From noreply at bro.org Thu May 1 00:00:21 2014 
From: noreply at bro.org (Merge Tracker) Date: Thu, 1 May 2014 00:00:21 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201405010700.s4170LDj014505@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- -------------- ---------- ------------- ---------- ----------------------------------------------------------------- BIT-1189 [1] Bro Bernhard Amann - 2014-04-27 2.3 Normal merge topic/bernhard/ec-curve BIT-1185 [2] BroControl Daniel Thayer - 2014-04-25 2.3 Normal topic/dnthayer/broctld-work [3] BIT-1177 [4] Bro Bernhard Amann Seth Hall 2014-04-21 2.3 Normal SumStats dynamic updates do not work in cluster mode BIT-1150 [5] Bro Robin Sommer Bernhard Amann 2014-04-25 2.3 Normal X509 updates BIT-1141 [6] Bro Robin Sommer Jon Siwek 2014-04-28 2.3 Normal Investigate further improvements to file analysis performance BIT-348 [7] Bro gregor Robin Sommer 2014-04-30 2.3 High Reassembler integer overflow issues. Data not delivered after 2GB Open Fastpath Commits ====================== Commit Component Author Date Summary ------------ ----------- -------------- ---------- ------------------------------------------------------------ 636262d [8] bro Bernhard Amann 2014-04-30 Correct a notice for heartbleed. The notice is thrown correc d7d5497 [9] bro Jon Siwek 2014-04-29 Improve/standardize some malloc/realloc return val checks. 4b059ea [10] bro Jon Siwek 2014-04-29 Improve file analysis manager shutdown/cleanup. Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ------------ ---------- ---------- ---------------------------------------------------------------------------- #4 [11] time-machine mareq [12] 2014-04-10 When deleting connections hashtable, delete stored connections as well. [13] #3 [14] time-machine mareq [15] 2014-04-10 Correct handling of Linux SLL header and VLAN headers. 
[16] #2 [17] time-machine mareq [18] 2014-04-09 Query interval start/end is now taken into account. [19] #1 [20] time-machine mareq [21] 2014-03-19 TM-16: Really skip VLAN header for indexing. [22] [1] BIT-1189 https://bro-tracker.atlassian.net/browse/BIT-1189 [2] BIT-1185 https://bro-tracker.atlassian.net/browse/BIT-1185 [3] broctld-work https://github.com/bro/brocontrol/tree/topic/dnthayer/broctld-work [4] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177 [5] BIT-1150 https://bro-tracker.atlassian.net/browse/BIT-1150 [6] BIT-1141 https://bro-tracker.atlassian.net/browse/BIT-1141 [7] BIT-348 https://bro-tracker.atlassian.net/browse/BIT-348 [8] 636262d https://github.com/bro/bro/commit/636262d86591251e08110074074b04331854bef9 [9] d7d5497 https://github.com/bro/bro/commit/d7d5497436f8b3bf6101adca4e1d2aa2c1113aa0 [10] 4b059ea https://github.com/bro/bro/commit/4b059ea15ac6bba0c5189532bc1c749ec066b1c6 [11] Pull Request #4 https://github.com/bro/time-machine/pull/4 [12] mareq https://github.com/mareq [13] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks [14] Pull Request #3 https://github.com/bro/time-machine/pull/3 [15] mareq https://github.com/mareq [16] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll [17] Pull Request #2 https://github.com/bro/time-machine/pull/2 [18] mareq https://github.com/mareq [19] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval [20] Pull Request #1 https://github.com/bro/time-machine/pull/1 [21] mareq https://github.com/mareq [22] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16 From jsiwek at illinois.edu Thu May 1 12:02:27 2014 
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 1 May 2014 19:02:27 +0000
Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Change X509 extension value parsing to not abort on malloc failures. (385438d)
In-Reply-To: <201405011819.s41IJrTF032733@bro-ids.icir.org>
References: <201405011819.s41IJrTF032733@bro-ids.icir.org>
Message-ID:

> + // TODO: see about using regular malloc here, there were unknown problems
> + // using anything other than OPENSSL_malloc that need investigation.
> + char* buffer = (char*) OPENSSL_malloc(length);

Bernhard, do you know any more details of what was wrong w/ regular malloc() here? I think it makes sense to get away from using OpenSSL's malloc wrapper if it's possible.

If I change it, running the test suites on OS X doesn't show a problem. Is triggering the problem more subtle than the test suites will pick up on?

- Jon

From bernhard at ICSI.Berkeley.EDU Thu May 1 12:15:34 2014
From: bernhard at ICSI.Berkeley.EDU (Bernhard Amann)
Date: Thu, 1 May 2014 12:15:34 -0700
Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Change X509 extension value parsing to not abort on malloc failures. (385438d)
In-Reply-To:
References: <201405011819.s41IJrTF032733@bro-ids.icir.org>
Message-ID:

On May 1, 2014, at 12:02 PM, Siwek, Jonathan Luke wrote:

>
>> + // TODO: see about using regular malloc here, there were unknown problems
>> + // using anything other than OPENSSL_malloc that need investigation.
>> + char* buffer = (char*) OPENSSL_malloc(length);
>
> Bernhard, do you know any more details of what was wrong w/ regular malloc() here? I think it makes sense to get away from using OpenSSL's malloc wrapper if it's possible.
>
> If I change it, running the test suites on OS X doesn't show a problem. Is triggering the problem more subtle than the test suites will pick up on?

Nah, it was fairly obvious. I might just have done something else wrong and blamed it on that - if everything still works, that should be good enough :)

Bernhard

From jsiwek at illinois.edu Thu May 1 12:55:57 2014
From: jsiwek at illinois.edu (Siwek, Jonathan Luke)
Date: Thu, 1 May 2014 19:55:57 +0000
Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Change X509 extension value parsing to not abort on malloc failures. (385438d)
In-Reply-To:
References: <201405011819.s41IJrTF032733@bro-ids.icir.org>
Message-ID:

On May 1, 2014, at 2:15 PM, Bernhard Amann wrote:

>
> On May 1, 2014, at 12:02 PM, Siwek, Jonathan Luke wrote:
>
>>
>>> + // TODO: see about using regular malloc here, there were unknown problems
>>> + // using anything other than OPENSSL_malloc that need investigation.
>>> + char* buffer = (char*) OPENSSL_malloc(length);
>>
>> Bernhard, do you know any more details of what was wrong w/ regular malloc() here? I think it makes sense to get away from using OpenSSL's malloc wrapper if it's possible.
>>
>> If I change it, running the test suites on OS X doesn't show a problem. Is triggering the problem more subtle than the test suites will pick up on?
>
> Nah, it was fairly obvious. I might just have done something else wrong and blamed it on that - if everything still works, that should be good enough :)

Thanks, I'll make the change after this one gets reviewed/promoted.

- Jon

From jira at bro-tracker.atlassian.net Thu May 1 14:05:08 2014
From: jira at bro-tracker.atlassian.net (Adam Slagell (JIRA)) Date: Thu, 1 May 2014 16:05:08 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1142) SNMP Analysis In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Adam Slagell reassigned BIT-1142: --------------------------------- Assignee: Jon Siwek (was: Seth Hall) > SNMP Analysis > ------------- > > Key: BIT-1142 > URL: https://bro-tracker.atlassian.net/browse/BIT-1142 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: BinPAC, Bro > Affects Versions: git/master > Reporter: Jon Siwek > Assignee: Jon Siwek > Fix For: 2.3 > > > /topic/jsiwek/snmp in bro, binpac, and bro-testing-private adds support for parsing SNMP datagrams. It's only absent a snmp.log. > Seth, do you mind taking a look at what might make sense for a default snmp.log? I'm guessing it might look similar in concept to dns.log. A difference is I'm not sure how meaningful raw OID to value mappings will be. > The code is in a merge-able state as it is in the branch/repos I mentioned, and IMO, has value even without a default snmp.log. So if you just want to flip to a merge request and postpone thinking up an snmp.log for later, I think that's fine, too. -- This message was sent by Atlassian JIRA (v6.3-OD-03-012#6321) From jira at bro-tracker.atlassian.net Thu May 1 20:34:07 2014 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Thu, 1 May 2014 22:34:07 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1141) Investigate further improvements to file analysis performance In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1141: ------------------------------ Status: Closed (was: Merge Request) Sounds good, thanks. > Investigate further improvements to file analysis performance > ------------------------------------------------------------- > > Key: BIT-1141 > URL: https://bro-tracker.atlassian.net/browse/BIT-1141 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: Robin Sommer > Assignee: Jon Siwek > Fix For: 2.3 > > > Some further ideas for measuring and improving the performance of maintaining the handles were floating around. -- This message was sent by Atlassian JIRA (v6.3-OD-03-012#6321) From jira at bro-tracker.atlassian.net Thu May 1 21:35:07 2014 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Thu, 1 May 2014 23:35:07 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1185) topic/dnthayer/broctld-work In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1185?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1185: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > topic/dnthayer/broctld-work > --------------------------- > > Key: BIT-1185 > URL: https://bro-tracker.atlassian.net/browse/BIT-1185 > Project: Bro Issue Tracker > Issue Type: Problem > Components: BroControl > Reporter: Daniel Thayer > Fix For: 2.3 > > > This branch contains some code cleanup and also fixes or improves the > following issues: > The df, exec, and top commands now run only once per host. > Avoid reporting same disk check error msg multiple times for same host. > Improve output column formatting. > Added warning to do a "broctl install" if broctl or node config changes. > Don't email about "$total" pseudo-node not receiving any packets. > Remove unused "home" broctl option. > Changed plugin API hosts() function to be more useful. -- This message was sent by Atlassian JIRA (v6.3-OD-03-012#6321) From jira at bro-tracker.atlassian.net Thu May 1 21:36:07 2014 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Thu, 1 May 2014 23:36:07 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1150) X509 updates In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1150: ------------------------------ Status: Closed (was: Merge Request) > X509 updates > ------------ > > Key: BIT-1150 > URL: https://bro-tracker.atlassian.net/browse/BIT-1150 > Project: Bro Issue Tracker > Issue Type: Problem > Components: Bro > Reporter: Robin Sommer > Assignee: Bernhard Amann > Fix For: 2.3 > > Attachments: signature.asc > > -- This message was sent by Atlassian JIRA (v6.3-OD-03-012#6321) From jira at bro-tracker.atlassian.net Thu May 1 21:36:07 2014 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA)) Date: Thu, 1 May 2014 23:36:07 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1189) merge topic/bernhard/ec-curve In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer updated BIT-1189: ------------------------------ Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > merge topic/bernhard/ec-curve > ----------------------------- > > Key: BIT-1189 > URL: https://bro-tracker.atlassian.net/browse/BIT-1189 > Project: Bro Issue Tracker > Issue Type: Improvement > Components: Bro > Affects Versions: git/master > Reporter: Bernhard Amann > Fix For: 2.3 > > > topic/bernhard/ec-curve adds support for recognizing which curve was chosen in a connection using ECDH/ECDHE as well as returning the DH parameters for DHE/DH-Anon. > Furthermore, it adds a small policy script that warns on weak certificate keys or DH-parameters. > Github diff link: https://github.com/bro/bro/compare/topic;bernhard;ec-curve -- This message was sent by Atlassian JIRA (v6.3-OD-03-012#6321) From noreply at bro.org Fri May 2 00:00:12 2014 
From: noreply at bro.org (Merge Tracker) Date: Fri, 2 May 2014 00:00:12 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201405020700.s4270CkF031117@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------- BIT-1177 [1] Bro Bernhard Amann Seth Hall 2014-04-21 2.3 Normal SumStats dynamic updates do not work in cluster mode BIT-348 [2] Bro gregor Robin Sommer 2014-04-30 2.3 High Reassembler integer overflow issues. Data not delivered after 2GB Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ------------ ---------- ---------- --------------------------------------------------------------------------- #4 [3] time-machine mareq [4] 2014-04-10 When deleting connections hashtable, delete stored connections as well. [5] #3 [6] time-machine mareq [7] 2014-04-10 Correct handling of Linux SLL header and VLAN headers. [8] #2 [9] time-machine mareq [10] 2014-04-09 Query interval start/end is now taken into account. [11] #1 [12] time-machine mareq [13] 2014-03-19 TM-16: Really skip VLAN header for indexing. 
[14] [1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177 [2] BIT-348 https://bro-tracker.atlassian.net/browse/BIT-348 [3] Pull Request #4 https://github.com/bro/time-machine/pull/4 [4] mareq https://github.com/mareq [5] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks [6] Pull Request #3 https://github.com/bro/time-machine/pull/3 [7] mareq https://github.com/mareq [8] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll [9] Pull Request #2 https://github.com/bro/time-machine/pull/2 [10] mareq https://github.com/mareq [11] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval [12] Pull Request #1 https://github.com/bro/time-machine/pull/1 [13] mareq https://github.com/mareq [14] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16 From jira at bro-tracker.atlassian.net Fri May 2 10:56:08 2014 
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 2 May 2014 12:56:08 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1142) SNMP Analysis In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1142: --------------------------- Status: Merge Request (was: Open) > SNMP Analysis > ------------- > > Key: BIT-1142 > URL: https://bro-tracker.atlassian.net/browse/BIT-1142 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: BinPAC, Bro > Affects Versions: git/master > Reporter: Jon Siwek > Assignee: Jon Siwek > Fix For: 2.3 > > > /topic/jsiwek/snmp in bro, binpac, and bro-testing-private adds support for parsing SNMP datagrams. It's only absent a snmp.log. > Seth, do you mind taking a look at what might make sense for a default snmp.log? I'm guessing it might look similar in concept to dns.log. A difference is I'm not sure how meaningful raw OID to value mappings will be. > The code is in a merge-able state as it is in the branch/repos I mentioned, and IMO, has value even without a default snmp.log. So if you just want to flip to a merge request and postpone thinking up an snmp.log for later, I think that's fine, too. -- This message was sent by Atlassian JIRA (v6.3-OD-03-012#6321) From jira at bro-tracker.atlassian.net Fri May 2 10:57:09 2014 
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA)) Date: Fri, 2 May 2014 12:57:09 -0500 (CDT) Subject: [Bro-Dev] [JIRA] (BIT-1142) SNMP Analysis In-Reply-To: References: Message-ID: [ https://bro-tracker.atlassian.net/browse/BIT-1142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jon Siwek updated BIT-1142: --------------------------- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) > SNMP Analysis > ------------- > > Key: BIT-1142 > URL: https://bro-tracker.atlassian.net/browse/BIT-1142 > Project: Bro Issue Tracker > Issue Type: New Feature > Components: BinPAC, Bro > Affects Versions: git/master > Reporter: Jon Siwek > Assignee: Jon Siwek > Fix For: 2.3 > > > /topic/jsiwek/snmp in bro, binpac, and bro-testing-private adds support for parsing SNMP datagrams. It's only absent a snmp.log. > Seth, do you mind taking a look at what might make sense for a default snmp.log? I'm guessing it might look similar in concept to dns.log. A difference is I'm not sure how meaningful raw OID to value mappings will be. > The code is in a merge-able state as it is in the branch/repos I mentioned, and IMO, has value even without a default snmp.log. So if you just want to flip to a merge request and postpone thinking up an snmp.log for later, I think that's fine, too. -- This message was sent by Atlassian JIRA (v6.3-OD-03-012#6321) From noreply at bro.org Sat May 3 00:00:17 2014 
From: noreply at bro.org (Merge Tracker) Date: Sat, 3 May 2014 00:00:17 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201405030700.s4370HPX016290@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------- BIT-1177 [1] Bro Bernhard Amann Seth Hall 2014-04-21 2.3 Normal SumStats dynamic updates do not work in cluster mode BIT-348 [2] Bro gregor Robin Sommer 2014-04-30 2.3 High Reassembler integer overflow issues. Data not delivered after 2GB Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ------------ ---------- ---------- --------------------------------------------------------------------------- #4 [3] time-machine mareq [4] 2014-04-10 When deleting connections hashtable, delete stored connections as well. [5] #3 [6] time-machine mareq [7] 2014-04-10 Correct handling of Linux SLL header and VLAN headers. [8] #2 [9] time-machine mareq [10] 2014-04-09 Query interval start/end is now taken into account. [11] #1 [12] time-machine mareq [13] 2014-03-19 TM-16: Really skip VLAN header for indexing. 
[14] [1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177 [2] BIT-348 https://bro-tracker.atlassian.net/browse/BIT-348 [3] Pull Request #4 https://github.com/bro/time-machine/pull/4 [4] mareq https://github.com/mareq [5] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks [6] Pull Request #3 https://github.com/bro/time-machine/pull/3 [7] mareq https://github.com/mareq [8] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll [9] Pull Request #2 https://github.com/bro/time-machine/pull/2 [10] mareq https://github.com/mareq [11] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval [12] Pull Request #1 https://github.com/bro/time-machine/pull/1 [13] mareq https://github.com/mareq [14] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16 From noreply at bro.org Sun May 4 00:00:15 2014 
From: noreply at bro.org (Merge Tracker) Date: Sun, 4 May 2014 00:00:15 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201405040700.s4470FhX026201@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------- BIT-1177 [1] Bro Bernhard Amann Seth Hall 2014-04-21 2.3 Normal SumStats dynamic updates do not work in cluster mode BIT-348 [2] Bro gregor Robin Sommer 2014-04-30 2.3 High Reassembler integer overflow issues. Data not delivered after 2GB Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ------------ ---------- ---------- --------------------------------------------------------------------------- #4 [3] time-machine mareq [4] 2014-04-10 When deleting connections hashtable, delete stored connections as well. [5] #3 [6] time-machine mareq [7] 2014-04-10 Correct handling of Linux SLL header and VLAN headers. [8] #2 [9] time-machine mareq [10] 2014-04-09 Query interval start/end is now taken into account. [11] #1 [12] time-machine mareq [13] 2014-03-19 TM-16: Really skip VLAN header for indexing. 
[14] [1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177 [2] BIT-348 https://bro-tracker.atlassian.net/browse/BIT-348 [3] Pull Request #4 https://github.com/bro/time-machine/pull/4 [4] mareq https://github.com/mareq [5] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks [6] Pull Request #3 https://github.com/bro/time-machine/pull/3 [7] mareq https://github.com/mareq [8] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll [9] Pull Request #2 https://github.com/bro/time-machine/pull/2 [10] mareq https://github.com/mareq [11] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval [12] Pull Request #1 https://github.com/bro/time-machine/pull/1 [13] mareq https://github.com/mareq [14] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16 From noreply at bro.org Mon May 5 00:00:21 2014 
From: noreply at bro.org (Merge Tracker) Date: Mon, 5 May 2014 00:00:21 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201405050700.s4570L2N002958@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------- BIT-1177 [1] Bro Bernhard Amann Seth Hall 2014-04-21 2.3 Normal SumStats dynamic updates do not work in cluster mode BIT-348 [2] Bro gregor Robin Sommer 2014-04-30 2.3 High Reassembler integer overflow issues. Data not delivered after 2GB Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ------------ ---------- ---------- --------------------------------------------------------------------------- #4 [3] time-machine mareq [4] 2014-04-10 When deleting connections hashtable, delete stored connections as well. [5] #3 [6] time-machine mareq [7] 2014-04-10 Correct handling of Linux SLL header and VLAN headers. [8] #2 [9] time-machine mareq [10] 2014-04-09 Query interval start/end is now taken into account. [11] #1 [12] time-machine mareq [13] 2014-03-19 TM-16: Really skip VLAN header for indexing. 
[14] [1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177 [2] BIT-348 https://bro-tracker.atlassian.net/browse/BIT-348 [3] Pull Request #4 https://github.com/bro/time-machine/pull/4 [4] mareq https://github.com/mareq [5] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks [6] Pull Request #3 https://github.com/bro/time-machine/pull/3 [7] mareq https://github.com/mareq [8] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll [9] Pull Request #2 https://github.com/bro/time-machine/pull/2 [10] mareq https://github.com/mareq [11] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval [12] Pull Request #1 https://github.com/bro/time-machine/pull/1 [13] mareq https://github.com/mareq [14] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16 From noreply at bro.org Tue May 6 00:00:14 2014 
From: noreply at bro.org (Merge Tracker) Date: Tue, 6 May 2014 00:00:14 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201405060700.s4670E8u023846@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------- BIT-1177 [1] Bro Bernhard Amann Seth Hall 2014-04-21 2.3 Normal SumStats dynamic updates do not work in cluster mode BIT-348 [2] Bro gregor Robin Sommer 2014-04-30 2.3 High Reassembler integer overflow issues. Data not delivered after 2GB Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ------------ ---------- ---------- --------------------------------------------------------------------------- #4 [3] time-machine mareq [4] 2014-04-10 When deleting connections hashtable, delete stored connections as well. [5] #3 [6] time-machine mareq [7] 2014-04-10 Correct handling of Linux SLL header and VLAN headers. [8] #2 [9] time-machine mareq [10] 2014-04-09 Query interval start/end is now taken into account. [11] #1 [12] time-machine mareq [13] 2014-03-19 TM-16: Really skip VLAN header for indexing. 
[14] [1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177 [2] BIT-348 https://bro-tracker.atlassian.net/browse/BIT-348 [3] Pull Request #4 https://github.com/bro/time-machine/pull/4 [4] mareq https://github.com/mareq [5] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks [6] Pull Request #3 https://github.com/bro/time-machine/pull/3 [7] mareq https://github.com/mareq [8] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll [9] Pull Request #2 https://github.com/bro/time-machine/pull/2 [10] mareq https://github.com/mareq [11] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval [12] Pull Request #1 https://github.com/bro/time-machine/pull/1 [13] mareq https://github.com/mareq [14] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16 From noreply at bro.org Wed May 7 00:00:15 2014 
From: noreply at bro.org (Merge Tracker) Date: Wed, 7 May 2014 00:00:15 -0700 Subject: [Bro-Dev] [Auto] Merge Status Message-ID: <201405070700.s4770FqX012781@bro-ids.icir.org> Open Merge Requests =================== ID Component Reporter Assignee Updated For Version Priority Summary ------------ ----------- -------------- ------------ ---------- ------------- ---------- ----------------------------------------------------------------- BIT-1177 [1] Bro Bernhard Amann Seth Hall 2014-04-21 2.3 Normal SumStats dynamic updates do not work in cluster mode BIT-348 [2] Bro gregor Robin Sommer 2014-04-30 2.3 High Reassembler integer overflow issues. Data not delivered after 2GB Open GitHub Pull Requests ========================= Issue Component User Updated Title ------- ------------ ---------- ---------- --------------------------------------------------------------------------- #4 [3] time-machine mareq [4] 2014-04-10 When deleting connections hashtable, delete stored connections as well. [5] #3 [6] time-machine mareq [7] 2014-04-10 Correct handling of Linux SLL header and VLAN headers. [8] #2 [9] time-machine mareq [10] 2014-04-09 Query interval start/end is now taken into account. [11] #1 [12] time-machine mareq [13] 2014-03-19 TM-16: Really skip VLAN header for indexing. 
[14] [1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177 [2] BIT-348 https://bro-tracker.atlassian.net/browse/BIT-348 [3] Pull Request #4 https://github.com/bro/time-machine/pull/4 [4] mareq https://github.com/mareq [5] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks [6] Pull Request #3 https://github.com/bro/time-machine/pull/3 [7] mareq https://github.com/mareq [8] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll [9] Pull Request #2 https://github.com/bro/time-machine/pull/2 [10] mareq https://github.com/mareq [11] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval [12] Pull Request #1 https://github.com/bro/time-machine/pull/1 [13] mareq https://github.com/mareq [14] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16 From jsiwek at illinois.edu Wed May 7 09:36:38 2014 
From: jsiwek at illinois.edu (Siwek, Jonathan Luke) Date: Wed, 7 May 2014 16:36:38 +0000 Subject: [Bro-Dev] AddressSanitizer In-Reply-To: <201405071614.s47GE0I4020015@bro-ids.icir.org> References: <201405071614.s47GE0I4020015@bro-ids.icir.org> Message-ID: <539CCAE6-1063-41FE-BBB8-E8D53F71A09A@illinois.edu> The problems below were detected by the AddressSanitizer [1] feature of LLVM which new-ish clang and gcc versions have a flag to enable. It?s basically like valgrind, but not an external tool and also faster. This should make it easy to integrate in to the existing automated test suites for Bro (though I?ll probably have to increase timeouts for time-sensitive tests by 2x). It also comes with a LeakSanitizer feature to detect memory leaks, but it?s labeled experimental and only supported on x86_64 Linux at the moment. Worked well for me, though, and the performance claims are interesting: no additional slowdown when used w/ ASan, and minimal performance cost if linked in independently. 
- Jon [1] http://clang.llvm.org/docs/AddressSanitizer.html On May 7, 2014, at 11:14 AM, Jonathan Siwek wrote: > Repository : ssh://git at bro-ids.icir.org/bro > > On branch : master > Link : https://github.com/bro/bro/commit/012156e9f1eba5bed5f1aa853ae6db7809654dca > >> --------------------------------------------------------------- > > commit 012156e9f1eba5bed5f1aa853ae6db7809654dca > Merge: b15bbf4 4ea8a4e > Author: Jon Siwek > Date: Wed May 7 10:59:22 2014 -0500 > > Merge branch 'topic/jsiwek/asan-fixes' > > > >> --------------------------------------------------------------- > > 012156e9f1eba5bed5f1aa853ae6db7809654dca > CHANGES | 18 +++++++++ > VERSION | 2 +- > src/Base64.cc | 2 +- > src/IPAddr.cc | 58 +++++++++++++-------------- > src/file_analysis/Manager.cc | 3 +- > src/file_analysis/analyzer/x509/X509.cc | 11 +++++ > src/file_analysis/analyzer/x509/functions.bif | 24 +++++++---- > src/input/readers/Raw.cc | 9 ++--- > 8 files changed, 80 insertions(+), 47 deletions(-) > > diff --cc CHANGES > index 9bb4bf6,9bb4bf6..1853abf > --- a/CHANGES > +++ b/CHANGES > @@@ -1,4 -1,4 +1,22 @@@ > > ++2.2-417 | 2014-05-07 10:59:22 -0500 > ++ > ++ * Change handling of atypical OpenSSL error case in x509 verification. (Jon Siwek) > ++ > ++ * Fix memory leaks in X509 certificate parsing/verification. (Jon Siwek) > ++ > ++ * Fix new []/delete mismatch in input::reader::Raw::DoClose(). (Jon Siwek) > ++ > ++ * Fix buffer over-reads in file_analysis::Manager::Terminate() (Jon Siwek) > ++ > ++ * Fix buffer overlows in IP address masking logic. (Jon Siwek) > ++ > ++ That could occur either in taking a zero-length mask on an IPv6 address > ++ (e.g. [fe80::]/0) or a reverse mask of length 128 on any address (e.g. > ++ via the remask_addr BuiltIn Function). > ++ > ++ * Fix new []/delete mismatch in ~Base64Converter. (Jon Siwek) > ++ > 2.2-410 | 2014-05-02 12:49:53 -0500 > > * Replace an unneeded OPENSSL_malloc call. (Jon Siwek) > diff --cc VERSION > index 861e918,861e918..cc5bc3b 
> --- a/VERSION > +++ b/VERSION > @@@ -1,1 -1,1 +1,1 @@@ > --2.2-410 > ++2.2-417 > > _______________________________________________ > bro-commits mailing list > bro-commits at bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits > From noreply at bro.org Thu May 8 00:00:16 2014 
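Review bot: the CHANGES hunk has a typo in the IP-masking entry, `++ * Fix buffer overlows in IP address masking logic.` should read `overflows`, and `++ * Fix buffer over-reads in file_analysis::Manager::Terminate()` is the only entry without a trailing period. Since the masking paragraph already names the two triggering inputs ([fe80::]/0 and a remask_addr length of 128), consider stating in the entry that both are covered by regression tests, so the next reader of the changelog knows the boundary cases are pinned down.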
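The masking fixes in the CHANGES hunk above name a zero-length mask on an IPv6 address and a reverse mask of length 128; these are the two prefix lengths at which a word-at-a-time mask has no partial word, a common place for a shift by the full word width or an index one past the last word to slip in. The following is an added example, not Bro's IPAddr code: a constructed four-word 128-bit address type whose mask builder handles lengths 0 and 128 without an undefined shift or an out-of-bounds word, which is what a sanitizer run would otherwise flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 128-bit address held as four 32-bit words, most significant word first.
 * Constructed for this example; it is not Bro's IPAddr class. */
typedef struct { uint32_t w[4]; } addr128;

/* Build a mask with the top `prefix` bits set, for prefix in 0..128.
 * Shifting a uint32_t by 32 is undefined in C, and prefix/32 == 4 would
 * index past the array, so the two boundary cases (an all-zero mask for
 * prefix 0 and an all-ones mask for prefix 128) are produced without a
 * shift and without touching a fifth word. */
static bool make_prefix_mask(unsigned prefix, uint32_t mask[4])
{
    if (prefix > 128)
        return false;                       /* reject instead of overrunning */

    for (int i = 0; i < 4; i++) {
        unsigned bits = prefix > 32 ? 32 : prefix;   /* bits in this word */
        if (bits == 32)
            mask[i] = 0xFFFFFFFFu;
        else if (bits == 0)
            mask[i] = 0;
        else
            mask[i] = 0xFFFFFFFFu << (32 - bits);    /* shift count is 1..31 */
        prefix -= bits;
    }
    return true;
}

/* Keep the top `prefix` bits of `in` (the network part); [fe80::]/0
 * yields ::.  Returns false for an out-of-range prefix. */
bool mask_addr(const addr128 *in, unsigned prefix, addr128 *out)
{
    uint32_t m[4];
    if (!make_prefix_mask(prefix, m))
        return false;
    for (int i = 0; i < 4; i++)
        out->w[i] = in->w[i] & m[i];
    return true;
}

/* Keep the low 128 - `prefix` bits of `in` (the host part); a reverse
 * mask of length 128 keeps nothing and must not read past the four words. */
bool reverse_mask_addr(const addr128 *in, unsigned prefix, addr128 *out)
{
    uint32_t m[4];
    if (!make_prefix_mask(prefix, m))
        return false;
    for (int i = 0; i < 4; i++)
        out->w[i] = in->w[i] & ~m[i];
    return true;
}

/* Format as eight hex groups (no :: compression) for display. */
void addr_to_hex(const addr128 *a, char out[40])
{
    snprintf(out, 40, "%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x",
             a->w[0] >> 16, a->w[0] & 0xFFFF, a->w[1] >> 16, a->w[1] & 0xFFFF,
             a->w[2] >> 16, a->w[2] & 0xFFFF, a->w[3] >> 16, a->w[3] & 0xFFFF);
}

int main(void)
{
    const addr128 fe80 = {{0xfe800000u, 0, 0, 0x00000001u}};  /* fe80::1 */
    addr128 r;
    char buf[40];
    unsigned cases[] = {0, 10, 64, 128};   /* includes both boundary lengths */
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        mask_addr(&fe80, cases[i], &r);
        addr_to_hex(&r, buf);
        printf("fe80::1/%-3u mask   -> %s\n", cases[i], buf);
        reverse_mask_addr(&fe80, cases[i], &r);
        addr_to_hex(&r, buf);
        printf("fe80::1/%-3u remask -> %s\n", cases[i], buf);
    }
    return 0;
}
```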
From: noreply at bro.org (Merge Tracker)
Date: Thu, 8 May 2014 00:00:16 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405080700.s4870Gvt005932@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee       Updated      For Version   Priority   Summary
------------  ----------  ---------------  -------------  -----------  ------------  ---------  -----------------------------------------------------------------
BIT-1177 [1]  Bro         Bernhard Amann   Seth Hall      2014-04-21   2.3           Normal     SumStats dynamic updates do not work in cluster mode
BIT-348 [2]   Bro         gregor           Robin Sommer   2014-04-30   2.3           High       Reassembler integer overflow issues. Data not delivered after 2GB

Open GitHub Pull Requests
=========================

Issue     Component      User         Updated      Title
--------  -------------  -----------  -----------  ---------------------------------------------------------------------------
#4 [3]    time-machine   mareq [4]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [5]
#3 [6]    time-machine   mareq [7]    2014-04-10   Correct handling of Linux SLL header and VLAN headers. [8]
#2 [9]    time-machine   mareq [10]   2014-04-09   Query interval start/end is now taken into account. [11]
#1 [12]   time-machine   mareq [13]   2014-03-19   TM-16: Really skip VLAN header for indexing. [14]

[1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177
[2] BIT-348 https://bro-tracker.atlassian.net/browse/BIT-348
[3] Pull Request #4 https://github.com/bro/time-machine/pull/4
[4] mareq https://github.com/mareq
[5] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[6] Pull Request #3 https://github.com/bro/time-machine/pull/3
[7] mareq https://github.com/mareq
[8] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[9] Pull Request #2 https://github.com/bro/time-machine/pull/2
[10] mareq https://github.com/mareq
[11] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[12] Pull Request #1 https://github.com/bro/time-machine/pull/1
[13] mareq https://github.com/mareq
[14] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From robin at icir.org Thu May 8 07:31:12 2014
From: robin at icir.org (Robin Sommer)
Date: Thu, 8 May 2014 07:31:12 -0700
Subject: [Bro-Dev] AddressSanitizer
In-Reply-To: <539CCAE6-1063-41FE-BBB8-E8D53F71A09A@illinois.edu>
References: <201405071614.s47GE0I4020015@bro-ids.icir.org> <539CCAE6-1063-41FE-BBB8-E8D53F71A09A@illinois.edu>
Message-ID: <20140508143112.GB8341@icir.org>

On Wed, May 07, 2014 at 16:36 +0000, you wrote:

> faster. This should make it easy to integrate into the existing
> automated test suites for Bro (though I'll probably have to increase
> timeouts for time-sensitive tests by 2x).

That would be cool. I've played with AddressSanitizer a bit before,
it's nice indeed.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin

From robin at icir.org Thu May 8 12:01:51 2014
From: robin at icir.org (Robin Sommer)
Date: Thu, 8 May 2014 12:01:51 -0700
Subject: [Bro-Dev] Merging updates
In-Reply-To: <201405081907.s48J74qE005805@bro-ids.icir.org>
References: <201405081907.s48J74qE005805@bro-ids.icir.org>
Message-ID: <20140508190151.GA54618@icir.org>

Two updates regarding merges:

- Jon Siwek is joining the ranks of the Bro Merge Masters(TM). So it's
  now Jon, Seth, and myself doing merges of topic branches into master
  across the bro.org repositories.

- I've updated our "Development Process" page with some notes on how we
  generally merge and generally commit to master:

  http://www.bro.org/development/howtos/process.html#committing-to-master
  http://www.bro.org/development/howtos/process.html#merging-a-topic-branch

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin

From jira at bro-tracker.atlassian.net Thu May 8 16:37:08 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 8 May 2014 18:37:08 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-348) Reassembler integer overflow issues. Data not delivered after 2GB
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16400#comment-16400 ]

Robin Sommer commented on BIT-348:
----------------------------------

Thanks for tracking this down, sounds reasonable. I looked at a few more
cases where things differ slightly (durations, and sometimes the history
field), but all those also look somewhat ill-defined to begin with, and
it's really just a tiny number. Merging, good job on this.

> Reassembler integer overflow issues. Data not delivered after 2GB
> -----------------------------------------------------------------
>
>                 Key: BIT-348
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-348
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: gregor
>            Assignee: Robin Sommer
>            Priority: High
>              Labels: inttypes
>             Fix For: 2.3
>
>
> {noformat}
> #!rst
> The TCP Reassembler does not deliver any data to analyzers after the
> first 2GB due to signed integer overflow (Actually it will deliver again
> between 4--6GB, etc.) This happens silently, i.e., without content_gap
> events or Undelivered calls.
>
> This report superseded BIT-315, BIT-137
>
> The TCP Reassembler (and Reassem) base class use ``int`` to keep track
> of sequence numbers and ``seq_delta`` to check for differences. If a
> connection exceeds 2GB, the relative sequence numbers (int) used by the
> Reassembler become negative. While many parts of the Reassembler still
> work (because seq_delta still reports the correct difference) some
> parts do not. In particular ``seq_to_skip`` is broken (and fails
> silently). There might well be other parts of the Reassembler that fail
> silently as well, that I haven't found yet.
>
> See Comments in TCP_Reassembler.cc for more details.
>
> The Reassembler should use int64. However this will require deep
> changes to the Reassembler and the TCP Analyzer and TCP_Endpoint
> classes (since we also store sequence numbers there). Also, the
> analyzer framework will need tweaks as well (e.g., Undelivered uses
> ``int`` for sequence numbers, also has to go to 64 bit)
>
> As a hotfix that seems to work I disabled the ``seq_to_skip`` features.
> It wasn't used by any analyzer or policy script (Note, that seq_to_skip
> is different from skip_deliveries). Hotfix is in
> topic/gregor/reassembler-hotfix
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From robin at icir.org Thu May 8 16:49:49 2014
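An added illustration of the failure mode described in the BIT-348 report above; this is constructed example code, not the reassembler's code and not gregor's hotfix. It pushes a multi-gigabyte stream through a `rel_seq >= seq_to_skip` style check once with the relative sequence number held in an `int` and once in an `int64_t`; the `int` variant stops delivering between 2 GB and 4 GB and resumes between 4 GB and 6 GB, as the ticket says, while the 64-bit variant keeps delivering. The `unwrap_seq` helper that extends the 32-bit wire sequence number to 64 bits is an assumption of this example (the ticket only says the reassembler should use int64), and the ISN is a constructed value chosen to wrap early.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GB (1024ULL * 1024 * 1024)

/* Extend a 32-bit TCP sequence number seen on the wire to a 64-bit stream
 * position: take the candidate with the same low 32 bits in the current
 * 2^32 window and move it one window up or down when it sits more than
 * 2^31 away from the previous position.  Constructed for this example. */
uint64_t unwrap_seq(uint64_t prev64, uint32_t seq32)
{
    uint64_t cand = (prev64 & ~0xFFFFFFFFULL) | seq32;
    if (prev64 > cand && prev64 - cand > 0x80000000ULL)
        cand += 0x100000000ULL;                      /* wrapped past 2^32 */
    else if (cand > prev64 && cand - prev64 > 0x80000000ULL
             && cand >= 0x100000000ULL)
        cand -= 0x100000000ULL;                      /* old data, pre-wrap */
    return cand;
}

/* Push `total` bytes through in `chunk`-byte segments toward an analyzer
 * that asked to skip the first `skip` bytes.  Returns how many bytes the
 * "rel_seq >= seq_to_skip" check lets through when the relative sequence
 * number is an int (the overflow in the ticket) or an int64_t (the fix). */
uint64_t bytes_delivered(uint64_t total, uint32_t chunk, uint32_t skip,
                         bool use_int64)
{
    const uint32_t isn = 0x7FFFFF00u;   /* constructed ISN, wraps early */
    uint64_t delivered = 0;
    uint64_t pos64 = isn;               /* unwrapped 64-bit stream position */

    for (uint64_t off = 0; off < total; off += chunk) {
        uint32_t seq32 = isn + (uint32_t)off;   /* as carried in the TCP header */

        /* 64-bit path: unwrap first; the difference then never overflows. */
        pos64 = unwrap_seq(pos64, seq32);
        int64_t rel64 = (int64_t)(pos64 - isn);

        /* 32-bit path: seq32 - isn is the true offset mod 2^32, but once it
         * reaches 2^31 the conversion to int turns negative (wrap-around on
         * common compilers), so the skip check silently fails until the
         * value wraps positive again at 4 GB. */
        int rel32 = (int)(seq32 - isn);

        bool past_skip = use_int64 ? rel64 >= (int64_t)skip
                                   : rel32 >= (int)skip;
        if (past_skip)
            delivered += chunk;
    }
    return delivered;
}

int main(void)
{
    const uint32_t chunk = 1u << 20;    /* 1 MiB segments, skip the first one */
    for (uint64_t gb = 1; gb <= 6; gb++) {
        uint64_t total = gb * GB;
        printf("%llu GB stream: int delivers %llu MiB, int64 delivers %llu MiB\n",
               (unsigned long long)gb,
               (unsigned long long)(bytes_delivered(total, chunk, chunk, false) >> 20),
               (unsigned long long)(bytes_delivered(total, chunk, chunk, true) >> 20));
    }
    return 0;
}
```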
From: robin at icir.org (Robin Sommer)
Date: Thu, 8 May 2014 16:49:49 -0700
Subject: [Bro-Dev] Pending TM patches (Re: [Auto] Merge Status)
In-Reply-To: <201405080700.s4870Gvt005932@bro-ids.icir.org>
References: <201405080700.s4870Gvt005932@bro-ids.icir.org>
Message-ID: <20140508234949.GA1656@icir.org>

On Thu, May 08, 2014 at 00:00 -0700, you wrote:

> #4 [3]    time-machine   mareq [4]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [5]
> #3 [6]    time-machine   mareq [7]    2014-04-10   Correct handling of Linux SLL header and VLAN headers. [8]
> #2 [9]    time-machine   mareq [10]   2014-04-09   Query interval start/end is now taken into account. [11]
> #1 [12]   time-machine   mareq [13]   2014-03-19   TM-16: Really skip VLAN header for indexing. [14]

Is there anybody here who would be interested in taking on reviewing TM
patches? I appreciate the contributions but I'm not at all familiar with
the TM code base myself. Otherwise I'd be inclined to remove the TM from
the Merge Status mails for the time being, and also from the Pending
Merge Requests section on the Bro tracker dashboard, until we find
somebody.

Any other ideas?

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin

From jira at bro-tracker.atlassian.net Thu May 8 17:04:07 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 8 May 2014 19:04:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1177) SumStats dynamic updates do not work in cluster mode
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16401#comment-16401 ]

Robin Sommer commented on BIT-1177:
-----------------------------------

Seth, are you going to merge this?

> SumStats dynamic updates do not work in cluster mode
> ----------------------------------------------------
>
>                 Key: BIT-1177
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1177
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Bernhard Amann
>            Assignee: Seth Hall
>             Fix For: 2.3
>
>
> In cluster mode, dynamic updates via the request_key function do not work.
> The reason is, that, at the moment, in cluster mode the function is defined only on the manager.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Thu May 8 17:10:08 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 8 May 2014 19:10:08 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-348) Reassembler integer overflow issues. Data not delivered after 2GB
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-348:
-----------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Reassembler integer overflow issues. Data not delivered after 2GB
> -----------------------------------------------------------------
>
>                 Key: BIT-348
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-348
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: gregor
>            Assignee: Robin Sommer
>            Priority: High
>              Labels: inttypes
>             Fix For: 2.3
>
>
> {noformat}
> #!rst
> The TCP Reassembler does not deliver any data to analyzers after the
> first 2GB due to signed integer overflow (Actually it will deliver again
> between 4--6GB, etc.) This happens silently, i.e., without content_gap
> events or Undelivered calls.
>
> This report superseded BIT-315, BIT-137
>
> The TCP Reassembler (and Reassem) base class use ``int`` to keep track
> of sequence numbers and ``seq_delta`` to check for differences. If a
> connection exceeds 2GB, the relative sequence numbers (int) used by the
> Reassembler become negative. While many parts of the Reassembler still
> work (because seq_delta still reports the correct difference) some
> parts do not. In particular ``seq_to_skip`` is broken (and fails
> silently). There might well be other parts of the Reassembler that fail
> silently as well, that I haven't found yet.
>
> See Comments in TCP_Reassembler.cc for more details.
>
> The Reassembler should use int64. However this will require deep
> changes to the Reassembler and the TCP Analyzer and TCP_Endpoint
> classes (since we also store sequence numbers there). Also, the
> analyzer framework will need tweaks as well (e.g., Undelivered uses
> ``int`` for sequence numbers, also has to go to 64 bit)
>
> As a hotfix that seems to work I disabled the ``seq_to_skip`` features.
> It wasn't used by any analyzer or policy script (Note, that seq_to_skip
> is different from skip_deliveries). Hotfix is in
> topic/gregor/reassembler-hotfix
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From noreply at bro.org Fri May 9 00:00:12 2014
From: noreply at bro.org (Merge Tracker)
Date: Fri, 9 May 2014 00:00:12 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405090700.s4970CR9028676@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee    Updated      For Version   Priority   Summary
------------  ----------  ---------------  ----------  -----------  ------------  ---------  ----------------------------------------------------
BIT-1177 [1]  Bro         Bernhard Amann   Seth Hall   2014-05-08   2.3           Normal     SumStats dynamic updates do not work in cluster mode

Open GitHub Pull Requests
=========================

Issue     Component      User         Updated      Title
--------  -------------  -----------  -----------  ---------------------------------------------------------------------------
#8 [2]    bro            Mraoul [3]   2014-05-08   New Logging Writers based on librabbitmq [4]
#4 [5]    time-machine   mareq [6]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [7]
#3 [8]    time-machine   mareq [9]    2014-04-10   Correct handling of Linux SLL header and VLAN headers. [10]
#2 [11]   time-machine   mareq [12]   2014-04-09   Query interval start/end is now taken into account. [13]
#1 [14]   time-machine   mareq [15]   2014-03-19   TM-16: Really skip VLAN header for indexing. [16]

[1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177
[2] Pull Request #8 https://github.com/bro/bro/pull/8
[3] Mraoul https://github.com/Mraoul
[4] Merge Pull Request #8 with git pull https://github.com/MITRECND/bro.git master
[5] Pull Request #4 https://github.com/bro/time-machine/pull/4
[6] mareq https://github.com/mareq
[7] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[8] Pull Request #3 https://github.com/bro/time-machine/pull/3
[9] mareq https://github.com/mareq
[10] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[11] Pull Request #2 https://github.com/bro/time-machine/pull/2
[12] mareq https://github.com/mareq
[13] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[14] Pull Request #1 https://github.com/bro/time-machine/pull/1
[15] mareq https://github.com/mareq
[16] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From jira at bro-tracker.atlassian.net Fri May 9 08:09:07 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 9 May 2014 10:09:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1129) RADIUS Protocol Analyzer
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16402#comment-16402 ]

Robin Sommer commented on BIT-1129:
-----------------------------------

Ping.

> RADIUS Protocol Analyzer
> ------------------------
>
>                 Key: BIT-1129
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1129
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: grigorescu
>            Assignee: Vlad Grigorescu
>             Fix For: 2.3
>
>
> topic/vladg/radius is ready to be merged. It's been running at CMU for a few months with no issues.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From robin at icir.org Fri May 9 08:10:06 2014
From: robin at icir.org (Robin Sommer)
Date: Fri, 9 May 2014 08:10:06 -0700
Subject: [Bro-Dev] Leak state?
Message-ID: <20140509151006.GB32778@icir.org>

I've lost track of whether we still believe we have a memory leak
somewhere, or are things running stable for people now?

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin

From jira at bro-tracker.atlassian.net Fri May 9 08:14:07 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 9 May 2014 10:14:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1186) Improve cluster configuration documentation
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1186:
------------------------------

    Assignee: Daniel Thayer

> Improve cluster configuration documentation
> -------------------------------------------
>
>                 Key: BIT-1186
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1186
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro, BroControl
>            Reporter: Daniel Thayer
>            Assignee: Daniel Thayer
>             Fix For: 2.3
>
>
> To make it easier to find "how-to" documentation for configuring a cluster,
> the plan is to create a new section in the Bro manual after the
> Quick Start Guide which will contain a step-by-step example of how
> to configure a Bro cluster (most of this content will be moved from
> the existing broctl manual) using broctl and optionally a load balancing
> method such as PF_RING.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From robin at icir.org Fri May 9 08:17:11 2014
From: robin at icir.org (Robin Sommer)
Date: Fri, 9 May 2014 08:17:11 -0700
Subject: [Bro-Dev] 2.3 TODOs; close to beta?
Message-ID: <20140509151711.GC32778@icir.org>

Other than potential leaks, looks like there's not much left:

One merge for Seth:

    BIT-1177  SumStats dynamic updates do not work in cluster mode

One cleanup for Seth (or anybody else I guess):

    BIT-1171  misc/app-stats/main.bro broken for a few sites

One fix for Matthias:

    BIT-1140  Bloomfilter hashing problem

Test cases missing for Vlad:

    BIT-1129  RADIUS Protocol Analyzer

Two documentation tickets for Daniel:

    BIT-1186  Improve cluster configuration documentation
    BIT-845   PF_RING+DNA 0

If anybody else is still planning something for 2.3, please open a
ticket (hi Bernhard :-)

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin

From jira at bro-tracker.atlassian.net Fri May 9 08:31:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Fri, 9 May 2014 10:31:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1190) Even more SSL fixes
In-Reply-To:
References:
Message-ID:

Bernhard Amann created BIT-1190:
-----------------------------------

             Summary: Even more SSL fixes
                 Key: BIT-1190
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1190
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Bernhard Amann
             Fix For: 2.3

There are still a few small things that I plan to fix for 2.3

* detect tls protocol failures even earlier (done, just not committed)
* better heartbleed detection (done, but I need to clean it up)
* clean up the way dates are extracted from certs (found a different nicer API to use in OpenSSL, have to implement it)
* perhaps: allow OCSP validation with data from stapling

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Fri May 9 08:32:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Fri, 9 May 2014 10:32:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1190) Even more SSL fixes
In-Reply-To:
References:
Message-ID:

[ https://bro-tracker.atlassian.net/browse/BIT-1190?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernhard Amann reassigned BIT-1190:
-----------------------------------

    Assignee: Bernhard Amann

> Even more SSL fixes
> -------------------
>
>                 Key: BIT-1190
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1190
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Bernhard Amann
>            Assignee: Bernhard Amann
>             Fix For: 2.3
>
>
> There are still a few small things that I plan to fix for 2.3
>
> * detect tls protocol failures even earlier (done, just not committed)
> * better heartbleed detection (done, but I need to clean it up)
> * clean up the way dates are extracted from certs (found a different nicer API to use in OpenSSL, have to implement it)
> * perhaps: allow OCSP validation with data from stapling

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From noreply at bro.org Sat May 10 00:00:24 2014
From: noreply at bro.org (Merge Tracker)
Date: Sat, 10 May 2014 00:00:24 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405100700.s4A70Oe7032009@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee    Updated      For Version   Priority   Summary
------------  ----------  ---------------  ----------  -----------  ------------  ---------  ----------------------------------------------------
BIT-1177 [1]  Bro         Bernhard Amann   Seth Hall   2014-05-08   2.3           Normal     SumStats dynamic updates do not work in cluster mode

Open GitHub Pull Requests
=========================

Issue     Component      User         Updated      Title
--------  -------------  -----------  -----------  ---------------------------------------------------------------------------
#8 [2]    bro            Mraoul [3]   2014-05-08   New Logging Writers based on librabbitmq [4]
#4 [5]    time-machine   mareq [6]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [7]
#3 [8]    time-machine   mareq [9]    2014-04-10   Correct handling of Linux SLL header and VLAN headers. [10]
#2 [11]   time-machine   mareq [12]   2014-04-09   Query interval start/end is now taken into account. [13]
#1 [14]   time-machine   mareq [15]   2014-03-19   TM-16: Really skip VLAN header for indexing. [16]

[1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177
[2] Pull Request #8 https://github.com/bro/bro/pull/8
[3] Mraoul https://github.com/Mraoul
[4] Merge Pull Request #8 with git pull https://github.com/MITRECND/bro.git master
[5] Pull Request #4 https://github.com/bro/time-machine/pull/4
[6] mareq https://github.com/mareq
[7] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[8] Pull Request #3 https://github.com/bro/time-machine/pull/3
[9] mareq https://github.com/mareq
[10] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[11] Pull Request #2 https://github.com/bro/time-machine/pull/2
[12] mareq https://github.com/mareq
[13] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[14] Pull Request #1 https://github.com/bro/time-machine/pull/1
[15] mareq https://github.com/mareq
[16] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org Sun May 11 00:00:21 2014
From: noreply at bro.org (Merge Tracker)
Date: Sun, 11 May 2014 00:00:21 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405110700.s4B70LmR027388@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee    Updated      For Version   Priority   Summary
------------  ----------  ---------------  ----------  -----------  ------------  ---------  ----------------------------------------------------
BIT-1177 [1]  Bro         Bernhard Amann   Seth Hall   2014-05-08   2.3           Normal     SumStats dynamic updates do not work in cluster mode

Open GitHub Pull Requests
=========================

Issue     Component      User         Updated      Title
--------  -------------  -----------  -----------  ---------------------------------------------------------------------------
#8 [2]    bro            Mraoul [3]   2014-05-08   New Logging Writers based on librabbitmq [4]
#4 [5]    time-machine   mareq [6]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [7]
#3 [8]    time-machine   mareq [9]    2014-04-10   Correct handling of Linux SLL header and VLAN headers. [10]
#2 [11]   time-machine   mareq [12]   2014-04-09   Query interval start/end is now taken into account. [13]
#1 [14]   time-machine   mareq [15]   2014-03-19   TM-16: Really skip VLAN header for indexing. [16]

[1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177
[2] Pull Request #8 https://github.com/bro/bro/pull/8
[3] Mraoul https://github.com/Mraoul
[4] Merge Pull Request #8 with git pull https://github.com/MITRECND/bro.git master
[5] Pull Request #4 https://github.com/bro/time-machine/pull/4
[6] mareq https://github.com/mareq
[7] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[8] Pull Request #3 https://github.com/bro/time-machine/pull/3
[9] mareq https://github.com/mareq
[10] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[11] Pull Request #2 https://github.com/bro/time-machine/pull/2
[12] mareq https://github.com/mareq
[13] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[14] Pull Request #1 https://github.com/bro/time-machine/pull/1
[15] mareq https://github.com/mareq
[16] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org Mon May 12 00:00:23 2014
From: noreply at bro.org (Merge Tracker)
Date: Mon, 12 May 2014 00:00:23 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405120700.s4C70NI9009527@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee    Updated      For Version   Priority   Summary
------------  ----------  ---------------  ----------  -----------  ------------  ---------  ----------------------------------------------------
BIT-1177 [1]  Bro         Bernhard Amann   Seth Hall   2014-05-08   2.3           Normal     SumStats dynamic updates do not work in cluster mode

Open GitHub Pull Requests
=========================

Issue     Component      User         Updated      Title
--------  -------------  -----------  -----------  ---------------------------------------------------------------------------
#8 [2]    bro            Mraoul [3]   2014-05-08   New Logging Writers based on librabbitmq [4]
#4 [5]    time-machine   mareq [6]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [7]
#3 [8]    time-machine   mareq [9]    2014-04-10   Correct handling of Linux SLL header and VLAN headers. [10]
#2 [11]   time-machine   mareq [12]   2014-04-09   Query interval start/end is now taken into account. [13]
#1 [14]   time-machine   mareq [15]   2014-03-19   TM-16: Really skip VLAN header for indexing. [16]

[1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177
[2] Pull Request #8 https://github.com/bro/bro/pull/8
[3] Mraoul https://github.com/Mraoul
[4] Merge Pull Request #8 with git pull https://github.com/MITRECND/bro.git master
[5] Pull Request #4 https://github.com/bro/time-machine/pull/4
[6] mareq https://github.com/mareq
[7] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[8] Pull Request #3 https://github.com/bro/time-machine/pull/3
[9] mareq https://github.com/mareq
[10] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[11] Pull Request #2 https://github.com/bro/time-machine/pull/2
[12] mareq https://github.com/mareq
[13] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[14] Pull Request #1 https://github.com/bro/time-machine/pull/1
[15] mareq https://github.com/mareq
[16] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org Tue May 13 00:00:26 2014
From: noreply at bro.org (Merge Tracker)
Date: Tue, 13 May 2014 00:00:26 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405130700.s4D70Q9O024665@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee    Updated      For Version   Priority   Summary
------------  ----------  ---------------  ----------  -----------  ------------  ---------  ----------------------------------------------------
BIT-1177 [1]  Bro         Bernhard Amann   Seth Hall   2014-05-08   2.3           Normal     SumStats dynamic updates do not work in cluster mode

Open GitHub Pull Requests
=========================

Issue     Component      User         Updated      Title
--------  -------------  -----------  -----------  ---------------------------------------------------------------------------
#8 [2]    bro            Mraoul [3]   2014-05-08   New Logging Writers based on librabbitmq [4]
#4 [5]    time-machine   mareq [6]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [7]
#3 [8]    time-machine   mareq [9]    2014-04-10   Correct handling of Linux SLL header and VLAN headers. [10]
#2 [11]   time-machine   mareq [12]   2014-04-09   Query interval start/end is now taken into account. [13]
#1 [14]   time-machine   mareq [15]   2014-03-19   TM-16: Really skip VLAN header for indexing. [16]

[1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177
[2] Pull Request #8 https://github.com/bro/bro/pull/8
[3] Mraoul https://github.com/Mraoul
[4] Merge Pull Request #8 with git pull https://github.com/MITRECND/bro.git master
[5] Pull Request #4 https://github.com/bro/time-machine/pull/4
[6] mareq https://github.com/mareq
[7] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[8] Pull Request #3 https://github.com/bro/time-machine/pull/3
[9] mareq https://github.com/mareq
[10] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[11] Pull Request #2 https://github.com/bro/time-machine/pull/2
[12] mareq https://github.com/mareq
[13] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[14] Pull Request #1 https://github.com/bro/time-machine/pull/1
[15] mareq https://github.com/mareq
[16] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From seth at icir.org Tue May 13 07:35:57 2014
From: seth at icir.org (Seth Hall)
Date: Tue, 13 May 2014 10:35:57 -0400
Subject: [Bro-Dev] Leak state?
In-Reply-To: <20140509151006.GB32778@icir.org>
References: <20140509151006.GB32778@icir.org>
Message-ID: <781894EE-A6A9-46A7-85A7-1C2BD8DDAB9F@icir.org>

On May 9, 2014, at 11:10 AM, Robin Sommer wrote:

> I've lost track of whether we still believe we have a memory leak
> somewhere, or are things running stable for people now?

I was already planning on pinging a couple of people about this today.
I think we're at the point where we have urban legends of a smallish
memory growth issue on master. Might not be a problem though.

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From seth at icir.org Tue May 13 07:38:29 2014
From: seth at icir.org (Seth Hall)
Date: Tue, 13 May 2014 10:38:29 -0400
Subject: [Bro-Dev] Merging updates
In-Reply-To: <20140508190151.GA54618@icir.org>
References: <201405081907.s48J74qE005805@bro-ids.icir.org> <20140508190151.GA54618@icir.org>
Message-ID: <349447DC-B999-44D4-B070-7BC64A371E97@icir.org>

On May 8, 2014, at 3:01 PM, Robin Sommer wrote:

> - Jon Siwek is joining the ranks of the Bro Merge Masters(TM).

Thanks Jon!

> - I've updated our "Development Process" page with some notes on
>   how we generally merge and generally commit to master:

Ooh, unexpectedly thanks Robin!

  .Seth

-- 
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

From noreply at bro.org Wed May 14 00:00:17 2014
From: noreply at bro.org (Merge Tracker)
Date: Wed, 14 May 2014 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405140700.s4E70Hta026180@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component   Reporter         Assignee    Updated      For Version   Priority   Summary
------------  ----------  ---------------  ----------  -----------  ------------  ---------  ----------------------------------------------------
BIT-1177 [1]  Bro         Bernhard Amann   Seth Hall   2014-05-08   2.3           Normal     SumStats dynamic updates do not work in cluster mode

Open GitHub Pull Requests
=========================

Issue     Component      User         Updated      Title
--------  -------------  -----------  -----------  ---------------------------------------------------------------------------
#8 [2]    bro            Mraoul [3]   2014-05-08   New Logging Writers based on librabbitmq [4]
#4 [5]    time-machine   mareq [6]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [7]
#3 [8]    time-machine   mareq [9]    2014-04-10   Correct handling of Linux SLL header and VLAN headers. [10]
#2 [11]   time-machine   mareq [12]   2014-04-09   Query interval start/end is now taken into account. [13]
#1 [14]   time-machine   mareq [15]   2014-03-19   TM-16: Really skip VLAN header for indexing. [16]

[1] BIT-1177 https://bro-tracker.atlassian.net/browse/BIT-1177
[2] Pull Request #8 https://github.com/bro/bro/pull/8
[3] Mraoul https://github.com/Mraoul
[4] Merge Pull Request #8 with git pull https://github.com/MITRECND/bro.git master
[5] Pull Request #4 https://github.com/bro/time-machine/pull/4
[6] mareq https://github.com/mareq
[7] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[8] Pull Request #3 https://github.com/bro/time-machine/pull/3
[9] mareq https://github.com/mareq
[10] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[11] Pull Request #2 https://github.com/bro/time-machine/pull/2
[12] mareq https://github.com/mareq
[13] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[14] Pull Request #1 https://github.com/bro/time-machine/pull/1
[15] mareq https://github.com/mareq
[16] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org Thu May 15 00:00:23 2014
From: noreply at bro.org (Merge Tracker)
Date: Thu, 15 May 2014 00:00:23 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405150700.s4F70NIJ023073@bro-ids.icir.org>

Open Merge Requests
===================

ID            Component  Reporter        Assignee   Updated     For Version  Priority  Summary
------------  ---------  --------------  ---------  ----------  -----------  --------  ----------------------------------------------------
BIT-1177 [1]  Bro        Bernhard Amann  Seth Hall  2014-05-08  2.3          Normal    SumStats dynamic updates do not work in cluster mode

Open GitHub Pull Requests
=========================

Issue    Component     User        Updated     Title
-------  ------------  ----------  ----------  ---------------------------------------------------------------------------
#8 [2]   bro           Mraoul [3]  2014-05-08  New Logging Writers based on librabbitmq [4]
#4 [5]   time-machine  mareq [6]   2014-04-10  When deleting connections hashtable, delete stored connections as well. [7]
#3 [8]   time-machine  mareq [9]   2014-04-10  Correct handling of Linux SLL header and VLAN headers. [10]
#2 [11]  time-machine  mareq [12]  2014-04-09  Query interval start/end is now taken into account. [13]
#1 [14]  time-machine  mareq [15]  2014-03-19  TM-16: Really skip VLAN header for indexing. [16]

[1] BIT-1177  https://bro-tracker.atlassian.net/browse/BIT-1177
[2] Pull Request #8  https://github.com/bro/bro/pull/8
[3] Mraoul  https://github.com/Mraoul
[4] Merge Pull Request #8 with git pull https://github.com/MITRECND/bro.git master
[5] Pull Request #4  https://github.com/bro/time-machine/pull/4
[6] mareq  https://github.com/mareq
[7] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[8] Pull Request #3  https://github.com/bro/time-machine/pull/3
[9] mareq  https://github.com/mareq
[10] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[11] Pull Request #2  https://github.com/bro/time-machine/pull/2
[12] mareq  https://github.com/mareq
[13] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[14] Pull Request #1  https://github.com/bro/time-machine/pull/1
[15] mareq  https://github.com/mareq
[16] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From jira at bro-tracker.atlassian.net Thu May 15 07:46:07 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 15 May 2014 09:46:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1177) SumStats dynamic updates do not work in cluster mode
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1177?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16500#comment-16500 ]

Robin Sommer commented on BIT-1177:
-----------------------------------

Ping.

> SumStats dynamic updates do not work in cluster mode
> ----------------------------------------------------
>
> Key: BIT-1177
> URL: https://bro-tracker.atlassian.net/browse/BIT-1177
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Bernhard Amann
> Assignee: Seth Hall
> Fix For: 2.3
>
>
> In cluster mode, dynamic updates via the request_key function do not work.
> The reason is, that, at the moment, in cluster mode the function is defined only on the manager.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Thu May 15 09:21:07 2014
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 15 May 2014 11:21:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1129) RADIUS Protocol Analyzer
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

grigorescu updated BIT-1129:
----------------------------

    Status: Merge Request  (was: Open)

> RADIUS Protocol Analyzer
> ------------------------
>
> Key: BIT-1129
> URL: https://bro-tracker.atlassian.net/browse/BIT-1129
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: grigorescu
> Assignee: Vlad Grigorescu
> Fix For: 2.3
>
>
> topic/vladg/radius is ready to be merged. It's been running at CMU for a few months with no issues.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Thu May 15 09:22:07 2014
From: jira at bro-tracker.atlassian.net (grigorescu (JIRA))
Date: Thu, 15 May 2014 11:22:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1129) RADIUS Protocol Analyzer
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16501#comment-16501 ]

grigorescu commented on BIT-1129:
---------------------------------

Sorry for the delay...

- expiration logic fixed
- baselines updated
- functional and memleak btests added

It's good to go.

> RADIUS Protocol Analyzer
> ------------------------
>
> Key: BIT-1129
> URL: https://bro-tracker.atlassian.net/browse/BIT-1129
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: grigorescu
> Assignee: Vlad Grigorescu
> Fix For: 2.3
>
>
> topic/vladg/radius is ready to be merged. It's been running at CMU for a few months with no issues.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Thu May 15 10:20:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Thu, 15 May 2014 12:20:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-533) Support STARTTLS in various other protocols
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16502#comment-16502 ]

Bernhard Amann commented on BIT-533:
------------------------------------

will be solved with BIT-1190 for protocols supported by Bro. I don't think we need the ticket for those we don't support yet.

> Support STARTTLS in various other protocols
> -------------------------------------------
>
> Key: BIT-533
> URL: https://bro-tracker.atlassian.net/browse/BIT-533
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Seth Hall
> Fix For: 2.4
>
>
> Now that master has a functional and (apparently) stable SSL/TLS analyzer we need to add support for other protocols to pass traffic into it once they upgrade to SSL. Protocols I would like to see support this..
> SMTP
> POP3
> XMPP - http://xmpp.org/rfcs/rfc3920.html#tls (once we have an XMPP analyzer)

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Thu May 15 10:20:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Thu, 15 May 2014 12:20:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-533) Support STARTTLS in various other protocols
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernhard Amann updated BIT-533:
-------------------------------

    Resolution: Fixed
    Status: Closed  (was: Open)

> Support STARTTLS in various other protocols
> -------------------------------------------
>
> Key: BIT-533
> URL: https://bro-tracker.atlassian.net/browse/BIT-533
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: Seth Hall
> Fix For: 2.4
>
>
> Now that master has a functional and (apparently) stable SSL/TLS analyzer we need to add support for other protocols to pass traffic into it once they upgrade to SSL. Protocols I would like to see support this..
> SMTP
> POP3
> XMPP - http://xmpp.org/rfcs/rfc3920.html#tls (once we have an XMPP analyzer)

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Thu May 15 10:31:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Thu, 15 May 2014 12:31:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1190) Even more SSL fixes
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1190?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernhard Amann updated BIT-1190:
--------------------------------

    Description:

There are still a few small things that I plan to fix for 2.3

* detect tls protocol failures even earlier (done, just not committed)
* better heartbleed detection (done, but I need to clean it up)
* add starttls support to smtp/pop3
* clean up the way dates are extracted from certs (found a different nicer API to use in OpenSSL, have to implement it)
* perhaps: allow OCSP validation with data from stapling

  was:

There are sill a few small things that I plan to fix for 2.3

* detect tls protocol failures even earlier (done, just not committed)
* better heartbleed detection (done, but I need to clean it up)
* clean up the way dates are extracted from certs (found a different nicer API to use in OpenSSL, have to implement it)
* perhaps: allow OCSP validation with data from stapling

> Even more SSL fixes
> -------------------
>
> Key: BIT-1190
> URL: https://bro-tracker.atlassian.net/browse/BIT-1190
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Bernhard Amann
> Assignee: Bernhard Amann
> Fix For: 2.3
>
>
> There are still a few small things that I plan to fix for 2.3
> * detect tls protocol failures even earlier (done, just not committed)
> * better heartbleed detection (done, but I need to clean it up)
> * add starttls support to smtp/pop3
> * clean up the way dates are extracted from certs (found a different nicer API to use in OpenSSL, have to implement it)
> * perhaps: allow OCSP validation with data from stapling

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Thu May 15 10:49:07 2014
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 15 May 2014 12:49:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1191) Update libgeoip support for new API version
In-Reply-To:
References:
Message-ID:

Seth Hall created BIT-1191:
------------------------------

    Summary: Update libgeoip support for new API version
    Key: BIT-1191
    URL: https://bro-tracker.atlassian.net/browse/BIT-1191
    Project: Bro Issue Tracker
    Issue Type: Task
    Components: Bro
    Affects Versions: 2.4
    Reporter: Seth Hall

MaxMind has released a new version of the GeoIP api and we should update to support the old and new APIs.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Thu May 15 11:08:07 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 15 May 2014 13:08:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1129) RADIUS Protocol Analyzer
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1129:
---------------------------------

    Assignee: Robin Sommer  (was: Vlad Grigorescu)

> RADIUS Protocol Analyzer
> ------------------------
>
> Key: BIT-1129
> URL: https://bro-tracker.atlassian.net/browse/BIT-1129
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: grigorescu
> Assignee: Robin Sommer
> Fix For: 2.3
>
>
> topic/vladg/radius is ready to be merged. It's been running at CMU for a few months with no issues.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Thu May 15 11:49:07 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Thu, 15 May 2014 13:49:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1129) RADIUS Protocol Analyzer
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1129:
------------------------------

    Resolution: Merged  (was: Fixed)
    Status: Closed  (was: Merge Request)

> RADIUS Protocol Analyzer
> ------------------------
>
> Key: BIT-1129
> URL: https://bro-tracker.atlassian.net/browse/BIT-1129
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: grigorescu
> Assignee: Robin Sommer
> Fix For: 2.3
>
>
> topic/vladg/radius is ready to be merged. It's been running at CMU for a few months with no issues.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Thu May 15 19:02:07 2014
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Thu, 15 May 2014 21:02:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1177) SumStats dynamic updates do not work in cluster mode
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1177?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1177:
---------------------------

    Resolution: Merged  (was: Fixed)
    Status: Closed  (was: Merge Request)

> SumStats dynamic updates do not work in cluster mode
> ----------------------------------------------------
>
> Key: BIT-1177
> URL: https://bro-tracker.atlassian.net/browse/BIT-1177
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Bernhard Amann
> Assignee: Seth Hall
> Fix For: 2.3
>
>
> In cluster mode, dynamic updates via the request_key function do not work.
> The reason is, that, at the moment, in cluster mode the function is defined only on the manager.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From noreply at bro.org Fri May 16 00:00:15 2014
From: noreply at bro.org (Merge Tracker)
Date: Fri, 16 May 2014 00:00:15 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405160700.s4G70Fp7031304@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component     User        Updated     Title
-------  ------------  ----------  ----------  ---------------------------------------------------------------------------
#8 [1]   bro           Mraoul [2]  2014-05-08  New Logging Writers based on librabbitmq [3]
#4 [4]   time-machine  mareq [5]   2014-04-10  When deleting connections hashtable, delete stored connections as well. [6]
#3 [7]   time-machine  mareq [8]   2014-04-10  Correct handling of Linux SLL header and VLAN headers. [9]
#2 [10]  time-machine  mareq [11]  2014-04-09  Query interval start/end is now taken into account. [12]
#1 [13]  time-machine  mareq [14]  2014-03-19  TM-16: Really skip VLAN header for indexing. [15]

[1] Pull Request #8  https://github.com/bro/bro/pull/8
[2] Mraoul  https://github.com/Mraoul
[3] Merge Pull Request #8 with git pull https://github.com/MITRECND/bro.git master
[4] Pull Request #4  https://github.com/bro/time-machine/pull/4
[5] mareq  https://github.com/mareq
[6] Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[7] Pull Request #3  https://github.com/bro/time-machine/pull/3
[8] mareq  https://github.com/mareq
[9] Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[10] Pull Request #2  https://github.com/bro/time-machine/pull/2
[11] mareq  https://github.com/mareq
[12] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[13] Pull Request #1  https://github.com/bro/time-machine/pull/1
[14] mareq  https://github.com/mareq
[15] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From jira at bro-tracker.atlassian.net Fri May 16 11:40:07 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 16 May 2014 13:40:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1171) misc/app-stats/main.bro broken for a few sites
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1171:
------------------------------

    Assignee: Jon Siwek  (was: Seth Hall)

> misc/app-stats/main.bro broken for a few sites
> ----------------------------------------------
>
> Key: BIT-1171
> URL: https://bro-tracker.atlassian.net/browse/BIT-1171
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Bernhard Amann
> Assignee: Jon Siwek
> Fix For: 2.3
>
>
> Currently the reporting of misc/app-stats/main.bro seems to be quite wrong for some of the sites it monitors.
> At the very least the numbers for youtube and netflix are completely off, gmail also seems slightly unbelievable.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Fri May 16 11:41:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Fri, 16 May 2014 13:41:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1190) Even more SSL fixes
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16504#comment-16504 ]

Bernhard Amann commented on BIT-1190:
-------------------------------------

Updates are in branch topic/bernhard/even-more-ssl-changes in bro and testing.

> Even more SSL fixes
> -------------------
>
> Key: BIT-1190
> URL: https://bro-tracker.atlassian.net/browse/BIT-1190
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Bernhard Amann
> Assignee: Bernhard Amann
> Fix For: 2.3
>
>
> There are still a few small things that I plan to fix for 2.3
> * detect tls protocol failures even earlier (done, just not committed)
> * better heartbleed detection (done, but I need to clean it up)
> * add starttls support to smtp/pop3
> * clean up the way dates are extracted from certs (found a different nicer API to use in OpenSSL, have to implement it)
> * perhaps: allow OCSP validation with data from stapling

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Fri May 16 11:41:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Fri, 16 May 2014 13:41:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1190) Even more SSL fixes
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16503#comment-16503 ]

Bernhard Amann commented on BIT-1190:
-------------------------------------

Everything besides cleaning up date extraction is done. And that will take a bit.

> Even more SSL fixes
> -------------------
>
> Key: BIT-1190
> URL: https://bro-tracker.atlassian.net/browse/BIT-1190
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Bernhard Amann
> Assignee: Bernhard Amann
> Fix For: 2.3
>
>
> There are still a few small things that I plan to fix for 2.3
> * detect tls protocol failures even earlier (done, just not committed)
> * better heartbleed detection (done, but I need to clean it up)
> * add starttls support to smtp/pop3
> * clean up the way dates are extracted from certs (found a different nicer API to use in OpenSSL, have to implement it)
> * perhaps: allow OCSP validation with data from stapling

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Fri May 16 11:41:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Fri, 16 May 2014 13:41:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1190) Even more SSL fixes
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1190?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernhard Amann updated BIT-1190:
--------------------------------

    Status: Merge Request  (was: Open)

> Even more SSL fixes
> -------------------
>
> Key: BIT-1190
> URL: https://bro-tracker.atlassian.net/browse/BIT-1190
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Bernhard Amann
> Assignee: Bernhard Amann
> Fix For: 2.3
>
>
> There are still a few small things that I plan to fix for 2.3
> * detect tls protocol failures even earlier (done, just not committed)
> * better heartbleed detection (done, but I need to clean it up)
> * add starttls support to smtp/pop3
> * clean up the way dates are extracted from certs (found a different nicer API to use in OpenSSL, have to implement it)
> * perhaps: allow OCSP validation with data from stapling

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Fri May 16 11:42:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Fri, 16 May 2014 13:42:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1190) Even more SSL fixes
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1190?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernhard Amann updated BIT-1190:
--------------------------------

    Assignee: Robin Sommer  (was: Bernhard Amann)

> Even more SSL fixes
> -------------------
>
> Key: BIT-1190
> URL: https://bro-tracker.atlassian.net/browse/BIT-1190
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Bernhard Amann
> Assignee: Robin Sommer
> Fix For: 2.3
>
>
> There are still a few small things that I plan to fix for 2.3
> * detect tls protocol failures even earlier (done, just not committed)
> * better heartbleed detection (done, but I need to clean it up)
> * add starttls support to smtp/pop3
> * clean up the way dates are extracted from certs (found a different nicer API to use in OpenSSL, have to implement it)
> * perhaps: allow OCSP validation with data from stapling

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Fri May 16 12:22:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 16 May 2014 14:22:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1171) misc/app-stats/main.bro broken for a few sites
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16505#comment-16505 ]

Jon Siwek commented on BIT-1171:
--------------------------------

For now, I commented out all plugins except for Facebook from loading by default w/ the {{misc/app-stats}} "package". Someone can maybe look more in to the broken plugins for next release.

> misc/app-stats/main.bro broken for a few sites
> ----------------------------------------------
>
> Key: BIT-1171
> URL: https://bro-tracker.atlassian.net/browse/BIT-1171
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Bernhard Amann
> Assignee: Jon Siwek
> Fix For: 2.4
>
>
> Currently the reporting of misc/app-stats/main.bro seems to be quite wrong for some of the sites it monitors.
> At the very least the numbers for youtube and netflix are completely off, gmail also seems slightly unbelievable.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Fri May 16 12:22:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Fri, 16 May 2014 14:22:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1171) misc/app-stats/main.bro broken for a few sites
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1171:
---------------------------

    Fix Version/s: 2.4  (was: 2.3)

> misc/app-stats/main.bro broken for a few sites
> ----------------------------------------------
>
> Key: BIT-1171
> URL: https://bro-tracker.atlassian.net/browse/BIT-1171
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Bernhard Amann
> Assignee: Jon Siwek
> Fix For: 2.4
>
>
> Currently the reporting of misc/app-stats/main.bro seems to be quite wrong for some of the sites it monitors.
> At the very least the numbers for youtube and netflix are completely off, gmail also seems slightly unbelievable.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Fri May 16 14:32:07 2014
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 16 May 2014 16:32:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1186) Improve cluster configuration documentation
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16506#comment-16506 ]

Daniel Thayer commented on BIT-1186:
------------------------------------

Branch topic/dnthayer/ticket1186 in the bro and broctl repos addresses this issue.

> Improve cluster configuration documentation
> -------------------------------------------
>
> Key: BIT-1186
> URL: https://bro-tracker.atlassian.net/browse/BIT-1186
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro, BroControl
> Reporter: Daniel Thayer
> Assignee: Daniel Thayer
> Fix For: 2.3
>
>
> To make it easier to find "how-to" documentation for configuring a cluster,
> the plan is to create a new section in the Bro manual after the
> Quick Start Guide which will contain a step-by-step example of how
> to configure a Bro cluster (most of this content will be moved from
> the existing broctl manual) using broctl and optionally a load balancing
> method such as PF_RING.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Fri May 16 14:32:07 2014
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 16 May 2014 16:32:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1186) Improve cluster configuration documentation
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Thayer updated BIT-1186:
-------------------------------

    Status: Merge Request  (was: Open)

> Improve cluster configuration documentation
> -------------------------------------------
>
> Key: BIT-1186
> URL: https://bro-tracker.atlassian.net/browse/BIT-1186
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro, BroControl
> Reporter: Daniel Thayer
> Assignee: Daniel Thayer
> Fix For: 2.3
>
>
> To make it easier to find "how-to" documentation for configuring a cluster,
> the plan is to create a new section in the Bro manual after the
> Quick Start Guide which will contain a step-by-step example of how
> to configure a Bro cluster (most of this content will be moved from
> the existing broctl manual) using broctl and optionally a load balancing
> method such as PF_RING.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net Fri May 16 14:34:07 2014
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Fri, 16 May 2014 16:34:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-845) PF_RING+DNA
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16507#comment-16507 ]

Daniel Thayer commented on BIT-845:
-----------------------------------

The documentation for this issue is addressed by BIT-1186.

> PF_RING+DNA
> -----------
>
> Key: BIT-845
> URL: https://bro-tracker.atlassian.net/browse/BIT-845
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: BroControl
> Affects Versions: git/master
> Reporter: Daniel Thayer
> Assignee: Daniel Thayer
> Fix For: 2.3
>
> Attachments: lb_pf_ring_dna.py
>
>
> This is a feature that didn't make it into 2.1-beta.
> The idea is to have a broctl plugin that has a pre-start
> hook to automatically run this on each worker host:
>
>     pfdnacluster_master -i dna0 -c 21 -n
>
> A worker entry in node.cfg would look something like this:
>
>     [worker-1]
>     type=worker
>     host=host1
>     interface=dna0
>     lb_procs=4
>     lb_method=pf_ring_dna

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From robin at icir.org Fri May 16 14:45:42 2014
From: robin at icir.org (Robin Sommer) Date: Fri, 16 May 2014 14:45:42 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/bro] fastpath: Fix a doc build warning (d230eed) In-Reply-To: <201405162119.s4GLJnaw009731@bro-ids.icir.org> References: <201405162119.s4GLJnaw009731@bro-ids.icir.org> Message-ID: <20140516214542.GF49468@icir.org> I'm merging the current fastpath commits. Robin On Fri, May 16, 2014 at 14:19 -0700, Daniel Thayer wrote: > Repository : ssh://git at bro-ids.icir.org/bro > > On branch : fastpath > Link : https://github.com/bro/bro/commit/d230eed7f83173fa6acf805871a8453074f3de99 > > >--------------------------------------------------------------- > > commit d230eed7f83173fa6acf805871a8453074f3de99 > Author: Daniel Thayer > Date: Fri May 16 16:05:03 2014 -0500 > > Fix a doc build warning > > > >--------------------------------------------------------------- > > d230eed7f83173fa6acf805871a8453074f3de99 > scripts/base/utils/addrs.bro | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/scripts/base/utils/addrs.bro b/scripts/base/utils/addrs.bro > index 9ebd35b..9e33e6d 100644 > --- a/scripts/base/utils/addrs.bro > +++ b/scripts/base/utils/addrs.bro 
> @@ -120,11 +120,11 @@ function addr_to_uri(a: addr): string > return fmt("[%s]", a); > } > > -## Given a string, extracts the hex digits and returns a MAC address in the > -## format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex digits, > -## an empty string is returned. > +## Given a string, extracts the hex digits and returns a MAC address in > +## the format: 00:a0:32:d7:81:8f. If the string doesn't contain 12 or 16 hex > +## digits, an empty string is returned. > ## > -## a: the string to normalize > +## a: the string to normalize. > ## > ## Returns: a normalized MAC address, or an empty string in the case of an error. > function normalize_mac(a: string): string > > _______________________________________________ > bro-commits mailing list > bro-commits at bro.org > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-commits > -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin From robin at icir.org Fri May 16 14:48:26 2014 
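Review bot: the commit message "Fix a doc build warning" does not say which warning, and the hunk itself gives no hint, since it only re-wraps the three `##` description lines of normalize_mac and adds a period to `## a: the string to normalize.`; quote the warning text in the commit message so a later reader can tell why a pure re-wrap of a comment was needed and can verify the fix against the doc build output.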
From: robin at icir.org (Robin Sommer) Date: Fri, 16 May 2014 14:48:26 -0700 Subject: [Bro-Dev] [Bro-Commits] [git/broctl] fastpath: Rename the broctl option pfringdnafirstappinstance (1b78449) In-Reply-To: <201405161948.s4GJmMCt026616@bro-ids.icir.org> References: <201405161948.s4GJmMCt026616@bro-ids.icir.org> Message-ID: <20140516214826.GA63011@icir.org> On Fri, May 16, 2014 at 12:48 -0700, Daniel Thayer wrote: > + Option("PFRINGFirstAppInstance", "0", "int", Option.USER, False, > + "The first application instance for a PF_RING dnacluster interface to use. Broctl will start at this application instance number and increment for each new process running on that DNA cluster. Bro must be linked with PF_RING's libpcap wrapper and PFRINGClusterID must be non-zero for this option to work."), Just checking: The description still says "dna", is that intentional? Robin -- Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin From jira at bro-tracker.atlassian.net Fri May 16 14:50:07 2014 
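Review bot: the description on the second `+` line is a single string literal several hundred characters long; since broctl is Python, split it with adjacent string literals across several lines so it fits the width of the neighbouring Option entries. Also, as the subject says the option was renamed from pfringdnafirstappinstance to PFRINGFirstAppInstance, the wording "PF_RING dnacluster interface" and "DNA cluster" in that string should be checked against the new name, which is the question Robin raises.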
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 16 May 2014 16:50:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1186) Improve cluster configuration documentation

    [ https://bro-tracker.atlassian.net/browse/BIT-1186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1186:
---------------------------------

    Assignee: Robin Sommer  (was: Daniel Thayer)

> Improve cluster configuration documentation
> -------------------------------------------
>
>                 Key: BIT-1186
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1186
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro, BroControl
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>             Fix For: 2.3
>
>
> To make it easier to find "how-to" documentation for configuring a cluster,
> the plan is to create a new section in the Bro manual after the
> Quick Start Guide which will contain a step-by-step example of how
> to configure a Bro cluster (most of this content will be moved from
> the existing broctl manual) using broctl and optionally a load balancing
> method such as PF_RING.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net  Fri May 16 15:06:07 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 16 May 2014 17:06:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1186) Improve cluster configuration documentation

    [ https://bro-tracker.atlassian.net/browse/BIT-1186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1186:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Improve cluster configuration documentation
> -------------------------------------------
>
>                 Key: BIT-1186
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1186
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro, BroControl
>            Reporter: Daniel Thayer
>            Assignee: Robin Sommer
>             Fix For: 2.3
>
>
> To make it easier to find "how-to" documentation for configuring a cluster,
> the plan is to create a new section in the Bro manual after the
> Quick Start Guide which will contain a step-by-step example of how
> to configure a Bro cluster (most of this content will be moved from
> the existing broctl manual) using broctl and optionally a load balancing
> method such as PF_RING.

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From jira at bro-tracker.atlassian.net  Fri May 16 15:08:07 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 16 May 2014 17:08:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1190) Even more SSL fixes

    [ https://bro-tracker.atlassian.net/browse/BIT-1190?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1190:
------------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Even more SSL fixes
> -------------------
>
>                 Key: BIT-1190
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1190
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Bernhard Amann
>            Assignee: Robin Sommer
>             Fix For: 2.3
>
>
> There are still a few small things that I plan to fix for 2.3
>
> * detect tls protocol failures even earlier (done, just not committed)
> * better heartbleed detection (done, but I need to clean it up)
> * add starttls support to smtp/pop3
> * clean up the way dates are extracted from certs (found a different nicer API to use in OpenSSL, have to implement it)
> * perhaps: allow OCSP validation with data from stapling

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From dnthayer at illinois.edu  Fri May 16 14:49:54 2014
From: dnthayer at illinois.edu (Daniel Thayer) Date: Fri, 16 May 2014 16:49:54 -0500 Subject: [Bro-Dev] [Bro-Commits] [git/broctl] fastpath: Rename the broctl option pfringdnafirstappinstance (1b78449) In-Reply-To: <20140516214826.GA63011@icir.org> References: <201405161948.s4GJmMCt026616@bro-ids.icir.org> <20140516214826.GA63011@icir.org> Message-ID: <53768802.5060901@illinois.edu> On 05/16/2014 04:48 PM, Robin Sommer wrote: > > > On Fri, May 16, 2014 at 12:48 -0700, Daniel Thayer wrote: > >> + Option("PFRINGFirstAppInstance", "0", "int", Option.USER, False, >> + "The first application instance for a PF_RING dnacluster interface to use. Broctl will start at this application instance number and increment for each new process running on that DNA cluster. Bro must be linked with PF_RING's libpcap wrapper and PFRINGClusterID must be non-zero for this option to work."), > > Just checking: The description still says "dna", is that intentional? > > Robin > Yes. From jira at bro-tracker.atlassian.net Fri May 16 15:35:07 2014 
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Fri, 16 May 2014 17:35:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-845) PF_RING+DNA

    [ https://bro-tracker.atlassian.net/browse/BIT-845?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-845:
-----------------------------

    Resolution: Merged
        Status: Closed  (was: Open)

> PF_RING+DNA
> -----------
>
>                 Key: BIT-845
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-845
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Daniel Thayer
>            Assignee: Daniel Thayer
>             Fix For: 2.3
>
>         Attachments: lb_pf_ring_dna.py
>
>
> This is a feature that didn't make it into 2.1-beta.
>
> The idea is to have a broctl plugin that has a pre-start
> hook to automatically run this on each worker host:
>
>   pfdnacluster_master -i dna0 -c 21 -n 4
>
> A worker entry in node.cfg would look something like this:
>
>   [worker-1]
>   type=worker
>   host=host1
>   interface=dna0
>   lb_procs=4
>   lb_method=pf_ring_dna

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-018#6322)

From noreply at bro.org  Sat May 17 00:00:13 2014
From: noreply at bro.org (Merge Tracker)
Date: Sat, 17 May 2014 00:00:13 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405170700.s4H70DvQ001839@bro-ids.icir.org>

Open Fastpath Commits
======================

  Commit       Component   Author          Date         Summary
  -----------  ----------- -------------   ----------   ----------------------------------------------------
  792ae1e [1]  broctl      Daniel Thayer   2014-05-16   Update broctl.rst with "make doc" (no other changes)

Open GitHub Pull Requests
=========================

  Issue     Component      User         Updated      Title
  -------   ------------   ----------   ----------   ---------------------------------------------------------------------------
  #8 [2]    bro            Mraoul [3]   2014-05-08   New Logging Writers based on librabbitmq [4]
  #4 [5]    time-machine   mareq [6]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [7]
  #3 [8]    time-machine   mareq [9]    2014-04-10   Correct handling of Linux SLL header and VLAN headers. [10]
  #2 [11]   time-machine   mareq [12]   2014-04-09   Query interval start/end is now taken into account. [13]
  #1 [14]   time-machine   mareq [15]   2014-03-19   TM-16: Really skip VLAN header for indexing. [16]

[1]  792ae1e          https://github.com/bro/broctl/commit/792ae1e4f629105fe625614815b756e67c3f2d9d
[2]  Pull Request #8  https://github.com/bro/bro/pull/8
[3]  Mraoul           https://github.com/Mraoul
[4]  Merge Pull Request #8 with: git pull https://github.com/MITRECND/bro.git master
[5]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[6]  mareq            https://github.com/mareq
[7]  Merge Pull Request #4 with: git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[8]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[9]  mareq            https://github.com/mareq
[10] Merge Pull Request #3 with: git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[11] Pull Request #2  https://github.com/bro/time-machine/pull/2
[12] mareq            https://github.com/mareq
[13] Merge Pull Request #2 with: git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[14] Pull Request #1  https://github.com/bro/time-machine/pull/1
[15] mareq            https://github.com/mareq
[16] Merge Pull Request #1 with: git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org  Sun May 18 00:00:14 2014
From: noreply at bro.org (Merge Tracker)
Date: Sun, 18 May 2014 00:00:14 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405180700.s4I70E6w008804@bro-ids.icir.org>

Open Fastpath Commits
======================

  Commit       Component   Author          Date         Summary
  -----------  ----------- -------------   ----------   ----------------------------------------------------
  792ae1e [1]  broctl      Daniel Thayer   2014-05-16   Update broctl.rst with "make doc" (no other changes)

Open GitHub Pull Requests
=========================

  Issue     Component      User         Updated      Title
  -------   ------------   ----------   ----------   ---------------------------------------------------------------------------
  #8 [2]    bro            Mraoul [3]   2014-05-08   New Logging Writers based on librabbitmq [4]
  #4 [5]    time-machine   mareq [6]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [7]
  #3 [8]    time-machine   mareq [9]    2014-04-10   Correct handling of Linux SLL header and VLAN headers. [10]
  #2 [11]   time-machine   mareq [12]   2014-04-09   Query interval start/end is now taken into account. [13]
  #1 [14]   time-machine   mareq [15]   2014-03-19   TM-16: Really skip VLAN header for indexing. [16]

[1]  792ae1e          https://github.com/bro/broctl/commit/792ae1e4f629105fe625614815b756e67c3f2d9d
[2]  Pull Request #8  https://github.com/bro/bro/pull/8
[3]  Mraoul           https://github.com/Mraoul
[4]  Merge Pull Request #8 with: git pull https://github.com/MITRECND/bro.git master
[5]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[6]  mareq            https://github.com/mareq
[7]  Merge Pull Request #4 with: git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[8]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[9]  mareq            https://github.com/mareq
[10] Merge Pull Request #3 with: git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[11] Pull Request #2  https://github.com/bro/time-machine/pull/2
[12] mareq            https://github.com/mareq
[13] Merge Pull Request #2 with: git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[14] Pull Request #1  https://github.com/bro/time-machine/pull/1
[15] mareq            https://github.com/mareq
[16] Merge Pull Request #1 with: git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org  Mon May 19 00:00:13 2014
From: noreply at bro.org (Merge Tracker)
Date: Mon, 19 May 2014 00:00:13 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405190700.s4J70DbA018690@bro-ids.icir.org>

Open Fastpath Commits
======================

  Commit       Component   Author          Date         Summary
  -----------  ----------- -------------   ----------   ------------------------------------------------------
  0e8184d [1]  broctl      Daniel Thayer   2014-05-18   Improve documentation of PFRINGFirstAppInstance option
  792ae1e [2]  broctl      Daniel Thayer   2014-05-16   Update broctl.rst with "make doc" (no other changes)

Open GitHub Pull Requests
=========================

  Issue     Component      User         Updated      Title
  -------   ------------   ----------   ----------   ---------------------------------------------------------------------------
  #8 [3]    bro            Mraoul [4]   2014-05-08   New Logging Writers based on librabbitmq [5]
  #4 [6]    time-machine   mareq [7]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [8]
  #3 [9]    time-machine   mareq [10]   2014-04-10   Correct handling of Linux SLL header and VLAN headers. [11]
  #2 [12]   time-machine   mareq [13]   2014-04-09   Query interval start/end is now taken into account. [14]
  #1 [15]   time-machine   mareq [16]   2014-03-19   TM-16: Really skip VLAN header for indexing. [17]

[1]  0e8184d          https://github.com/bro/broctl/commit/0e8184d98d472f995cbb86a0af40e622a75e20f1
[2]  792ae1e          https://github.com/bro/broctl/commit/792ae1e4f629105fe625614815b756e67c3f2d9d
[3]  Pull Request #8  https://github.com/bro/bro/pull/8
[4]  Mraoul           https://github.com/Mraoul
[5]  Merge Pull Request #8 with: git pull https://github.com/MITRECND/bro.git master
[6]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[7]  mareq            https://github.com/mareq
[8]  Merge Pull Request #4 with: git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[9]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[10] mareq            https://github.com/mareq
[11] Merge Pull Request #3 with: git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[12] Pull Request #2  https://github.com/bro/time-machine/pull/2
[13] mareq            https://github.com/mareq
[14] Merge Pull Request #2 with: git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[15] Pull Request #1  https://github.com/bro/time-machine/pull/1
[16] mareq            https://github.com/mareq
[17] Merge Pull Request #1 with: git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From jira at bro-tracker.atlassian.net  Mon May 19 11:29:07 2014
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Mon, 19 May 2014 13:29:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1192) record initialization weirdness

Justin Azoff created BIT-1192:
---------------------------------

             Summary: record initialization weirdness
                 Key: BIT-1192
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1192
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Justin Azoff
            Priority: Low

If you redundantly define a record as in cmd_bad:

{code}
event bro_init()
	{
	local strcmd = "echo hi";
	print "inline", [$cmd=strcmd];
	local cmd_ok = Exec::Command($cmd=strcmd);
	print "ok", cmd_ok;
	local cmd_bad = Exec::Command([$cmd=strcmd]);
	print "bad", cmd_bad;
	}
{code}

You get this:

{code}
inline, [cmd=echo hi]
ok, [cmd=echo hi, stdin=, read_files=, uid=BHMrHdIapni]
bad, [cmd=[cmd=echo hi], stdin=, read_files=, uid=NsfjD555BY1]
{code}

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 11:53:08 2014
From: jira at bro-tracker.atlassian.net (Seth Hall (JIRA))
Date: Mon, 19 May 2014 13:53:08 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1192) record initialization weirdness

    [ https://bro-tracker.atlassian.net/browse/BIT-1192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16600#comment-16600 ]

Seth Hall commented on BIT-1192:
--------------------------------

You defined that last one incorrectly...

    local cmd_bad = Exec::Command([$cmd=strcmd]);

The square brackets create a record and then you're doing the named ctor thing, so it's a record in a record. Am I misunderstanding something?

> record initialization weirdness
> -------------------------------
>
>                 Key: BIT-1192
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1192
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Priority: Low
>              Labels: language
>
> If you redundantly define a record as in cmd_bad:
> {code}
> event bro_init()
> 	{
> 	local strcmd = "echo hi";
> 	print "inline", [$cmd=strcmd];
> 	local cmd_ok = Exec::Command($cmd=strcmd);
> 	print "ok", cmd_ok;
> 	local cmd_bad = Exec::Command([$cmd=strcmd]);
> 	print "bad", cmd_bad;
> 	}
> {code}
> You get this:
> {code}
> inline, [cmd=echo hi]
> ok, [cmd=echo hi, stdin=, read_files=, uid=BHMrHdIapni]
> bad, [cmd=[cmd=echo hi], stdin=, read_files=, uid=NsfjD555BY1]
> {code}

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 12:01:07 2014
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Mon, 19 May 2014 14:01:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1192) record initialization weirdness

    [ https://bro-tracker.atlassian.net/browse/BIT-1192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16601#comment-16601 ]

Justin Azoff edited comment on BIT-1192 at 5/19/14 2:01 PM:
------------------------------------------------------------

Oh, yes, I know it's wrong. I was helping someone on IRC and they made that mistake. The issue is how is that not a syntax error and how does it somehow set cmd to "[cmd=echo hi]"?

was (Author: jazoff):
Oh, yes, I know it's wrong. I was helping someone on IRC and they made that mistake. The issue is how is that not a syntax error and how does it somehow set cmd to "cmd=echo hi"?

> record initialization weirdness
> -------------------------------
>
>                 Key: BIT-1192
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1192
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Priority: Low
>              Labels: language
>
> If you redundantly define a record as in cmd_bad:
> {code}
> event bro_init()
> 	{
> 	local strcmd = "echo hi";
> 	print "inline", [$cmd=strcmd];
> 	local cmd_ok = Exec::Command($cmd=strcmd);
> 	print "ok", cmd_ok;
> 	local cmd_bad = Exec::Command([$cmd=strcmd]);
> 	print "bad", cmd_bad;
> 	}
> {code}
> You get this:
> {code}
> inline, [cmd=echo hi]
> ok, [cmd=echo hi, stdin=, read_files=, uid=BHMrHdIapni]
> bad, [cmd=[cmd=echo hi], stdin=, read_files=, uid=NsfjD555BY1]
> {code}

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 12:01:07 2014
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Mon, 19 May 2014 14:01:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1192) record initialization weirdness

    [ https://bro-tracker.atlassian.net/browse/BIT-1192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16601#comment-16601 ]

Justin Azoff commented on BIT-1192:
-----------------------------------

Oh, yes, I know it's wrong. I was helping someone on IRC and they made that mistake. The issue is how is that not a syntax error and how does it somehow set cmd to "cmd=echo hi"?

> record initialization weirdness
> -------------------------------
>
>                 Key: BIT-1192
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1192
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Priority: Low
>              Labels: language
>
> If you redundantly define a record as in cmd_bad:
> {code}
> event bro_init()
> 	{
> 	local strcmd = "echo hi";
> 	print "inline", [$cmd=strcmd];
> 	local cmd_ok = Exec::Command($cmd=strcmd);
> 	print "ok", cmd_ok;
> 	local cmd_bad = Exec::Command([$cmd=strcmd]);
> 	print "bad", cmd_bad;
> 	}
> {code}
> You get this:
> {code}
> inline, [cmd=echo hi]
> ok, [cmd=echo hi, stdin=, read_files=, uid=BHMrHdIapni]
> bad, [cmd=[cmd=echo hi], stdin=, read_files=, uid=NsfjD555BY1]
> {code}

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 12:06:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 19 May 2014 14:06:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1192) record initialization weirdness

    [ https://bro-tracker.atlassian.net/browse/BIT-1192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16602#comment-16602 ]

Jon Siwek commented on BIT-1192:
--------------------------------

It's coercing the record into a string (the type of the first field) where I would expect there might be some type check that could emit an error instead. I'll see if it's an easy fix to do during beta.

> record initialization weirdness
> -------------------------------
>
>                 Key: BIT-1192
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1192
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Priority: Low
>              Labels: language
>             Fix For: 2.3
>
>
> If you redundantly define a record as in cmd_bad:
> {code}
> event bro_init()
> 	{
> 	local strcmd = "echo hi";
> 	print "inline", [$cmd=strcmd];
> 	local cmd_ok = Exec::Command($cmd=strcmd);
> 	print "ok", cmd_ok;
> 	local cmd_bad = Exec::Command([$cmd=strcmd]);
> 	print "bad", cmd_bad;
> 	}
> {code}
> You get this:
> {code}
> inline, [cmd=echo hi]
> ok, [cmd=echo hi, stdin=, read_files=, uid=BHMrHdIapni]
> bad, [cmd=[cmd=echo hi], stdin=, read_files=, uid=NsfjD555BY1]
> {code}

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 12:06:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 19 May 2014 14:06:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1192) record initialization weirdness

    [ https://bro-tracker.atlassian.net/browse/BIT-1192?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1192:
---------------------------

    Fix Version/s: 2.3

> record initialization weirdness
> -------------------------------
>
>                 Key: BIT-1192
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1192
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Priority: Low
>              Labels: language
>             Fix For: 2.3
>
>
> If you redundantly define a record as in cmd_bad:
> {code}
> event bro_init()
> 	{
> 	local strcmd = "echo hi";
> 	print "inline", [$cmd=strcmd];
> 	local cmd_ok = Exec::Command($cmd=strcmd);
> 	print "ok", cmd_ok;
> 	local cmd_bad = Exec::Command([$cmd=strcmd]);
> 	print "bad", cmd_bad;
> 	}
> {code}
> You get this:
> {code}
> inline, [cmd=echo hi]
> ok, [cmd=echo hi, stdin=, read_files=, uid=BHMrHdIapni]
> bad, [cmd=[cmd=echo hi], stdin=, read_files=, uid=NsfjD555BY1]
> {code}

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 13:23:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 19 May 2014 15:23:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1192) record initialization weirdness

    [ https://bro-tracker.atlassian.net/browse/BIT-1192?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16603#comment-16603 ]

Jon Siwek commented on BIT-1192:
--------------------------------

The expression list given to a record ctor may currently be comprised of record-field-assignment expressions or any expressions that evaluate into a record. For all the expressions in the latter case, their record fields will get incorporated into the type of the outer record ctor. Or at least that's what's supposed to happen, except the code currently doesn't work if there's more than one such expression.

In light of that, I'm going to change record ctor's expression list to only allow record-field-assignments (which fixes the issue in this ticket). No default scripts rely on the other functionality, which appears to be a relic, and I don't see the use of a record ctor that takes a single expression which evaluates into a record (you can just use that expression instead of the ctor).

> record initialization weirdness
> -------------------------------
>
>                 Key: BIT-1192
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1192
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Priority: Low
>              Labels: language
>             Fix For: 2.3
>
>
> If you redundantly define a record as in cmd_bad:
> {code}
> event bro_init()
> 	{
> 	local strcmd = "echo hi";
> 	print "inline", [$cmd=strcmd];
> 	local cmd_ok = Exec::Command($cmd=strcmd);
> 	print "ok", cmd_ok;
> 	local cmd_bad = Exec::Command([$cmd=strcmd]);
> 	print "bad", cmd_bad;
> 	}
> {code}
> You get this:
> {code}
> inline, [cmd=echo hi]
> ok, [cmd=echo hi, stdin=, read_files=, uid=BHMrHdIapni]
> bad, [cmd=[cmd=echo hi], stdin=, read_files=, uid=NsfjD555BY1]
> {code}

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 14:42:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Mon, 19 May 2014 16:42:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1193) Please merge topic/bernhard/x509-memory

Bernhard Amann created BIT-1193:
-----------------------------------

             Summary: Please merge topic/bernhard/x509-memory
                 Key: BIT-1193
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1193
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Bernhard Amann
             Fix For: 2.3

topic/bernhard/x509-memory contains a few fixes for the new ocsp verification features. Please merge :)

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 14:42:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Mon, 19 May 2014 16:42:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1193) Please merge topic/bernhard/x509-memory

    [ https://bro-tracker.atlassian.net/browse/BIT-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernhard Amann updated BIT-1193:
--------------------------------

    Status: Merge Request  (was: Open)

> Please merge topic/bernhard/x509-memory
> ---------------------------------------
>
>                 Key: BIT-1193
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1193
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Bernhard Amann
>             Fix For: 2.3
>
>
> topic/bernhard/x509-memory contains a few fixes for the new ocsp verification features. Please merge :)

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 15:02:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 19 May 2014 17:02:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1192) record initialization weirdness

    [ https://bro-tracker.atlassian.net/browse/BIT-1192?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1192:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> record initialization weirdness
> -------------------------------
>
>                 Key: BIT-1192
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1192
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>            Priority: Low
>              Labels: language
>             Fix For: 2.3
>
>
> If you redundantly define a record as in cmd_bad:
> {code}
> event bro_init()
> 	{
> 	local strcmd = "echo hi";
> 	print "inline", [$cmd=strcmd];
> 	local cmd_ok = Exec::Command($cmd=strcmd);
> 	print "ok", cmd_ok;
> 	local cmd_bad = Exec::Command([$cmd=strcmd]);
> 	print "bad", cmd_bad;
> 	}
> {code}
> You get this:
> {code}
> inline, [cmd=echo hi]
> ok, [cmd=echo hi, stdin=, read_files=, uid=BHMrHdIapni]
> bad, [cmd=[cmd=echo hi], stdin=, read_files=, uid=NsfjD555BY1]
> {code}

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 16:00:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 19 May 2014 18:00:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1193) Please merge topic/bernhard/x509-memory

    [ https://bro-tracker.atlassian.net/browse/BIT-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1193:
---------------------------

    Assignee: Jon Siwek

> Please merge topic/bernhard/x509-memory
> ---------------------------------------
>
>                 Key: BIT-1193
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1193
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Bernhard Amann
>            Assignee: Jon Siwek
>             Fix For: 2.3
>
>
> topic/bernhard/x509-memory contains a few fixes for the new ocsp verification features. Please merge :)

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net  Mon May 19 16:28:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Mon, 19 May 2014 18:28:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1193) Please merge topic/bernhard/x509-memory

    [ https://bro-tracker.atlassian.net/browse/BIT-1193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1193:
---------------------------

    Resolution: Merged  (was: Fixed)
        Status: Closed  (was: Merge Request)

> Please merge topic/bernhard/x509-memory
> ---------------------------------------
>
>                 Key: BIT-1193
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1193
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Bernhard Amann
>            Assignee: Jon Siwek
>             Fix For: 2.3
>
>
> topic/bernhard/x509-memory contains a few fixes for the new ocsp verification features. Please merge :)

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From noreply at bro.org  Tue May 20 00:00:17 2014
From: noreply at bro.org (Merge Tracker)
Date: Tue, 20 May 2014 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405200700.s4K70HmJ031684@bro-ids.icir.org>

Open Fastpath Commits
======================

  Commit       Component   Author          Date         Summary
  -----------  ----------- -------------   ----------   -------------------------------------------------------
  ce78432 [1]  broctl      Daniel Thayer   2014-05-19   Remove references to the now unused BROMAGIC
  11d2d8e [2]  bro         Daniel Thayer   2014-05-19   Remove remaining references to BROMAGIC
  d421357 [3]  bro         Daniel Thayer   2014-05-19   Fix typos and formatting in event and BiF documentation

Open GitHub Pull Requests
=========================

  Issue     Component      User         Updated      Title
  -------   ------------   ----------   ----------   ---------------------------------------------------------------------------
  #9 [4]    bro            Mraoul [5]   2014-05-19   New Logging Writers based on librabbitmq [6]
  #4 [7]    time-machine   mareq [8]    2014-04-10   When deleting connections hashtable, delete stored connections as well. [9]
  #3 [10]   time-machine   mareq [11]   2014-04-10   Correct handling of Linux SLL header and VLAN headers. [12]
  #2 [13]   time-machine   mareq [14]   2014-04-09   Query interval start/end is now taken into account. [15]
  #1 [16]   time-machine   mareq [17]   2014-03-19   TM-16: Really skip VLAN header for indexing. [18]

[1]  ce78432          https://github.com/bro/broctl/commit/ce7843251cc69e35224c87a188681cc1e0fb85e9
[2]  11d2d8e          https://github.com/bro/bro/commit/11d2d8e549a6a7707db598c794a508bd0b27e100
[3]  d421357          https://github.com/bro/bro/commit/d42135710440c5f937a82bc519621e7f6a21e7dd
[4]  Pull Request #9  https://github.com/bro/bro/pull/9
[5]  Mraoul           https://github.com/Mraoul
[6]  Merge Pull Request #9 with: git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[7]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[8]  mareq            https://github.com/mareq
[9]  Merge Pull Request #4 with: git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[10] Pull Request #3  https://github.com/bro/time-machine/pull/3
[11] mareq            https://github.com/mareq
[12] Merge Pull Request #3 with: git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[13] Pull Request #2  https://github.com/bro/time-machine/pull/2
[14] mareq            https://github.com/mareq
[15] Merge Pull Request #2 with: git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[16] Pull Request #1  https://github.com/bro/time-machine/pull/1
[17] mareq            https://github.com/mareq
[18] Merge Pull Request #1 with: git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From jira at bro-tracker.atlassian.net  Tue May 20 06:59:07 2014
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 20 May 2014 08:59:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1194) broctl deploy command

Justin Azoff created BIT-1194:
---------------------------------

             Summary: broctl deploy command
                 Key: BIT-1194
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1194
             Project: Bro Issue Tracker
          Issue Type: New Feature
          Components: BroControl
    Affects Versions: git/master
            Reporter: Justin Azoff


(mostly notes for me right now)

Currently broctl makes it too easy for an end user to do the wrong thing when changing the bro config.

restart --clean is close, however, it does things in this order:

stop -> clean -> check -> install -> start

This is bad because in the event of a 'check' failure bro will not restart.

So, I think what needs to be done is 'restart --clean' should only do:

stop -> clean -> start

and a new command 'broctl deploy' should do

check -> install -> restart

'broctl deploy --clean' can do

check -> stop -> clean -> install -> start

Also, I think the 'install' operation should always run 'check', is there any reason it shouldn't? Would someone ever want to force install a broken config?

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net Tue May 20 08:19:07 2014
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 20 May 2014 10:19:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1194) broctl deploy command

    [ https://bro-tracker.atlassian.net/browse/BIT-1194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16604#comment-16604 ]

Daniel Thayer commented on BIT-1194:
------------------------------------

> Also, I think the 'install' operation should always run 'check', is there any reason it shouldn't? Would someone ever
> want to force install a broken config?

One exception is that 'check' will fail until the first time 'install' is run (because of broctl-config.sh).


> broctl deploy command
> ---------------------
>
>                 Key: BIT-1194
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1194
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>
> (mostly notes for me right now)
> Currently broctl makes it too easy for an end user to do the wrong thing when changing the bro config.
> restart --clean is close, however, it does things in this order:
> stop -> clean -> check -> install -> start
> This is bad because in the event of a 'check' failure bro will not restart.
> So, I think what needs to be done is 'restart --clean' should only do:
> stop -> clean -> start
> and a new command 'broctl deploy' should do
> check -> install -> restart
> 'broctl deploy --clean' can do
> check -> stop -> clean -> install -> start
> Also, I think the 'install' operation should always run 'check', is there any reason it shouldn't? Would someone ever want to force install a broken config?

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net Tue May 20 10:05:07 2014
From: jira at bro-tracker.atlassian.net (Justin Azoff (JIRA))
Date: Tue, 20 May 2014 12:05:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1194) broctl deploy command

    [ https://bro-tracker.atlassian.net/browse/BIT-1194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16605#comment-16605 ]

Justin Azoff commented on BIT-1194:
-----------------------------------

Hmm, is that the only thing that it needs to work? If so, maybe makeConfig(..) just needs to be run automatically anytime a change in broctl.cfg is detected.


> broctl deploy command
> ---------------------
>
>                 Key: BIT-1194
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1194
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>
> (mostly notes for me right now)
> Currently broctl makes it too easy for an end user to do the wrong thing when changing the bro config.
> restart --clean is close, however, it does things in this order:
> stop -> clean -> check -> install -> start
> This is bad because in the event of a 'check' failure bro will not restart.
> So, I think what needs to be done is 'restart --clean' should only do:
> stop -> clean -> start
> and a new command 'broctl deploy' should do
> check -> install -> restart
> 'broctl deploy --clean' can do
> check -> stop -> clean -> install -> start
> Also, I think the 'install' operation should always run 'check', is there any reason it shouldn't? Would someone ever want to force install a broken config?

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net Tue May 20 10:31:07 2014
From: jira at bro-tracker.atlassian.net (Daniel Thayer (JIRA))
Date: Tue, 20 May 2014 12:31:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1194) broctl deploy command

    [ https://bro-tracker.atlassian.net/browse/BIT-1194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16606#comment-16606 ]

Daniel Thayer commented on BIT-1194:
------------------------------------

> Hmm, is that the only thing that it needs to work? If so, maybe makeConfig(..) just needs to be run
> automatically anytime a change in broctl.cfg is detected.

Yes. I've thought about auto-update when broctl.cfg changes, but didn't implement it because that would mean config changes would take effect on the manager immediately, while the remote workers/proxies would require the user to do "install" (which users often forget to do; however, broctl now outputs a warning in that case, so it should be less of a problem going forward).

There's also the caveat that some option value changes don't really take effect until broctl initializes (e.g. SitePluginPath).


> broctl deploy command
> ---------------------
>
>                 Key: BIT-1194
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1194
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: BroControl
>    Affects Versions: git/master
>            Reporter: Justin Azoff
>
> (mostly notes for me right now)
> Currently broctl makes it too easy for an end user to do the wrong thing when changing the bro config.
> restart --clean is close, however, it does things in this order:
> stop -> clean -> check -> install -> start
> This is bad because in the event of a 'check' failure bro will not restart.
> So, I think what needs to be done is 'restart --clean' should only do:
> stop -> clean -> start
> and a new command 'broctl deploy' should do
> check -> install -> restart
> 'broctl deploy --clean' can do
> check -> stop -> clean -> install -> start
> Also, I think the 'install' operation should always run 'check', is there any reason it shouldn't? Would someone ever want to force install a broken config?

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From noreply at bro.org Wed May 21 00:00:19 2014
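The two orderings argued over in the BIT-1194 thread, run against a toy model. This is an added example, not BroControl code: the `Node` class and the `step`/`run` helpers are hypothetical stand-ins for one managed Bro node and for broctl's command dispatch, and they model nothing beyond what the thread states (a step sequence that halts at the first failing step, and `check` needing the broctl-config.sh that `install` creates). It shows the failure mode Justin describes, a config that does not parse leaving the node stopped because `check` ran after `stop`, and the exception Daniel raises, `check` failing on a deployment where `install` has never run:

```python
"""Toy model of the broctl command orderings discussed in BIT-1194.

Added example, not BroControl code. `Node` stands in for one Bro node that
broctl manages; `step` stands in for broctl's command dispatch. Both are
hypothetical simplifications written for this illustration.
"""
from dataclasses import dataclass, field


class CheckFailed(Exception):
    """Raised when the 'check' step rejects the configuration."""


@dataclass
class Node:
    running: bool = True
    # Does the config the operator just edited parse?
    edited_config_ok: bool = True
    # Has 'install' ever run? That is what creates broctl-config.sh, which
    # 'check' needs (Daniel's exception in the thread).
    broctl_config_present: bool = True
    log: list = field(default_factory=list)


def step(node, name):
    """Apply one broctl step to the node, recording it in node.log."""
    node.log.append(name)
    if name == "stop":
        node.running = False
    elif name == "start":
        node.running = True
    elif name == "clean":
        pass  # removes spool/tmp state only; the config is untouched in this model
    elif name == "check":
        if not node.broctl_config_present:
            raise CheckFailed("broctl-config.sh missing: 'install' has never run")
        if not node.edited_config_ok:
            raise CheckFailed("config does not parse")
    elif name == "install":
        node.broctl_config_present = True
    elif name == "restart":
        step(node, "stop")
        step(node, "start")
    else:
        raise ValueError("unknown step: " + name)


# Orderings quoted in the thread.
OLD_RESTART_CLEAN = ["stop", "clean", "check", "install", "start"]  # what 'restart --clean' did
NEW_RESTART_CLEAN = ["stop", "clean", "start"]                      # proposed 'restart --clean'
DEPLOY = ["check", "install", "restart"]                            # proposed 'deploy'
DEPLOY_CLEAN = ["check", "stop", "clean", "install", "start"]       # proposed 'deploy --clean'


def run(sequence, **node_state):
    """Run a step sequence on a node in the given state, stopping at the first
    failing step. Returns (node_running_afterwards, steps_run)."""
    node = Node(**node_state)
    try:
        for name in sequence:
            step(node, name)
    except CheckFailed:
        pass
    return node.running, node.log


if __name__ == "__main__":
    for label, seq in [("old restart --clean", OLD_RESTART_CLEAN), ("deploy", DEPLOY)]:
        running, steps = run(seq, edited_config_ok=False)
        print(f"{label:20s} broken config -> running={running}, steps={steps}")
    running, steps = run(DEPLOY, running=False, broctl_config_present=False)
    print(f"{'deploy':20s} fresh install  -> running={running}, steps={steps}")
```

Halting at the first failing step is the only behaviour the model needs; everything else broctl does (distributing the config to remote workers and proxies, the SitePluginPath caveat) is deliberately left out so that only the ordering of `check` relative to `stop` decides whether the node is left down.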
From: noreply at bro.org (Merge Tracker)
Date: Wed, 21 May 2014 00:00:19 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405210700.s4L70J8h019292@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component     User         Updated     Title
-------  ------------  -----------  ----------  ---------------------------------------------------------------------------
#9 [1]   bro           Mraoul [2]   2014-05-19  New Logging Writers based on librabbitmq [3]
#4 [4]   time-machine  mareq [5]    2014-04-10  When deleting connections hashtable, delete stored connections as well. [6]
#3 [7]   time-machine  mareq [8]    2014-04-10  Correct handling of Linux SLL header and VLAN headers. [9]
#2 [10]  time-machine  mareq [11]   2014-04-09  Query interval start/end is now taken into account. [12]
#1 [13]  time-machine  mareq [14]   2014-03-19  TM-16: Really skip VLAN header for indexing. [15]

[1]  Pull Request #9  https://github.com/bro/bro/pull/9
[2]  Mraoul  https://github.com/Mraoul
[3]  Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[4]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[5]  mareq  https://github.com/mareq
[6]  Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[7]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[8]  mareq  https://github.com/mareq
[9]  Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[10] Pull Request #2  https://github.com/bro/time-machine/pull/2
[11] mareq  https://github.com/mareq
[12] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[13] Pull Request #1  https://github.com/bro/time-machine/pull/1
[14] mareq  https://github.com/mareq
[15] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org Thu May 22 00:00:11 2014
From: noreply at bro.org (Merge Tracker)
Date: Thu, 22 May 2014 00:00:11 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405220700.s4M70Bkg029675@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component     User         Updated     Title
-------  ------------  -----------  ----------  ---------------------------------------------------------------------------
#9 [1]   bro           Mraoul [2]   2014-05-19  New Logging Writers based on librabbitmq [3]
#4 [4]   time-machine  mareq [5]    2014-04-10  When deleting connections hashtable, delete stored connections as well. [6]
#3 [7]   time-machine  mareq [8]    2014-04-10  Correct handling of Linux SLL header and VLAN headers. [9]
#2 [10]  time-machine  mareq [11]   2014-04-09  Query interval start/end is now taken into account. [12]
#1 [13]  time-machine  mareq [14]   2014-03-19  TM-16: Really skip VLAN header for indexing. [15]

[1]  Pull Request #9  https://github.com/bro/bro/pull/9
[2]  Mraoul  https://github.com/Mraoul
[3]  Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[4]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[5]  mareq  https://github.com/mareq
[6]  Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[7]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[8]  mareq  https://github.com/mareq
[9]  Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[10] Pull Request #2  https://github.com/bro/time-machine/pull/2
[11] mareq  https://github.com/mareq
[12] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[13] Pull Request #1  https://github.com/bro/time-machine/pull/1
[14] mareq  https://github.com/mareq
[15] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org Fri May 23 00:00:20 2014
From: noreply at bro.org (Merge Tracker)
Date: Fri, 23 May 2014 00:00:20 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405230700.s4N70Kac013719@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component     User         Updated     Title
-------  ------------  -----------  ----------  ---------------------------------------------------------------------------
#9 [1]   bro           Mraoul [2]   2014-05-19  New Logging Writers based on librabbitmq [3]
#4 [4]   time-machine  mareq [5]    2014-04-10  When deleting connections hashtable, delete stored connections as well. [6]
#3 [7]   time-machine  mareq [8]    2014-04-10  Correct handling of Linux SLL header and VLAN headers. [9]
#2 [10]  time-machine  mareq [11]   2014-04-09  Query interval start/end is now taken into account. [12]
#1 [13]  time-machine  mareq [14]   2014-03-19  TM-16: Really skip VLAN header for indexing. [15]

[1]  Pull Request #9  https://github.com/bro/bro/pull/9
[2]  Mraoul  https://github.com/Mraoul
[3]  Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[4]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[5]  mareq  https://github.com/mareq
[6]  Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[7]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[8]  mareq  https://github.com/mareq
[9]  Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[10] Pull Request #2  https://github.com/bro/time-machine/pull/2
[11] mareq  https://github.com/mareq
[12] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[13] Pull Request #1  https://github.com/bro/time-machine/pull/1
[14] mareq  https://github.com/mareq
[15] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From jira at bro-tracker.atlassian.net Fri May 23 17:12:07 2014
From: jira at bro-tracker.atlassian.net (Anthony Verez (JIRA))
Date: Fri, 23 May 2014 19:12:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject

Anthony Verez created BIT-1195:
----------------------------------

             Summary: SSL: subject overflow in issuer_subject
                 Key: BIT-1195
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1195
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.2, git/master
         Environment: Tested on Debian and Security Onion
            Reporter: Anthony Verez
         Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz


Hi,

I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master)

Steps to reproduce:
1. Start capturing
2. openssl s_client -connect 63.245.215.80:443
3. Stop capturing
4. Load the pcap in Bro

Problem:
* cat -t master_logs/ssl.log -> "Orga^Inization"
* cat -t master_logs/x509.log -> "Orga^Inization"
* cat -t 2.2_logs/x509.log -> "Orga^Inization"

Whereas the openssl command above gives
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1

I have attached:
* the pcap
* logs in both 2.2 and master (bro -r capture.pcap)

Great job on beta 2.3 :-)

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net Fri May 23 22:08:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Sat, 24 May 2014 00:08:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject

     [ https://bro-tracker.atlassian.net/browse/BIT-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernhard Amann updated BIT-1195:
--------------------------------

    Fix Version/s: 2.3

> SSL: subject overflow in issuer_subject
> ---------------------------------------
>
>                 Key: BIT-1195
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1195
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.2
>         Environment: Tested on Debian and Security Onion
>            Reporter: Anthony Verez
>            Assignee: Bernhard Amann
>             Fix For: 2.3
>
>         Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz
>
>
> Hi,
> I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master)
> Steps to reproduce:
> 1. Start capturing
> 2. openssl s_client -connect 63.245.215.80:443
> 3. Stop capturing
> 4. Load the pcap in Bro
> Problem:
> * cat -t master_logs/ssl.log -> "Orga^Inization"
> * cat -t master_logs/x509.log -> "Orga^Inization"
> * cat -t 2.2_logs/x509.log -> "Orga^Inization"
> Whereas the openssl command above gives
> subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> I have attached:
> * the pcap
> * logs in both 2.2 and master (bro -r capture.pcap)
> Great job on beta 2.3 :-)

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From jira at bro-tracker.atlassian.net Fri May 23 22:08:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Sat, 24 May 2014 00:08:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject

     [ https://bro-tracker.atlassian.net/browse/BIT-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernhard Amann reassigned BIT-1195:
-----------------------------------

    Assignee: Bernhard Amann

> SSL: subject overflow in issuer_subject
> ---------------------------------------
>
>                 Key: BIT-1195
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1195
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.2
>         Environment: Tested on Debian and Security Onion
>            Reporter: Anthony Verez
>            Assignee: Bernhard Amann
>             Fix For: 2.3
>
>         Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz
>
>
> Hi,
> I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master)
> Steps to reproduce:
> 1. Start capturing
> 2. openssl s_client -connect 63.245.215.80:443
> 3. Stop capturing
> 4. Load the pcap in Bro
> Problem:
> * cat -t master_logs/ssl.log -> "Orga^Inization"
> * cat -t master_logs/x509.log -> "Orga^Inization"
> * cat -t 2.2_logs/x509.log -> "Orga^Inization"
> Whereas the openssl command above gives
> subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> I have attached:
> * the pcap
> * logs in both 2.2 and master (bro -r capture.pcap)
> Great job on beta 2.3 :-)

--
This message was sent by Atlassian JIRA
(v6.3-OD-04-019#6322)

From noreply at bro.org Sat May 24 00:00:18 2014
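A consumer-side check for the symptom reported in BIT-1195, added here as an example; it is not part of the bug report and not Bro code. Bro's ASCII logs are split on the byte named in the `#separator` header, so a raw tab inside a value, which is what `cat -t` renders as `^I`, adds a column and shifts everything to its right into the neighbouring field. The script parses the header, flags rows whose column count disagrees with `#fields`, renders them the way `cat -t` would, and shows what a naive reader of the `issuer_subject` column then sees. The embedded ssl.log is constructed and abbreviated for this example: it is neither the attached log nor Bro's full ssl.log schema, and the uids, timestamps and subject spellings are made up.

```python
"""Detect Bro ASCII log records whose column count disagrees with #fields.

Added example, not Bro code and not the log attached to BIT-1195. The sample
log below is constructed: an abbreviated ssl.log header, one well-formed
record, and one record carrying a raw tab inside 'subject', which is the
symptom the report shows with `cat -t` ("Orga^Inization").
"""
import codecs

SAMPLE_SSL_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tssl\n"
    "#fields\tts\tuid\tid.resp_h\tid.resp_p\tserver_name\tsubject\tissuer_subject\tvalidation_status\n"
    "#types\ttime\tstring\taddr\tport\tstring\tstring\tstring\tstring\n"
    # well-formed record (constructed)
    "1400889600.000000\tCabc123\t63.245.215.80\t443\tbugzilla.mozilla.org\t"
    "O=Mozilla Foundation,CN=bugzilla.mozilla.org\t"
    "CN=DigiCert High Assurance EV CA-1,O=DigiCert Inc\tok\n"
    # record with a raw TAB inside 'subject' (constructed to mimic the report)
    "1400889601.000000\tCdef456\t63.245.215.80\t443\tbugzilla.mozilla.org\t"
    "businessCategory=Private Orga\tnization,O=Mozilla Foundation,CN=bugzilla.mozilla.org\t"
    "CN=DigiCert High Assurance EV CA-1,O=DigiCert Inc\tok\n"
    "#close\t2014-05-23-19-00-01\n"
)


def cat_t(s):
    """Render a string the way `cat -t` does: TAB as ^I, other controls as ^X."""
    out = []
    for ch in s:
        o = ord(ch)
        if o == 9:
            out.append("^I")
        elif o < 32:
            out.append("^" + chr(o + 64))
        elif o == 127:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)


def parse_bro_log(text):
    """Return (separator, field_names, data_rows) for a Bro ASCII log.

    The '#separator \\x09' line spells the separator as an escape, so it is
    decoded first; every later header line is split with the real separator.
    """
    sep = "\t"
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = codecs.decode(line[len("#separator "):], "unicode_escape")
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # other header lines and the #close footer
        elif line:
            rows.append(line.split(sep))
    if fields is None:
        raise ValueError("log has no #fields header")
    return sep, fields, rows


def find_shifted_records(text):
    """Return (row_index, expected_columns, found_columns, cat_t_view) for every
    row whose column count differs from the #fields header.

    A raw separator inside a value is what makes a row grow a column, so a
    mismatch is a direct signal that one field spilled into its neighbour.
    """
    sep, fields, rows = parse_bro_log(text)
    bad = []
    for i, row in enumerate(rows):
        if len(row) != len(fields):
            bad.append((i, len(fields), len(row), cat_t(sep.join(row))))
    return bad


def column(text, name):
    """Read one named column from every row by position, as a log consumer
    would; on a shifted row this returns the wrong value without any error."""
    sep, fields, rows = parse_bro_log(text)
    idx = fields.index(name)
    return [row[idx] for row in rows]


if __name__ == "__main__":
    for i, expected, found, view in find_shifted_records(SAMPLE_SSL_LOG):
        print(f"row {i}: expected {expected} columns, found {found}: {view}")
    print("issuer_subject as a consumer sees it:", column(SAMPLE_SSL_LOG, "issuer_subject"))
```

Checking the column count against `#fields` is the cheap way to catch this class of defect in any Bro log, not only ssl.log and x509.log; a consumer that indexes by position will otherwise silently read the tail of one value as the next field, which is exactly the subject-into-issuer_subject overflow the report describes.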
From: noreply at bro.org (Merge Tracker)
Date: Sat, 24 May 2014 00:00:18 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405240700.s4O70IBk007615@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component     User         Updated     Title
-------  ------------  -----------  ----------  ---------------------------------------------------------------------------
#9 [1]   bro           Mraoul [2]   2014-05-19  New Logging Writers based on librabbitmq [3]
#4 [4]   time-machine  mareq [5]    2014-04-10  When deleting connections hashtable, delete stored connections as well. [6]
#3 [7]   time-machine  mareq [8]    2014-04-10  Correct handling of Linux SLL header and VLAN headers. [9]
#2 [10]  time-machine  mareq [11]   2014-04-09  Query interval start/end is now taken into account. [12]
#1 [13]  time-machine  mareq [14]   2014-03-19  TM-16: Really skip VLAN header for indexing. [15]

[1]  Pull Request #9  https://github.com/bro/bro/pull/9
[2]  Mraoul  https://github.com/Mraoul
[3]  Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[4]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[5]  mareq  https://github.com/mareq
[6]  Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[7]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[8]  mareq  https://github.com/mareq
[9]  Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[10] Pull Request #2  https://github.com/bro/time-machine/pull/2
[11] mareq  https://github.com/mareq
[12] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[13] Pull Request #1  https://github.com/bro/time-machine/pull/1
[14] mareq  https://github.com/mareq
[15] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org Sun May 25 00:00:15 2014
From: noreply at bro.org (Merge Tracker)
Date: Sun, 25 May 2014 00:00:15 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405250700.s4P70FoW001963@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component     User         Updated     Title
-------  ------------  -----------  ----------  ---------------------------------------------------------------------------
#9 [1]   bro           Mraoul [2]   2014-05-19  New Logging Writers based on librabbitmq [3]
#4 [4]   time-machine  mareq [5]    2014-04-10  When deleting connections hashtable, delete stored connections as well. [6]
#3 [7]   time-machine  mareq [8]    2014-04-10  Correct handling of Linux SLL header and VLAN headers. [9]
#2 [10]  time-machine  mareq [11]   2014-04-09  Query interval start/end is now taken into account. [12]
#1 [13]  time-machine  mareq [14]   2014-03-19  TM-16: Really skip VLAN header for indexing. [15]

[1]  Pull Request #9  https://github.com/bro/bro/pull/9
[2]  Mraoul  https://github.com/Mraoul
[3]  Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[4]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[5]  mareq  https://github.com/mareq
[6]  Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[7]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[8]  mareq  https://github.com/mareq
[9]  Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[10] Pull Request #2  https://github.com/bro/time-machine/pull/2
[11] mareq  https://github.com/mareq
[12] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[13] Pull Request #1  https://github.com/bro/time-machine/pull/1
[14] mareq  https://github.com/mareq
[15] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org Mon May 26 00:00:17 2014
From: noreply at bro.org (Merge Tracker)
Date: Mon, 26 May 2014 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405260700.s4Q70HcH013239@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component     User         Updated     Title
-------  ------------  -----------  ----------  ---------------------------------------------------------------------------
#9 [1]   bro           Mraoul [2]   2014-05-19  New Logging Writers based on librabbitmq [3]
#4 [4]   time-machine  mareq [5]    2014-04-10  When deleting connections hashtable, delete stored connections as well. [6]
#3 [7]   time-machine  mareq [8]    2014-04-10  Correct handling of Linux SLL header and VLAN headers. [9]
#2 [10]  time-machine  mareq [11]   2014-04-09  Query interval start/end is now taken into account. [12]
#1 [13]  time-machine  mareq [14]   2014-03-19  TM-16: Really skip VLAN header for indexing. [15]

[1]  Pull Request #9  https://github.com/bro/bro/pull/9
[2]  Mraoul  https://github.com/Mraoul
[3]  Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[4]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[5]  mareq  https://github.com/mareq
[6]  Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[7]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[8]  mareq  https://github.com/mareq
[9]  Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[10] Pull Request #2  https://github.com/bro/time-machine/pull/2
[11] mareq  https://github.com/mareq
[12] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[13] Pull Request #1  https://github.com/bro/time-machine/pull/1
[14] mareq  https://github.com/mareq
[15] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From noreply at bro.org Tue May 27 00:00:17 2014
From: noreply at bro.org (Merge Tracker)
Date: Tue, 27 May 2014 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405270700.s4R70HFj021183@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component     User         Updated     Title
-------  ------------  -----------  ----------  ---------------------------------------------------------------------------
#9 [1]   bro           Mraoul [2]   2014-05-19  New Logging Writers based on librabbitmq [3]
#4 [4]   time-machine  mareq [5]    2014-04-10  When deleting connections hashtable, delete stored connections as well. [6]
#3 [7]   time-machine  mareq [8]    2014-04-10  Correct handling of Linux SLL header and VLAN headers. [9]
#2 [10]  time-machine  mareq [11]   2014-04-09  Query interval start/end is now taken into account. [12]
#1 [13]  time-machine  mareq [14]   2014-03-19  TM-16: Really skip VLAN header for indexing. [15]

[1]  Pull Request #9  https://github.com/bro/bro/pull/9
[2]  Mraoul  https://github.com/Mraoul
[3]  Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[4]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[5]  mareq  https://github.com/mareq
[6]  Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[7]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[8]  mareq  https://github.com/mareq
[9]  Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[10] Pull Request #2  https://github.com/bro/time-machine/pull/2
[11] mareq  https://github.com/mareq
[12] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[13] Pull Request #1  https://github.com/bro/time-machine/pull/1
[14] mareq  https://github.com/mareq
[15] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From jira at bro-tracker.atlassian.net Tue May 27 14:42:07 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Tue, 27 May 2014 16:42:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1196) Add index of logs to documentation

Robin Sommer created BIT-1196:
---------------------------------

             Summary: Add index of logs to documentation
                 Key: BIT-1196
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1196
             Project: Bro Issue Tracker
          Issue Type: New Feature
          Components: Bro
            Reporter: Robin Sommer
             Fix For: 2.4


Our documentation should have an index of all log files, with links to the corresponding field definitions. I think we should be able to auto-generate that.

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From noreply at bro.org Wed May 28 00:00:15 2014
From: noreply at bro.org (Merge Tracker)
Date: Wed, 28 May 2014 00:00:15 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405280700.s4S70FSW000574@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component     User         Updated     Title
-------  ------------  -----------  ----------  ---------------------------------------------------------------------------
#9 [1]   bro           Mraoul [2]   2014-05-19  New Logging Writers based on librabbitmq [3]
#4 [4]   time-machine  mareq [5]    2014-04-10  When deleting connections hashtable, delete stored connections as well. [6]
#3 [7]   time-machine  mareq [8]    2014-04-10  Correct handling of Linux SLL header and VLAN headers. [9]
#2 [10]  time-machine  mareq [11]   2014-04-09  Query interval start/end is now taken into account. [12]
#1 [13]  time-machine  mareq [14]   2014-03-19  TM-16: Really skip VLAN header for indexing. [15]

[1]  Pull Request #9  https://github.com/bro/bro/pull/9
[2]  Mraoul  https://github.com/Mraoul
[3]  Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[4]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[5]  mareq  https://github.com/mareq
[6]  Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[7]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[8]  mareq  https://github.com/mareq
[9]  Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[10] Pull Request #2  https://github.com/bro/time-machine/pull/2
[11] mareq  https://github.com/mareq
[12] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[13] Pull Request #1  https://github.com/bro/time-machine/pull/1
[14] mareq  https://github.com/mareq
[15] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From jira at bro-tracker.atlassian.net Wed May 28 09:52:08 2014
From: jira at bro-tracker.atlassian.net (Robin Sommer (JIRA))
Date: Wed, 28 May 2014 11:52:08 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1140) Bloomfilter hashing problem

    [ https://bro-tracker.atlassian.net/browse/BIT-1140?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16700#comment-16700 ]

Robin Sommer commented on BIT-1140:
-----------------------------------

Ping.

> Bloomfilter hashing problem
> ---------------------------
>
>                 Key: BIT-1140
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1140
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>            Assignee: Matthias Vallentin
>             Fix For: 2.3
>
>         Attachments: bloom-test2.bro, bloom-test-short.bro
>
>
> It seems bloomfilter hashing isn't working correctly. Has that been confirmed? Is there a fix?

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From noreply at bro.org Thu May 29 00:00:16 2014
From: noreply at bro.org (Merge Tracker)
Date: Thu, 29 May 2014 00:00:16 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405290700.s4T70GAA030574@bro-ids.icir.org>

Open GitHub Pull Requests
=========================

Issue    Component     User         Updated     Title
-------  ------------  -----------  ----------  ---------------------------------------------------------------------------
#9 [1]   bro           Mraoul [2]   2014-05-19  New Logging Writers based on librabbitmq [3]
#4 [4]   time-machine  mareq [5]    2014-04-10  When deleting connections hashtable, delete stored connections as well. [6]
#3 [7]   time-machine  mareq [8]    2014-04-10  Correct handling of Linux SLL header and VLAN headers. [9]
#2 [10]  time-machine  mareq [11]   2014-04-09  Query interval start/end is now taken into account. [12]
#1 [13]  time-machine  mareq [14]   2014-03-19  TM-16: Really skip VLAN header for indexing. [15]

[1]  Pull Request #9  https://github.com/bro/bro/pull/9
[2]  Mraoul  https://github.com/Mraoul
[3]  Merge Pull Request #9 with git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[4]  Pull Request #4  https://github.com/bro/time-machine/pull/4
[5]  mareq  https://github.com/mareq
[6]  Merge Pull Request #4 with git pull https://github.com/mareq/time-machine.git topic/mareq/memory-leaks
[7]  Pull Request #3  https://github.com/bro/time-machine/pull/3
[8]  mareq  https://github.com/mareq
[9]  Merge Pull Request #3 with git pull https://github.com/mareq/time-machine.git topic/mareq/linktype-linux-sll
[10] Pull Request #2  https://github.com/bro/time-machine/pull/2
[11] mareq  https://github.com/mareq
[12] Merge Pull Request #2 with git pull https://github.com/mareq/time-machine.git topic/mareq/in-memory-query-interval
[13] Pull Request #1  https://github.com/bro/time-machine/pull/1
[14] mareq  https://github.com/mareq
[15] Merge Pull Request #1 with git pull https://github.com/mareq/time-machine.git topic/mareq/tm-16

From jira at bro-tracker.atlassian.net Thu May 29 11:27:07 2014
From: jira at bro-tracker.atlassian.net (Andrew Hoying (JIRA))
Date: Thu, 29 May 2014 13:27:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1197) policy/misc/load-balancing.bro has an error
In-Reply-To:
References:
Message-ID:

Andrew Hoying created BIT-1197:
----------------------------------

             Summary: policy/misc/load-balancing.bro has an error
                 Key: BIT-1197
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1197
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: 2.2
            Reporter: Andrew Hoying
            Priority: Low

policy/misc/load-balancing.bro references the function PacketFilter::sample_filter, which fails when the script is compiled. The correct function name is PacketFilter::sampling_filter.

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From jira at bro-tracker.atlassian.net Thu May 29 13:42:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 29 May 2014 15:42:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1197) policy/misc/load-balancing.bro has an error
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1197:
---------------------------

    Resolution: Fixed
        Status: Closed  (was: Open)

> policy/misc/load-balancing.bro has an error
> -------------------------------------------
>
>              Key: BIT-1197
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1197
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: 2.2
>         Reporter: Andrew Hoying
>         Priority: Low
>
> policy/misc/load-balancing.bro references the function PacketFilter::sample_filter, which fails when the script is compiled. The correct function name is PacketFilter::sampling_filter.

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From jira at bro-tracker.atlassian.net Thu May 29 13:42:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 29 May 2014 15:42:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1197) policy/misc/load-balancing.bro has an error
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1197:
---------------------------

    Fix Version/s: 2.3

> policy/misc/load-balancing.bro has an error
> -------------------------------------------
>
>              Key: BIT-1197
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1197
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: 2.2
>         Reporter: Andrew Hoying
>         Priority: Low
>          Fix For: 2.3
>
>
> policy/misc/load-balancing.bro references the function PacketFilter::sample_filter, which fails when the script is compiled. The correct function name is PacketFilter::sampling_filter.

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From jira at bro-tracker.atlassian.net Thu May 29 13:43:07 2014
From: jira at bro-tracker.atlassian.net (Jon Siwek (JIRA))
Date: Thu, 29 May 2014 15:43:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1197) policy/misc/load-balancing.bro has an error
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16701#comment-16701 ]

Jon Siwek commented on BIT-1197:
--------------------------------

Thanks; fixed in git now.

> policy/misc/load-balancing.bro has an error
> -------------------------------------------
>
>              Key: BIT-1197
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1197
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: 2.2
>         Reporter: Andrew Hoying
>         Priority: Low
>          Fix For: 2.3
>
>
> policy/misc/load-balancing.bro references the function PacketFilter::sample_filter, which fails when the script is compiled. The correct function name is PacketFilter::sampling_filter.

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From noreply at bro.org Fri May 30 00:00:17 2014
From: noreply at bro.org (Merge Tracker)
Date: Fri, 30 May 2014 00:00:17 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405300700.s4U70Hji002696@bro-ids.icir.org>

Open Fastpath Commits
======================

  Commit       Component  Author         Date        Summary
  -----------  ---------  -------------  ----------  -----------------------------------------------------
  4aae8da [1]  broctl     Daniel Thayer  2014-05-29  Fix for capstats with PF_RING+DNA pfdnacluster_master

Open GitHub Pull Requests
=========================

  Issue   Component  User        Updated     Title
  ------  ---------  ----------  ----------  --------------------------------------------
  #9 [2]  bro        Mraoul [3]  2014-05-19  New Logging Writers based on librabbitmq [4]

[1] 4aae8da                     https://github.com/bro/broctl/commit/4aae8daace0774636824c808310cf0d244cc8357
[2] Pull Request #9             https://github.com/bro/bro/pull/9
[3] Mraoul                      https://github.com/Mraoul
[4] Merge Pull Request #9 with  git pull https://github.com/MITRECND/bro.git topic/rabbit_writers

From jira at bro-tracker.atlassian.net Fri May 30 15:49:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Fri, 30 May 2014 17:49:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernhard Amann updated BIT-1195:
--------------------------------

    Status: Merge Request  (was: Open)

> SSL: subject overflow in issuer_subject
> ---------------------------------------
>
>              Key: BIT-1195
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1195
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: git/master, 2.2
>      Environment: Tested on Debian and Security Onion
>         Reporter: Anthony Verez
>         Assignee: Bernhard Amann
>          Fix For: 2.3
>
>      Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz
>
>
> Hi,
> I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master)
> Steps to reproduce:
> 1. Start capturing
> 2. openssl s_client -connect 63.245.215.80:443
> 3. Stop capturing
> 4. Load the pcap in Bro
> Problem:
> * cat -t master_logs/ssl.log -> "Orga^Inization"
> * cat -t master_logs/x509.log -> "Orga^Inization"
> * cat -t 2.2_logs/x509.log -> "Orga^Inization"
> Whereas the openssl command above gives
> subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> I have attached:
> * the pcap
> * logs in both 2.2 and master (bro -r capture.pcap)
> Great job on beta 2.3 :-)

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From jira at bro-tracker.atlassian.net Fri May 30 15:49:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Fri, 30 May 2014 17:49:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16702#comment-16702 ]

Bernhard Amann commented on BIT-1195:
-------------------------------------

Fix is in topic/bernhard/ticket-1195 of bro and testing

> SSL: subject overflow in issuer_subject
> ---------------------------------------
>
>              Key: BIT-1195
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1195
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: git/master, 2.2
>      Environment: Tested on Debian and Security Onion
>         Reporter: Anthony Verez
>         Assignee: Bernhard Amann
>          Fix For: 2.3
>
>      Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz
>
>
> Hi,
> I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master)
> Steps to reproduce:
> 1. Start capturing
> 2. openssl s_client -connect 63.245.215.80:443
> 3. Stop capturing
> 4. Load the pcap in Bro
> Problem:
> * cat -t master_logs/ssl.log -> "Orga^Inization"
> * cat -t master_logs/x509.log -> "Orga^Inization"
> * cat -t 2.2_logs/x509.log -> "Orga^Inization"
> Whereas the openssl command above gives
> subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> I have attached:
> * the pcap
> * logs in both 2.2 and master (bro -r capture.pcap)
> Great job on beta 2.3 :-)

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From jira at bro-tracker.atlassian.net Fri May 30 16:09:07 2014
From: jira at bro-tracker.atlassian.net (Anthony Verez (JIRA))
Date: Fri, 30 May 2014 18:09:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1195) SSL: subject overflow in issuer_subject
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16703#comment-16703 ]

Anthony Verez commented on BIT-1195:
------------------------------------

It works well now, thanks :-)

> SSL: subject overflow in issuer_subject
> ---------------------------------------
>
>              Key: BIT-1195
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1195
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: git/master, 2.2
>      Environment: Tested on Debian and Security Onion
>         Reporter: Anthony Verez
>         Assignee: Bernhard Amann
>          Fix For: 2.3
>
>      Attachments: 2.2_logs.tar.gz, capture.pcap, master_logs.tar.gz
>
>
> Hi,
> I found a string overflow of subject into issuer_subject that can be seen in both ssl.log (2.2 and master) and x509.log (master)
> Steps to reproduce:
> 1. Start capturing
> 2. openssl s_client -connect 63.245.215.80:443
> 3. Stop capturing
> 4. Load the pcap in Bro
> Problem:
> * cat -t master_logs/ssl.log -> "Orga^Inization"
> * cat -t master_logs/x509.log -> "Orga^Inization"
> * cat -t 2.2_logs/x509.log -> "Orga^Inization"
> Whereas the openssl command above gives
> subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/serialNumber=C2543436/street=650 Castro St Ste 300/postalCode=94041/C=US/ST=CA/L=Mountain View/O=Mozilla Foundation/CN=bugzilla.mozilla.org
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
> I have attached:
> * the pcap
> * logs in both 2.2 and master (bro -r capture.pcap)
> Great job on beta 2.3 :-)

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From jira at bro-tracker.atlassian.net Fri May 30 16:23:07 2014
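The symptom in the BIT-1195 thread above is visible with `cat -t` because the ^I is a tab, the separator of Bro's ASCII logs, so a value that has spilled into the next column turns into a record with one field too many. The following is an added example (not Bro's code and not part of the ticket) of the sanity check an analyst can run over ssl.log or x509.log to catch that class of corruption: it reads the `#separator` and `#fields` directives and flags any record whose field count disagrees with the header. The log lines are constructed to mimic the report, with only the columns needed for the check and documentation addresses in place of real ones.

```python
"""Check records of a Bro ASCII log against its #fields header.

Added example, not code from the Bro project or from BIT-1195. The sample
log is constructed: a real ssl.log carries many more columns.
"""
from typing import Dict, List, Tuple

# Constructed sample in the layout of a Bro ASCII log. The second record
# mimics the reported symptom: a separator landed inside the subject value,
# so the remainder shifts into issuer_subject and the record has 5 fields.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tssl\n"
    "#fields\tts\tid.orig_h\tsubject\tissuer_subject\n"
    "#types\ttime\taddr\tstring\tstring\n"
    "1401480000.000000\t192.0.2.10\tCN=example.test,O=Example Org\tCN=Example CA\n"
    "1401480001.000000\t192.0.2.11\tO=Private Orga\tnization\tCN=Example CA\n"
    "#close\t2014-05-30-18-00-00\n"
)


def parse_bro_log(text: str) -> Tuple[List[str], List[List[str]]]:
    """Return (column names from #fields, records split on the separator)."""
    fields: List[str] = []
    records: List[List[str]] = []
    sep = "\t"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # the directive is space-delimited and escapes the tab as \x09
                sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
            elif line.startswith("#fields" + sep):
                fields = line.split(sep)[1:]
            continue  # other directives (#path, #types, #close, ...) carry no records
        records.append(line.split(sep))
    return fields, records


def find_field_count_mismatches(text: str) -> List[Dict[str, object]]:
    """Flag records whose field count differs from the #fields header.

    Each finding gives the record index, expected and actual counts and the
    raw fields, which is what is needed to see where a value spilled over.
    """
    fields, records = parse_bro_log(text)
    findings: List[Dict[str, object]] = []
    for idx, rec in enumerate(records):
        if len(rec) != len(fields):
            findings.append({
                "record": idx,
                "expected": len(fields),
                "actual": len(rec),
                "raw": rec,
            })
    return findings


if __name__ == "__main__":
    for f in find_field_count_mismatches(SAMPLE_LOG):
        print(f"record {f['record']}: expected {f['expected']} fields, "
              f"got {f['actual']}: {f['raw']}")
```

Run against a real log, the check only says that a record and the header disagree; confirming which column spilled still takes comparing the logged DN with what `openssl` prints for the same certificate, as the reporter did.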
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Fri, 30 May 2014 18:23:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1180) Input framework subsequent REREAD fails after file update
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16704#comment-16704 ]

Bernhard Amann commented on BIT-1180:
-------------------------------------

For input streams that have re-read enabled, should we perhaps not really die on errors, but still try to re-read the file upon each change to it? So if there is one file version that has whatever error, and later ones don't have it, we will pick up the new version, even if we failed before?

> Input framework subsequent REREAD fails after file update
> ---------------------------------------------------------
>
>              Key: BIT-1180
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1180
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: 2.2
>         Reporter: Aashish Sharma
>         Assignee: Bernhard Amann
>         Priority: High
>           Labels: input-framework
>          Fix For: 2.4
>
>
> I have a file that gets updated every hour and I am using it as a feed into bro using input framework. Every hour I write a list of IP addresses into this file. For many updates everything works fine but occasionally, I see the following error:
> Apr 6 05:00:09 Reporter::ERROR /feeds/Blacklist/CURRENT.24hrs_BRO/Input::READER_ASCII: could not read first line (empty)
> After this failure/message, any subsequent updates on the file are ignored by the input framework.
> From visual inspection the file looks just fine and header/data (1 column of IP addresses) is there as expected but somehow input framework doesn't like it. It seems that every hour when I update the file using a cron script, on a rare occasion the file is empty for a minuscule duration after which this error starts.
> For further REREADS data won't get updated into the tables anymore once the above Reporter::ERROR kicks in.
> Please let me know if you need ways to reproduce this error condition or have more questions for me.

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From jira at bro-tracker.atlassian.net Fri May 30 16:23:07 2014
From: jira at bro-tracker.atlassian.net (Bernhard Amann (JIRA))
Date: Fri, 30 May 2014 18:23:07 -0500 (CDT)
Subject: [Bro-Dev] [JIRA] (BIT-1180) Input framework subsequent REREAD fails after file update
In-Reply-To:
References:
Message-ID:

    [ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernhard Amann updated BIT-1180:
--------------------------------

    Fix Version/s: 2.4

> Input framework subsequent REREAD fails after file update
> ---------------------------------------------------------
>
>              Key: BIT-1180
>              URL: https://bro-tracker.atlassian.net/browse/BIT-1180
>          Project: Bro Issue Tracker
>       Issue Type: Problem
>       Components: Bro
> Affects Versions: 2.2
>         Reporter: Aashish Sharma
>         Assignee: Bernhard Amann
>         Priority: High
>           Labels: input-framework
>          Fix For: 2.4
>
>
> I have a file that gets updated every hour and I am using it as a feed into bro using input framework. Every hour I write a list of IP addresses into this file. For many updates everything works fine but occasionally, I see the following error:
> Apr 6 05:00:09 Reporter::ERROR /feeds/Blacklist/CURRENT.24hrs_BRO/Input::READER_ASCII: could not read first line (empty)
> After this failure/message, any subsequent updates on the file are ignored by the input framework.
> From visual inspection the file looks just fine and header/data (1 column of IP addresses) is there as expected but somehow input framework doesn't like it. It seems that every hour when I update the file using a cron script, on a rare occasion the file is empty for a minuscule duration after which this error starts.
> For further REREADS data won't get updated into the tables anymore once the above Reporter::ERROR kicks in.
> Please let me know if you need ways to reproduce this error condition or have more questions for me.

--
This message was sent by Atlassian JIRA
(v6.3-OD-05-016#6325)

From noreply at bro.org Sat May 31 00:00:19 2014
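The BIT-1180 thread above describes a race with two sides: a cron job that leaves the feed file empty for an instant, and a reader that gives up for good once it sees that empty file. The following is an added example (not Bro's input framework and not code from the ticket) that models both fixes in one place. The producer writes the new list to a temporary file in the same directory and renames it over the feed, so a reader never observes an empty or half-written file. The consumer does what Bernhard's comment proposes: a version it cannot parse is recorded as an error but does not disable the stream, and the next change is read again. The function and class names, the scenario and the addresses (documentation ranges) are this example's own.

```python
"""Atomic feed replacement plus a re-read that survives a transient empty file.

Added example, not Bro code. It models the BIT-1180 race: the hourly
producer (cron job) and the consumer that re-reads the feed on change.
"""
import os
import tempfile
from typing import Dict, List, Optional, Set, Tuple


def atomic_write_feed(path: str, addrs: List[str]) -> None:
    """Replace `path` with a one-column address feed in a single rename.

    Readers see either the complete old file or the complete new file,
    never an empty one: the data goes to a temp file in the same directory
    and os.replace() swaps it in atomically (POSIX rename semantics).
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".feed-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("#fields\tip\n")
            for a in addrs:
                fh.write(a + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # data is on disk before the rename publishes it
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


class RereadingFeed:
    """Consumer that re-reads a feed on change but keeps the last good table."""

    def __init__(self, path: str) -> None:
        self.path = path
        self.table: Set[str] = set()
        self.errors: List[str] = []
        self._last_version: Optional[Tuple[int, int, int]] = None

    def reread(self) -> bool:
        """Re-read if the file changed; return True when the table was replaced.

        An empty or header-less file is logged as an error and skipped, but
        the stream stays enabled, so a later good version is still loaded.
        """
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            self.errors.append("file missing")
            return False
        # inode + size + mtime: rename-replace changes the inode, truncation
        # changes the size, so a change is noticed even on coarse mtimes
        version = (st.st_ino, st.st_size, st.st_mtime_ns)
        if version == self._last_version:
            return False
        self._last_version = version
        with open(self.path) as fh:
            lines = [ln.rstrip("\n") for ln in fh]
        if not lines or not lines[0].startswith("#fields"):
            self.errors.append("could not read first line (empty)")
            return False  # keep the previous table, retry on the next change
        self.table = {ln for ln in lines[1:] if ln and not ln.startswith("#")}
        return True


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: good update, truncating rewrite, good update."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "blacklist.txt")
        feed = RereadingFeed(path)
        atomic_write_feed(path, ["192.0.2.1", "192.0.2.2"])
        first = feed.reread()
        after_first = set(feed.table)
        open(path, "w").close()  # what a non-atomic rewrite exposes for a moment
        second = feed.reread()
        after_empty = set(feed.table)
        atomic_write_feed(path, ["192.0.2.3"])
        third = feed.reread()
        return {
            "updates": (first, second, third),
            "tables": (after_first, after_empty, set(feed.table)),
            "errors": list(feed.errors),
        }


if __name__ == "__main__":
    print(run_scenario())
```

The producer-side fix is the one a feed maintainer can apply today without touching Bro: any cron script that ends in `mv tmpfile feedfile` on the same filesystem gets the same guarantee. The consumer side shows why the reader should not latch the error: with the table kept and the version key reset on every change, the empty intermediate costs one logged error instead of all future updates.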
From: noreply at bro.org (Merge Tracker)
Date: Sat, 31 May 2014 00:00:19 -0700
Subject: [Bro-Dev] [Auto] Merge Status
Message-ID: <201405310700.s4V70JF8031992@bro-ids.icir.org>

Open Merge Requests
===================

  ID            Component  Reporter       Assignee        Updated     For Version  Priority  Summary
  ------------  ---------  -------------  --------------  ----------  -----------  --------  ---------------------------------------
  BIT-1195 [1]  Bro        Anthony Verez  Bernhard Amann  2014-05-30  2.3          Normal    SSL: subject overflow in issuer_subject

Open Fastpath Commits
======================

  Commit       Component  Author         Date        Summary
  -----------  ---------  -------------  ----------  -----------------------------------------------------
  cb76145 [2]  broctl     Daniel Thayer  2014-05-30  Fix for capstats to display correct interface name
  4aae8da [3]  broctl     Daniel Thayer  2014-05-29  Fix for capstats with PF_RING+DNA pfdnacluster_master

Open GitHub Pull Requests
=========================

  Issue   Component     User          Updated     Title
  ------  ------------  ------------  ----------  --------------------------------------------
  #9 [4]  bro           Mraoul [5]    2014-05-19  New Logging Writers based on librabbitmq [6]
  #3 [7]  pysubnettree  kitterma [8]  2014-05-30  Update MANIFEST.in [9]

[1] BIT-1195                    https://bro-tracker.atlassian.net/browse/BIT-1195
[2] cb76145                     https://github.com/bro/broctl/commit/cb76145399484198c4079767a08f80db41c03363
[3] 4aae8da                     https://github.com/bro/broctl/commit/4aae8daace0774636824c808310cf0d244cc8357
[4] Pull Request #9             https://github.com/bro/bro/pull/9
[5] Mraoul                      https://github.com/Mraoul
[6] Merge Pull Request #9 with  git pull https://github.com/MITRECND/bro.git topic/rabbit_writers
[7] Pull Request #3             https://github.com/bro/pysubnettree/pull/3
[8] kitterma                    https://github.com/kitterma
[9] Merge Pull Request #3 with  git pull https://github.com/kitterma/pysubnettree.git master