f22588@tracker.bro.org> References: <042.0e4f30d210bf2c81f30f39f5e6f22588@tracker.bro.org> Message-ID: <057.61ad1fd036b84f0a9d1bb2a595b53a26@tracker.bro.org> #158: Compiling issue on FreeBSD ----------------------+-------------------- Reporter: seth | Owner: Type: Problem | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: 1.5.2 Resolution: Invalid | Keywords: ----------------------+-------------------- Changes (by amannb): * status: seen => closed * resolution: => Invalid * milestone: => Bro2.2 Comment: FreeBSD 7 has been EOL'd a while ago (and I suspect this has been fixed ages ago). -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 12 09:40:19 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 12 Mar 2013 16:40:19 -0000 Subject: [Bro-Dev] #965: merge topic/bernhard/base64 Message-ID: <044.f57d920c9872f79449e6ae9c13ce43b7@tracker.bro.org> #965: merge topic/bernhard/base64 ---------------------------+------------------------ Reporter: amannb | Owner: Type: Merge Request | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | ---------------------------+------------------------ topic/bernhard/base64 adds base64 encoding functionality to bro. The branch also changes a policy scripts and replaces a call to the openssl command-line client with a bif-call. -- Ticket URL: Bro Tracker Bro Issue Tracker From jlay at slave-tothe-box.net Tue Mar 12 10:29:13 2013 
From: jlay at slave-tothe-box.net (James Lay) Date: Tue, 12 Mar 2013 11:29:13 -0600 Subject: [Bro-Dev] Newb needs help Message-ID: Hello! Topic says it...newb that's just starting out with Bro-IDS. I'm looking at the below links: http://www.bro.org/documentation/quickstart.html http://www.bro.org/documentation/logging.html First, how do I disable some of the whole modules? I don't need the communication.log or ssl.log, so I'd like to nuke those. Second, how do I enable multiple interfaces (if possible)? Lastly, is there a more readable format for the log files? Say changing the timestamps to something a little more human readable? Thank you for anything you can assist with. James From noreply at bro.org Wed Mar 13 00:00:05 2013 
From: noreply at bro.org (Merge Tracker) Date: Wed, 13 Mar 2013 00:00:05 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303130700.r2D705UV014832@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 965 [1] | amannb | | Low | merge topic/bernhard/base64 [2] BroControl | 960 [3] | dnthayer | | Low | topic/dnthayer/cleanup [4] > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | 90ca2b8 | Jon Siwek | 2013-03-11 | Add check for truncated link frames. Addresses #962. [5] bro | 8d5434e | Jon Siwek | 2013-03-11 | Fix large memory allocation in IP fragment reassembly. Addresses #961. [6] [1] #965: http://tracker.bro.org/bro/ticket/965 [2] base64: http://tracker.bro.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/base64 [3] #960: http://tracker.bro.org/bro/ticket/960 [4] cleanup: http://tracker.bro.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/cleanup [5] fastpath: http://tracker.bro.org/bro/changeset/90ca2b87c4b21611a0c7ef37c0e1c465c36f270f/bro [6] fastpath: http://tracker.bro.org/bro/changeset/8d5434ef2dd8f9f5e5538a171d73434632fa012d/bro From bro at tracker.bro.org Wed Mar 13 07:33:01 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Wed, 13 Mar 2013 14:33:01 -0000 Subject: [Bro-Dev] #961: Large Memory Allocation In-Reply-To: <045.0bd9017d66493b6fcbeda3d7ff367577@tracker.bro.org> References: <045.0bd9017d66493b6fcbeda3d7ff367577@tracker.bro.org> Message-ID: <060.ac5e414e144c979724555ce4dc92f706@tracker.bro.org> #961: Large Memory Allocation ----------------------+------------------------ Reporter: jbaines | Owner: Type: Problem | Status: new Priority: Medium | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by robin): In [changeset:b4824f4207e43b3cbcc34742f29e2c587bc9f86a/bro]: {{{ #!CommitTicketReference repository="bro" revision="b4824f4207e43b3cbcc34742f29e2c587bc9f86a" Merge remote-tracking branch 'origin/fastpath' * origin/fastpath: Add check for truncated link frames. Addresses #962. Fix large memory allocation in IP fragment reassembly. Addresses #961. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Wed Mar 13 07:33:01 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Wed, 13 Mar 2013 14:33:01 -0000 Subject: [Bro-Dev] #962: Internal Error: IPv6_HdrChain In-Reply-To: <045.aeac58108d1ded52b83d832304e7a1a1@tracker.bro.org> References: <045.aeac58108d1ded52b83d832304e7a1a1@tracker.bro.org> Message-ID: <060.29812bdf7f19413d98ed1b39e84221c2@tracker.bro.org> #962: Internal Error: IPv6_HdrChain ----------------------+------------------------ Reporter: jbaines | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by robin): In [changeset:b4824f4207e43b3cbcc34742f29e2c587bc9f86a/bro]: {{{ #!CommitTicketReference repository="bro" revision="b4824f4207e43b3cbcc34742f29e2c587bc9f86a" Merge remote-tracking branch 'origin/fastpath' * origin/fastpath: Add check for truncated link frames. Addresses #962. Fix large memory allocation in IP fragment reassembly. Addresses #961. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Wed Mar 13 07:34:30 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Wed, 13 Mar 2013 14:34:30 -0000 Subject: [Bro-Dev] #962: Internal Error: IPv6_HdrChain In-Reply-To: <045.aeac58108d1ded52b83d832304e7a1a1@tracker.bro.org> References: <045.aeac58108d1ded52b83d832304e7a1a1@tracker.bro.org> Message-ID: <060.7053df7aafc99e58ef1e2d23069e4515@tracker.bro.org> #962: Internal Error: IPv6_HdrChain -----------------------------+------------------------ Reporter: jbaines | Owner: Type: Patch | Status: closed Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Changes (by robin): * status: new => closed * resolution: => Solved/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Wed Mar 13 07:34:42 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Wed, 13 Mar 2013 14:34:42 -0000 Subject: [Bro-Dev] #961: Large Memory Allocation In-Reply-To: <045.0bd9017d66493b6fcbeda3d7ff367577@tracker.bro.org> References: <045.0bd9017d66493b6fcbeda3d7ff367577@tracker.bro.org> Message-ID: <060.66a42e36177dfbd3bb2581a3df9daeb5@tracker.bro.org> #961: Large Memory Allocation -----------------------------+------------------------ Reporter: jbaines | Owner: Type: Problem | Status: closed Priority: Medium | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Changes (by robin): * status: new => closed * resolution: => Solved/Applied -- Ticket URL: Bro Tracker Bro Issue Tracker From seth at icir.org Wed Mar 13 11:45:03 2013 From: seth at icir.org (Seth Hall) Date: Wed, 13 Mar 2013 14:45:03 -0400 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/exec-module: Added Exec, Dir, and ActiveHTTP modules. (0f99956) In-Reply-To: <201303131837.r2DIbXI7021765@bro-ids.icir.org> References: <201303131837.r2DIbXI7021765@bro-ids.icir.org> Message-ID: <5752D85A-03A4-4BBE-81C7-18E38B2D91C8@icir.org> On Mar 13, 2013, at 2:37 PM, Seth Hall wrote: > Added Exec, Dir, and ActiveHTTP modules. FYI, these aren't appropriate for "real world" use yet due to an outstanding issue with thread cleanup. .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From vallentin at icir.org Wed Mar 13 12:10:29 2013 
From: vallentin at icir.org (Matthias Vallentin) Date: Wed, 13 Mar 2013 12:10:29 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/exec-module: Added Exec, Dir, and ActiveHTTP modules. (0f99956) In-Reply-To: <5752D85A-03A4-4BBE-81C7-18E38B2D91C8@icir.org> References: <201303131837.r2DIbXI7021765@bro-ids.icir.org> <5752D85A-03A4-4BBE-81C7-18E38B2D91C8@icir.org> Message-ID: >> Added Exec, Dir, and ActiveHTTP modules. Why is this called ActiveHTTP as opposed to just HTTP? Matthias From seth at icir.org Wed Mar 13 12:31:27 2013 From: seth at icir.org (Seth Hall) Date: Wed, 13 Mar 2013 15:31:27 -0400 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/exec-module: Added Exec, Dir, and ActiveHTTP modules. (0f99956) In-Reply-To: References: <201303131837.r2DIbXI7021765@bro-ids.icir.org> <5752D85A-03A4-4BBE-81C7-18E38B2D91C8@icir.org> Message-ID: On Mar 13, 2013, at 3:10 PM, Matthias Vallentin wrote: >>> Added Exec, Dir, and ActiveHTTP modules. > > Why is this called ActiveHTTP as opposed to just HTTP? HTTP as a module name is already taken. ;) .Seth -- Seth Hall International Computer Science Institute (Bro) because everyone has a network http://www.bro.org/ From bernhard at ICSI.Berkeley.EDU Wed Mar 13 12:38:21 2013 From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann) Date: Wed, 13 Mar 2013 12:38:21 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/seth/exec-module: Added Exec, Dir, and ActiveHTTP modules. (0f99956) In-Reply-To: References: <201303131837.r2DIbXI7021765@bro-ids.icir.org> <5752D85A-03A4-4BBE-81C7-18E38B2D91C8@icir.org> Message-ID: <13778B0E-997C-4498-BF00-A18C89B94FA8@icsi.berkeley.edu> On Mar 13, 2013, at 12:10 PM, Matthias Vallentin wrote: >>> Added Exec, Dir, and ActiveHTTP modules. > > Why is this called ActiveHTTP as opposed to just HTTP? Probably because it makes http requests and does not monitor :) Bernhard From noreply at bro.org Thu Mar 14 00:00:02 2013 
From: noreply at bro.org (Merge Tracker) Date: Thu, 14 Mar 2013 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303140700.r2E7024R029516@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 965 [1] | amannb | | Low | merge topic/bernhard/base64 [2] BroControl | 960 [3] | dnthayer | | Low | topic/dnthayer/cleanup [4] [1] #965: http://tracker.bro.org/bro/ticket/965 [2] base64: http://tracker.bro.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/base64 [3] #960: http://tracker.bro.org/bro/ticket/960 [4] cleanup: http://tracker.bro.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/cleanup From bro at tracker.bro.org Thu Mar 14 07:08:57 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 14 Mar 2013 14:08:57 -0000 Subject: [Bro-Dev] #938: topic/seth/software-version-updates2 Updates to vulnerable software checking. In-Reply-To: <043.ee64833d89326a8046080165a43a4c4e@tracker.bro.org> References: <043.ee64833d89326a8046080165a43a4c4e@tracker.bro.org> Message-ID: <058.d8db57e81190a0b735cbaea69ebe7d98@tracker.bro.org> #938: topic/seth/software-version-updates2 Updates to vulnerable software checking. ---------------------+------------------------ Reporter: robin | Owner: robin Type: Task | Status: assigned Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ---------------------+------------------------ Changes (by seth): * owner: seth => robin Comment: Tests all pass now, ready to merge. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 14 07:09:10 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 14 Mar 2013 14:09:10 -0000 Subject: [Bro-Dev] #938: topic/seth/software-version-updates2 Updates to vulnerable software checking. In-Reply-To: <043.ee64833d89326a8046080165a43a4c4e@tracker.bro.org> References: <043.ee64833d89326a8046080165a43a4c4e@tracker.bro.org> Message-ID: <058.5918e64b6f63113dbbde5095647451ae@tracker.bro.org> #938: topic/seth/software-version-updates2 Updates to vulnerable software checking. ----------------------------+------------------------ Reporter: robin | Owner: robin Type: Merge Request | Status: assigned Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Changes (by seth): * type: Task => Merge Request -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Thu Mar 14 09:44:41 2013 
From: robin at icir.org (Robin Sommer) Date: Thu, 14 Mar 2013 09:44:41 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/jsiwek/experimental-faf: FileAnalysis: buffer input that can't get unique file handle immediately (637fe69) In-Reply-To: <201303141602.r2EG2oTp023383@bro-ids.icir.org> References: <201303141602.r2EG2oTp023383@bro-ids.icir.org> Message-ID: <20130314164441.GB83606@icir.org> On Thu, Mar 14, 2013 at 09:02 -0700, Jonathan Siwek wrote: > FileAnalysis: buffer input that can't get unique file handle immediately Once you have the basic infrastructure in place, can you add logging to prof.log that records stats on the current state of the file analysis (things like current # handles, total number # handles so far, data buffered vs non-buffered, data in reassembler (once that's there) etc.; maybe break it down by analyzer as well). That'll be helpful for both understanding performance and potentially debugging if something goes wrong. Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From noreply at bro.org Fri Mar 15 00:00:02 2013 
From: noreply at bro.org (Merge Tracker) Date: Fri, 15 Mar 2013 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303150700.r2F702R8007293@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 938 [1] | robin | robin | Normal | topic/seth/software-version-updates2 Updates to vulnerable software checking. [2] Bro | 965 [3] | amannb | | Low | merge topic/bernhard/base64 [4] BroControl | 960 [5] | dnthayer | | Low | topic/dnthayer/cleanup [6] [1] #938: http://tracker.bro.org/bro/ticket/938 [2] software-version-updates2: http://tracker.bro.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/software-version-updates2 [3] #965: http://tracker.bro.org/bro/ticket/965 [4] base64: http://tracker.bro.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/base64 [5] #960: http://tracker.bro.org/bro/ticket/960 [6] cleanup: http://tracker.bro.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/cleanup From bro at tracker.bro.org Fri Mar 15 16:52:51 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Fri, 15 Mar 2013 23:52:51 -0000 Subject: [Bro-Dev] #966: logging and input framework config maps do not support values containing \0 Message-ID: <044.fbe99dbe0eaf8124c6c9b31d519eebeb@tracker.bro.org> #966: logging and input framework config maps do not support values containing \0 -----------------------+------------------------ Reporter: amannb | Owner: Type: Problem | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: threading | -----------------------+------------------------ The config maps in the input and logging frameworks are defined as map, thus allowing no \0 in values, where they could arguably be useful. This is due to the fact that we do not have a thread-safe string class available at the moment. -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro.org Sat Mar 16 00:00:02 2013 
From: noreply at bro.org (Merge Tracker) Date: Sat, 16 Mar 2013 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303160700.r2G702j6031394@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 938 [1] | robin | robin | Normal | topic/seth/software-version-updates2 Updates to vulnerable software checking. [2] Bro | 965 [3] | amannb | | Low | merge topic/bernhard/base64 [4] BroControl | 960 [5] | dnthayer | | Low | topic/dnthayer/cleanup [6] [1] #938: http://tracker.bro.org/bro/ticket/938 [2] software-version-updates2: http://tracker.bro.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/software-version-updates2 [3] #965: http://tracker.bro.org/bro/ticket/965 [4] base64: http://tracker.bro.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/base64 [5] #960: http://tracker.bro.org/bro/ticket/960 [6] cleanup: http://tracker.bro.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/cleanup From bro at tracker.bro.org Sat Mar 16 09:34:32 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Sat, 16 Mar 2013 16:34:32 -0000 Subject: [Bro-Dev] #967: Fix for possible memleak in nb_dns Message-ID: <048.53ffb64a7bb1950d5e58b34080b2c351@tracker.bro.org> #967: Fix for possible memleak in nb_dns ------------------------+--------------------- Reporter: grigorescu | Type: Problem Status: new | Priority: Low Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: ------------------------+--------------------- I'm not entirely sure if this codepath can even be reached at the moment, but a possible memleak exists in nb_dns. Fix is: {{{ diff --git a/src/nb_dns.c b/src/nb_dns.c index e8595e6..33a0083 100644 --- a/src/nb_dns.c +++ b/src/nb_dns.c 
@@ -265,6 +265,7 @@ _nb_dns_mkquery(register struct nb_dns_info *nd, register const char *name, default: snprintf(errstr, NB_DNS_ERRSIZE, "_nb_dns_mkquery: bad family %d", atype); + free(ne); return (-1); } }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Sat Mar 16 10:02:12 2013 From: robin at icir.org (Robin Sommer) Date: Sat, 16 Mar 2013 10:02:12 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/input-update: make reading from stdout and stderr simultaneously work. (6fef99e) In-Reply-To: <201303161656.r2GGu904024934@bro-ids.icir.org> References: <201303161656.r2GGu904024934@bro-ids.icir.org> Message-ID: <20130316170212.GA14614@icir.org> On Sat, Mar 16, 2013 at 09:56 -0700, Bernhard Amann wrote: > make reading from stdout and stderr simultaneously work. Very cool! Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From noreply at bro.org Sun Mar 17 00:00:07 2013 
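Review bot: in the nb_dns.c hunk from #967, the new free(ne) sits in the default: branch of _nb_dns_mkquery just before return (-1), but the visible context shows neither where ne is allocated nor whether it has already been linked into any structure reachable from nd by this point. Please confirm the entry is only linked after the switch; if it is linked earlier, freeing it here leaves a dangling pointer and the entry should be unlinked first. Since only this one error return is patched, it is also worth checking any other return (-1) paths between the allocation and the end of the function for the same leak.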
From: noreply at bro.org (Merge Tracker) Date: Sun, 17 Mar 2013 00:00:07 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303170700.r2H707ON014372@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 938 [1] | robin | robin | Normal | topic/seth/software-version-updates2 Updates to vulnerable software checking. [2] Bro | 965 [3] | amannb | | Low | merge topic/bernhard/base64 [4] BroControl | 960 [5] | dnthayer | | Low | topic/dnthayer/cleanup [6] [1] #938: http://tracker.bro.org/bro/ticket/938 [2] software-version-updates2: http://tracker.bro.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/software-version-updates2 [3] #965: http://tracker.bro.org/bro/ticket/965 [4] base64: http://tracker.bro.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/base64 [5] #960: http://tracker.bro.org/bro/ticket/960 [6] cleanup: http://tracker.bro.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/cleanup From robin at icir.org Sun Mar 17 22:35:28 2013 From: robin at icir.org (Robin Sommer) Date: Sun, 17 Mar 2013 22:35:28 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/base64: fix compiler warning (hopefully) (c3dd399) In-Reply-To: <201303172315.r2HNFveV031440@bro-ids.icir.org> References: <201303172315.r2HNFveV031440@bro-ids.icir.org> Message-ID: <20130318053528.GJ49192@icir.org> On Sun, Mar 17, 2013 at 16:15 -0700, Bernhard Amann wrote: > fix compiler warning (hopefully) I'm still getting it: warning: operation on ‘i’ may be undefined [-Wsequence-point] Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From noreply at bro.org Mon Mar 18 00:00:02 2013 
From: noreply at bro.org (Merge Tracker) Date: Mon, 18 Mar 2013 00:00:02 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303180700.r2I702qu006260@bro-ids.icir.org> > Open Merge Requests for Bro2.2 > ============================== Component | Id | Reporter | Owner | Prio | Summary ------------------------------------------------------------------------------------------------------------------ Bro | 938 [1] | robin | robin | Normal | topic/seth/software-version-updates2 Updates to vulnerable software checking. [2] Bro | 965 [3] | amannb | | Low | merge topic/bernhard/base64 [4] BroControl | 960 [5] | dnthayer | | Low | topic/dnthayer/cleanup [6] [1] #938: http://tracker.bro.org/bro/ticket/938 [2] software-version-updates2: http://tracker.bro.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/seth/software-version-updates2 [3] #965: http://tracker.bro.org/bro/ticket/965 [4] base64: http://tracker.bro.org/bro/changeset?old_path=%2Fbro&old=master&new_path=%2Fbro&new=topic/bernhard/base64 [5] #960: http://tracker.bro.org/bro/ticket/960 [6] cleanup: http://tracker.bro.org/bro/changeset?old_path=%2Fbrocontrol&old=master&new_path=%2Fbrocontrol&new=topic/dnthayer/cleanup From bro at tracker.bro.org Mon Mar 18 05:56:26 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 12:56:26 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions Message-ID: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions ------------------------+------------------------ Reporter: yun | Type: Patch Status: new | Priority: Low Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: bytestring ------------------------+------------------------ Attached is a patch to add the following functions to bro.bif: * bytestring_to_uint16 * bytestring_to_uint32 * bytestring_to_uint64 Tests are also included. The patch is based on #908 -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 06:03:02 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 13:03:02 -0000 Subject: [Bro-Dev] #969: Add reverse function to strings.bif Message-ID: <041.0e5390fd3c94e434a4a9fdb46342dff0@tracker.bro.org> #969: Add reverse function to strings.bif ------------------------+------------------- Reporter: yun | Type: Patch Status: new | Priority: Low Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: ------------------------+------------------- Attached is a patch to have a "reverse" function so you can reverse a (byte)string. Tests are also included. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 06:10:22 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 13:10:22 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.27d8a14da6d13f03b6f70d2504b45532@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by seth): > * bytestring_to_uint16 > * bytestring_to_uint32 > * bytestring_to_uint64 Could you explain how these functions satisfy some use case that the existing to_count does not? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 06:48:06 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 13:48:06 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.672b3923048e176c5249575ccf8a9d9c@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by yun): Replying to [comment:2 seth]: > > * bytestring_to_uint16 > > * bytestring_to_uint32 > > * bytestring_to_uint64 > > > Could you explain how these functions satisfy some use case that the existing to_count does not? Consider the following example struct which is transferred over the network:
{{{
struct {
    short flags;       // 1 = hostname, 2 = whatever
    uint32 length;     // length of the following string
    byte payload[*];   // hostname, size is specified in length
} my_message
}}}
I can then read it with the following bro code:
{{{
# Read the 2-byte flags field, then the 4-byte length and the payload.
local flags = bytestring_to_uint16(sub_bytes(data, 0, 2));
if ( flags == 1 )
    {
    local length = bytestring_to_uint32(sub_bytes(data, 2, 4));
    local payload = sub_bytes(data, 6, length);
    }
}}}
With to_count() I would first need to have a string representation of the value to get the actual integer value. So in short, to_count("\x00\x01") is different than bytestring_to_uint16("\x00\x01"). -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 07:15:59 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 14:15:59 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.5ad61f452e276b4ca162e2eae029dcce@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by seth): > So in short, to_count("\x00\x01") is different than > bytestring_to_uint16("\x00\x01"). Ah, good point. I totally missed that. Is there some reason that you have differentiated on different bit lengths? That's what I was mostly focusing on with my comment earlier. It seems like you should have only implemented bytestring_to_count. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 07:54:04 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 14:54:04 -0000 Subject: [Bro-Dev] #967: Fix for possible memleak in nb_dns In-Reply-To: <048.53ffb64a7bb1950d5e58b34080b2c351@tracker.bro.org> References: <048.53ffb64a7bb1950d5e58b34080b2c351@tracker.bro.org> Message-ID: <063.32087f3a70f54dc22df3d4c416eabf1a@tracker.bro.org> #967: Fix for possible memleak in nb_dns -------------------------+------------------------ Reporter: grigorescu | Owner: robin Type: Problem | Status: closed Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: -------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [changeset:c39223e226235e42acdb6411b1cfc19858939e8b/bro]: {{{ #!CommitTicketReference repository="bro" revision="c39223e226235e42acdb6411b1cfc19858939e8b" Fixing potential leak in DNS error case. From Vlad. Closes #967. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 07:54:04 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 14:54:04 -0000 Subject: [Bro-Dev] #965: merge topic/bernhard/base64 In-Reply-To: <044.f57d920c9872f79449e6ae9c13ce43b7@tracker.bro.org> References: <044.f57d920c9872f79449e6ae9c13ce43b7@tracker.bro.org> Message-ID: <059.38de242f51677d4927671829998f21df@tracker.bro.org> #965: merge topic/bernhard/base64 ----------------------------+------------------------ Reporter: amannb | Owner: robin Type: Merge Request | Status: closed Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [changeset:d58a02aa01f0a1d2aed4b46b65e2534122e1acd6/bro]: {{{ #!CommitTicketReference repository="bro" revision="d58a02aa01f0a1d2aed4b46b65e2534122e1acd6" Merge remote-tracking branch 'origin/topic/bernhard/base64' * origin/topic/bernhard/base64: and re-enable caching of extracted certs and add base64 bif tests. re-unify classes and modernize script. add base64-encode functionality and bif. Closes #965. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 07:54:04 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 14:54:04 -0000 Subject: [Bro-Dev] #938: topic/seth/software-version-updates2 Updates to vulnerable software checking. In-Reply-To: <043.ee64833d89326a8046080165a43a4c4e@tracker.bro.org> References: <043.ee64833d89326a8046080165a43a4c4e@tracker.bro.org> Message-ID: <058.1b1afcd638a23d9a5afb7f665bb5664e@tracker.bro.org> #938: topic/seth/software-version-updates2 Updates to vulnerable software checking. ----------------------------+------------------------ Reporter: robin | Owner: robin Type: Merge Request | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * status: assigned => closed * resolution: => fixed Comment: In [changeset:788c0d547db1f0560cbcee647b8f06e9027386c2/bro]: {{{ #!CommitTicketReference repository="bro" revision="788c0d547db1f0560cbcee647b8f06e9027386c2" Merge remote-tracking branch 'origin/topic/seth/software-version-updates2' * origin/topic/seth/software-version-updates2: Correctly handle DNS lookups for software version ranges. Improvements to vulnerable software detection. Update software version parsing and comparison to account for a third numeric subversion. Closes #938. }}} -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 07:54:23 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 14:54:23 -0000 Subject: [Bro-Dev] #960: topic/dnthayer/cleanup In-Reply-To: <046.863b76dbfffce94f920d191492d36a13@tracker.bro.org> References: <046.863b76dbfffce94f920d191492d36a13@tracker.bro.org> Message-ID: <061.52e66a711c0e0d344e9429e6e5c77a49@tracker.bro.org> #960: topic/dnthayer/cleanup ----------------------------+------------------------ Reporter: dnthayer | Owner: robin Type: Merge Request | Status: closed Priority: Low | Milestone: Bro2.2 Component: BroControl | Version: git/master Resolution: fixed | Keywords: ----------------------------+------------------------ Changes (by robin): * owner: => robin * status: new => closed * resolution: => fixed Comment: In [changeset:3e3ada3c2efebeda1278b8897859dd7c7d61e671/broctl]: {{{ #!CommitTicketReference repository="broctl" revision="3e3ada3c2efebeda1278b8897859dd7c7d61e671" Merge remote-tracking branch 'origin/topic/dnthayer/cleanup' * origin/topic/dnthayer/cleanup: (27 commits) Check for plugins with same prefix Prevent capstats from being run with invalid args Fix plugin inconsistency for certain broctl commands Document the broctl user option KeepLogs Add a note in documentation about editing crontab Fix broctl plugin option names to be case-insensitive Remove reserved word "cluster" from node args Fix documentation of broctl commands Add calls to plugin cmd_restart_pre/post methods Fix instructions for adding plugin directories Fix the broctl check command to report results Fix handling of cmd_diag_pre for diag command Changed return value of plugin API "execute" method Add return value to some cmd__pre methods Add a check for state variables in broctl.cfg Changed "hosts" method to return list of hosts Call "done" method from plugin API Call hostStatusChanged with correct arg type Fix the parseNodes method in plugin API Fix the "error" method in broctl plugin API ... Closes #960. 
}}} -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Mon Mar 18 08:37:31 2013 From: robin at icir.org (Robin Sommer) Date: Mon, 18 Mar 2013 08:37:31 -0700 Subject: [Bro-Dev] broctl restart Message-ID: <20130318153731.GE66013@icir.org> Daniel, I've a question/task regarding broctl's "restart". Before merging #960, there was this code: if clean: # Can't delete the tmp here because log archival might still be # going on there in the background. util.output("cleaning up ...") self.do_cleanup("--keep-tmp " + args) self.postcmd(False, "--keep-tmp " + args) You removed the --keep-tmp option, which makes sense because it didn't do anything. However, I'm concerned that that might have been there for a reason, per the comment (which I've removed now too because without the --keep-tmp, it doesn't apply anymore). Is it possible that we still have a problem there that if somebody does "restart --clean", logs might get deleted before they're completely archived? I'm wondering if the --keep-tmp code might have just gotten lost at some point accidentally. Also, maybe related or not, we got a report that "broctl restart" (without --clean) apparently *does* delete logs occasionally before they get archived. So independent of --keep-tmp, I'm wondering if we have a similar problem elsewhere. Can you take a closer look at these and see if you find something? I'll also open a ticket. Thanks, Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bro at tracker.bro.org Mon Mar 18 10:10:57 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 17:10:57 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.133fbb295490e8ad1f876b11f1e1ec7f@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by yun): Replying to [comment:6 seth]: > Is there some reason that you have differentiated on different bit lengths? That's what I was mostly focusing on with my comment earlier. It seems like you should have only implemented bytestring_to_count. I initially only needed to read a 32bit unsigned integer, so implemented that. After that I had a use case for reading a 16bit unsigned short. Then I added the 64bit to make the patch more complete. I'm up for a more generic bytestring_to_count() but in most cases you would be reading the basic data types from the network, which are 16bit, 32bit, 64bit. Maybe we can model it after the struct.unpack() like in Python? It uses the first parameter that indicates what datatype you are actually unpacking. See here: http://docs.python.org/2/library/struct.html#format-characters -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 11:03:00 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 18:03:00 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.0634c2924462fe08856e66d788099ab2@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by seth): > Maybe we can model it after the struct.unpack() like in Python? It uses > the first parameter that indicates what datatype you are actually > unpacking. You should be doing very minimal data structure parsing in script land. What's the use case that's driving you to do so much parsing in Bro scripts? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 12:57:08 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 19:57:08 -0000 Subject: [Bro-Dev] #970: broctl restart eating logs? Message-ID: <043.5d6412f7ce4509d8495a47e06660809a@tracker.bro.org> #970: broctl restart eating logs? ------------------------+----------------------------- Reporter: robin | Type: Problem Status: new | Priority: Low Milestone: Bro2.2 | Component: Bro Version: git/master | Resolution: Solved/Applied ------------------------+----------------------------- It looks like "broctl restart" sometimes deletes logs before they get archived. We need to investigate what might be going on there. This may or may not be related to the missing support for the old "--keep-tmp" option. However, it seems to happen without --clear as well. Aashish can provide details / help test fixes. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 12:59:58 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 19:59:58 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.95d9a56d145980f03ae5e15225d5a2df@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by yun): Replying to [comment:8 seth]: > You should be doing very minimal data structure parsing in script land. What's the use case that's driving you to do so much parsing in Bro scripts? I needed it for some specific detection policies that I cannot share here. But it's not much parsing, just doing some comparing and extraction of values for logging purposes. One example that resembles my use case: Parse a specific HTTP header that is Base64 encoded and decodes to a specific struct. So decode it, extract the values that I'm interested in, and log some of the decoded information if it's interesting. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 13:05:05 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 20:05:05 -0000 Subject: [Bro-Dev] #970: broctl restart eating logs? In-Reply-To: <043.5d6412f7ce4509d8495a47e06660809a@tracker.bro.org> References: <043.5d6412f7ce4509d8495a47e06660809a@tracker.bro.org> Message-ID: <058.25cfcc4161e75767a096bba710b7f337@tracker.bro.org> #970: broctl restart eating logs? -----------------------------+------------------------ Reporter: robin | Owner: Type: Problem | Status: new Priority: High | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Changes (by robin): * priority: Low => High -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 13:16:57 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 20:16:57 -0000 Subject: [Bro-Dev] #920: Have broctl return useful exit codes In-Reply-To: <048.810250bf9909bb4bfc0a6a9683024571@tracker.bro.org> References: <048.810250bf9909bb4bfc0a6a9683024571@tracker.bro.org> Message-ID: <063.45358aac7aef8b22b6f389813b20678d@tracker.bro.org> #920: Have broctl return useful exit codes -------------------------+------------------------ Reporter: grigorescu | Owner: dnthayer Type: Patch | Status: assigned Priority: Normal | Milestone: Bro2.2 Component: BroControl | Version: git/master Resolution: | Keywords: -------------------------+------------------------ Changes (by robin): * owner: => dnthayer * status: new => assigned Comment: Daniel, can you take a look at this? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Mon Mar 18 13:17:28 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Mon, 18 Mar 2013 20:17:28 -0000 Subject: [Bro-Dev] #950: Add client/server random to SSL hello events In-Reply-To: <043.088379f15456e676d3bb0febf8d58934@tracker.bro.org> References: <043.088379f15456e676d3bb0febf8d58934@tracker.bro.org> Message-ID: <058.786dc21604780f00e8acd62ddd1993dd@tracker.bro.org> #950: Add client/server random to SSL hello events --------------------+------------------------ Reporter: ewust | Owner: bernhard Type: Patch | Status: assigned Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: --------------------+------------------------ Changes (by robin): * owner: => bernhard * status: new => assigned Comment: Bernhard, mind taking a look? -- Ticket URL: Bro Tracker Bro Issue Tracker From noreply at bro.org Tue Mar 19 00:00:03 2013 From: noreply at bro.org (Merge Tracker) Date: Tue, 19 Mar 2013 00:00:03 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201303190700.r2J7032A030224@bro-ids.icir.org> > Unmerged Fastpath Commits > ========================= Component | Revision | Committer | Date | Summary ------------------------------------------------------------------------------------------------------------------ bro | 4aab992 | Bernhard Amann | 2013-03-18 | fix gcc compile warning in Benchmark reader [1] bro | 873d054 | Bernhard Amann | 2013-03-18 | fix gcc compile warning in base64 encoder [2] [1] fastpath: http://tracker.bro.org/bro/changeset/4aab9921be3e5cfb7370beb4ce22e96eadd6f0ec/bro [2] fastpath: http://tracker.bro.org/bro/changeset/873d0549bf99f86d591a903361bee31b684cbc98/bro From bro at tracker.bro.org Tue Mar 19 07:51:04 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 14:51:04 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.c03f0195a52ec3c06ccf94b72d0e6c04@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by seth): > One example that resembles my use case: Parse a specific HTTP header that > is Base64 encoded and decodes to a specific struct. So decode it, extract > the values that i'm interested in, and log some of the decoded information > if it's interesting. Ah, seems reasonable. I still think that for now we'd like to stick to only one function named bytestring_to_count. Adding something akin to unpack doesn't fit the longer term model we're putting in place and I'd like to avoid the various bit length uint functions since in Bro all integers are 64bit. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 19 08:08:30 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 15:08:30 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.0ceef1c0b0e9c01aef1308883215437c@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by yun): Replying to [comment:10 seth]: > > Ah, seems reasonable. I still think that for now we'd like to stick to only one function named bytestring_to_count. Adding something akin to unpack doesn't fit the longer term model we're putting in place and I'd like to avoid the various bit length uint functions since in Bro all integers are 64bit. Fair enough, I'm not very happy with the amount of different methods either but it was at least something to accommodate my needs. I thought it might be useful to have it upstream. How about I change the function to bytestream_to_count(), and based on the length convert it to 8bit, 16bit, 32bit or 64 bit integers? So basically:
{{{
print bytestream_to_count("\x11");                              # 17
print bytestream_to_count("\x11\x22");                          # 4386
print bytestream_to_count("\x11\x22\x33\x44");                  # 287454020
print bytestream_to_count("\x11\x22\x33\x44\x55\x66\x77\x88");  # 1234605616436508552
}}}
I'm open to suggestions to implement this differently. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 19 08:17:36 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 15:17:36 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.70690f57c641200555234b9a5cbed1e2@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by seth): > How about I change the function to bytestream_to_count(), and based on the > length convert it to 8bit, 16bit, 32bit or 64 bit integers? So basically: That was my thought, just make it do the conversion based on the number of characters in the string. I wouldn't even complain if you felt like adding a bytestring_to_int function. :) -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 19 09:59:19 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 16:59:19 -0000 Subject: [Bro-Dev] #971: SMB Modules crashing bro consistently Message-ID: <041.1a38264d99d1c8bd616c9721564f0499@tracker.bro.org> #971: SMB Modules crashing bro consistently ------------------------+--------------------- Reporter: dni | Type: Problem Status: new | Priority: Medium Milestone: Bro2.2 | Component: Bro Version: git/master | Keywords: ------------------------+--------------------- Hello crew, Just wanted to submit the latest bugs we've been getting using the smb-work2 module.

bro: /home/bbomar/work/bro/bro/build/src/smb_pac.cc:1920: int binpac::SMB::SMB_unicode_string::Parse(const binpac::uint8*, const binpac::uint8*): Assertion `t_dataptr_after_s <= t_end_of_data' failed.
/usr/local/sis/share/broctl/scripts/run-bro: line 60: 29266 Aborted (core dumped) nohup $mybro $@

All my 4 workers are crashing with the above error.

[BroControl] > status
Name      Type     Host           Status   Pid    Peers  Started
worker-1  worker   172.29.128.65  crashed
worker-2  worker   172.29.128.65  crashed
worker-3  worker   172.29.128.65  crashed
worker-4  worker   172.29.128.65  crashed
manager   manager  172.29.128.65  running  27803  ???    19 Mar 10:43:04
proxy-1   proxy    172.29.128.65  running  28998  ???    19 Mar 10:43:11

Any advice you could provide would be greatly appreciated. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 19 10:15:38 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 17:15:38 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.9fdb3ecae6a18cd3fb3f0ed6925b4bf7@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by yun): Attached a new patch that implements bytestring_to_count() and some tests. Please review :) You cannot read more than 8 bytes (64bit) and will give an error and return 0, and everything else will just be padded to 64bit and return the value as you expect it would be. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 19 10:41:44 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 17:41:44 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.7df95eaf8aedcdcb554f223090a91d36@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by seth): > Attached a new patch that implements bytestring_to_count() and some tests. > Please review :) Robin and I just talked about this and wondered if you could add an argument to provide endian-ness of the data to the bytestring_to_count function? Thanks. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 19 10:45:20 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 17:45:20 -0000 Subject: [Bro-Dev] #971: SMB Modules crashing bro consistently In-Reply-To: <041.1a38264d99d1c8bd616c9721564f0499@tracker.bro.org> References: <041.1a38264d99d1c8bd616c9721564f0499@tracker.bro.org> Message-ID: <056.b1df7e83b23bfc75f8ff346fb62aa427@tracker.bro.org> #971: SMB Modules crashing bro consistently -----------------------+------------------------ Reporter: dni | Owner: Type: Problem | Status: closed Priority: Medium | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Rejected | Keywords: -----------------------+------------------------ Changes (by seth): * status: new => closed * resolution: => Rejected Comment: We don't currently accept tickets for topic branches. Crashes in topic branches should be coordinated with the developer(s) directly. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 19 11:41:46 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 18:41:46 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.a6ee7f251b3c79335c6bcf9eda3cf16a@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by yun): Replying to [comment:17 seth]: > Robin and I just talked about this and wondered if you could add an argument to provide endian-ness of the data to the bytestring_to_count function? Thanks. That's why I also added another patch for reversing a (byte)string, see #969. With that patch you can do this:
{{{
print bytestring_to_count("\x30\x39");           # 12345 (big-endian data, read as-is)
print bytestring_to_count(reverse("\x39\x30"));  # 12345 (little-endian data, reversed first)
}}}
Do you think that will solve the problem? Also, do Bro functions support "optional" arguments? I personally think that it's annoying to specify the endianness for every call if it cannot be optional. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 19 12:44:15 2013 
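The conversion and struct read discussed in the #968 thread, as an added C++ example that is not the attached patch or Bro's own code: `bytes_to_count` takes the byte order as an argument (the alternative to calling `reverse()` first), and `parse_my_message` checks the sender-supplied length against the data actually received. All names, the packed 2+4-byte header layout and the sample messages are assumptions made for the example; unlike the patch description, errors are reported through an `ok` flag rather than a return value of 0.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

enum class Endian { Big, Little };

struct CountResult {
    bool ok;         // false: empty input or more than 8 bytes
    uint64_t value;  // meaningful only when ok is true
};

// Interpret 1..8 raw bytes as an unsigned integer in the given byte order.
// Shorter inputs are zero-extended to 64 bits.
CountResult bytes_to_count(const std::string& s, Endian order)
{
    if (s.empty() || s.size() > 8)
        return {false, 0};

    uint64_t v = 0;
    for (size_t i = 0; i < s.size(); ++i) {
        // Big-endian reads front to back, little-endian back to front.
        size_t idx = (order == Endian::Big) ? i : s.size() - 1 - i;
        v = (v << 8) | static_cast<unsigned char>(s[idx]);
    }
    return {true, v};
}

enum class ParseStatus { Ok, TruncatedHeader, LengthExceedsData };

struct ParsedMessage {
    ParseStatus status;
    uint16_t flags;
    std::string payload;
};

// Parse the my_message layout from the ticket, assumed packed on the wire:
// 2-byte flags, 4-byte length, then `length` payload bytes.
ParsedMessage parse_my_message(const std::string& data, Endian order)
{
    const size_t kHeaderLen = 2 + 4;
    if (data.size() < kHeaderLen)
        return {ParseStatus::TruncatedHeader, 0, ""};

    uint64_t flags = bytes_to_count(data.substr(0, 2), order).value;
    uint64_t length = bytes_to_count(data.substr(2, 4), order).value;

    // The length field is sender-controlled. Compare it with the bytes that
    // actually remain; written this way the check cannot wrap around.
    if (length > data.size() - kHeaderLen)
        return {ParseStatus::LengthExceedsData, static_cast<uint16_t>(flags), ""};

    return {ParseStatus::Ok, static_cast<uint16_t>(flags),
            data.substr(kHeaderLen, static_cast<size_t>(length))};
}

// Constructed sample: flags = 1, length = 11, payload "example.org".
std::string sample_message()
{
    return std::string("\x00\x01\x00\x00\x00\x0b" "example.org", 17);
}

// Constructed sample: same bytes, but the length field claims 65535.
std::string sample_overlong_length()
{
    return std::string("\x00\x01\x00\x00\xff\xff" "example.org", 17);
}

int main()
{
    ParsedMessage m = parse_my_message(sample_message(), Endian::Big);
    std::cout << "flags=" << m.flags << " payload=" << m.payload << "\n";

    ParsedMessage bad = parse_my_message(sample_overlong_length(), Endian::Big);
    std::cout << "overlong length rejected: "
              << (bad.status == ParseStatus::LengthExceedsData) << "\n";
    return 0;
}
```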
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 19:44:15 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.6dca122bd7b371a62c30f95ce06191b1@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by seth): > That's why I also added another patch for reversing a (byte)string, see > #969. I wondered if that was why. I'll let Robin or Vern (or someone else) comment on what they think about that approach. > Do you think that will solve the problem? Also, does bro function support > "optional" arguments? I personally think that it's annoying to specify the > endianness for every call if it cannot be optional. We literally just talked about that a little bit ago. There has been discussion about adding optional arguments for quite a while. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Tue Mar 19 15:29:27 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 22:29:27 -0000 Subject: [Bro-Dev] #972: Default arguments for functions Message-ID: <043.3f85826ab1ca109bbc1befbb9cd76ee4@tracker.bro.org> #972: Default arguments for functions -----------------------------+------------------------ Reporter: robin | Owner: Type: Feature Request | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Keywords: | -----------------------------+------------------------ it would be very convenient to support default arguments for functions, including for BiFs. -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Tue Mar 19 16:05:59 2013 
From: robin at icir.org (Robin Sommer) Date: Tue, 19 Mar 2013 16:05:59 -0700 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <056.a6ee7f251b3c79335c6bcf9eda3cf16a@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> <056.a6ee7f251b3c79335c6bcf9eda3cf16a@tracker.bro.org> Message-ID: <20130319230559.GK7731@icir.org> On Tue, Mar 19, 2013 at 18:41 -0000, you wrote: > With that patch you can do this: > {{{ > print bytestring_to_count(reverse("\x30\x39")); # 12345 > print bytestring_to_count(reverse("\x39\x30")); # 12345 > }}} > > Do you think that will solve the problem? Also, does bro function support > "optional" arguments? I personally think that it's annoying to specify the > endianness for every call if it cannot be optional. I can see the reverse() function for strings generally be useful but I don't think it's a nice solution for converting endianness with bytestring_to_count(). A default/optional argument would indeed be the best approach I think. We've been kicking that idea around a few times already, and I've now opened a ticket for that. For the time being, I'd indeed go with the explicit endianness argument and then switch over to an optional argument once we have that. -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bro at tracker.bro.org Tue Mar 19 16:06:45 2013
From: bro at tracker.bro.org (Bro Tracker) Date: Tue, 19 Mar 2013 23:06:45 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.0db5ea971641a1f086f00fb1b6766a10@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by robin): On Tue, Mar 19, 2013 at 18:41 -0000, you wrote: > With that patch you can do this: > {{{ > print bytestring_to_count(reverse("\x30\x39")); # 12345 > print bytestring_to_count(reverse("\x39\x30")); # 12345 > }}} > > Do you think that will solve the problem? Also, does bro function support > "optional" arguments? I personally think that it's annoying to specify the > endianness for every call if it cannot be optional. I can see the reverse() function for strings generally be useful but I don't think it's a nice solution for converting endianness with bytestring_to_count(). A default/optional argument would indeed be the best approach I think. We've been kicking that idea around a few times already, and I've now opened a ticket for that. For the time being, I'd indeed go with the explicit endianness argument and then switch over to an optional argument once we have that. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Wed Mar 20 04:50:52 2013
From: bro at tracker.bro.org (Bro Tracker) Date: Wed, 20 Mar 2013 11:50:52 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.49c408a8e7bdc04a567e12d6b3d6ee7c@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by yun): Replying to [comment:21 robin]: > I can see the reverse() function for strings generally be useful but I > don't think it's a nice solution for converting endianness with > bytestring_to_count(). A default/optional argument would indeed be the > best approach I think. We've been kicking that idea around a few times > already, and I've now opened a ticket for that. For the time being, > I'd indeed go with the explicit endianness argument and then switch > over to an optional argument once we have that. Ok before I go start implementing stuff, maybe we can agree on the function prototype. :) I was thinking of this: {{{ function bytestring_to_count%(s: string, is_le: bool%): count }}} Where is_le=1 is little endian, and is_le=0 is big endian. Then we can later decide what the default should be. Also, most languages only support reading the 8, 16, 32, 64 bit variants and use special (optimized) functions for the endianness byte swapping. Do we still want to support arbitrary byte lengths? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Wed Mar 20 06:06:02 2013
From: bro at tracker.bro.org (Bro Tracker) Date: Wed, 20 Mar 2013 13:06:02 -0000 Subject: [Bro-Dev] #968: Add bytestring_to_uint16, uint32, uint64 functions In-Reply-To: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> References: <041.91bbf7ca939f2dab16b849fee5136a33@tracker.bro.org> Message-ID: <056.b7f58054b760f8438c1302ff30f6e635@tracker.bro.org> #968: Add bytestring_to_uint16, uint32, uint64 functions --------------------+------------------------ Reporter: yun | Owner: Type: Patch | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: bytestring --------------------+------------------------ Comment (by seth): > Ok before I go start implementing stuff, maybe we can agree on the > function prototype. :) Great idea. :) > function bytestring_to_count%(s: string, is_le: bool%): count Looks good to me. > Also, most languages only support reading the 8, 16, 32, 64 bit variants > and use special (optimized) functions for the endianness byte swapping. > Do we still want to support arbitrary byte lengths? I think that's fine for now if it fits your use case. -- Ticket URL: Bro Tracker Bro Issue Tracker From dnthayer at illinois.edu Wed Mar 20 09:46:02 2013
From: dnthayer at illinois.edu (Daniel Thayer) Date: Wed, 20 Mar 2013 11:46:02 -0500 Subject: [Bro-Dev] broctl restart In-Reply-To: <20130318153731.GE66013@icir.org> References: <20130318153731.GE66013@icir.org> Message-ID: <5149E7CA.8020604@illinois.edu> On 03/18/2013 10:37 AM, Robin Sommer wrote: > Daniel, > > I've a question/task regarding broctl's "restart". Before merging #960, > there was this code: > > if clean: > # Can't delete the tmp here because log archival might still be > # going on there in the background. > util.output("cleaning up ...") > self.do_cleanup("--keep-tmp " + args) > self.postcmd(False, "--keep-tmp " + args) > > You removed the --keep-tmp option, which makes sense because it didn't > do anything. However, I'm concerned that that might have been there > for a reason, per the comment (which I've removed now too because > without the --keep-tmp, it doesn't apply anymore). > > Is it possible that we still have a problem there that if somebody > does "restart --clean", logs might get deleted before they're > completely archived? I'm wondering if the --keep-tmp code might have > just gotten lost at some point accidentally. I'm guessing the do_cleanup() code previously deleted tmp unless the "--keep-tmp" option was specified. Currently, that code does not delete tmp unless the "--all" option is given (which cannot happen when the user runs the "restart" command, even if the user erroneously tries to use the "--all" option with the "restart" command). So, I don't see any problem here. > Also, maybe related or not, we got a report that "broctl restart" > (without --clean) apparently *does* delete logs occasionally before > they get archived. So independent of --keep-tmp, I'm wondering if we > have a similar problem elsewhere.
I've found a race condition that occurs when the "stop" command is issued which can result in log files being deleted before they're archived into the "logs/" directory (since "restart" first does a "stop", I don't see any problem with the "restart" command itself). In my testing, I've seen only the conn.log being deleted before it is archived, because it takes longer to archive conn.log due to the summarize-connections postprocessor that gets run by the archive-log script (as a quick test, I tried skipping the connection summary processing by setting tracesummary="" in broctl.cfg, and this resulted in conn.log being reliably archived with each "broctl stop"). I will post more details to ticket #970 in the tracker. From bro at tracker.bro.org Wed Mar 20 12:41:13 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Wed, 20 Mar 2013 19:41:13 -0000 Subject: [Bro-Dev] #970: broctl stop/restart eating logs? (was: broctl restart eating logs?) In-Reply-To: <043.5d6412f7ce4509d8495a47e06660809a@tracker.bro.org> References: <043.5d6412f7ce4509d8495a47e06660809a@tracker.bro.org> Message-ID: <058.9a831abdaf7eb33405cfe3e002de9eae@tracker.bro.org> #970: broctl stop/restart eating logs? -----------------------------+------------------------ Reporter: robin | Owner: Type: Problem | Status: new Priority: High | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Comment (by dnthayer): I've identified a race condition in the "stop" command that can cause log files to be deleted before they are archived. When a "broctl stop" is issued, before bro terminates it will first run the archive-log script in the background (i.e., bro does not wait for it to finish) for each log. Then, when broctl is satisfied that bro has terminated successfully, it runs the post-terminate script. The post-terminate script moves the "spool/" directory into tmp, creates a new "spool/" directory, and then deletes the one that was moved into tmp. At that point, if there are still any archive-log processes running in the background, they likely won't be able to archive their log file because the file has already been deleted by the post-terminate script. I've been able to reproduce this problem only for the conn.log (the problem is much more likely for conn.log because the connection summary processing takes considerably more time to finish than anything else that archive-log does). -- Ticket URL: Bro Tracker Bro Issue Tracker From robin at icir.org Thu Mar 21 04:34:05 2013 
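The stop-time race described in the #970 comment above, as a constructed simulation added to this archive (it is not BroControl code and not part of any message). The function names and the `.archiving` marker file are hypothetical; the marker-wait variant is one possible way to close the window, an assumption here since the thread does not say how the problem was fixed.

```shell
#!/bin/sh
# Constructed simulation of the "broctl stop" race from ticket #970.
# Every name below (start_archiver, post_terminate_*, .archiving) is a
# hypothetical stand-in, not BroControl's own code.

# Start a slow archiver in the background, the way bro launches archive-log
# without waiting for it. The marker is written before the job starts so a
# later cleanup step can tell that archival is still pending.
start_archiver() {
    base=$1
    : > "$base/spool/.archiving"
    (
        sleep 1   # stands in for the slow connection-summary step on conn.log
        if [ -f "$base/spool/conn.log" ]; then
            mv "$base/spool/conn.log" "$base/logs/conn.log"
        fi
        rm -f "$base/spool/.archiving"
    ) &
    ARCHIVER_PID=$!
}

# Cleanup as the ticket describes it: move spool/ into tmp, create a new
# spool/, delete the moved copy. Nothing checks for running archivers.
post_terminate_racy() {
    base=$1
    mv "$base/spool" "$base/tmp/spool.old"
    mkdir "$base/spool"
    rm -rf "$base/tmp/spool.old"
}

# Same cleanup, but it first waits (at most 10 seconds) for the marker to go.
post_terminate_waiting() {
    base=$1
    tries=0
    while [ -e "$base/spool/.archiving" ] && [ "$tries" -lt 10 ]; do
        sleep 1
        tries=$((tries + 1))
    done
    post_terminate_racy "$base"
}

# Run one scenario in a fresh scratch tree and print "archived" or "lost".
run_scenario() {
    cleanup=$1
    root=$(mktemp -d)
    mkdir "$root/spool" "$root/logs" "$root/tmp"
    echo "constructed conn.log entry" > "$root/spool/conn.log"
    start_archiver "$root"
    "$cleanup" "$root"
    wait "$ARCHIVER_PID"
    if [ -f "$root/logs/conn.log" ]; then
        result=archived
    else
        result=lost
    fi
    rm -rf "$root"
    echo "$result"
}

echo "cleanup without waiting: $(run_scenario post_terminate_racy)"
echo "cleanup after waiting:   $(run_scenario post_terminate_waiting)"
```

For a sensor, the lost file is the connection log itself, so the gap shows up later as missing evidence for the interval just before each stop or restart.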
From: robin at icir.org (Robin Sommer) Date: Thu, 21 Mar 2013 04:34:05 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/broctl] topic/dnthayer/cleanup2: Ignore stdout.log and stderr.log in post-terminate (a2a3b0d) In-Reply-To: <201303202145.r2KLj0dK029660@bro-ids.icir.org> References: <201303202145.r2KLj0dK029660@bro-ids.icir.org> Message-ID: <20130321113405.GF48845@icir.org> On Wed, Mar 20, 2013 at 14:45 -0700, you wrote: > Ignore stdout.log and stderr.log in post-terminate The idea here was to archive them just as other logs as sometimes they can include helpful information. What do others think, is that something to keep? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org From bro at tracker.bro.org Thu Mar 21 06:33:47 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:33:47 -0000 Subject: [Bro-Dev] #963: bro-cut fails with gawk < 3.1.6 In-Reply-To: <045.2276b74f99f6226f06eb7e2b2dc02174@tracker.bro.org> References: <045.2276b74f99f6226f06eb7e2b2dc02174@tracker.bro.org> Message-ID: <060.9e6320e2f53660dce9151e4f7526b1dd@tracker.bro.org> #963: bro-cut fails with gawk < 3.1.6 ----------------------------+------------------------ Reporter: ckanich | Owner: robin Type: Merge Request | Status: assigned Priority: Low | Milestone: Bro2.2 Component: bro-aux | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Changes (by seth): * owner: => robin * status: new => assigned * type: Patch => Merge Request * milestone: => Bro2.2 Comment: This patch looks ok. I moved it into git under the topic branch topic/seth/ticket-963. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:35:12 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:35:12 -0000 Subject: [Bro-Dev] #943: PF_Ring plugin to support load balancing while sniffing multiple interfaces In-Reply-To: <042.7b1cf3e72e5824853933bb4b823c68ca@tracker.bro.org> References: <042.7b1cf3e72e5824853933bb4b823c68ca@tracker.bro.org> Message-ID: <057.d68063d07c80ff9be41b8c4664a242e6@tracker.bro.org> #943: PF_Ring plugin to support load balancing while sniffing multiple interfaces -------------------------+------------------------ Reporter: seth | Owner: dnthayer Type: Problem | Status: new Priority: High | Milestone: Bro2.2 Component: BroControl | Version: git/master Resolution: | Keywords: -------------------------+------------------------ Changes (by seth): * priority: Medium => High Comment: Daniel, is there any progress on this? It needs to be fixed for the 2.2 release. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:36:27 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:36:27 -0000 Subject: [Bro-Dev] #949: High CPU from polling loop on low traffic links In-Reply-To: <049.af1107c445a23ec0b142b80b447f96e6@tracker.bro.org> References: <049.af1107c445a23ec0b142b80b447f96e6@tracker.bro.org> Message-ID: <064.a5d37566517ef9de029d6c643b4092a3@tracker.bro.org> #949: High CPU from polling loop on low traffic links --------------------------+------------------------ Reporter: liamrandall | Owner: Type: Problem | Status: new Priority: Low | Milestone: Bro2.3 Component: Bro | Version: git/master Resolution: | Keywords: --------------------------+------------------------ Changes (by seth): * milestone: Bro2.2 => Bro2.3 Comment: Pushing this back to the 2.3 release. We will probably be revisiting the communication code for 2.3 and this may be addressed at that point. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:37:16 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:37:16 -0000 Subject: [Bro-Dev] #948: add bif for URI -> binary decoding In-Reply-To: <047.c6024f01bb6ff791d93bf4e0a7d3022f@tracker.bro.org> References: <047.c6024f01bb6ff791d93bf4e0a7d3022f@tracker.bro.org> Message-ID: <062.93c3640b99418da7a18564a5368011b4@tracker.bro.org> #948: add bif for URI -> binary decoding ------------------------------+------------------------ Reporter: scampbell | Owner: Type: Feature Request | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ------------------------------+------------------------ Comment (by seth): Scott, did you end up implementing this? I think you said that you did, right? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:37:51 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:37:51 -0000 Subject: [Bro-Dev] #945: Fix Cluster Notice::Policy Delegation In-Reply-To: <048.b8f021e3adc9c2b5fa78265de728c816@tracker.bro.org> References: <048.b8f021e3adc9c2b5fa78265de728c816@tracker.bro.org> Message-ID: <063.9a2f64a55a3f0ca0f2dd990b0ed0f704@tracker.bro.org> #945: Fix Cluster Notice::Policy Delegation -----------------------------+------------------------ Reporter: grigorescu | Owner: Type: Problem | Status: closed Priority: Medium | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Solved/Applied | Keywords: -----------------------------+------------------------ Changes (by seth): * status: new => closed * resolution: => Solved/Applied Comment: Fixed with the recent notice framework updates that went into master. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:41:17 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:41:17 -0000 Subject: [Bro-Dev] #900: reference versions of startup scripts In-Reply-To: <047.c96a77583f17d0acb9f4f947f35d0fdd@tracker.bro.org> References: <047.c96a77583f17d0acb9f4f947f35d0fdd@tracker.bro.org> Message-ID: <062.e3a655d1534edb6330a31d20b90a4bdc@tracker.bro.org> #900: reference versions of startup scripts ------------------------+------------------------ Reporter: scampbell | Owner: Type: Problem | Status: closed Priority: Normal | Milestone: Bro2.2 Component: bro-aux | Version: git/master Resolution: Rejected | Keywords: ------------------------+------------------------ Changes (by seth): * status: new => closed * resolution: => Rejected Comment: I'm going to close this ticket because I don't expect it will cause anyone to take action on the task. I agree that having those scripts would be handy though. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:43:25 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:43:25 -0000 Subject: [Bro-Dev] #845: PF_RING+DNA In-Reply-To: <046.fd6f0f04e887db155402c1572d02fff0@tracker.bro.org> References: <046.fd6f0f04e887db155402c1572d02fff0@tracker.bro.org> Message-ID: <061.b4645af75927b44739ee237aa6c0d105@tracker.bro.org> #845: PF_RING+DNA ------------------------------+------------------------ Reporter: dnthayer | Owner: Type: Feature Request | Status: new Priority: Normal | Milestone: Bro2.2 Component: BroControl | Version: git/master Resolution: | Keywords: ------------------------------+------------------------ Changes (by seth): * milestone: => Bro2.2 Comment: Daniel, any movement on this ticket? This would be another *very* nice feature for 2.1 so that people could finally use PF_Ring to do DMA with packets using standard NICs. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:45:05 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:45:05 -0000 Subject: [Bro-Dev] #940: manager crash if can't send mail In-Reply-To: <045.eb75e41f03f2c7429e7eb381504c6d83@tracker.bro.org> References: <045.eb75e41f03f2c7429e7eb381504c6d83@tracker.bro.org> Message-ID: <060.9018c44596ea74c4db6992b5218b65c9@tracker.bro.org> #940: manager crash if can't send mail -------------------------------+------------------------ Reporter: drmckay | Owner: Type: Problem | Status: closed Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: Feedback Missing | Keywords: -------------------------------+------------------------ Changes (by seth): * status: needs information => closed * resolution: => Feedback Missing -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:48:12 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:48:12 -0000 Subject: [Bro-Dev] #837: broctl load order incorrect In-Reply-To: <042.4282d1ceba136f3606e58c3926000648@tracker.bro.org> References: <042.4282d1ceba136f3606e58c3926000648@tracker.bro.org> Message-ID: <057.9dd1097b643b371f5e4a065b7083613d@tracker.bro.org> #837: broctl load order incorrect -------------------------+------------------------ Reporter: seth | Owner: dnthayer Type: Problem | Status: new Priority: Normal | Milestone: Bro2.2 Component: BroControl | Version: git/master Resolution: | Keywords: -------------------------+------------------------ Comment (by seth): I've lost track of this ticket, has it been addressed? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:50:44 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:50:44 -0000 Subject: [Bro-Dev] #641: Multiple nested VLAN tags don't work In-Reply-To: <042.b8b04f1559bc144e23e505038ca63568@tracker.bro.org> References: <042.b8b04f1559bc144e23e505038ca63568@tracker.bro.org> Message-ID: <057.2bb03a54bdd71eff3439cf0791687a82@tracker.bro.org> #641: Multiple nested VLAN tags don't work ----------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by seth): I've been promised Q-in-Q traffic (vlan in vlan) by a couple of people but none has materialized yet. Still waiting.... Anyone? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:51:32 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:51:32 -0000 Subject: [Bro-Dev] #678: Fix and test Bro's debugger In-Reply-To: <042.f35aeaf86c6673bfb351f9137e53caa6@tracker.bro.org> References: <042.f35aeaf86c6673bfb351f9137e53caa6@tracker.bro.org> Message-ID: <057.50cbfb06481bcc56877921562fa2b2ef@tracker.bro.org> #678: Fix and test Bro's debugger ----------------------+-------------------- Reporter: seth | Owner: Type: Problem | Status: new Priority: Normal | Milestone: Bro2.3 Component: Bro | Version: Resolution: | Keywords: ----------------------+-------------------- Changes (by seth): * milestone: Bro2.2 => Bro2.3 Comment: We need to get 2.2 done so let's bump this back again. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 06:59:53 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 13:59:53 -0000 Subject: [Bro-Dev] #788: Good analysis of unidirectional DNS flows In-Reply-To: <051.01bc5147139118acc0e1adc8b5f30c2b@tracker.bro.org> References: <051.01bc5147139118acc0e1adc8b5f30c2b@tracker.bro.org> Message-ID: <066.703ce7bd4eef7ee1cbf258f3e2980d42@tracker.bro.org> #788: Good analysis of unidirectional DNS flows ----------------------------+------------------------ Reporter: JulienSentier | Owner: Type: Patch | Status: new Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------------+------------------------ Changes (by seth): * milestone: => Bro2.2 Comment: I think this patch seems reasonable. Anyone else? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 07:02:46 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 14:02:46 -0000 Subject: [Bro-Dev] #640: BiFs to enable or disable events. In-Reply-To: <042.96e5146380f59d70b57503809493a195@tracker.bro.org> References: <042.96e5146380f59d70b57503809493a195@tracker.bro.org> Message-ID: <057.1d4b07ca4542d0b5a1f7983e71e5deab@tracker.bro.org> #640: BiFs to enable or disable events. ------------------------------+---------------------- Reporter: seth | Owner: Type: Feature Request | Status: closed Priority: High | Milestone: Bro2.2 Component: Bro | Version: Resolution: Rejected | Keywords: language ------------------------------+---------------------- Changes (by seth): * status: new => closed * resolution: => Rejected Comment: I'm closing this ticket, it wasn't a great idea. We just need runtime scriptland support for enabling/disabling analyzers and there is already another ticket focused on that. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 07:05:22 2013
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 14:05:22 -0000 Subject: [Bro-Dev] #660: Initializing a table with a record as an index does not work In-Reply-To: <044.ca9a6dd1891fb705a8a50ee326e2e7b4@tracker.bro.org> References: <044.ca9a6dd1891fb705a8a50ee326e2e7b4@tracker.bro.org> Message-ID: <059.cd42dbac8bc1268eb3c0f2b0c657afa1@tracker.bro.org> #660: Initializing a table with a record as an index does not work ----------------------------+------------------------ Reporter: amannb | Owner: robin Type: Merge Request | Status: assigned Priority: Normal | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: language ----------------------------+------------------------ Changes (by seth): * owner: => robin * status: new => assigned * version: => git/master * milestone: => Bro2.2 Comment: Weird, we haven't been seeing this in the nightly merge request emails. Anyway, maybe it's because it didn't have anyone assigned to it and it wasn't assigned to a milestone which are now fixed. -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 07:13:23 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 14:13:23 -0000 Subject: [Bro-Dev] #591: Time to finish collecting stats In-Reply-To: <042.4bcdd27f6ebd7b6e12d754d7e46b08cc@tracker.bro.org> References: <042.4bcdd27f6ebd7b6e12d754d7e46b08cc@tracker.bro.org> Message-ID: <057.35b4a5674650e73535ace7064db6ff00@tracker.bro.org> #591: Time to finish collecting stats -------------------------+------------------------ Reporter: seth | Owner: robin Type: Problem | Status: assigned Priority: Normal | Milestone: Bro2.2 Component: BroControl | Version: git/master Resolution: | Keywords: beta -------------------------+------------------------ Changes (by seth): * owner: => robin * status: new => assigned * version: => git/master * milestone: => Bro2.2 Comment: I think I found the problem with this. This line in the update-stats script: {{{ cp ${statsdir}/meta.dat ${statsdir}/www }}} If the www directory doesn't already exist that line will copy the meta.dat to a file named www. The script that runs right after that line is a python script that tries to open a file in that directory and it hangs if it's a file instead of a directory. One easy hack is to add a slash on the end of the line so that it looks like this: {{{ cp ${statsdir}/meta.dat ${statsdir}/www/ }}} I went ahead and committed the fix in topic/seth/ticket-591 I'm not sure if this completely addresses the problem or not though, but I think it's worthwhile closing this ticket and we'll reopen it or open a new one if the problem reappears (we may need to tell people to delete the www file if they've ended up with that). -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 07:13:28 2013 
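The two `cp` forms from the #591 comment above, run in a scratch directory as an added example (this is not the update-stats script, and it is not part of any message). `copy_meta`, `www_kind`, `probe` and the mode names are hypothetical, and the `mkdir` mode is an extra variant that does not appear in the ticket.

```shell
#!/bin/sh
# Constructed reproduction of the update-stats copy from ticket #591.
# Only the two cp forms come from the ticket; the helper names, the scratch
# directory and the "mkdir" mode are illustrative assumptions.

# Copy meta.dat the way each variant would.
copy_meta() {
    mode=$1
    statsdir=$2
    case $mode in
        original) cp "$statsdir/meta.dat" "$statsdir/www" ;;    # line quoted in the ticket
        slash)    cp "$statsdir/meta.dat" "$statsdir/www/" ;;   # trailing-slash fix from the ticket
        mkdir)    mkdir -p "$statsdir/www" &&
                  cp "$statsdir/meta.dat" "$statsdir/www/" ;;   # added variant, not in the ticket
    esac
}

# Report what <statsdir>/www is after the copy.
www_kind() {
    if [ -d "$1/www" ]; then
        echo directory
    elif [ -f "$1/www" ]; then
        echo file
    else
        echo missing
    fi
}

# probe MODE PRE  ->  prints "<ok|fail> <directory|file|missing>"
# PRE is the state of www before the copy: dir, file or none.
probe() {
    mode=$1
    pre=$2
    dir=$(mktemp -d)
    echo "constructed stats metadata" > "$dir/meta.dat"
    case $pre in
        dir)  mkdir "$dir/www" ;;
        file) : > "$dir/www" ;;   # stale file left behind by the original line
        none) ;;
    esac
    if copy_meta "$mode" "$dir" 2>/dev/null; then
        status=ok
    else
        status=fail
    fi
    echo "$status $(www_kind "$dir")"
    rm -rf "$dir"
}

# Print the outcome of every combination.
for mode in original slash mkdir; do
    for pre in none dir file; do
        printf '%-9s www=%-5s -> %s\n' "$mode" "$pre" "$(probe "$mode" "$pre")"
    done
done
```

The trailing slash turns the silent wrong result into a visible `cp` error, and a `www` file left over from an earlier run still blocks both corrected forms until it is deleted, which matches the remark at the end of the comment.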
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 14:13:28 -0000 Subject: [Bro-Dev] #948: add bif for URI -> binary decoding In-Reply-To: <047.c6024f01bb6ff791d93bf4e0a7d3022f@tracker.bro.org> References: <047.c6024f01bb6ff791d93bf4e0a7d3022f@tracker.bro.org> Message-ID: <062.6b1eef1a82fcf7e381fc0abf7847fe0a@tracker.bro.org> #948: add bif for URI -> binary decoding ------------------------------+------------------------ Reporter: scampbell | Owner: Type: Feature Request | Status: new Priority: Low | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ------------------------------+------------------------ Comment (by scampbell): -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 3/21/13 8:37 AM, Bro Tracker wrote: > #948: add bif for URI -> binary decoding > ------------------------------+------------------------ Reporter: > scampbell | Owner: Type: Feature Request | > Status: new Priority: Low | Milestone: Bro2.2 > Component: Bro | Version: git/master Resolution: > | Keywords: > ------------------------------+------------------------ > > Comment (by seth): > > Scott, did you end up implementing this? I think you said that you > did, right? > Yup - it is something of an abomination, but can be found here: http://code.google.com/p/auditing-sshd/source/browse/trunk/bro_policy_2.0/bifmodd thanks! scott -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iD8DBQFRSxVYK2Plq8B7ZBwRAkLWAJ9pz984F2Hss0uFlkL/bFZ7gmU77gCgj69B SDV0gNnQeOzTzk6Fs8X3Z5c= =qIny -----END PGP SIGNATURE----- -- Ticket URL: Bro Tracker Bro Issue Tracker From scampbell at lbl.gov Thu Mar 21 07:12:40 2013
From: scampbell at lbl.gov (Scott Campbell) Date: Thu, 21 Mar 2013 09:12:40 -0500 Subject: [Bro-Dev] #948: add bif for URI -> binary decoding In-Reply-To: <062.93c3640b99418da7a18564a5368011b4@tracker.bro.org> References: <047.c6024f01bb6ff791d93bf4e0a7d3022f@tracker.bro.org> <062.93c3640b99418da7a18564a5368011b4@tracker.bro.org> Message-ID: <514B1558.4010202@lbl.gov> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 3/21/13 8:37 AM, Bro Tracker wrote: > #948: add bif for URI -> binary decoding > ------------------------------+------------------------ Reporter: > scampbell | Owner: Type: Feature Request | > Status: new Priority: Low | Milestone: Bro2.2 > Component: Bro | Version: git/master Resolution: > | Keywords: > ------------------------------+------------------------ > > Comment (by seth): > > Scott, did you end up implementing this? I think you said that you > did, right? > Yup - it is something of an abomination, but can be found here: http://code.google.com/p/auditing-sshd/source/browse/trunk/bro_policy_2.0/bifmodd thanks! scott -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iD8DBQFRSxVYK2Plq8B7ZBwRAkLWAJ9pz984F2Hss0uFlkL/bFZ7gmU77gCgj69B SDV0gNnQeOzTzk6Fs8X3Z5c= =qIny -----END PGP SIGNATURE----- From bro at tracker.bro.org Thu Mar 21 07:13:46 2013 
From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 14:13:46 -0000 Subject: [Bro-Dev] #591: Time to finish collecting stats In-Reply-To: <042.4bcdd27f6ebd7b6e12d754d7e46b08cc@tracker.bro.org> References: <042.4bcdd27f6ebd7b6e12d754d7e46b08cc@tracker.bro.org> Message-ID: <057.0e7fc86909a3a1d6bd504ef2c153168f@tracker.bro.org> #591: Time to finish collecting stats ----------------------------+------------------------ Reporter: seth | Owner: robin Type: Merge Request | Status: assigned Priority: Normal | Milestone: Bro2.2 Component: BroControl | Version: git/master Resolution: | Keywords: beta ----------------------------+------------------------ Changes (by seth): * type: Problem => Merge Request -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 07:16:28 2013 From: bro at tracker.bro.org (Bro Tracker) Date: Thu, 21 Mar 2013 14:16:28 -0000 Subject: [Bro-Dev] #579: "Raw" logging writer In-Reply-To: <042.8e0b793c4b92745613478223cb859d43@tracker.bro.org> References: <042.8e0b793c4b92745613478223cb859d43@tracker.bro.org> Message-ID: <057.6212db61a2118e338bc1244c6836ba41@tracker.bro.org> #579: "Raw" logging writer ----------------------+------------------------ Reporter: seth | Owner: Type: Problem | Status: new Priority: High | Milestone: Bro2.2 Component: Bro | Version: git/master Resolution: | Keywords: ----------------------+------------------------ Comment (by seth): Anyone want to pick this up for the 2.2 release? -- Ticket URL: Bro Tracker Bro Issue Tracker From bro at tracker.bro.org Thu Mar 21 07:18:41 2013 
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:18:41 -0000
Subject: [Bro-Dev] #521: Bro's secondary path does not handle IPv6) (only v4
In-Reply-To: <044.496a0aa915106c8c91058a7c00929c44@tracker.bro.org>
References: <044.496a0aa915106c8c91058a7c00929c44@tracker.bro.org>
Message-ID: <059.85e16e28ad0e922e74c31fb9c8c4b506@tracker.bro.org>

#521: Bro's secondary path does not handle IPv6) (only v4
----------------------+------------------------
  Reporter:  gregor   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  IPv6
----------------------+------------------------

Comment (by seth):

 It looks like this still only handles IPv4. Did we ever make a
 determination regarding if secondary path is sticking around or not?

From bro at tracker.bro.org Thu Mar 21 07:20:38 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:20:38 -0000
Subject: [Bro-Dev] #286: Script level varargs
In-Reply-To: <042.1063a6eb972aeeebfb585a3ce6e8cf1f@tracker.bro.org>
References: <042.1063a6eb972aeeebfb585a3ce6e8cf1f@tracker.bro.org>
Message-ID: <057.1a68002c8dbbe2fa076016d50479f3fe@tracker.bro.org>

#286: Script level varargs
------------------------------+----------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  closed
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  Bro              |    Version:  1.5.2
Resolution:  Rejected         |   Keywords:  language
------------------------------+----------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Rejected
 * milestone:   => Bro2.2

Comment:

 I'm just going to close this ticket. We'll see if it bubbles up again. I
 haven't felt any gaping holes in my life by not having it.

From bro at tracker.bro.org Thu Mar 21 07:21:53 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:21:53 -0000
Subject: [Bro-Dev] #266: broctl cron hangs with dead hosts
In-Reply-To: <045.ceace7e246f099b8686550356f017fd9@tracker.bro.org>
References: <045.ceace7e246f099b8686550356f017fd9@tracker.bro.org>
Message-ID: <060.fa942a90b86cda449647b459a34c3b61@tracker.bro.org>

#266: broctl cron hangs with dead hosts
-------------------------+------------------------
  Reporter:  solomon     |      Owner:  dnthayer
      Type:  Problem     |     Status:  assigned
  Priority:  Normal      |  Milestone:  Bro2.2
 Component:  BroControl  |    Version:  git/master
Resolution:              |   Keywords:
-------------------------+------------------------
Changes (by seth):

 * owner:  robin => dnthayer
 * status:  new => assigned
 * version:  1.5.2 => git/master
 * milestone:   => Bro2.2

Comment:

 Daniel, this would be good to verify and if it's an actual problem it
 would make for a good test I think.

From bro at tracker.bro.org Thu Mar 21 07:22:19 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:22:19 -0000
Subject: [Bro-Dev] #524: Bro fuzz testing
In-Reply-To: <044.f678fe8e3aaf187f3b148696eb1465ad@tracker.bro.org>
References: <044.f678fe8e3aaf187f3b148696eb1465ad@tracker.bro.org>
Message-ID: <059.d3ec284340759fae17b66811ebc429d3@tracker.bro.org>

#524: Bro fuzz testing
----------------------+------------------------
  Reporter:  gregor   |      Owner:
      Type:  Task     |     Status:  closed
  Priority:  Normal   |  Milestone:
 Component:  Bro      |    Version:  git/master
Resolution:  Invalid  |   Keywords:
----------------------+------------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Invalid

Comment:

 Too vague.

From bro at tracker.bro.org Thu Mar 21 07:23:35 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:23:35 -0000
Subject: [Bro-Dev] #320: Check for counters, length fields, etc. that can overflow and change to 64 bit
In-Reply-To: <044.85020b23392c80d50f3af4855312009c@tracker.bro.org>
References: <044.85020b23392c80d50f3af4855312009c@tracker.bro.org>
Message-ID: <059.486a8103b47dab3baad14643f2b2cc68@tracker.bro.org>

#320: Check for counters, length fields, etc. that can overflow and change to 64
bit
-----------------------+------------------------
  Reporter:  gregor    |      Owner:
      Type:  Task      |     Status:  closed
  Priority:  Normal    |  Milestone:  Bro2.2
 Component:  Bro       |    Version:  git/master
Resolution:  Rejected  |   Keywords:  inttypes
-----------------------+------------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Rejected

Comment:

 I don't think this is ever going to be done as a single task. It's better
 addressed as problems are discovered.

From bro at tracker.bro.org Thu Mar 21 07:24:38 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:24:38 -0000
Subject: [Bro-Dev] #309: Work with Endace to get their code back in
In-Reply-To: <043.951792f3bebfdaa9b11d93921ba8edba@tracker.bro.org>
References: <043.951792f3bebfdaa9b11d93921ba8edba@tracker.bro.org>
Message-ID: <058.ce2cc46108c9e6262b922f5a4cf1fc1e@tracker.bro.org>

#309: Work with Endace to get their code back in
----------------------+------------------------
  Reporter:  robin    |      Owner:
      Type:  Task     |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:  Invalid  |   Keywords:
----------------------+------------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Invalid

Comment:

 I'm just going to close this. When we revamp the packet acquisition
 mechanism it will be an obvious feature.

From bro at tracker.bro.org Thu Mar 21 07:25:07 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:25:07 -0000
Subject: [Bro-Dev] #259: Commented out example in policy/scan.bro
In-Reply-To: <048.b4f68ec42f7072ebfb84f5324bbc8944@tracker.bro.org>
References: <048.b4f68ec42f7072ebfb84f5324bbc8944@tracker.bro.org>
Message-ID: <063.e486616e1b52573f778e3a6e9488e6ab@tracker.bro.org>

#259: Commented out example in policy/scan.bro
-------------------------+--------------------
  Reporter:  brosenberg  |      Owner:
      Type:  Patch       |     Status:  closed
  Priority:  Normal      |  Milestone:  Bro2.2
 Component:  Bro         |    Version:  1.5.2
Resolution:  Invalid     |   Keywords:
-------------------------+--------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Invalid
 * milestone:   => Bro2.2

Comment:

 2.2 has a new scan.bro

From bro at tracker.bro.org Thu Mar 21 07:37:13 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:37:13 -0000
Subject: [Bro-Dev] #560: Child analyzer Init() problem
In-Reply-To: <044.cbd4cfc0b3afd54bd891fdadffce0e18@tracker.bro.org>
References: <044.cbd4cfc0b3afd54bd891fdadffce0e18@tracker.bro.org>
Message-ID: <059.be52eb8ba1697ad00e1ea3de226c016b@tracker.bro.org>

#560: Child analyzer Init() problem
----------------------+------------------------
  Reporter:  gregor   |      Owner:  robin
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by seth):

 * owner:   => robin
 * status:  new => assigned

Comment:

 Robin, is this a ticket we want to leave open? I don't understand it
 enough right now to comment on it.

From bro at tracker.bro.org Thu Mar 21 07:38:38 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:38:38 -0000
Subject: [Bro-Dev] #306: Write a new user manual
In-Reply-To: <042.74628c14b8da56d4cc5a6f502016588c@tracker.bro.org>
References: <042.74628c14b8da56d4cc5a6f502016588c@tracker.bro.org>
Message-ID: <057.4ac4b5c361c360f8ad494e4a81df9b73@tracker.bro.org>

#306: Write a new user manual
-----------------------------+--------------------
  Reporter:  seth            |      Owner:
      Type:  Task            |     Status:  closed
  Priority:  High            |  Milestone:  Bro2.2
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Solved/Applied

Comment:

 This is in progress by Scott and doesn't need to be tracked as a ticket
 anymore.

From bro at tracker.bro.org Thu Mar 21 07:40:43 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:40:43 -0000
Subject: [Bro-Dev] #959: Issue with HTTP POST file extraction
In-Reply-To: <053.73b1f09c914ba29a5a03087f31031eae@tracker.bro.org>
References: <053.73b1f09c914ba29a5a03087f31031eae@tracker.bro.org>
Message-ID: <068.b0c36b03bc51b517a19f0fb2bd52b9f5@tracker.bro.org>

#959: Issue with HTTP POST file extraction
------------------------------+--------------------
  Reporter:  gregoire.moreau  |      Owner:
      Type:  Problem          |     Status:  new
  Priority:  Low              |  Milestone:  Bro2.2
 Component:  Bro              |    Version:  2.1
Resolution:                   |   Keywords:
------------------------------+--------------------

Comment (by seth):

 Is this ticket related to #244?

From bro at tracker.bro.org Thu Mar 21 07:47:22 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:47:22 -0000
Subject: [Bro-Dev] #845: PF_RING+DNA
In-Reply-To: <046.fd6f0f04e887db155402c1572d02fff0@tracker.bro.org>
References: <046.fd6f0f04e887db155402c1572d02fff0@tracker.bro.org>
Message-ID: <061.92cb608dd0c63c95a7c4aaba5854f6e1@tracker.bro.org>

#845: PF_RING+DNA
------------------------------+------------------------
  Reporter:  dnthayer         |      Owner:  dnthayer
      Type:  Feature Request  |     Status:  assigned
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  BroControl       |    Version:  git/master
Resolution:                   |   Keywords:
------------------------------+------------------------
Changes (by seth):

 * owner:   => dnthayer
 * status:  new => assigned

From bro at tracker.bro.org Thu Mar 21 07:48:26 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:48:26 -0000
Subject: [Bro-Dev] #603: Checking correctness of logs
In-Reply-To: <043.78364c4f17c2681d8c0c624e80eab624@tracker.bro.org>
References: <043.78364c4f17c2681d8c0c624e80eab624@tracker.bro.org>
Message-ID: <058.c7c388f959cc59ce927c529b51efdcf0@tracker.bro.org>

#603: Checking correctness of logs
-----------------------------+------------------------
  Reporter:  robin           |      Owner:  seth
      Type:  Task            |     Status:  closed
  Priority:  Normal          |  Milestone:  Bro2.2
 Component:  Bro             |    Version:  git/master
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+------------------------
Changes (by seth):

 * status:  assigned => closed
 * resolution:   => Solved/Applied

Comment:

 Been too long. I don't remember the minor issues anymore although I'm
 sure some of them have been addressed. I'm just going to close the ticket.

From bro at tracker.bro.org Thu Mar 21 07:49:28 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:49:28 -0000
Subject: [Bro-Dev] #329: Optimizing detect-protocols-http.bro
In-Reply-To: <042.0bb522e94de160b1f89a38851cac7764@tracker.bro.org>
References: <042.0bb522e94de160b1f89a38851cac7764@tracker.bro.org>
Message-ID: <057.9bb3f017bfbb84c4b70e7114383fb811@tracker.bro.org>

#329: Optimizing detect-protocols-http.bro
---------------------+------------------------
  Reporter:  seth    |      Owner:
      Type:  Task    |     Status:  assigned
  Priority:  Normal  |  Milestone:  Bro2.3
 Component:  Bro     |    Version:  git/master
Resolution:          |   Keywords:
---------------------+------------------------
Changes (by seth):

 * keywords:  sprint =>
 * version:   => git/master
 * milestone:  Bro2.2 => Bro2.3

Comment:

 Bumping again.

From bro at tracker.bro.org Thu Mar 21 07:49:57 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:49:57 -0000
Subject: [Bro-Dev] #253: Can't bind to port 47760, Address already in use
In-Reply-To: <052.82331f96cd8860a1844321dc8b936726@tracker.bro.org>
References: <052.82331f96cd8860a1844321dc8b936726@tracker.bro.org>
Message-ID: <067.06af49681f4e3a5ebc5fca01a149baa0@tracker.bro.org>

#253: Can't bind to port 47760, Address already in use
------------------------------+----------------------
  Reporter:  Tyler.Schoenke   |      Owner:  dnthayer
      Type:  Feature Request  |     Status:  assigned
  Priority:  Normal           |  Milestone:  Bro2.2
 Component:  BroControl       |    Version:  1.5.2
Resolution:                   |   Keywords:
------------------------------+----------------------
Changes (by seth):

 * owner:  robin => dnthayer
 * status:  new => assigned

Comment:

 Daniel, what do you think about this one?

From bro at tracker.bro.org Thu Mar 21 07:50:32 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:50:32 -0000
Subject: [Bro-Dev] #465: Fix up the MIME analyzer
In-Reply-To: <042.c6de6b84e16e6e3765c7cce13770a4e2@tracker.bro.org>
References: <042.c6de6b84e16e6e3765c7cce13770a4e2@tracker.bro.org>
Message-ID: <057.406a901202944760d0bd6f5f03c53d63@tracker.bro.org>

#465: Fix up the MIME analyzer
----------------------+------------------------
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.3
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  analyzer
----------------------+------------------------
Changes (by seth):

 * milestone:  Bro2.2 => Bro2.3

Comment:

 This isn't going to happen again.

From bro at tracker.bro.org Thu Mar 21 07:51:39 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:51:39 -0000
Subject: [Bro-Dev] #897: File extraction oddities
In-Reply-To: <044.5ab8039bbabeccc472a9802496a430dc@tracker.bro.org>
References: <044.5ab8039bbabeccc472a9802496a430dc@tracker.bro.org>
Message-ID: <059.5ddb60c1c4520163a78297daecae14b3@tracker.bro.org>

#897: File extraction oddities
----------------------+------------------------
  Reporter:  sconzo   |      Owner:
      Type:  Problem  |     Status:  closed
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:  Invalid  |   Keywords:
----------------------+------------------------
Changes (by seth):

 * status:  new => closed
 * resolution:   => Invalid

Comment:

 I'm closing this ticket because this is all being overhauled right now.

From bro at tracker.bro.org Thu Mar 21 07:53:54 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:53:54 -0000
Subject: [Bro-Dev] #898: Confusion over the accept_input field in communication code
In-Reply-To: <042.342ce83d62bf80f8e841c0a46bd864e5@tracker.bro.org>
References: <042.342ce83d62bf80f8e841c0a46bd864e5@tracker.bro.org>
Message-ID: <057.7d7855d1a1d0c5d2768ac458992cc991@tracker.bro.org>

#898: Confusion over the accept_input field in communication code
----------------------+------------------------
  Reporter:  seth     |      Owner:  seth
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by seth):

 * owner:   => seth
 * status:  new => assigned

From bro at tracker.bro.org Thu Mar 21 07:56:50 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:56:50 -0000
Subject: [Bro-Dev] #334: Portmapper.bro documentation and script interaction
In-Reply-To: <044.1924c8d46549f09ac36d5d65a73474f4@tracker.bro.org>
References: <044.1924c8d46549f09ac36d5d65a73474f4@tracker.bro.org>
Message-ID: <059.543b96cae3f9f47ca44497bed0975e4a@tracker.bro.org>

#334: Portmapper.bro documentation and script interaction
----------------------+------------------------
  Reporter:  gregor   |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  Normal   |  Milestone:  Bro2.3
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Changes (by seth):

 * milestone:  Bro2.2 => Bro2.3

Comment:

 still not coming back (darn it).

From bro at tracker.bro.org Thu Mar 21 07:57:35 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:57:35 -0000
Subject: [Bro-Dev] #434: Fix secondary path
In-Reply-To: <043.e6f4e0b50efe45ae516a0782f470b1c5@tracker.bro.org>
References: <043.e6f4e0b50efe45ae516a0782f470b1c5@tracker.bro.org>
Message-ID: <058.0010875d455308f21b2c40664e267e40@tracker.bro.org>

#434: Fix secondary path
---------------------+------------------------
  Reporter:  robin   |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:  Bro2.3
 Component:  Bro     |    Version:  git/master
Resolution:          |   Keywords:
---------------------+------------------------
Changes (by seth):

 * version:   => git/master
 * milestone:  Bro2.2 => Bro2.3

Comment:

 This isn't going to be touched for 2.2.

From bro at tracker.bro.org Thu Mar 21 07:58:05 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 14:58:05 -0000
Subject: [Bro-Dev] #410: Extension to init time pattern construction
In-Reply-To: <042.fff44e5fe56b9508cd3662c085f4f686@tracker.bro.org>
References: <042.fff44e5fe56b9508cd3662c085f4f686@tracker.bro.org>
Message-ID: <057.c4a3fdbbf4ed8598179c82d8007c47b4@tracker.bro.org>

#410: Extension to init time pattern construction
------------------------------+------------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro2.3
 Component:  Bro              |    Version:  git/master
Resolution:                   |   Keywords:  language
------------------------------+------------------------
Changes (by seth):

 * version:   => git/master
 * milestone:  Bro2.2 => Bro2.3

Comment:

 Bumping again.

From bro at tracker.bro.org Thu Mar 21 08:01:48 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 15:01:48 -0000
Subject: [Bro-Dev] #700: PacketSorter
In-Reply-To: <044.6219f96751123dbc2c4ddc0f80c22916@tracker.bro.org>
References: <044.6219f96751123dbc2c4ddc0f80c22916@tracker.bro.org>
Message-ID: <059.cd9cbaeee05398daf3c14c8122f6be3b@tracker.bro.org>

#700: PacketSorter
----------------------+-------------------------
  Reporter:  gregor   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:
Resolution:           |   Keywords:  BroV6, IPv6
----------------------+-------------------------
Changes (by seth):

 * owner:   => jsiwek
 * status:  new => assigned

Comment:

 Jon, did you touch this with the IPv6 work?

From bro at tracker.bro.org Thu Mar 21 08:22:35 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 15:22:35 -0000
Subject: [Bro-Dev] #700: PacketSorter
In-Reply-To: <044.6219f96751123dbc2c4ddc0f80c22916@tracker.bro.org>
References: <044.6219f96751123dbc2c4ddc0f80c22916@tracker.bro.org>
Message-ID: <059.9cfbbbcf470c1f4a65b35bba37418b64@tracker.bro.org>

#700: PacketSorter
----------------------+-------------------------
  Reporter:  gregor   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:
Resolution:           |   Keywords:  BroV6, IPv6
----------------------+-------------------------

Comment (by jsiwek):

 Replying to [comment:3 seth]:
 > Jon, did you touch this with the IPv6 work?

 I think I touched the PacketSorter as part of that, but I didn't "change"
 anything (I had to make equivalence refactors since some of the IP_Hdr
 interface changed) and didn't do any extensive testing or address any of
 the questions in this ticket.

From bro at tracker.bro.org Thu Mar 21 08:37:17 2013
From: bro at tracker.bro.org (Bro Tracker)
Date: Thu, 21 Mar 2013 15:37:17 -0000
Subject: [Bro-Dev] #700: PacketSorter
In-Reply-To: <044.6219f96751123dbc2c4ddc0f80c22916@tracker.bro.org>
References: <044.6219f96751123dbc2c4ddc0f80c22916@tracker.bro.org>
Message-ID: <059.6de1319ea46c445ea1d7d6dc9ff4f2ad@tracker.bro.org>

#700: PacketSorter
----------------------+-------------------------
  Reporter:  gregor   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.3
 Component:  Bro      |    Version:
Resolution:           |   Keywords:  BroV6, IPv6
----------------------+-------------------------
Changes (by seth):

 * milestone:  Bro2.2 => Bro2.3

Comment:

 Ok, we'll bump this back one more release then.

From seth at icir.org Thu Mar 21 08:54:23 2013
From: seth at icir.org (Seth Hall)
Date: Thu, 21 Mar 2013 11:54:23 -0400
Subject: [Bro-Dev] Meta-programming
Message-ID: <858C5B50-FCEA-4309-B059-51F463DB186E@icir.org>

Let me start by saying that I have an actual use case for this in the measurement framework and I'm not just messing around. :)

function add_x(x: count): function(a: count): count
    {
    local tmp = function(a: count): count
        {
        # The 'x' variable ends up receiving the value of the same arity as my inner
        # defined function instead of the value of the outer scope where 'x' is.
        return a+x;
        };
    return tmp;
    }

event bro_init()
    {
    local my_adder = add_x(5);
    print my_adder(1); # hopefully would print 6, but it prints 2

    local your_adder = add_x(100);
    print your_adder(2); # hopefully would print 102, but it prints 4
    }

Would this functionality working like I wish it did be difficult? It would make a very nice usability feature for the measurement framework when setting thresholds.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From dnthayer at illinois.edu Thu Mar 21 10:54:22 2013
From: dnthayer at illinois.edu (Daniel Thayer)
Date: Thu, 21 Mar 2013 12:54:22 -0500
Subject: [Bro-Dev] [Bro-Commits] [git/broctl] topic/dnthayer/cleanup2: Ignore stdout.log and stderr.log in post-terminate (a2a3b0d)
In-Reply-To: <20130321113405.GF48845@icir.org>
References: <201303202145.r2KLj0dK029660@bro-ids.icir.org> <20130321113405.GF48845@icir.org>
Message-ID: <514B494E.1020505@illinois.edu>

On 03/21/2013 06:34 AM, Robin Sommer wrote:
>
>
> On Wed, Mar 20, 2013 at 14:45 -0700, you wrote:
>
>> Ignore stdout.log and stderr.log in post-terminate
>
> The idea here was to archive them just as other logs as sometimes they
> can include helpful information. What do others think, is that
> something to keep?
>
> Robin
>

That's true, but in those cases a crash report is sent (which includes the contents of both of those files, plus others), and those files are also left in the /post-terminate--